Amit Srour
About the researcher:
Amit Srour, API security engineer at a major global Fortune 100 financial institution.
Biography: With nearly a decade of experience in application development and application security, I specialize in Application Security Engineering and Software Development. My fascination with software began at a young age, leading me to develop hacking tools, intentionally vulnerable applications, and web applications. I've also provided technology advice to startups and small companies. Currently, I'm based in Modi'in, Israel. Xitter - @sirappsec
Linkedin - https://www.linkedin.com/in/amitsrour/
Session
Shadow and Zombie APIs have the potential to open unintended backdoors or expose private information. They WILL creep up when least expected. In this talk, you'll learn the "What" and "How" of understanding, discovering, and identifying Shadow and Zombie APIs. I'll cover the problem scope, classical solutions, and techniques for popular Web API frameworks (including Express.js and Spring Boot, using Interactive Application Security Testing) that you can employ today to tackle these pesky vulnerabilities. We will explore which approaches are most convenient for attackers and how you can significantly increase the difficulty for any adversary. Additionally, I'll demo my open-source tool designed to proactively bridge the gap between your API's specifications and what they actually expose.
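The core technique the abstract describes, comparing what an API is documented to expose against what the framework actually serves, can be shown for Express.js in a few dozen lines. The following is an added example written for this page; it is not the speaker's tool and not code from the talk. It walks the router stack that Express 4 keeps at `app._router` (Express 5 exposes it at `app.router`), recovers mount prefixes from the layer regexp that `app.use('/api', router)` produces, and diffs the result against an OpenAPI `paths` object. The OpenAPI fragment and the router tree below are constructed fixtures shaped like Express's internals so the example runs without installing Express; the classification rule (served but undocumented = shadow, served but marked `deprecated` = zombie, documented but not served = stale) is this example's own convention, not a standard.

```javascript
// Added example: diff an Express route table against an OpenAPI document to flag
// shadow (undocumented), zombie (deprecated but still served) and stale (documented
// but not served) endpoints. Not the speaker's tool; assumptions are marked inline.

const HTTP_METHODS = new Set(['get', 'put', 'post', 'delete', 'options', 'head', 'patch', 'trace']);

// Convert an OpenAPI path template ("/users/{id}") to Express style ("/users/:id").
function normalizeSpecPath(p) {
  return p.replace(/\{([^}/]+)\}/g, ':$1');
}

// Recover the mount prefix of a sub-router layer. Express 4 compiles
// app.use('/api', router) into /^\/api\/?(?=\/|$)/i; undo that encoding.
// A layer mounted at "/" carries regexp.fast_slash === true.
function mountPrefix(layer) {
  if (!layer.regexp || layer.regexp.fast_slash) return '';
  return layer.regexp.source
    .replace(/^\^/, '')
    .replace(/\\\/\?\(\?=\\\/\|\$\)$/, '')
    .replace(/\\\//g, '/');
}

// Walk the router stack recursively and return [{ method, path }] with upper-case
// methods. Route layers carry .route; mounted routers carry .handle.stack.
function extractExpressRoutes(app) {
  const router = app.router || app._router; // Express 5 vs Express 4 location
  const found = [];
  function walk(stack, prefix) {
    for (const layer of stack || []) {
      if (layer.route) {
        for (const p of [].concat(layer.route.path)) {
          for (const m of Object.keys(layer.route.methods)) {
            // route.all() records "_all"; skip internal keys and false entries
            if (!m.startsWith('_') && layer.route.methods[m]) {
              found.push({ method: m.toUpperCase(), path: prefix + p });
            }
          }
        }
      } else if (layer.handle && layer.handle.stack) {
        walk(layer.handle.stack, prefix + mountPrefix(layer));
      }
    }
  }
  walk(router ? router.stack : [], '');
  return found;
}

// Compare the spec's documented operations with the routes actually registered.
function diffAgainstSpec(spec, liveRoutes) {
  const documented = new Map(); // "METHOD /path" -> operation object
  for (const [tmpl, item] of Object.entries(spec.paths || {})) {
    for (const [method, op] of Object.entries(item)) {
      if (HTTP_METHODS.has(method)) {
        documented.set(`${method.toUpperCase()} ${normalizeSpecPath(tmpl)}`, op);
      }
    }
  }
  const served = new Set(liveRoutes.map((r) => `${r.method} ${r.path}`));
  const report = { shadow: [], zombie: [], stale: [] };
  for (const key of served) {
    const op = documented.get(key);
    if (!op) report.shadow.push(key);            // exposed, never documented
    else if (op.deprecated) report.zombie.push(key); // documented as dead, still alive
  }
  for (const key of documented.keys()) {
    if (!served.has(key)) report.stale.push(key); // documented, not actually served
  }
  return report;
}

// Constructed OpenAPI 3 fragment (sample data, not from a real service).
const SPEC = {
  openapi: '3.0.0',
  paths: {
    '/api/users/{id}': { get: { summary: 'Fetch user' }, delete: { deprecated: true } },
    '/api/orders': { get: {}, post: {} },
    '/health': { get: {} },
  },
};

// Constructed router tree shaped like Express 4's app._router (no express dependency).
const FAKE_APP = {
  _router: { stack: [
    { route: { path: '/health', methods: { get: true } } },
    { route: { path: '/debug/env', methods: { get: true } } }, // never documented
    { regexp: /^\/api\/?(?=\/|$)/i, handle: { stack: [
      { route: { path: '/users/:id', methods: { get: true, delete: true } } },
      { route: { path: '/orders', methods: { get: true } } }, // POST documented, not served
    ] } },
  ] },
};

function runExample() {
  return diffAgainstSpec(SPEC, extractExpressRoutes(FAKE_APP));
}

console.log(JSON.stringify(runExample(), null, 2));
```

Against a real application, replace `FAKE_APP` with the Express `app` after all routes are registered and load the spec with a YAML or JSON parser. The `shadow` list is the one to act on first: a route such as `GET /debug/env` that exists only in code is exactly what an attacker fuzzing paths finds before your documentation team does, and `zombie` entries are the deprecated operations that were meant to be retired but still answer requests.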