Hacking APIs: Difference between revisions

Web Application Programming Interfaces (APIs) make up 83% of all web traffic and two thirds of all cloud breaches are due to misconfigured APIs with developers hard coding credentials and exposing API keys. Organizations are using them more and more to deliver content, handle and transfer data and to implement more functionality into their services and web applications, not to mention APIs have direct back-end database access. Knights white paper show cases how web APIs can be exploited via API1:2023 - Broken Object Level Authorization (BOLA) vulnerability to transfer money in and out of bank accounts and change Visa ATM debit PIN codes. Exploiting web APIs has also been a vector for a lot of data breaches.

Currently there is a severe lack of security testing against APIs (mobile APIs especially) from the white hats, not a lot of efforts in testing and protecting APIs and typically organizations "protect" their APIs using WAFs which are ineffective at defending APIs as they are designed to protect web applications and not logic-based exploits.

The top 3 most commonly used web APIs used today (2023) are: Rest, GraphQL and SOAP. Common API data transfer formats are: JSON, XML and YAML. It's an easier attack vector (for now). Learn how to hack web APIs to facilitate your targeted attacks!

See Scanning and Recon, Search Engines, Initial Access Tactics, techniques and procedures and a hackers methodology and recon as prerequisite's to hacking APIs.

Prerequisite reading

• OWASP API Security Top 10: https://owasp.org/www-project-api-security | https://apisecurity.io/encyclopedia/content/owasp-api-security-top-10-cheat-sheet-a4.pdf
• (Book) Hacking APIs: Breaking Web Application Programming Interfaces
• (Book) Black Hat GraphQL: Attacking Next Generation APIs
• API Whitepapers and reports: https://salt.security/resources
• (Book) Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities (Chapter 24 - API Hacking)
• SCORCHED EARTH: HACKING BANKS AND CRYPTOCURRENCY EXCHANGES THROUGH THEIR APIS
• Exploiting GraphQL: https://blog.assetnote.io/2021/08/29/exploiting-graphql
• HackTricks - GraphQL: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql

Testing environments

• Completely ridiculous API (crAPI) - Purposefully vulnerable API: https://github.com/OWASP/crAPI
• Damn Vulnerable GraphQL Application - Intentionally vulnerable GraphQL API: https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
• OWASP Juice Shop - Insecure web application (uses Rest APIs): https://github.com/juice-shop/juice-shop
• The Pixi module is a MEAN Stack web app with wildly insecure APIs!: https://github.com/DevSlop/Pixi
• Vulnerable REST API with OWASP top 10 vulnerabilities for security testing: https://github.com/erev0s/VAmPI

Labs

• HackTheBox (HTB) Academy: Web Service & API Attacks [Paid]
• TryHackMe (THM): OWASP API Security Top 10 - 1 [Paid]
  • TryHackMe (THM): OWASP API Security Top 10 - 2 [Paid]

Tools

• A collection of API Security tools and resources: https://github.com/arainho/awesome-api-security
• A comprehensive API hacking framework (A-Z)! MindAPI: https://dsopas.github.io/MindAPI/play
• Decode JSON Web Tokens (Online): https://jwt.io
• JWT - JSON Web Token
• A toolkit for testing, tweaking and cracking JSON Web Tokens: https://github.com/ticarpi/jwt_tool
• Obtain GraphQL API schema even if the introspection is disabled: https://github.com/nikitastupin/clairvoyance
• HTTP parameter discovery suite: https://github.com/s0md3v/Arjun
• NSE Script for GraphQL Introspection Check: https://github.com/dolevf/nmap-graphql-introspection-nse
• graphw00f is GraphQL Server Engine Fingerprinting utility: https://github.com/dolevf/graphw00f
• GraphQL Injection
• GraphQL Introspection analyzer: https://github.com/gwen001/graphql-introspection-analyzer
• If you have found API keys perhaps in a JavaScript file but are not sure how to test their validity use keyhacks: https://github.com/streaak/keyhacks

Intercepting proxies

These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web applications, mobile and APIs.

• https://www.postman.com (API focused)
• https://portswigger.net/burp (If a WAF is blocking Burpsuite then try editing your user-agent string)
• https://www.zaproxy.org | GraphQL Add-on for ZAP to exploit GraphQL Introspection.

Fuzzing

• https://github.com/assetnote/kiterunner (API focused)
• https://github.com/ffuf/ffuf
• https://www.kali.org/tools/wfuzz

Wordlists

Kiterunner word lists:

1. https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-large.json.tar.gz
2. https://wordlists-cdn.assetnote.io/data/kiterunner/routes-large.kite.tar.gz
3. https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-small.json.tar.gz
4. https://wordlists-cdn.assetnote.io/data/kiterunner/routes-small.kite.tar.gz
5. https://wordlists-cdn.assetnote.io/rawdata/kiterunner/swagger-files.tar
6. https://wordlists-cdn.assetnote.io/data/kiterunner/swagger-wordlist.txt

Web API specific word lists:

• A list of 3203 common API endpoints and objects designed for fuzzing: https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d
• A wordlist of API names for web application assessments: https://github.com/chrislockard/api_wordlist
• A collection of API word lists: https://github.com/hAPI-hacker/Hacking-APIs
• GraphQL word list: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/graphql.txt

Exploitation

Although API specific exploitation may require scripting or custom payloads to mass scrape data or exploit logic based vulnerabilities it's still worth knowing common payloads and exploit tools for web applications: https://enlacehacktivista.org/index.php?title=Exploitation