API Penetration Testing
By Fawaz Al-Mutairi
Who am I
● Instructor - CODED (joincoded.com)
● Software Developer - CODED (joincoded.com)
● Penetration tester - (Hobby and Passion)
● Been in the field for more than 10 years
● Find me on Twitter @Q8Fawazo / Github @smokeme
What is an API?
1. A way of communication between two different applications.
2. Mostly used whenever we find a JavaScript frontend like React/Vue/Angular
3. It’s a way for mobile applications to communicate with their external servers
Why is API pentesting important ?
1. It’s the side that a user normally doesn’t see
2. Developers usually do a sloppy job creating API endpoints, which results in either logic problems or actual exploitation
API types
From oldest to newest:
1. SOAP ( Only XML )
2. REST ( JSON / XML / URL Params )
3. GraphQL
SOAP API
Common Vulnerabilities:
1. Uses XML ( XML Injection is possible )
2. SQL Injection in parameters
3. Command Injection
4. Actions can be enumerated easily
REST API
Common Vulnerabilities:
1. Sensitive Data exposure
2. Injections (OS / SQL)
3. Broken Access Control
4. Endpoints can be enumerated easily based on the REST API design
It’s not always Remote Code Execution
● Don’t expect to get a Remote Code Execution
● Most of your findings will be broken access control
● APIs are mostly forgotten about, thought of as something no one will see, which makes them a prime target for exploitation
● By Exploitation I mean Data leakage (Information a user should not get)
Abusing RESTful API Design
1. Enumerating API endpoints
a. Gobuster/wfuzz/ffuf
b. https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/api/objects.txt
2. Finding HTTP methods
a. `wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS-PUT -X FUZZ http://example.com/api/post/1/`
3. Attempting to break access control
a. Example: Deleting another user’s post or being able to edit it
The devil is in the details
**Real life example**: Leaking user data with incremental user ID
1. http://example.com/customers/123 (401)
2. http://example.com/customers/123/loans (200)
3. http://example.com/customers/123/loans/456 (200)
Sometimes the original endpoint is protected, but whatever is built on top of it is completely ignored and therefore exploitable
Please give me everything
**Real Life Example**: Why take something when you can take everything?
1. Enumerating http://example.com/api/FUZZ resulted in nothing :(
2. https://dnsdumpster.com/ shows that http://dev.example.com is live!
3. The development server has `DEBUG` enabled. So what?
4. 317 different URLs to try and exploit
5. We find an unprotected URL `/api/users_csv` which exports all users
J WHAT??
JSON Web Token (JWT)
1. I love these things: if you are able to exploit them you should have the ability to impersonate any other user
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjEiLCJ1c2VybmFtZSI6ImFkbWluIn0.jVtJk3YGctVUhwQpPz58i_IRPKdfmjWjLQpM9u5zI9Y
2. You can use https://jwt.io to decode the JWT token and find interesting information
3. Lots of attacks can be applied to JWT tokens; they are collected here: https://github.com/ticarpi/jwt_tool
4. JWT tokens depend on a secret key; if a development server leaks it, it's game over
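An added example, not from the slides: a minimal HS256 verifier in pure Python. It decodes the slide's token the way jwt.io does (no secret needed to read the claims), then shows the server-side check that only a holder of the signing secret can pass. `DEMO_SECRET` is a constructed placeholder; the secret that actually signed the slide's token is not known.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Token from the slides; header and payload are base64url JSON, readable by anyone.
SLIDE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
               "eyJpZCI6IjEiLCJ1c2VybmFtZSI6ImFkbWluIn0."
               "jVtJk3YGctVUhwQpPz58i_IRPKdfmjWjLQpM9u5zI9Y")
# Constructed secret for this demo only; the real one must never sit in a dev dump.
DEMO_SECRET = b"dev-secret"

def b64url_decode(s: str) -> bytes:
    # JWT strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_unverified(token: str) -> Tuple[dict, dict]:
    """What jwt.io shows: claims are readable without the secret (and unverified)."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a token as the server would: HMAC-SHA256 over 'header.payload'."""
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "HS256", "typ": "JWT"}) + "." + compact(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Server-side check: return the claims only if the signature is valid, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Pin the algorithm the server expects; the token's own header is untrusted input.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    # Constant-time compare so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(payload_b64))
```

Signing the same claims with `DEMO_SECRET` reproduces the slide token's header and payload exactly; only the signature differs, which is why a leaked secret is the whole game.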
Demo
*** Sadly I could not get all these different techniques into the demo
*** Will try to show as much as possible within the demo