2. Introduction
■ Nutan Kumar Panda
■ Aka @TheOsintGuy
■ Senior Information Security Engineer
■ Osint Enthusiast
■ Presenter at BH US / BIU Israel / GroundZero Summit / CISO Summit, etc.
■ Co-author of the book “Hacking Web Intelligence”
■ Contributor to the DataSploit project
■ Active contributor to the null Bangalore Chapter
3. What can you expect?
■ Basic Theory
■ My personal Experience
■ Approach
■ Tools of the trade
■ Test beds
■ One Example to think out of the box
■ Some Common Findings
■ Hands on Demos
6. Approach
■ Do not jump straight into testing as soon as you are handed an endpoint or a set of endpoints
■ Ask for the documentation
■ Ask for sample requests/responses or a Postman collection
■ Ask for any particular headers that are needed
■ Ask for a token, or for any specific parameter or parameter values, so that you get into the right flow
■ Ask for the workflows (sometimes workflows are bound: you cannot jump directly to a web service and test it, you need data that you only get from other endpoints)
■ It is not only about fuzzing parameters
7. Tools of the trade
■ REST Client (browser plugin)
■ Postman (app and plugin)
■ Burp (or ZAP / Charles / IronWASP or any other interception proxy)
■ Hurl.it (online REST client)
■ SoapUI (https://www.youtube.com/watch?v=XV7WW0bDy9c)
■ Fuzzapi (https://github.com/lalithr95/Fuzzapi), presented just the day before at AppSec USA by Abhijeth and Lalith
– http://www.slideshare.net/AbhijethDugginapeddi/automated-api-pentesting-using-fuzzapi
– If you like this tool, spread the word with #fuzzapi
10. Common Findings
■ Enumeration
■ Rate limiting not implemented
■ Information Disclosure
■ POST to GET conversion (Method Conversion)
■ IDOR
■ SQLi
■ Authorization Flaws
■ Token-related issues (expiry, reuse, predictability, etc.)
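The harness below is an added example; it is not code from the talk or from any of the tools listed on slide 7. It stands up a hypothetical, deliberately weak JSON API on a loopback port (every endpoint, user, token and balance in it is constructed for the demo, not taken from any real service) and then exercises that API in workflow order, as slide 6 recommends: nothing beyond /login can be tested until that endpoint has handed out a token. Along that workflow it checks for several of the findings on this slide: username enumeration, missing rate limiting, predictable tokens, IDOR with information disclosure, POST-to-GET method conversion, and token reuse after logout. Both sides use only Python's standard library, so it runs offline.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed test data for a hypothetical, deliberately weak API (not a real service).
USERS = {
    1: {"user": "alice", "pass": "alice123", "email": "alice@example.test", "balance": 500},
    2: {"user": "bob", "pass": "bob123", "email": "bob@example.test", "balance": 50},
}
SESSIONS = {}           # token -> user id; never expired, never revoked on logout
TOKEN_COUNTER = [1000]  # sequential, hence predictable, tokens

class VulnApi(BaseHTTPRequestHandler):
    do_GET = do_POST = lambda self: self._handle()

    def log_message(self, *args): pass  # silence per-request logging for the demo

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _params(self):
        # Method-conversion flaw: query-string and JSON-body parameters are merged,
        # so every POST-only action is also reachable with a plain GET.
        p = {k: v[0] for k, v in parse_qs(urlparse(self.path).query).items()}
        n = int(self.headers.get("Content-Length") or 0)
        if n:
            p.update(json.loads(self.rfile.read(n)))
        return p

    def _handle(self):
        path, p = urlparse(self.path).path, self._params()
        if path == "/login":
            uid = next((i for i, u in USERS.items() if u["user"] == p.get("user")), None)
            if uid is None:
                return self._send(401, {"error": "unknown user"})    # username enumeration
            if USERS[uid]["pass"] != p.get("pass"):
                return self._send(401, {"error": "wrong password"})  # ...and no rate limit
            TOKEN_COUNTER[0] += 1
            SESSIONS[f"tok-{TOKEN_COUNTER[0]}"] = uid
            return self._send(200, {"token": f"tok-{TOKEN_COUNTER[0]}"})
        auth = self.headers.get("Authorization", "")
        uid = SESSIONS.get(auth[7:]) if auth.startswith("Bearer ") else None
        if uid is None:
            return self._send(401, {"error": "auth required"})
        if path == "/logout":
            return self._send(200, {"ok": True})  # token stays in SESSIONS: reuse flaw
        if path.startswith("/users/"):            # IDOR: no ownership check, leaks e-mail
            rec = USERS.get(int(path.rsplit("/", 1)[1]), {})
            return self._send(200 if rec else 404, {k: rec.get(k) for k in ("user", "email", "balance")})
        if path == "/transfer":                   # state change, meant to be POST-only
            USERS[uid]["balance"] -= int(p["amount"])
            USERS[int(p["to"])]["balance"] += int(p["amount"])
            return self._send(200, {"balance": USERS[uid]["balance"]})
        self._send(404, {"error": "not found"})

def call(base, method, path, body=None, token=None):
    # Minimal JSON client: returns (status, decoded body) for both 2xx and error responses.
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req) as r:
            return r.status, json.loads(r.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read())

def run_checks(base):
    # Exercise the API in workflow order; returns {finding: True if present}.
    login = lambda u, pw: call(base, "POST", "/login", {"user": u, "pass": pw})
    f = {}
    # Workflow first: nothing else works until /login has handed out a token.
    ta, tb = login("alice", "alice123")[1]["token"], login("bob", "bob123")[1]["token"]
    # Enumeration (different error bodies) and no rate limiting (20 rapid failures, none throttled).
    f["enumeration"] = login("alice", "x")[1] != login("nobody", "x")[1]
    f["no_rate_limit"] = all(login("alice", "x")[0] == 401 for _ in range(20))
    # Token predictability: two consecutive logins receive adjacent counters.
    f["predictable_token"] = int(tb[4:]) - int(ta[4:]) == 1
    # IDOR plus information disclosure: bob reads alice's record, e-mail included.
    f["idor"] = call(base, "GET", "/users/1", token=tb)[1].get("email") == "alice@example.test"
    # Method conversion: replay the state-changing transfer as a GET with query params.
    code = call(base, "GET", "/transfer?to=2&amount=10", token=ta)[0]
    f["method_conversion"] = code == 200 and call(base, "GET", "/users/1", token=ta)[1]["balance"] == 490
    # Token reuse: alice's token keeps working after /logout.
    call(base, "POST", "/logout", token=ta)
    f["token_reuse_after_logout"] = call(base, "GET", "/users/1", token=ta)[0] == 200
    return f

def start_server():
    # Bind the mock API to a free loopback port; returns (server, base_url).
    srv = HTTPServer(("127.0.0.1", 0), VulnApi)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"
```

To see it run, call start_server(), pass the returned base URL to run_checks(), print the resulting dictionary and then srv.shutdown(); every entry comes back True against the mock. Pointing run_checks at a real target only needs a different base URL, but the balance comparison in the method-conversion check and the hard-coded credentials are tied to the mock's constructed data and must be adapted. run_checks also mutates server state (it moves money and logs a session out), so it is meant for one pass per fresh server.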