API Penetration Testing
By Fawaz Al-Mutairi
Who am I
● Instructor - CODED (joincoded.com)
● Software Developer - CODED (joincoded.com)
● Penetration tester - (Hobby and Passion)
● Been in the field for more than 10 years
● Find me on Twitter @Q8Fawazo / Github @smokeme
What is an API?
1. A way for two different applications to communicate with each other.
2. Mostly found wherever there is a JavaScript frontend such as React/Vue/Angular.
3. The way mobile applications communicate with their backend servers.
● APIs are mostly forgotten about, thought of as something no one will see,
which makes them a prime target for exploitation
1. http://example.com/customers/123 (401)
2. http://example.com/customers/123/loans (200)
3. http://example.com/customers/123/loans/456 (200)
Sometimes the original endpoint is protected, but whatever is built on top of it is
completely ignored and therefore exploitable
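The three responses above are the symptom of an ownership check that lives in only one route handler. The following is an added example, not code from the slides or from any real target: a minimal in-memory model of the `/customers/{id}/loans` routes with constructed sample data, showing the slide's behaviour next to a version where the check runs before anything under `/customers/{id}` is served. The status codes follow the slide (401 when the caller may not see the customer).

```python
"""Added example, not from the slides: why the ownership check has to cover
every route built on top of the protected parent, not just the parent itself."""
import re

# Constructed sample data (not from the slides).
CUSTOMER_OWNER = {"123": "alice", "789": "bob"}   # customer id -> account allowed to read it
LOAN_CUSTOMER = {"456": "123", "999": "789"}      # loan id -> customer it belongs to

# Matches /customers/{cid}, /customers/{cid}/loans and /customers/{cid}/loans/{lid}
ROUTE = re.compile(r"^/customers/(?P<cid>\d+)(?P<loans>/loans(?:/(?P<lid>\d+))?)?$")


def _loan_status(cid, lid):
    """Shared loan lookup: 404 if the loan id does not belong to this customer."""
    if lid is not None and LOAN_CUSTOMER.get(lid) != cid:
        return 404
    return 200


def handle_vulnerable(user, path):
    """Behaviour from the slide: only the customer endpoint checks ownership,
    the loan routes stacked on top of it serve anyone who knows the ids."""
    m = ROUTE.match(path)
    if not m or m.group("cid") not in CUSTOMER_OWNER:
        return 404
    cid, lid = m.group("cid"), m.group("lid")
    if m.group("loans") is None:
        return 200 if CUSTOMER_OWNER[cid] == user else 401
    return _loan_status(cid, lid)   # no ownership check at all on the nested routes


def handle_fixed(user, path):
    """Ownership is decided once, before any route under /customers/{cid} is
    served, so the nested resources inherit the parent's protection."""
    m = ROUTE.match(path)
    if not m:
        return 404
    cid, lid = m.group("cid"), m.group("lid")
    if CUSTOMER_OWNER.get(cid) != user:   # unknown and foreign customers look the same
        return 401
    if m.group("loans") is None:
        return 200
    return _loan_status(cid, lid)


def compare(user, paths):
    """Returns {path: (vulnerable_status, fixed_status)} as a quick audit table."""
    return {p: (handle_vulnerable(user, p), handle_fixed(user, p)) for p in paths}


if __name__ == "__main__":
    # bob probing alice's customer record, the situation on the slide
    probes = ["/customers/123", "/customers/123/loans", "/customers/123/loans/456"]
    for path, (vuln, fixed) in compare("bob", probes).items():
        print(f"{path:<28} vulnerable={vuln} fixed={fixed}")
```

When reviewing an API, `compare` is the shape of the table worth building: for every nested route, one row with a foreign user, and the expectation that the status never drops from 401 on the parent to 200 on a child.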
Please give me everything
**Real Life Example**: Why take something when you can take everything?
1. Enumerating http://example.com/api/FUZZ resulted in nothing :(
2. https://dnsdumpster.com/ shows http://dev.example.com is live!
3. The development server has `DEBUG` enabled. So what?
1. I love these things: if you are able to exploit them you should have the ability to
impersonate any other user
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjEiLCJ1c2VybmFtZSI6ImFkbWluIn0.jVtJk3YGctVUhwQpPz58i_IRPKdfmjWjLQpM9u5zI9Y
2. You can use https://jwt.io to decode the JWT token and find interesting information
3. Lots of attacks can be applied to JWT tokens; they are collected here:
https://github.com/ticarpi/jwt_tool
4. JWT tokens depend on a secret key; if a development server leaks it, it's game over
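The two halves of point 2 and point 4 are easy to confuse: reading a JWT needs no secret, accepting one does. The following is an added example, not code from the slides or from jwt.io or jwt_tool: it decodes the token shown above without verification (which is all jwt.io does), then shows the server-side check that ties the claims to the secret. The secret `SERVER_SECRET` is a constructed value for the demo; the real key behind the slide's token is not known, so the slide token is only decoded, never verified. It uses only the Python standard library.

```python
"""Added example, not from the slides: unverified decode of the slide's JWT
versus the HS256 verification a server must perform before trusting claims."""
import base64
import hashlib
import hmac
import json

# The token from the slide (header.payload.signature).
SLIDE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
               "eyJpZCI6IjEiLCJ1c2VybmFtZSI6ImFkbWluIn0."
               "jVtJk3YGctVUhwQpPz58i_IRPKdfmjWjLQpM9u5zI9Y")

# Constructed secret for the demo server; the slide token's real secret is unknown.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url_decode(text):
    """JWT uses base64url without padding; re-add the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_unverified(token):
    """Header and claims are only base64url encoded, not encrypted: anyone holding
    the token can read them. Never use this result for an authorization decision."""
    head, body, _sig = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body))


def sign_hs256(claims, secret):
    """Issues a token the way the demo server would."""
    header = {"alg": "HS256", "typ": "JWT"}
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def verify_hs256(token, secret):
    """Returns the claims only if the token was signed with `secret`, else None.
    The algorithm is pinned to HS256: the token's own 'alg' header never gets
    to choose how it is verified."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        header = json.loads(b64url_decode(head))
        given = b64url_decode(sig)
    except ValueError:          # bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    return json.loads(b64url_decode(body))


def swap_claims(token, claims):
    """Keeps a token's header and signature but replaces the claims; shows that
    the old signature no longer matches once the payload changes."""
    head, _body, sig = token.split(".")
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{head}.{body}.{sig}"


if __name__ == "__main__":
    print("unverified decode of the slide token:", decode_unverified(SLIDE_TOKEN))
    good = sign_hs256({"id": "2", "username": "guest"}, SERVER_SECRET)
    print("valid token verifies:", verify_hs256(good, SERVER_SECRET))
    edited = swap_claims(good, {"id": "1", "username": "admin"})
    print("claims edited, signature kept:", verify_hs256(edited, SERVER_SECRET))
    other = sign_hs256({"id": "1", "username": "admin"}, b"some-other-key")
    print("signed with a different secret:", verify_hs256(other, SERVER_SECRET))
```

The last two prints come back `None`: without the server's secret, changing `id` to `1` or re-signing with a guessed key produces nothing the verifier accepts. That is exactly why point 4 matters, and why the secret must never sit in a debug page, a repository, or a development server that shares it with production.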
Demo
*** Sadly I could not get all these different techniques into the demo
*** Will try and show as much as possible within the demo