
Abusing Web APIs: The Mobile and Server Side Dilemma for the Enterprise


Thursday, December 5, 2013


Abusing Web APIs Through Scripted Android Applications by Daniel Peck
Enterprise API Security Choices by Blake Dournaee

Enterprise security teams are dealing with a deluge of API deployments from internal SOA, B2B partner APIs, corporate BYOD initiatives, and open developer community API innovation. Applying consistent threat protection, authentication, rate limits, security standards, and general corporate visibility into API security vulnerabilities from device to the server side is a complex endeavor.

To illustrate the issues, we dive into an example of abusing web application APIs through the Android apps that consume them. We'll demonstrate using the JVM-based scripting language JRuby to load, modify, and run code from targeted APKs in an easily scriptable way. We'll leverage this to demonstrate attacks against web APIs that have reduced their security requirements in order to allow for a frictionless mobile experience, such as removing the need for CAPTCHAs, email validation, and other usage restrictions: once the app's own code and embedded credentials can be driven from a script, the server has no way to tell the real app from the attacker's loop.
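The server-side shape of the problem, as an added example in Ruby (not code from the talk or from either speaker's products): a minimal account-registration service written two ways. `VulnerableSignup` gives the Android app a "frictionless" path gated on a client header and a secret compiled into the APK; once the app has been unpacked and scripted, an attacker presents exactly the same header and secret. `HardenedSignup` applies rate limiting, CAPTCHA and email verification to every caller regardless of what it claims to be. The class and header names, the secret, the CAPTCHA stand-in and the limits are all hypothetical and constructed for the example.

```ruby
# Added example, not the talk's code. Two registration endpoints: one with a
# mobile bypass, one that treats the app's embedded secret as a label only.
# All names, the secret and the limits are hypothetical.

APP_SECRET = 'hypothetical-secret-compiled-into-the-apk'.freeze # constructed

# One request as a plain hash: ip is what the server observes, everything
# else is caller-controlled.
def make_request(ip:, email:, captcha: nil, client: nil, app_secret: nil)
  { ip: ip, email: email, captcha: captcha, client: client, app_secret: app_secret }
end

# Stand-in for a real CAPTCHA verifier: 'solved' means the token checked out.
def captcha_ok?(token)
  token == 'solved'
end

class VulnerableSignup
  attr_reader :accounts

  def initialize
    @accounts = []
  end

  # Browsers must solve a CAPTCHA and the account stays unverified until the
  # e-mail link is clicked. The app skips both if it shows the embedded
  # secret. That is the bypass: the secret is a property of the APK file,
  # not of the person or device sending the request.
  def register(req)
    if req[:client] == 'android' && req[:app_secret] == APP_SECRET
      @accounts << { email: req[:email], verified: true }
      return :created_active
    end
    return :captcha_required unless captcha_ok?(req[:captcha])

    @accounts << { email: req[:email], verified: false }
    :created_pending_email
  end
end

class HardenedSignup
  attr_reader :accounts

  WINDOW = 3600   # seconds
  MAX_PER_IP = 3  # registration attempts per source address per window

  def initialize(clock: -> { Time.now.to_f })
    @accounts = []
    @clock = clock
    @seen = Hash.new { |h, k| h[k] = [] } # ip => attempt timestamps
  end

  # The app secret only labels the client family for logging; it never
  # relaxes a control. The rate limit counts attempts, not successes, so a
  # script cannot burn through CAPTCHA guesses either.
  def register(req)
    return :rate_limited if over_limit?(req[:ip])
    return :captcha_required unless captcha_ok?(req[:captcha])

    @accounts << { email: req[:email], verified: false,
                   client: req[:app_secret] == APP_SECRET ? 'android' : 'web' }
    :created_pending_email
  end

  private

  def over_limit?(ip)
    now = @clock.call
    stamps = @seen[ip]
    stamps.reject! { |t| now - t > WINDOW }
    return true if stamps.size >= MAX_PER_IP

    stamps << now
    false
  end
end

# The attacker's loop: the same header and secret the real app sends, from
# one address, with or without a CAPTCHA-solving service behind it.
def scripted_abuse(service, count, captcha: nil)
  tally = Hash.new(0)
  count.times do |i|
    req = make_request(ip: '198.51.100.7', email: "bot#{i}@example.test",
                       captcha: captcha, client: 'android', app_secret: APP_SECRET)
    tally[service.register(req)] += 1
  end
  tally
end

if $PROGRAM_NAME == __FILE__
  p scripted_abuse(VulnerableSignup.new, 50)                   # 50 active accounts
  p scripted_abuse(HardenedSignup.new, 50)                     # 3 CAPTCHA prompts, 47 rate-limited
  p scripted_abuse(HardenedSignup.new, 50, captcha: 'solved')  # 3 pending accounts, 47 rate-limited
end
```

Against the vulnerable endpoint the script mints fifty verified accounts from one address without ever seeing a CAPTCHA; against the hardened one the same script gets three attempts per window and every account it does create still has to clear email verification. The point is not that mobile clients cannot be given a smoother flow, but that whatever smooths it must not be something an attacker can lift out of the APK.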


Daniel Peck is a research scientist and data junkie at Barracuda Networks. He is currently focused on studying the use of social networks as a medium for attacks. Previous research includes comparing content-based and non-content-based systems for identifying malicious accounts on Twitter and Facebook, exploiting programmable logic controllers, and identifying and classifying malicious JavaScript. Peck has a Bachelor of Science in Computer Science from the Georgia Institute of Technology.

Sponsor Speaker:

Blake Dournaee is currently the Sr. Product Manager responsible for the Intel Expressway line of API Gateway and Data Protection software products. Blake was a specialist in applied cryptography applications at RSA Security and is a frequent speaker at API and PCI-DSS conferences. Blake co-authored the first book on XML security, "SOA Demystified", from Intel Press. Blake blogs at Intel's Application Security site.


Intel Expressway Software for API Management & Compliant Data Protection

Intel delivers a portfolio of enterprise-class data center software products designed to help expose app APIs and data across on-prem, cloud, hybrid, and mobile environments. The portfolio includes on-prem and SaaS API management portal solutions, seamlessly integrated with an API Gateway for security.

