Hacking APIs. Early Access. No Starch Press Early Access Program: Feedback Welcome. Welcome to the Early Access edition of the as yet unpublished Hacking APIs by Corey J. Ball. As a prepublication title, this book may be incomplete and some chapters may not have been proofread. Our goal is always to make the best books possible, and we look forward to hearing your thoughts. If you have any comments or questions, email us at earlyaccess@nostarch.com.
THE STATE OF WEB API SECURITY
Preparing for API Security Testing
Khawaja, Gus. Kali Linux Penetration Testing Bible. Indianapolis, IN: Wiley, 2021.
Li, Vickie. Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities. San Francisco: No Starch Press, 2021.
Weidman, Georgia. Penetration Testing: A Hands-On Introduction to Hacking. San Francisco: No Starch Press, 2014.
How Web Applications Work
Hoffman, Andrew. Web Application Security: Exploitation and Countermeasures for Modern Web Applications. Sebastopol, CA: O’Reilly, 2020.
“HTTP Response Status Codes.” MDN Web Docs. https://developer.mozilla.org/en-US/docs/Web/HTTP/Status.
Stuttard, Dafydd, and Marcus Pinto. Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws. Indianapolis, IN: Wiley, 2011.
The Anatomy of Web APIs
“API University: Best Practices, Tips & Tutorials for API Providers and Developers.” ProgrammableWeb. https://www.programmableweb.com/api-university.
Barahona, Dan. “The Beginner’s Guide to REST API: Everything You Need to Know.” APIsec, June 22, 2020. https://www.apisec.ai/blog/rest-api-and-its-significance-to-web-service-providers.
Madden, Neil. API Security in Action. Shelter Island, NY: Manning, 2020.
Richardson, Leonard, and Mike Amundsen. RESTful Web APIs. Beijing: O’Reilly, 2013.
Siriwardena, Prabath. Advanced API Security: Securing APIs with OAuth 2.0, OpenID Connect, JWS, and JWE. Berkeley, CA: Apress, 2014.
LAB SETUP
Setting Up an API Hacking System
“Introduction.” Postman Learning Center. https://learning.postman.com/docs/getting-started/introduction.
O’Gorman, Jim, Mati Aharoni, and Raphael Hertzog. Kali Linux Revealed: Mastering the Penetration Testing Distribution. Cornelius, NC: Offsec.
“Web Security Academy.” PortSwigger. https://portswigger.net/web-security.
ATTACKING APIS
Discovering APIs
“API Directory.” ProgrammableWeb. https://www.programmableweb.com/apis/directory.
Doerrfeld, Bill. “API Discovery: 15 Ways to Find APIs.” Nordic APIs, August 4, 2015. https://nordicapis.com/api-discovery-15-ways-to-find-apis.
Faircloth, Jeremy. Penetration Tester’s Open Source Toolkit. 4th ed. Amsterdam: Elsevier, 2017.
“Welcome to the RapidAPI Hub.” RapidAPI. https://rapidapi.com/hub.
Attacking API Authentication
PART I: THE STATE OF WEB API SECURITY
Chapter 0: Preparing for API Security Testing
Chapter 1: How Web Applications Work
Chapter 2: The Anatomy of Web APIs
Chapter 4: Setting Up an API Hacking System
Chapter 5: Setting Up Vulnerable API Targets
PART IV: REAL-WORLD API HACKING
Chapter 13: Evasive Techniques and Rate Limit Testing
Chapter 14: Attacking GraphQL
The chapters in red are included in this Early Access PDF.
To my wonderful wife Kristin and our three beautiful daughters, Vivian, Charlise, and Ruby: your joyful distractions have brought immense happiness into my life, even if they occasionally led to minor mishaps. You are my greatest treasures, and my love for you knows no bounds.
Corey Ball is a prominent cybersecurity consulting leader at Moss Adams, specializing in penetration testing services. With over a decade of experience in IT and cybersecurity, he has worked across diverse sectors such as aerospace, agribusiness, energy, fintech, government services, and healthcare.
In addition to bachelor’s degrees in both English and philosophy from Sacramento State University, he holds the OSCP, CCISO, CEH, CISA, CISM, CRISC, and CGEIT industry certifications.
