POC with Nykaa

POC setup:

- 6 repositories {…}
- Swagger
- App Sentinel
- Kong

Results:

560 APIs discovered by p0 (see dashboard Tab #1)

APIs in Swagger vs. p0:
  103 APIs are undocumented
  43% of documented APIs have parameter differences (see the "Compare Data" dashboard, Tab #3)

273 total external APIs (see dashboard Tab #3), of which:
  140 external APIs are in App Sentinel
  133 external APIs are NOT in App Sentinel but were found by p0

  // Sample APIs from the list:
    POST /v1/giftcard/apply
      Response: 400 "Invalid parameter received in request"
    DELETE /v1/reward/remove
      Response: 400 "Invalid parameter received in request"

  24 zombie APIs are NOT in App Sentinel but were found by p0
  30 external APIs found by p0 are in App Sentinel but do not come from FE-API
  103 external APIs are in Kong
  170 external APIs are NOT in Kong but were found by p0

  // Sample APIs from the list:
    GET /v1/shipping/pakkapromise
      Response: 400 "Invalid parameter received in request"
    GET /user/getRetailerCreditInfo
      Response: 401 "Unauthorized"

158 Zombie APIs found (28% of the 560 discovered APIs)
  32 Zombie APIs with PII (20% of the zombie APIs; see dashboard Tab #2)

  // Sample APIs from the list:
    GET /fe-api/cartapi/test
      Response: 200 "All is well for now"
    POST /fe-api/cartapi/addSample
      Response: 500 "INTERNAL_SERVER_ERROR"
    POST /fe-api/cartapi/addSample/v2
      Response: 500 "INTERNAL_SERVER_ERROR"
    GET /fe-api/credit/history/all
      Response: 200 "Loan not found"
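The buckets above (undocumented APIs, documented APIs whose parameters differ, external APIs that bypass the gateway, zombie APIs and zombies touching PII) all come from one operation: reconciling the inventory a code scan produces against the Swagger document, the gateway route table and observed traffic. The script below is an added example of that reconciliation, not p0's tooling. It assumes a zombie is a discovered endpoint with zero hits in the traffic window (the page does not state p0's exact criterion), models the PII finding as a boolean flag a scanner would attach to a handler, and uses constructed inputs throughout: the paths are borrowed from the POC's sample lists, while the parameter names, OpenAPI document, Kong routes and hit counts are invented.

```python
"""Reconcile an API inventory discovered from source code against a Swagger/OpenAPI
document, a gateway route table and observed traffic. Added example, not p0's code;
every input below is constructed (paths borrowed from the POC's sample list, params
and hit counts invented)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Key = Tuple[str, str]  # (METHOD, /normalised/path)
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def normalize(method: str, path: str) -> Key:
    """Canonicalise an API identity so inventories from different sources line up.

    Scanners, Swagger and gateways disagree on leading/trailing slashes and verb
    case: "delete v1/reward/remove/" and "DELETE /v1/reward/remove" are one API.
    """
    return method.strip().upper(), "/" + path.strip().strip("/")


@dataclass(frozen=True)
class Endpoint:
    method: str
    path: str
    params: FrozenSet[str]  # request parameter names the handler reads
    pii: bool = False       # assumed scanner flag: handler touches PII fields


def parse_openapi(spec: dict) -> Dict[Key, Set[str]]:
    """Flatten an OpenAPI 3 document to {(METHOD, path): {documented param names}}."""
    documented: Dict[Key, Set[str]] = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:  # skip path-level "parameters"/"summary"
                continue
            names = {p["name"] for p in op.get("parameters", [])}
            body = op.get("requestBody", {}).get("content", {}).get("application/json", {})
            names |= set(body.get("schema", {}).get("properties", {}))  # body fields count too
            documented[normalize(method, path)] = names
    return documented


def reconcile(discovered: Iterable[Endpoint], spec: dict,
              gateway_routes: Iterable[Tuple[str, str]],
              traffic_counts: Dict[Tuple[str, str], int]) -> dict:
    """Produce the buckets the POC dashboard reports."""
    documented = parse_openapi(spec)
    disc: Dict[Key, Endpoint] = {normalize(e.method, e.path): e for e in discovered}
    routed: Set[Key] = {normalize(m, p) for m, p in gateway_routes}
    hits: Dict[Key, int] = {normalize(m, p): n for (m, p), n in traffic_counts.items()}

    in_spec = [k for k in disc if k in documented]
    undocumented = sorted(k for k in disc if k not in documented)
    # Documented, but the code reads a different parameter set: spec drift.
    param_diff = sorted(k for k in in_spec if set(disc[k].params) != documented[k])
    unrouted = sorted(k for k in disc if k not in routed)  # reachable, but bypass the gateway
    # Zombie criterion assumed here: present in code, zero hits in the traffic window.
    zombies = sorted(k for k in disc if hits.get(k, 0) == 0)
    zombies_pii = [k for k in zombies if disc[k].pii]

    def pct(part: List[Key], whole) -> int:
        return round(100 * len(part) / len(whole)) if whole else 0

    return {
        "discovered": len(disc),
        "undocumented": undocumented,
        "param_diff": param_diff,
        "param_diff_pct_of_documented": pct(param_diff, in_spec),
        "unrouted": unrouted,
        "zombies": zombies,
        "zombie_pct": pct(zombies, disc),
        "zombies_pii": zombies_pii,
        "zombie_pii_pct": pct(zombies_pii, zombies),
    }


# --- constructed inputs (not real Nykaa data) --------------------------------
DISCOVERED = [  # what a code scan of the repositories would emit
    Endpoint("POST", "/v1/giftcard/apply", frozenset({"code", "user_id"})),
    Endpoint("DELETE", "v1/reward/remove", frozenset({"reward_id"})),  # no leading slash
    Endpoint("GET", "v1/shipping/pakkapromise", frozenset({"pincode"})),
    Endpoint("GET", "user/getRetailerCreditInfo", frozenset({"retailer_id"}), pii=True),
    Endpoint("GET", "/fe-api/cartapi/test", frozenset()),
    Endpoint("POST", "/fe-api/cartapi/addSample", frozenset({"sku"})),
    Endpoint("GET", "/fe-api/credit/history/all", frozenset({"customer_id"}), pii=True),
]
SWAGGER = {"openapi": "3.0.0", "paths": {
    "/v1/giftcard/apply": {"post": {"requestBody": {"content": {"application/json": {
        "schema": {"type": "object", "properties": {"code": {"type": "string"}}}}}}}},
    "/v1/shipping/pakkapromise": {"get": {"parameters": [{"name": "pincode", "in": "query"}]}},
    "/user/getRetailerCreditInfo": {"get": {"parameters": [{"name": "retailer_id", "in": "query"}]}},
}}
KONG_ROUTES = [("POST", "/v1/giftcard/apply"), ("GET", "/v1/shipping/pakkapromise/")]
TRAFFIC_7D = {("post", "/v1/giftcard/apply"): 12840, ("GET", "/v1/shipping/pakkapromise"): 9310,
              ("DELETE", "/v1/reward/remove"): 17, ("GET", "/user/getRetailerCreditInfo"): 402}

if __name__ == "__main__":
    report = reconcile(DISCOVERED, SWAGGER, KONG_ROUTES, TRAFFIC_7D)
    for bucket, value in report.items():
        print(f"{bucket}: {value}")
```

Normalising identities before any set operation is the step that decides whether the numbers are trustworthy: without it, `v1/reward/remove` from the scanner and `/v1/reward/remove` from the gateway count as two different APIs and inflate every "NOT in" bucket. The parameter comparison is deliberately strict (any name present in code but absent from the spec, or vice versa, is drift), which is what makes a 43% difference rate plausible and is exactly what a VAPT scope built from Swagger alone would miss.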

p0 recommendation:

1. Blacklist all zombie APIs.

2. Route all external API requests through Kong (170 of the 273 external APIs found by p0 are not in Kong today).

3. Update the API attack surface used for VAPT with p0's external API list.

4. Update App Sentinel with p0's external API list for testing.

5. In a commercial rollout, p0 will integrate with Nykaa's APM / log provider and cover 100% of Nykaa's codebase.

6. Nykaa's security team will have real-time access to their entire, continuously updated API attack surface along with API-level traffic data, with zero DevOps dependency.

© 2024 p0. All rights reserved.