API Penetration Testing

By Fawaz Al-Mutairi
Who am I
● Instructor - CODED ( joincoded.com)
● Software Developer - CODED ( joincoded.com)
● Penetration tester - (Hobby and Passion)
● Been in the field for more than 10 years
● Find me on Twitter @Q8Fawazo / Github @smokeme
 What is an API?
1. A way of communication between two different applications.
2. Mostly used whenever we find a JavaScript frontend like React/Vue/Angular
3. It’s a way for mobile applications to communicate with their external servers

Why is API pentesting important ?

1. It’s the side that a user normally doesn’t see

2. Developers usually do a sloppy job creating API endpoints which results in
either logic problems or actual exploitation
 API types
From oldest to newest:

1. SOAP ( Only XML )

2. REST ( JSON / XML / URL Params )
3. GraphQL
SOAP API
Common Vulnerabilities:

1. Uses XML ( XML Injection is possible )

2. SQL Injection in parameters
3. Command Injection
4. Actions can be enumerated easily
REST API
Common Vulnerabilities:

1. Sensitive Data exposure

2. Injections (OS / SQL)
3. Broken Access Control
4. Endpoint’s can be enumerated easily based on the REST API Design
It’s not always Remote Code Execution
● Don’t expect to get a Remote Code Execution

● Most of your finding’s will be broken access control

● API’s are mostly forgotten about, thinked about as something no one will see
which makes them a prime example for exploitation

● By Exploitation I mean Data leakage (Information a user should not get)

Abusing RESTful API Design
1. Enumerating API endpoints
a. Gobuster/wfuzz/ffuf
b. https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Co
ntent/api/objects.txt
2. Finding HTTP methods
a. wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS-PUT -X FUZZ
http://example.com/api/post/1/
3. Attempting to break access control
a. Example: Deleting another user’s post or being able to edit it
The devil is in the details
**Real life example**: Leaking user data with incremental user ID

1. http://example.com/customers/123 (401)
2. http://example.com/customers/123/loans (200)
3. http://example.com/customers/123/loans/456 (200)

Sometimes the original endpoint is protected, but whatever is built upon it will be
completely ignored and therefore exploitable
Please give me everything
**Real Life Example**: Why take something when you can take everything?
1. Enumerating http://example.com/api/FUZZ resulted in nothing :(
2. https://dnsdumpster.com/ shows a http://dev.example.com live!
3. The Development server has `DEBUG` enabled ?? so what

4. 317 different urls to try and exploit

5. We find unprotected url `/api/users_csv` which exports all users
J WHAT??
JSON Web Token (JWT)

1. I love these things, if you are able to exploit them you should have the ability to
impersonate any other user
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjEiLCJ1c2VybmFtZSI6ImFkbWluIn0.jVtJk3YGctVUhwQpPz58i_IRPKdfmjWjLQ
pM9u5zI9Y

2. You can use https://jwt.io to decode the JWT token and find interesting information
3. Lot’s of attacks can be applied to JWT tokens and found here

https://github.com/ticarpi/jwt_tool

4. JWT tokens depends on a secret key, if a Development server leaks it, its game over
Demo
*** Sadly I could not get all these different techniques into the demo

*** Will try and show as much as possible with-in the demo