OPEN TALK (API): How Attackers Utilize API Specs to Attack Your APIs


Jason Kent
Cequence Security, Hacker in Residence

For over the last 20 years, Jason has been ethically peering into Client Behavior, Wireless Networks, Web Applications, APIs and Cloud Systems, helping organizations secure their assets and intellectual property from unauthorized access. As a consultant he's taken hundreds of organizations through difficult compliance mine fields, ensuring their safety. As a researcher he has found flaws in consumer IOT systems and assisted in hardening them against external attacks. At Cequence Security Jason does research, community outreach and supports efforts in identifying Automated Attacks against Web, Mobile, and API-based Applications to keep Cequence's customers safe.


API Specifications are extremely useful for security teams to monitor API security/compliance conformance and make suggestions to keep your APIs secure. Many organizations however, are generating specs that security teams are unaware of and often are found by would-be attackers. In this session I will show some of the frameworks and tools utilized by attackers to find your API endpoints and enumerate endpoints that are missing standard security measures and are open for attack.