Hacking APIs: Difference between revisions

Web Application Programming Interfaces (APIs) make up 83% of all web traffic. Organizations are using them more and more to deliver content, handle and transfer data and to implement more functionality into their services and web applications, not to mention APIs have direct back-end database access. Knights white paper show cases how web APIs can be exploited via API1:2023 - Broken Object Level Authorization (BOLA) to transfer money in and out of bank accounts and change Visa ATM debit PIN codes. Exploiting web APIs has also been a vector for a lot of data breaches.

Currently there is a severe lack of security testing against APIs (mobile APIs especially) from the white hats, not a lot of efforts in testing and protecting APIs and typically organizations "protect" their APIs using WAFs which are ineffective at defending APIs as they are designed to protect web applications.

The top 3 most commonly used web APIs used today (2023) are: Rest, GraphQL and SOAP. Common API formats are: Json, Xml and Yaml. It's an easier attack vector (for now). Learn how to hack web APIs to facilitate your targeted attacks!

See Scanning and Recon, Search Engines, Initial Access Tactics, techniques and procedures and a hackers methodology and recon as prerequisite's to hacking APIs.

Labs

• HackTheBox (HTB) Academy: Web Service & API Attacks [Paid]
• TryHackMe (THM): OWASP API Security Top 10 - 1 [Paid]
  • TryHackMe (THM): OWASP API Security Top 10 - 2 [Paid]

Prerequisite reading

• OWASP API Security Top 10: https://owasp.org/www-project-api-security | https://apisecurity.io/encyclopedia/content/owasp-api-security-top-10-cheat-sheet-a4.pdf
• (Book) Hacking APIs: Breaking Web Application Programming Interfaces (2022)
• (Book) Black Hat GraphQL: Attacking Next Generation APIs (2023)
• (Book) Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities (Chapter 24 - API Hacking) (2021)
• SCORCHED EARTH: HACKING BANKS AND CRYPTOCURRENCY EXCHANGES THROUGH THEIR APIS (2020)
• GraphQL Injection

Tools

• A collection of API Security tools and resources: https://github.com/arainho/awesome-api-security
• Organize your API security assessment by using MindAPI - Bringing order to API hacking chaos!: https://github.com/dsopas/MindAPI | MindAPI
• Decode JSON Web Tokens (Online): https://jwt.io
• JWT - JSON Web Token
• Obtain GraphQL API schema even if the introspection is disabled: https://github.com/nikitastupin/clairvoyance

Intercepting proxies

These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web applications, mobile and APIs.

• https://www.postman.com (API focused)
• https://portswigger.net/burp (If a WAF is blocking Burpsuite then try editing your user-agent string)
• https://www.zaproxy.org | GraphQL Add-on for ZAP
• https://mitmproxy.org
• https://github.com/projectdiscovery/proxify

Fuzzing

• KiteRunner, web API content discovery. https://github.com/assetnote/kiterunner

Wordlists

Web API specific wordlists - See Fuzzing:

1. https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-large.json.tar.gz
2. https://wordlists-cdn.assetnote.io/data/kiterunner/routes-large.kite.tar.gz
3. https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-small.json.tar.gz
4. https://wordlists-cdn.assetnote.io/data/kiterunner/routes-small.kite.tar.gz
5. https://wordlists-cdn.assetnote.io/rawdata/kiterunner/swagger-files.tar
6. https://wordlists-cdn.assetnote.io/data/kiterunner/swagger-wordlist.txt

• https://wordlists.assetnote.io
• A list of 3203 common API endpoints and objects designed for fuzzing | A wordlist of API names for web application assessments

Exploitation

Although API specific exploitation may require scripting or custom payloads to mass scrape data or exploit vulnerabilities it's still worth knowing common payloads and exploit tools for web applications: https://enlacehacktivista.org/index.php?title=Exploitation