BSides København 2022: An Attacker's Guide to Hiding your Back-end APIs

Day of talk: October 08, 2022

The conference: BSides København 2022

Do you have a web application with complex functionality? Are you exposing too much of your application's back-end APIs to potential attackers? My BSides Copenhagen 2022 talk covered how you can reduce your attack surface and hide information about the APIs from malicious attackers, so that you can make your application more secure.

Abstract of the Talk and Paper:

When it is possible for an attacker to obtain a lot of detailed information about a web application, it shortens the time needed to find any potential vulnerabilities in that application. In this talk, we discuss how you can 'hide' information about your back-end application through various methods, to hinder an attacker's ability to gather useful information through reconnaissance and to reduce your publicly accessible attack surface. The methods described are proxying, having the front-end fetch information and proxy requests, and using serverless functions to pass requests to the back-end. We furthermore discuss some of the security implications of opting for one of these solutions, along with added security measures that could further increase the security of the back-end APIs.
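As an added example (not code from the talk or the conference paper), the following Python sketch shows the kind of proxy or serverless-function layer the abstract describes: clients only ever see opaque public routes, unknown paths get a uniform 404, only allow-listed request headers are forwarded, and fingerprinting headers and server error details are stripped before the response leaves. The route names, internal URLs, header names and the stand-in back-end are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Public, opaque routes -> internal back-end endpoints (never shown to clients).
# Hostnames and paths are constructed for illustration.
ROUTE_MAP: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("GET", "/api/v1/me"): ("GET", "http://backend.internal:8080/users/current"),
    ("POST", "/api/v1/orders"): ("POST", "http://backend.internal:8080/order-service/v3/create"),
}
# Request headers the proxy is willing to forward; everything else is dropped.
FORWARD_ALLOWLIST = {"content-type", "accept", "authorization"}
# Response headers that reveal the back-end stack and must not reach the client.
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "via"}

@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: bytes

Upstream = Callable[[str, str, Dict[str, str], bytes], Response]

def proxy_request(method: str, path: str, headers: Dict[str, str],
                  body: bytes, upstream: Upstream) -> Response:
    key = (method.upper(), path)
    if key not in ROUTE_MAP:
        # Same answer for "exists but not mapped" and "does not exist", so the
        # public surface gives no hint about internal paths.
        return Response(404, {"content-type": "application/json"}, b'{"error":"not found"}')
    up_method, up_url = ROUTE_MAP[key]
    forwarded = {k: v for k, v in headers.items() if k.lower() in FORWARD_ALLOWLIST}
    resp = upstream(up_method, up_url, forwarded, body)
    if resp.status >= 500:
        # Collapse server errors so stack traces and internal hostnames never leak.
        return Response(502, {"content-type": "application/json"}, b'{"error":"upstream error"}')
    clean = {k: v for k, v in resp.headers.items() if k.lower() not in FINGERPRINT_HEADERS}
    return Response(resp.status, clean, resp.body)

# Constructed stand-in for the real back-end; records what it received (no network).
LAST_FORWARDED: Dict[str, str] = {}

def fake_upstream(method: str, url: str, headers: Dict[str, str], body: bytes) -> Response:
    LAST_FORWARDED.clear()
    LAST_FORWARDED.update(headers)
    if url.endswith("/users/current"):
        return Response(200, {"Server": "Jetty(9.4)", "X-Powered-By": "Express",
                              "content-type": "application/json"}, b'{"id":42}')
    return Response(500, {"Server": "Jetty(9.4)"}, b"Traceback ... at backend.internal")
```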

If you wish to get more details, you may be interested in reading the conference paper.

Slides from the talk:

Here you can follow along using the slides, as they are not easily visible in the video.
