2024-08-06 – Florentine E
Shadow and Zombie APIs have the potential to open unintended backdoors or expose private information. They WILL creep up when least expected. In this talk, you’ll learn the "What" and "How" of understanding, discovering, and identifying Shadow and Zombie APIs. I'll cover the problem scope, classical solutions, and techniques for popular Web API frameworks (including Express.js and SpringBoot, using Interactive Application Security Testing) that you can employ today to tackle these pesky vulnerabilities. We will explore which approaches are most convenient for attackers and how you can significantly increase the difficulty for any adversary. Additionally, I’ll demo my open-source tool designed to proactively bridge the gap between your API's specifications and what they actually expose.
Format: 20-30 minute talk (Including technique overview/recorded or on-stage demo)
Rationale: Sharing knowledge, techniques and tools following an internal research and mastery of a problem after many iterations and solution paths explored.
In this talk, I'll outline the critical issues posed by Shadow and Zombie APIs, which often leave significant security gaps unattended. Without proper discovery workflows, companies typically learn about these vulnerabilities only after they've been exploited—sometimes years later. These API endpoints are neglected simply because they should not exist. Security teams often overlook them, as their existence is unknown. However, attackers can exploit these vulnerabilities by brute-forcing or employing straightforward techniques to identify and leverage them. Common outcomes include the leakage of private information, unauthenticated access, remote code execution, or worse. I will discuss interactive white-box techniques to identify and mitigate the presence of these hidden threats.
Introduction + Teaser (1-2 minutes)
- Why I'm speaking on this topic
- My accomplishments in API security
- Bug bounty payouts received for discovering Shadow and Zombie APIs
Why (2-3 minutes)
- A necessary nod to the OWASP Top 10
- Several examples of macro-level vulnerabilities and exploitations
Story Time (2-3 minutes)
- We'll review a development iteration of a microservice lifecycle (minor version release)
- We'll pinpoint where developers commonly err
What (4-5 minutes)
- Terminology: Definitions of key terms
- Malicious attack paths leading to exploitation
- Common violations: Dependencies, outdated/redundant versions, typos, misattribution, greedy/lazy pattern matching
How (2-3 minutes)
- Essential strategies for mitigation
- Suggestions for the software development lifecycle that you can implement immediately
Techniques/Demo (4-5 minutes)
- Preface to examples: What's needed and what isn’t
- Showcasing a SpringBoot example on identifying routes using an injected package (IAST)
- Demonstrating an Express.js technique to identify registered routes via log analysis
- (Optional) Showcasing Flask/Django using Python (Debug Mode + app.url_map)
(Pending workplace approval for publishing) Tool Demonstration (1 minute)
Closing + Questions (1-2 minutes)
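The Express.js item in the outline (identifying registered routes and comparing them with what the API specification documents) can be reduced to a small audit script. The following is an added example, not code from the talk or its tool: it walks an Express-style router stack, lists every method/path actually served, and diffs that inventory against an OpenAPI `paths` object. Routes served but absent from the spec are reported as shadow routes; an older `/vN/` path that is still registered next to a newer version of the same path is reported as a zombie candidate. The stack layout, the `mountPrefix` field on mounted routers, and the sample spec are constructed assumptions that mimic the shape of Express 4's `app._router.stack`; against a real app you would pass that stack to `listRoutes()` instead (Express keeps the mount point as a compiled `regexp`, which is why the example carries the string alongside).

```javascript
// Added example (not from the talk or its tool): inventory the routes an
// Express-style app serves and diff them against its OpenAPI spec.
// The layer objects below are constructed to mirror Express 4's
// app._router.stack: route layers carry route.path/route.methods, mounted
// routers carry handle.stack. `mountPrefix` is our own convenience field;
// real Express stores the mount as layer.regexp.

// Build a terminal route layer, e.g. routeLayer('/users/:id', ['GET'])
function routeLayer(path, methods) {
  const m = {};
  for (const x of methods) m[x.toLowerCase()] = true;
  return { route: { path, methods: m } };
}

// Build a mounted sub-router layer; `prefix` is the app.use() mount point.
function routerLayer(prefix, stack) {
  return { name: 'router', handle: { stack }, mountPrefix: prefix };
}

// Join two path segments, collapsing duplicate and trailing slashes.
function joinPath(a, b) {
  const s = (a + '/' + b).replace(/\/+/g, '/');
  return s.length > 1 ? s.replace(/\/$/, '') : s;
}

// Recursively flatten the router stack into [{method, path}] entries.
// Plain middleware layers (no route, not a router) are skipped.
function listRoutes(stack, prefix = '') {
  const out = [];
  for (const layer of stack) {
    if (layer.route) {
      for (const m of Object.keys(layer.route.methods)) {
        out.push({ method: m.toUpperCase(), path: joinPath(prefix, layer.route.path) });
      }
    } else if (layer.name === 'router' && layer.handle && layer.handle.stack) {
      out.push(...listRoutes(layer.handle.stack, joinPath(prefix, layer.mountPrefix || '')));
    }
  }
  return out;
}

// Express ':id' params -> OpenAPI '{id}' so both sides use one notation.
function toOpenApiPath(p) {
  return p.replace(/:([A-Za-z0-9_]+)/g, '{$1}');
}

// Collect "METHOD /path" operations documented in an OpenAPI spec.
function specOperations(spec) {
  const ops = new Set();
  const httpMethods = ['get', 'post', 'put', 'patch', 'delete', 'head', 'options'];
  for (const [path, item] of Object.entries(spec.paths || {})) {
    for (const method of Object.keys(item)) {
      if (httpMethods.includes(method)) ops.add(method.toUpperCase() + ' ' + path);
    }
  }
  return ops;
}

// Diff served routes against the spec.
//   shadow:     served but not documented
//   undeployed: documented but not served (spec drift in the other direction)
//   zombie:     served under /vN/ while the same method+path is also served
//               under a higher /vM/ (an old version that was never retired)
function auditRoutes(stack, spec) {
  const served = listRoutes(stack).map(r => r.method + ' ' + toOpenApiPath(r.path));
  const documented = specOperations(spec);
  const servedSet = new Set(served);
  const shadow = served.filter(op => !documented.has(op));
  const undeployed = [...documented].filter(op => !servedSet.has(op));

  const byVersion = new Map(); // "METHOD /rest-of-path" -> [{ver, op}]
  for (const op of served) {
    const m = op.match(/^(\w+) \/v(\d+)(\/.*)?$/);
    if (!m) continue;
    const key = m[1] + ' ' + (m[3] || '/');
    if (!byVersion.has(key)) byVersion.set(key, []);
    byVersion.get(key).push({ ver: Number(m[2]), op });
  }
  const zombie = [];
  for (const entries of byVersion.values()) {
    const newest = Math.max(...entries.map(e => e.ver));
    for (const e of entries) if (e.ver < newest) zombie.push(e.op);
  }
  return { shadow, undeployed, zombie };
}

// Constructed sample app: a v1 router left mounted after v2 shipped,
// plus a debug route that never made it into the spec.
const sampleStack = [
  routeLayer('/health', ['GET']),
  routerLayer('/v1', [
    routeLayer('/users', ['GET', 'POST']),
    routeLayer('/users/:id', ['GET']),
    routeLayer('/debug/dump', ['GET']),
  ]),
  routerLayer('/v2', [
    routeLayer('/users', ['GET', 'POST']),
    routeLayer('/users/:id', ['GET', 'DELETE']),
  ]),
];

// Constructed sample spec documenting only v2 (plus one endpoint not yet built).
const sampleSpec = {
  openapi: '3.0.0',
  paths: {
    '/health': { get: {} },
    '/v2/users': { get: {}, post: {} },
    '/v2/users/{id}': { get: {}, delete: {} },
    '/v2/users/{id}/sessions': { get: {} },
  },
};

console.log(JSON.stringify(auditRoutes(sampleStack, sampleSpec), null, 2));
```

Running this reports the four `/v1/` operations as shadow routes (they are served but undocumented), three of them additionally as zombie candidates because `/v2/` serves the same method and path, and `GET /v2/users/{id}/sessions` as documented but not deployed. Wiring `auditRoutes` into CI against the real `app._router.stack` turns the spec-versus-implementation gap into a failing build instead of a surprise found by an attacker.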
About the researcher:
Amit Srour, API security engineer at a major global Fortune 100 financial institution
Biography: With nearly a decade of experience in application development and application security, I specialize in Application Security Engineering and Software Development. My fascination with software began at a young age, leading me to develop hacking tools, intentionally vulnerable applications, and web applications. I've also provided technology advice to startups and small companies. Currently, I'm based in Modi'in, Israel.
Xitter - @sirappsec
Linkedin - https://www.linkedin.com/in/amitsrour/