
Breaking and Securing APIs: A Red Teamer’s Approach

APIs serve as the foundation of modern applications, facilitating seamless data exchange and integration. However, their widespread adoption has also made them a prime target for attackers. This talk will take a deep dive into API security from an offensive perspective, demonstrating how adversaries discover, exploit, and escalate API vulnerabilities.

We will begin by establishing a solid understanding of API reconnaissance, showcasing techniques for discovering exposed endpoints using tools like Shodan and Google Dorking. From there, we'll transition into the vulnerability discovery phase, examining common weaknesses such as SQL injection, authentication flaws, rate-limiting misconfigurations, and excessive data exposure. Through live demonstrations with tools like Burp Suite, attendees will gain insight into how these attacks are carried out in real-world scenarios.

The session will also emphasize Open Source Intelligence (OSINT) and its role in API attacks. We will explore how attackers leverage OSINT tools like Maltego and theHarvester to gather critical information about API infrastructure, users, and potential weak points.

Finally, we’ll shift the focus to defensive strategies, covering essential security measures such as strong authentication, proper authorization mechanisms, input validation, rate limiting, and real-time monitoring. By understanding the offensive mindset, security professionals and developers can better anticipate threats and implement robust protections against API-based attacks.

This talk is designed for red teamers, security engineers, developers, and anyone interested in API security. Attendees will leave with practical insights and actionable techniques to enhance both offensive and defensive API security strategies.

Key Topics Covered:

- Reconnaissance: Discovering exposed APIs and endpoints
- Finding Vulnerabilities: Identifying and exploiting API weaknesses
- OSINT for APIs: Leveraging public data to enhance attacks
- Hands-On Exploitation: Demonstrating real-world attack techniques
- Defensive Best Practices: Strengthening APIs against threats

By the end of this session, participants will have a red teamer’s mindset when approaching API security—understanding not only how APIs are attacked but also how to build stronger defenses to mitigate these risks.

Parth Shukla

Security Analyst, Cequence Security

San Jose, California, United States
