Hacking APIs: Difference between revisions

Web Application Programming Interfaces (APIs) make up 83% of all web traffic. Organizations are using them more and more to deliver content, handle and transfer data and to implement more functionality into their services and web applications, not to mention APIs have direct back-end database access. Knights white paper show cases how web APIs can be exploited via API1:2023 - Broken Object Level Authorization (BOLA) to transfer money in and out of bank accounts and change Visa ATM debit PIN codes. Exploiting web APIs has also been a vector for a lot of data breaches.

Currently there is a severe lack of security testing against APIs (mobile APIs especially) from the white hats, not a lot of efforts in testing and protecting APIs and typically organizations "protect" their APIs using WAFs which are ineffective at defending APIs as they are designed to protect web applications. It's an easier attack vector (for now). Learn how to hack web APIs to facilitate your targeted attacks!

Labs

• HackTheBox (HTB) Academy: Web Service & API Attacks [Paid]
• TryHackMe (THM): OWASP API Security Top 10 - 1 [Paid]
  • TryHackMe (THM): OWASP API Security Top 10 - 2 [Paid]

Prerequisite reading

• (Book) Hacking APIs: Breaking Web Application Programming Interfaces
• (Book) Black Hat GraphQL: Attacking Next Generation APIs
• SCORCHED EARTH: HACKING BANKS AND CRYPTOCURRENCY EXCHANGES THROUGH THEIR APIS
• OWASP API Security Top 10: https://owasp.org/www-project-api-security | https://apisecurity.io/encyclopedia/content/owasp-api-security-top-10-cheat-sheet-a4.pdf
• GraphQL Injection

Tools

• A collection of API Security tools and resources: https://github.com/arainho/awesome-api-security
• Organize your API security assessment by using MindAPI - Bringing order to API hacking chaos!: https://github.com/dsopas/MindAPI | MindAPI
• Decode JSON Web Tokens (Online): https://jwt.io
• JWT - JSON Web Token

Intercepting proxies

These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web applications, mobile and APIs.

• https://portswigger.net/burp (If a WAF is blocking Burpsuite then try editing your user-agent string)
• https://www.zaproxy.org
• https://mitmproxy.org
• https://www.postman.com (API focused)
• https://github.com/projectdiscovery/proxify

Fuzzing

• KiteRunner, web API content discovery. https://github.com/assetnote/kiterunner

Wordlists

• Web API specific wordlists - See Fuzzing:

1. https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-large.json.tar.gz
2. https://wordlists-cdn.assetnote.io/data/kiterunner/routes-large.kite.tar.gz
3. https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-small.json.tar.gz
4. https://wordlists-cdn.assetnote.io/data/kiterunner/routes-small.kite.tar.gz
5. https://wordlists-cdn.assetnote.io/rawdata/kiterunner/swagger-files.tar
6. https://wordlists-cdn.assetnote.io/data/kiterunner/swagger-wordlist.txt

• https://wordlists.assetnote.io