Alex Rifman, a seasoned expert in the security industry, specializes in defense strategies, incident response, threat intelligence, and risk management. Currently, he leads customer success at APIsec, a company focused on API security, where he collaborates with clients to ensure the security of their APIs.
PART I: THE STATE OF WEB API SECURITY 1
Chapter 0: Preparing for API Security Testing
Chapter 1: How Web Applications Work
Chapter 2: The Anatomy of Web APIs
Chapter 4: Setting Up an API Hacking System 71
Chapter 5: Setting Up Vulnerable API Targets 109
PART IV: REAL-WORLD API HACKING 265
Chapter 13: Evasive Techniques and Rate Limit Testing 267
The Allure of Hacking Web APIs xxiv
Hacking the API Restaurant xxv
PART I: THE STATE OF WEB API SECURITY 1
0 PREPARING FOR API SECURITY TESTING 3
Threat Modeling an API Test 4
Which API Features You Should Test 6
A Note on Bug Bounty Scope 11
How APIs Fit into the Picture 25
2 THE ANATOMY OF WEB APIS 27
APIs in Action: Exploring Twitter’s API 48
Lack of Resources and Rate Limiting 59
4 SETTING UP AN API HACKING SYSTEM 71
Analyzing Web Apps with DevTools 72
Capturing and Modifying Requests with Burp Suite 75
Adding the Burp Suite Certificate 76
Crafting API Requests in Postman, an API Browser 84
Configuring Postman to Work with Burp Suite 95
Performing Reconnaissance with OWASP Amass 97
Discovering API Endpoints with Kiterunner 98
Scanning for Vulnerabilities with Nikto 99
Scanning for Vulnerabilities with OWASP ZAP 100
Discovering HTTP Parameters with Arjun 102
Lab #1: Enumerating the User Accounts in a REST API 103
5 SETTING UP VULNERABLE API TARGETS 109
Installing Docker and Docker Compose 110
The completely ridiculous API (crAPI) 111
Hacking APIs on TryHackMe and HackTheBox 115
Lab #2: Finding Your Vulnerable APIs 116
Finding Hidden Paths in Robots.txt 139
Finding Sensitive Information with Chrome DevTools 139
Validating APIs with Burp Suite 142
Crawling URIs with OWASP ZAP 143
Brute-Forcing URIs with Gobuster 145
Discovering API Content with Kiterunner 146
Lab #3: Performing Active Recon for a Black Box Test 148
Adding API Authentication Requirements to Postman 164
Lab #4: Building a crAPI Collection and Discovering Excessive Data Exposure 174
Password Reset and Multifactor Authentication Brute-Force Attacks 181
Including Base64 Authentication in Brute-Force Attacks 185
Lab #5: Cracking a crAPI JWT Signature 197
Fuzzing Deep with Burp Suite 210
Fuzzing Wide for Improper Assets Management 214
Testing Request Methods with Wfuzz 216
Fuzzing “Deeper” to Bypass Input Sanitization 217
Lab #6: Fuzzing for Improper Assets Management Vulnerabilities 219
Testing for BFLA in Postman 228
Burp Suite Match and Replace 231
Lab #7: Finding Another User’s Vehicle Location 232
Automating Mass Assignment Attacks with Arjun and Burp Suite Intruder 241
Combining BFLA and Mass Assignment 242
Lab #8: Changing the Price of Items in an Online Store 243
Lab #9: Faking Coupons Using NoSQL Injection 261
PART IV: REAL-WORLD API HACKING 265
13 EVASIVE TECHNIQUES AND RATE LIMIT TESTING 267
Automating Evasion with Burp Suite 273
A Note on Lax Rate Limits 276
Rotating IP Addresses in Burp Suite 280
Reverse Engineering the GraphQL API 290
Directory Brute-Forcing for the GraphQL Endpoint 290
Cookie Tampering to Enable the GraphiQL IDE 292
Reverse Engineering the GraphQL Requests 294
Reverse Engineering a GraphQL Collection Using Introspection 296
Crafting Requests Using the GraphiQL Documentation Explorer 297
Using the InQL Burp Extension 298
The Price of Good API Keys 312
Starbucks: The Breach That Never Was 315
Envision a world where transferring money to a friend demands more than just a few clicks in an app, where tracking your daily steps, exercise, and nutrition necessitates juggling multiple applications, and where comparing airfares means painstakingly visiting each airline's website individually.
