Day of talk: October 08, 2022
The conference: BSides København 2022
Do you have a web application that has complex functionality? Are you exposing too much of the back-end APIs of your application to potential attackers? My BSides Copenhagen 2022 talk covered how can reduce your attack surface and hide information about the APIs from malicious attackers, so that you may make your application more secure.
When it is possible for an attacker to obtain a lot of detailed information about a web application, it speeds up the time needed to find any potential vulnerabilities in said application. In this talk, we discuss how you can 'hide' information about your back-end application through various methods, to hinder an attacker to be able to gather useful information through reconnaissance and to reduce your publicly accessible attack surface. The methods described are proxying, having the front-end fetch information and proxy requests, and using serverless functions to pass requests to the back-end. We, furthermore, discuss some of the security implications of opting for one of these solutions, along with added security measures that could further increase the security of the back-end APIs.
If you wish to get more details, then you may be interested in reading: The conference paper
Here you can follow along using the slides, as they are not easily visable in the video.