F5 Lab Day API Security: Capture the Flag

Are you ready to roll up your sleeves, crack a Red Bull, and see if you have what it takes to Capture the Flag?

Join the F5 DISA team for an interactive Capture the Flag competition where you will compete against others to hunt for API vulnerabilities and learn how they work. See who has what it takes to identify vulnerable APIs and ultimately Capture the Flag!

In this lab and Capture the Flag exercise, you will learn how to identify and mitigate:

• Hard-Coded Secrets: Many applications exchange user credentials for a hard-coded token or key. This key allows anyone who knows it to gain access to the application, however, many times these keys have no expiration, allowing a user to completely circumvent the authentication process.
• Broken Authorization: Providing blanket access to the API keys has proven detrimental to multiple mobile and web applications. Malicious users have used such blanket access to get ahold of confidential data belonging to others.
• Data Access Control on User Interface (UI): Time and again we have seen implementations where APIs pull more data from a server than an app is authorized to share, so even if the app’s UI filters this information from the user, attackers can access and exploit this data.
• Security Check for User Interface (UI): Over the last few decades, we have learned that no entry made by the client should be blindly trusted. In some instances, checks are built into the UI, but they can be circumvented with man-in-the-middle tools or API tools.
• Weak Tokens: JSON Web Token (JWT) has soared in popularity for use within APIs for its ability to provide integrity. However, an implementation of JWT without a proper cryptographic signing mechanism can lead to privilege escalation.
• Credential Stuffing: Bots have automated the process of testing stolen website login credentials; testing credentials against APIs is no different. Bots can be used to scrape APIs for data or used to validate stolen credentials, eventually leading to account takeover (ATO) attacks.
• Version Troubles: APIs are often changed to add functionality or remove unused features. These changes can cause the clients that use them to break, so it is common practice that organizations maintain multiple versions of APIs to ensure compatibility. Sometimes out-of-sight and out-of-mind treatment for older versions of APIs has caused breaches, and security controls are not kept up to date for the older version.