Open Sesame: The API Defenders - A Superhero’s Quest for Digital Justice

This talk is a war story from the frontlines of API security. It recounts an in-depth assessment that began with minimal privileges and escalated into a full administrative account takeover. Starting from a grey-box testing scenario with a simple user account, the narrative unfolds the discovery and chaining of critical vulnerabilities—broken authentication, broken authorization, and insecure password reset mechanisms—into a comprehensive killchain.

Rather than delving into technical explanations of these vulnerabilities, the session emphasizes the critical lesson learned: the necessity of integrating robust security practices into every phase of the Software Development Life Cycle (SDLC) for internet-facing APIs. Attendees will gain insights into how attackers can chain seemingly minor oversights into a devastating breach, underscoring the high stakes of API security and the imperative for proactive, secure development practices.

Join me for an engaging exploration of this real-world example, and learn actionable strategies to safeguard your digital infrastructure against sophisticated, multi-stage attacks.

Panagiotis Fiskilis

Senior Penetration Tester at NVISO

Athens, Greece
