Hacking APIs: Difference between revisions
mNo edit summary |
Line 36: | Line 36: | ||
== Intercepting proxies == | == Intercepting proxies == | ||
These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web, mobile and | These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web applications, mobile and APIs. | ||
* https://portswigger.net/burp (If a WAF is blocking Burpsuite then [https://stackoverflow.com/questions/70129432/how-to-bypass-cloudflare-protection-with-burp try editing your user-agent string]) | * https://portswigger.net/burp (If a WAF is blocking Burpsuite then [https://stackoverflow.com/questions/70129432/how-to-bypass-cloudflare-protection-with-burp try editing your user-agent string]) | ||
* https://www.zaproxy.org | * https://www.zaproxy.org |
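Review bot: the new wording on the Intercepting proxies line, "web applications, mobile and APIs", is not parallel: "mobile" is left without a noun. Suggest "web applications, mobile applications and APIs" so all three items in the list are things the proxy sits in front of. The Burp and ZAP bullets below the changed line are unchanged context and are fine as they are.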
Revision as of 17:46, 7 August 2023
Web Application Programming Interfaces (APIs) make up 83% of all web traffic. Organizations use them more and more to deliver content, to handle and transfer data, and to add functionality to their services and web applications. Knight's white paper showcases how web APIs can be exploited via API1:2023 - Broken Object Level Authorization (BOLA) to transfer money in and out of bank accounts and to change Visa ATM debit PIN codes. Exploiting web APIs has also been the vector for a lot of data breaches.
Currently there is a severe lack of security testing against APIs (mobile APIs especially) from the white hats, and not much effort goes into testing and protecting APIs. Organizations typically "protect" their APIs with WAFs, which are ineffective at defending APIs because they are designed to protect web applications. It's an easier attack vector (for now). Learn how to hack web APIs to facilitate your targeted attacks!
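The intro names BOLA (API1:2023) as the bug class behind the bank-account and PIN-change findings without showing what the defect looks like in a handler. The following is an added example, not code from this wiki page or from Knight's white paper: a small in-memory model of an account API with a BOLA-vulnerable read handler beside the fixed read and transfer handlers. The account IDs, user IDs and balances are constructed sample data; the handlers return (status, body) tuples standing in for HTTP responses. The caller identity is assumed to come from an already-validated session token, which is exactly the situation in which BOLA occurs: the user is authenticated, but the object they asked for is never checked against who they are.

```python
"""Added example (not from the wiki page): a minimal account API that shows
API1:2023 Broken Object Level Authorization (BOLA) and the server-side fix.
All users, accounts and balances below are constructed for the demo."""
from dataclasses import dataclass


@dataclass
class Account:
    account_id: str
    owner_id: str
    balance: int  # in cents; constructed sample values


# Constructed sample data: two users, one account each.
ACCOUNTS = {
    "acc-1001": Account("acc-1001", "user-alice", 50_000),
    "acc-1002": Account("acc-1002", "user-bob", 12_000),
}


def _view(acct: Account) -> dict:
    return {"account_id": acct.account_id, "balance": acct.balance}


def handle_get_account_vulnerable(caller_id: str, account_id: str):
    """BOLA: caller_id is assumed to come from a validated token, so the
    caller IS authenticated, but the client-supplied account_id is looked
    up without an ownership check. Any logged-in user can read any account
    simply by changing the ID in the URL."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return 404, {"error": "not found"}
    return 200, _view(acct)


def handle_get_account(caller_id: str, account_id: str):
    """Fixed: authorization is decided per object, server-side, from the
    identity bound to the session, never from anything in the request."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner_id != caller_id:
        # Same response for "does not exist" and "not yours", so the endpoint
        # cannot be used to enumerate which account IDs are valid.
        return 404, {"error": "not found"}
    return 200, _view(acct)


def handle_transfer(caller_id: str, src_id: str, dst_id: str, amount: int):
    """Fixed transfer: ownership of the *source* account is what must be
    checked; the destination only has to exist. Checking the destination
    instead of the source is the mistake that lets a caller drain accounts
    they do not own."""
    src = ACCOUNTS.get(src_id)
    if src is None or src.owner_id != caller_id:
        return 404, {"error": "not found"}
    dst = ACCOUNTS.get(dst_id)
    if dst is None:
        return 400, {"error": "unknown destination"}
    if amount <= 0 or amount > src.balance:
        return 400, {"error": "invalid amount"}
    src.balance -= amount
    dst.balance += amount
    return 200, {"from": src_id, "to": dst_id, "amount": amount}


if __name__ == "__main__":
    # Bob (authenticated) asks for Alice's account by ID.
    print("vulnerable:", handle_get_account_vulnerable("user-bob", "acc-1001"))
    print("fixed:     ", handle_get_account("user-bob", "acc-1001"))
    print("owner:     ", handle_get_account("user-alice", "acc-1001"))
    print("transfer:  ", handle_transfer("user-bob", "acc-1001", "acc-1002", 100))
```

The test for this class of bug in an assessment is the same shape as the demo: take a valid session for one user, request an object that belongs to another, and see whether the API answers with the object or with the same response it gives for a non-existent one. On the defending side the fix is a per-object ownership (or scope) check in every handler that takes an object ID, not a WAF rule, because the request is syntactically identical to a legitimate one.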
Labs
- HackTheBox (HTB) Academy: Web Service & API Attacks [Paid]
- TryHackMe (THM): OWASP API Security Top 10 - 1 [Paid]
- TryHackMe (THM): OWASP API Security Top 10 - 2 [Paid]
Prerequisite reading
- (Book) Hacking APIs: Breaking Web Application Programming Interfaces
- (Book) Black Hat GraphQL: Attacking Next Generation APIs
- SCORCHED EARTH: HACKING BANKS AND CRYPTOCURRENCY EXCHANGES THROUGH THEIR APIS
- OWASP API Security Top 10: https://owasp.org/www-project-api-security | https://apisecurity.io/encyclopedia/content/owasp-api-security-top-10-cheat-sheet-a4.pdf
- GraphQL Injection
Tools
- A collection of API Security tools and resources: https://github.com/arainho/awesome-api-security
- MindAPI - Organize your API security assessment, bringing order to API hacking chaos: https://github.com/dsopas/MindAPI
- Decode JSON Web Tokens (Online): https://jwt.io
- JWT - JSON Web Token
Fuzzing
Wordlists
- Web API specific wordlists - See Fuzzing:
- https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-large.json.tar.gz
- https://wordlists-cdn.assetnote.io/data/kiterunner/routes-large.kite.tar.gz
- https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-small.json.tar.gz
- https://wordlists-cdn.assetnote.io/data/kiterunner/routes-small.kite.tar.gz
- https://wordlists-cdn.assetnote.io/rawdata/kiterunner/swagger-files.tar
- https://wordlists-cdn.assetnote.io/data/kiterunner/swagger-wordlist.txt
Intercepting proxies
These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web applications, mobile applications and APIs.