APIs have revolutionized the way companies collaborate and develop applications, acting as the essential link that connects various systems. Their widespread adoption has significantly transformed enterprise operations, as highlighted by an Akamai report from October 2018, which revealed that API calls constituted a remarkable 83 percent of all web traffic.
Cybercriminals are increasingly targeting APIs due to their rich sources of sensitive information and frequent security vulnerabilities. As valuable assets on the internet, APIs present a lucrative opportunity for malicious actors looking to exploit these weaknesses.
APIs are essential in application architecture, facilitating communication between users and backend systems. For instance, when checking a bank balance or applying for a loan, APIs request and deliver sensitive information like account details and credit histories. Positioned at a crucial intersection, APIs protect valuable data; however, if compromised by cybercriminals, they can lead to unauthorized access to sensitive information.
Despite the widespread adoption of APIs, security measures remain inadequate. In a recent discussion with the chief information security officer of a century-old energy company, it was revealed that APIs are utilized extensively across the organization. However, he emphasized a concerning trend: upon closer inspection, many APIs are found to have excessive permissions.
Developers face immense pressure to quickly fix bugs, release updates, and enhance functionalities, often leading to a rapid cycle of nightly builds and daily commits. This fast-paced environment leaves little time to thoroughly assess the security implications of each change, resulting in the inadvertent introduction of undiscovered vulnerabilities into their products.
Lax API security practices can lead to serious consequences, as demonstrated by the US Postal Service's Informed Visibility API, which was designed for package tracking. Although the API required user authentication to access information, once authenticated, individuals could view the account details of other users, compromising the privacy of 60 million users. This incident highlights the critical need for robust security measures in API development to protect sensitive user data.
Peloton, the fitness company, utilizes APIs for its apps and equipment. However, one of its APIs lacked authentication, enabling unauthorized requests to access account information from any of the four million Peloton devices. This vulnerability exposed potentially sensitive user data, including that of prominent users like US President Joe Biden, highlighting the risks associated with unsecured endpoints.
The electronic payment firm Venmo utilizes APIs to connect its applications with financial institutions, but a marketing API inadvertently exposed sensitive transaction data, leading to the harvesting of 200 million transactions by malicious users. This incident underscores a growing trend, as Gartner predicts API breaches will become the most common attack vector by 2022, with IBM reporting that two-thirds of cloud breaches stem from API misconfigurations. Current application security solutions primarily focus on traditional attack types and vulnerabilities, utilizing automated scanners and web application firewalls, which are inadequate for addressing the unique security challenges posed by APIs.
API vulnerabilities are infrequent and vary significantly between different APIs, often differing from those seen in traditional applications. A notable example is the USPS breach, which stemmed from a business logic flaw rather than a security misconfiguration. This flaw allowed an authenticated user to unintentionally access another user's data, highlighting the issue of broken object level authorization. Such vulnerabilities arise when application logic inadequately restricts access for authorized users.
Unique API logic flaws represent zero-day vulnerabilities specific to individual APIs, highlighting the need for resources like this book to educate penetration testers and bug bounty hunters on API security. As security increasingly integrates into engineering and development processes, it is essential for modern engineering teams to prioritize API security, making this book a valuable guide for conducting security testing alongside functional and unit testing.
Effective API security testing requires a continuous and comprehensive approach, integrating testing into the development cycle to ensure that every release is thoroughly vetted before production. Relying on infrequent tests, such as once or twice a year, is inadequate in keeping pace with rapid updates. Identifying API vulnerabilities demands new skills, tools, and innovative strategies, highlighting the urgent need for enhanced API security measures in today's digital landscape.
Dan Barahona Chief Strategy Officer, APIsec.ai Inc.
Before we begin, I must thank and acknowledge some giants whose shoulders I have stood on for the creation of this book:
My family and friends for supporting me in all my endeavors.
API Fuzzing
“Fuzzing.” OWASP. https://owasp.org/www-community/Fuzzing.
Exploiting API Authorization
Shkedy, Inon. “A Deep Dive on the Most Critical API Vulnerability—BOLA (Broken Object Level Authorization).” https://inonst.medium.com.
Exploiting Mass Assignment
“Mass Assignment Cheat Sheet.” OWASP Cheat Sheet Series. https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html.