book

Hacking APIs

by Corey Ball

July 2022

Intermediate to advanced

368 pages

9h 41m

English

No Starch Press

Read now

Unlock full access

The Allure of Hacking Web APIsThis Book’s ApproachHacking the API Restaurant
Receiving AuthorizationThreat Modeling an API TestWhich API Features You Should TestAPI Authenticated TestingWeb Application FirewallsMobile Application TestingAuditing API DocumentationRate Limit TestingRestrictions and ExclusionsSecurity Testing Cloud APIsDoS TestingReporting and Remediation TestingA Note on Bug Bounty ScopeSummary

Web App BasicsThe URLHTTP RequestsHTTP ResponsesHTTP Status CodesHTTP MethodsStateful and Stateless HTTPWeb Server DatabasesSQLNoSQLHow APIs Fit into the PictureSummary
How Web APIs WorkStandard Web API TypesRESTful APIsGraphQLREST API SpecificationsAPI Data Interchange FormatsJSONXMLYAMLAPI AuthenticationBasic AuthenticationAPI KeysJSON Web TokensHMACOAuth 2.0No AuthenticationAPIs in Action: Exploring Twitter’s APISummary
Information DisclosureBroken Object Level AuthorizationBroken User AuthenticationExcessive Data ExposureLack of Resources and Rate LimitingBroken Function Level AuthorizationMass AssignmentSecurity MisconfigurationsInjectionsImproper Assets ManagementBusiness Logic VulnerabilitiesSummary
Kali LinuxAnalyzing Web Apps with DevToolsCapturing and Modifying Requests with Burp SuiteSetting Up FoxyProxyAdding the Burp Suite CertificateNavigating Burp SuiteIntercepting TrafficAltering Requests with IntruderCrafting API Requests in Postman, an API BrowserThe Request BuilderEnvironmentsCollectionsThe Collection RunnerCode SnippetsThe Tests PanelConfiguring Postman to Work with Burp SuiteSupplemental ToolsPerforming Reconnaissance with OWASP AmassDiscovering API Endpoints with KiterunnerScanning for Vulnerabilities with NiktoScanning for Vulnerabilities with OWASP ZAPFuzzing with WfuzzDiscovering HTTP Parameters with ArjunSummaryLab #1: Enumerating the User Accounts in a REST API
Creating a Linux HostInstalling Docker and Docker ComposeInstalling Vulnerable ApplicationsThe completely ridiculous API (crAPI)OWASP DevSlop’s PixiOWASP Juice ShopDamn Vulnerable GraphQL ApplicationAdding Other Vulnerable AppsHacking APIs on TryHackMe and HackTheBoxSummaryLab #2: Finding Your Vulnerable APIs
Passive ReconThe Passive Recon ProcessGoogle HackingProgrammableWeb’s API Search DirectoryShodanOWASP AmassExposed Information on GitHubActive ReconThe Active Recon ProcessBaseline Scanning with NmapFinding Hidden Paths in Robots.txtFinding Sensitive Information with Chrome DevToolsValidating APIs with Burp SuiteCrawling URIs with OWASP ZAPBrute-Forcing URIs with GobusterDiscovering API Content with KiterunnerSummaryLab #3: Performing Active Recon for a Black Box Test
Finding Request InformationFinding Information in DocumentationImporting API SpecificationsReverse Engineering APIsAdding API Authentication Requirements to PostmanAnalyzing FunctionalityTesting Intended UsePerforming Privileged ActionsAnalyzing API ResponsesFinding Information DisclosuresFinding Security MisconfigurationsVerbose ErrorsPoor Transit EncryptionProblematic ConfigurationsFinding Excessive Data ExposuresFinding Business Logic FlawsSummaryLab #4: Building a crAPI Collection and Discovering Excessive Data Exposure
Classic Authentication AttacksPassword Brute-Force AttacksPassword Reset and Multifactor Authentication Brute-Force AttacksPassword SprayingIncluding Base64 Authentication in Brute-Force AttacksForging TokensManual Load AnalysisLive Token Capture AnalysisBrute-Forcing Predictable TokensJSON Web Token AbuseRecognizing and Analyzing JWTsThe None AttackThe Algorithm Switch AttackThe JWT Crack AttackSummaryLab #5: Cracking a crAPI JWT Signature
