Hacking APIs: Difference between revisions
m (→Fuzzing) |
m (→Wordlists) |
||
| Line 54: | Line 54: | ||
Web API specific word lists: | Web API specific word lists: | ||
* A list of 3203 common API endpoints and objects designed for fuzzing: https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d | * A list of 3203 common API endpoints and objects designed for fuzzing: https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d | ||
* A wordlist of API names for web application assessments: https:// | * A wordlist of API names for web application assessments: https://github.com/chrislockard/api_wordlist | ||
* A collection of API word lists: https://github.com/hAPI-hacker/Hacking-APIs | * A collection of API word lists: https://github.com/hAPI-hacker/Hacking-APIs | ||
* GraphQL word list: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/graphql.txt | * GraphQL word list: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/graphql.txt | ||
Revision as of 10:31, 2 September 2023
Web Application Programming Interfaces (APIs) make up 83% of all web traffic and two thirds of all cloud breaches are due to misconfigured APIs with developers hard coding credentials and exposing API keys. Organizations are using them more and more to deliver content, handle and transfer data and to implement more functionality into their services and web applications, not to mention APIs have direct back-end database access. Knights white paper show cases how web APIs can be exploited via API1:2023 - Broken Object Level Authorization (BOLA) vulnerability to transfer money in and out of bank accounts and change Visa ATM debit PIN codes. Exploiting web APIs has also been a vector for a lot of data breaches.
Currently there is a severe lack of security testing against APIs (mobile APIs especially) from the white hats, not a lot of efforts in testing and protecting APIs and typically organizations "protect" their APIs using WAFs which are ineffective at defending APIs as they are designed to protect web applications.
The top 3 most commonly used web APIs used today (2023) are: Rest, GraphQL and SOAP. Common API formats are: Json, Xml and Yaml for data transfer. It's an easier attack vector (for now). Learn how to hack web APIs to facilitate your targeted attacks!
See Scanning and Recon, Search Engines, Initial Access Tactics, techniques and procedures and a hackers methodology and recon as prerequisite's to hacking APIs.
Prerequisite reading
- OWASP API Security Top 10: https://owasp.org/www-project-api-security | https://apisecurity.io/encyclopedia/content/owasp-api-security-top-10-cheat-sheet-a4.pdf
- (Book) Hacking APIs: Breaking Web Application Programming Interfaces (2022)
- (Book) Black Hat GraphQL: Attacking Next Generation APIs (2023)
- (Book) Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities (Chapter 24 - API Hacking) (2021)
- SCORCHED EARTH: HACKING BANKS AND CRYPTOCURRENCY EXCHANGES THROUGH THEIR APIS (2020)
- GraphQL Injection
Testing environments
- Completely ridiculous API (crAPI) - Purposefully vulnerable API: https://github.com/OWASP/crAPI
- Damn Vulnerable GraphQL Application - Intentionally vulnerable GraphQL API: https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
- OWASP Juice Shop - Insecure web application (uses Rest APIs): https://github.com/juice-shop/juice-shop
Labs
- HackTheBox (HTB) Academy: Web Service & API Attacks [Paid]
- TryHackMe (THM): OWASP API Security Top 10 - 1 [Paid]
- TryHackMe (THM): OWASP API Security Top 10 - 2 [Paid]
Tools
- A collection of API Security tools and resources: https://github.com/arainho/awesome-api-security
- A comprehensive API hacking framework (A-Z)! MindAPI: https://dsopas.github.io/MindAPI/play
- Decode JSON Web Tokens (Online): https://jwt.io
- JWT - JSON Web Token
- A toolkit for testing, tweaking and cracking JSON Web Tokens: https://github.com/ticarpi/jwt_tool
- Obtain GraphQL API schema even if the introspection is disabled: https://github.com/nikitastupin/clairvoyance
- HTTP parameter discovery suite: https://github.com/s0md3v/Arjun
Intercepting proxies
These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web applications, mobile and APIs.
- https://www.postman.com (API focused)
- https://portswigger.net/burp (If a WAF is blocking Burpsuite then try editing your user-agent string)
- https://www.zaproxy.org | GraphQL Add-on for ZAP
Fuzzing
KiteRunner, web API content discovery tool:
Wordlists
Kiterunner word lists:
- https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-large.json.tar.gz
- https://wordlists-cdn.assetnote.io/data/kiterunner/routes-large.kite.tar.gz
- https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-small.json.tar.gz
- https://wordlists-cdn.assetnote.io/data/kiterunner/routes-small.kite.tar.gz
- https://wordlists-cdn.assetnote.io/rawdata/kiterunner/swagger-files.tar
- https://wordlists-cdn.assetnote.io/data/kiterunner/swagger-wordlist.txt
Web API specific word lists:
- A list of 3203 common API endpoints and objects designed for fuzzing: https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d
- A wordlist of API names for web application assessments: https://github.com/chrislockard/api_wordlist
- A collection of API word lists: https://github.com/hAPI-hacker/Hacking-APIs
- GraphQL word list: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/graphql.txt
Exploitation
Although API specific exploitation may require scripting or custom payloads to mass scrape data or exploit vulnerabilities it's still worth knowing common payloads and exploit tools for web applications: https://enlacehacktivista.org/index.php?title=Exploitation