Challenges in Automatically Testing for API Business Logic Vulnerabilities

As the world of application development is Shifting Left, it has become increasingly clear that security should play an integral part in this practice. Technical challenges arise when attempting to automate vulnerability detection during the development phase, especially with DAST platforms, and even more so with tools that aim to disrupt an application's business logic.

On the one hand, when done correctly, DAST tools have the potential to uncover deep and impactful business logic vulnerabilities like no other type of security tool. On the other hand, how can these tools (and their users) ensure that no stone is left unturned? Has the security test truly understood and challenged the business logic of the application? Has it consumed and subsequently broken all the different flows presented to the client?

In this session, Nir Meiron, Research Team Lead of Noname Security, will present his approach to how the industry can address this challenge, while focusing on the problem of automatically testing APIs for business logic vulnerabilities. Nir will introduce the concepts, methodologies, and algorithms created by his team in their effort to develop an API-oriented DAST tool.

We will explore the challenges involved in automatically testing for critical API vulnerabilities like BOLA and BFLA, and discuss the steps the team took to give a computer the capabilities of a real-life penetration tester.

By leveraging sophisticated mechanisms that map the resources managed by an application, understand the connections between APIs and their purposes, and even verify successful API consumption when interacted with, the team aims to automatically learn the application's business logic. This crucial phase is the key to achieving our goal, and Nir will share insights into how it was accomplished.