Hacking APIs

From Enlace Hacktivista
Revision as of 10:38, 31 March 2024 by Booda (talk | contribs) (→‎Tools)
Jump to navigation Jump to search

Web Application Programming Interfaces (APIs) make up 83% of all web traffic and two thirds of all cloud breaches are due to misconfigured APIs with developers hard coding credentials and exposing API keys. Organizations are using them more and more to deliver content, handle and transfer data and to implement more functionality into their services and web applications, not to mention APIs have direct back-end database access. Knights white paper show cases how web APIs can be exploited via API1:2023 - Broken Object Level Authorization (BOLA) vulnerability to transfer money in and out of bank accounts and change Visa ATM debit PIN codes. Exploiting web APIs has also been a vector for a lot of data breaches.

Currently there is a severe lack of security testing against APIs (mobile APIs especially) from the white hats, not a lot of efforts in testing and protecting APIs and typically organizations "protect" their APIs using WAFs which are ineffective at defending APIs as they are designed to protect web applications and not logic-based exploits.

The top 3 most commonly used web APIs used today (2023) are: Rest, GraphQL and SOAP. Common API data transfer formats are: JSON, XML and YAML. It's an easier attack vector (for now). Learn how to hack web APIs to facilitate your targeted attacks!

See Scanning and Recon, Search Engines, Initial Access Tactics, techniques and procedures and a hackers methodology and recon as prerequisite's to hacking APIs.

Prerequisite reading

Testing environments



Intercepting proxies

These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web applications, mobile and APIs.



Kiterunner word lists:

  1. https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-large.json.tar.gz
  2. https://wordlists-cdn.assetnote.io/data/kiterunner/routes-large.kite.tar.gz
  3. https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-small.json.tar.gz
  4. https://wordlists-cdn.assetnote.io/data/kiterunner/routes-small.kite.tar.gz
  5. https://wordlists-cdn.assetnote.io/rawdata/kiterunner/swagger-files.tar
  6. https://wordlists-cdn.assetnote.io/data/kiterunner/swagger-wordlist.txt

Web API specific word lists:


Although API specific exploitation may require scripting or custom payloads to mass scrape data or exploit logic based vulnerabilities it's still worth knowing common payloads and exploit tools for web applications: https://enlacehacktivista.org/index.php?title=Exploitation