2025-04-28 –, MAIN TRACK
This talk will cover key exploitation techniques for RESTful, SOAP, GraphQL, and gRPC APIs, based on the OWASP API Security Top 10. It will include practical demonstrations of vulnerabilities like injection flaws, broken authentication, and data exposure using tools like Burp Suite and custom scripts. The session will also highlight the Open-Sec framework for structured API penetration testing.
This talk will explore key attack and exploitation techniques for RESTful, SOAP, GraphQL, and gRPC APIs, based on the OWASP API Security Top 10 framework. We'll cover practical methods to identify and exploit vulnerabilities such as injection flaws, broken authentication, and data exposure. The focus will be on real-world attack scenarios using tools like Burp Suite and custom scripts.
We'll dive into specific vulnerabilities for each API type: manipulating RESTful tokens, exploiting GraphQL query injection, compromising gRPC protobuf-based requests, and executing XML external entity (XXE) attacks on SOAP. The session will provide step-by-step demonstrations of these techniques, highlighting how to chain them for maximum impact.
Finally, we'll discuss the Open-Sec framework and how to apply it to API penetration testing. This structured approach—covering reconnaissance, scanning, testing, and analysis—will help identify and exploit complex vulnerabilities, offering actionable insights to improve API security.
Toshiro Nagata Bolivar is an Offensive Security Lead at Open-Sec and a professor at the Catholic University of Santa María (UCSM). He has extensive experience in cybersecurity and holds multiple industry-recognized certifications, including Certified Red Team Operator (CRTO), Certified Network Defender (CND), DevSecOps Engineer (ECDE) from EC-Council, eLearnSecurity Certified Professional Penetration Tester (eCPPTv2), Web Application Penetration Tester (eWPT), Junior Penetration Tester (eJPT), Certified API Security Analyst (CASA), and Multi-Cloud Red Teaming Analyst (MCRTA), among others.
At Open-Sec, Toshiro specializes in offensive security, penetration testing, and vulnerability analysis, focusing on API security and the OWASP framework. His expertise includes web and infrastructure penetration testing in both internal and external networks, threat intelligence analysis, and real-world red teaming engagements. He is also involved in research on DLL Hijacking and API security exploitation, including advanced testing of RESTful, GraphQL, SOAP, and gRPC APIs.
As a professor at UCSM, Toshiro teaches cybersecurity, network infrastructure, and system security, contributing to the development of the next generation of security professionals. His work bridges the gap between theory and practice, applying real-world offensive security techniques to academic training and research.