Effective FuzzingChoosing Fuzzing PayloadsDetecting AnomaliesFuzzing Wide and DeepFuzzing Wide with PostmanFuzzing Deep with Burp SuiteFuzzing Deep with WfuzzFuzzing Wide for Improper Assets ManagementTesting Request Methods with WfuzzFuzzing “Deeper” to Bypass Input SanitizationFuzzing for Directory TraversalSummaryLab #6: Fuzzing for Improper Assets Management Vulnerabilities
Finding BOLAsLocating Resource IDsA-B Testing for BOLASide-Channel BOLAFinding BFLAsA-B-A Testing for BFLATesting for BFLA in PostmanAuthorization Hacking TipsPostman’s Collection VariablesBurp Suite Match and ReplaceSummaryLab #7: Finding Another User’s Vehicle Location
Finding Mass Assignment TargetsAccount RegistrationUnauthorized Access to OrganizationsFinding Mass Assignment VariablesFinding Variables in DocumentationFuzzing Unknown VariablesBlind Mass Assignment AttacksAutomating Mass Assignment Attacks with Arjun and Burp Suite IntruderCombining BFLA and Mass AssignmentSummaryLab #8: Changing the Price of Items in an Online Store
Discovering Injection VulnerabilitiesCross-Site Scripting (XSS)Cross-API Scripting (XAS)SQL InjectionManually Submitting MetacharactersSQLmapNoSQL InjectionOperating System Command InjectionSummaryLab #9: Faking Coupons Using NoSQL Injection
Evading API Security ControlsHow Security Controls WorkAPI Security Control DetectionUsing Burner AccountsEvasive TechniquesAutomating Evasion with Burp SuiteAutomating Evasion with WfuzzTesting Rate LimitsA Note on Lax Rate LimitsPath BypassOrigin Header SpoofingRotating IP Addresses in Burp SuiteSummary
GraphQL Requests and IDEsActive ReconnaissanceScanningViewing DVGA in a BrowserUsing DevToolsReverse Engineering the GraphQL APIDirectory Brute-Forcing for the GraphQL EndpointCookie Tampering to Enable the GraphiQL IDEReverse Engineering the GraphQL RequestsReverse Engineering a GraphQL Collection Using IntrospectionGraphQL API AnalysisCrafting Requests Using the GraphiQL Documentation ExplorerUsing the InQL Burp ExtensionFuzzing for Command InjectionSummary
The BreachesPelotonUSPS Informed Visibility APIT-Mobile API BreachThe BountiesThe Price of Good API KeysPrivate API Authorization IssuesStarbucks: The Breach That Never WasAn Instagram GraphQL BOLASummary
Chapter 0: Preparing for Your Security TestsChapter 1: How Web Applications WorkChapter 2: The Anatomy of Web APIsChapter 3: Common API Vulnerabilities Chapter 4: Your API Hacking SystemChapter 5: Setting Up Vulnerable API TargetsChapter 6: DiscoveryChapter 7: Endpoint AnalysisChapter 8: Attacking AuthenticationChapter 9: FuzzingChapter 10: Exploiting AuthorizationChapter 11: Mass AssignmentChapter 12: InjectionChapter 13: Applying Evasive Techniques and Rate Limit TestingChapter 14: Attacking GraphQLChapter 15: Data Breaches and Bug Bounties

Overview

An Application Programming Interface (API) is a software connection that allows applications to communicate and share services. Hacking APIs will teach you how to test web APIs for security vulnerabilities. You’ll learn how the common API types, REST, SOAP, and GraphQL, work in the wild. Then you’ll set up a streamlined API testing lab and perform common attacks, like those targeting an API’s authentication mechanisms, and the injection vulnerabilities commonly found in web applications. In the book’s guided labs, which target intentionally vulnerable APIs, you’ll practice:

•Enumerating API users and endpoints using fuzzing techniques
•Using Postman to discover an excessive data exposure vulnerability
•Performing a JSON Web Token attack against an API authentication process
•Combining multiple API attack techniques to perform a NoSQL injection
•Attacking a GraphQL API to uncover a broken object level authorization vulnerability

By the end of the book, you’ll be prepared to uncover those high-payout API bugs that other hackers aren’t finding, and improve the security of applications on the web.