Day 1


Pragmatic API

Exploration
Aubrey Labuschagne

8 August 2022
2 Confidential
Agenda
Day 1
● Overview of Course
● Getting Ready
○ Access to Portal
○ Access to API
● API Concepts
● Testing Environment
● Building Blocks of APIs
● Abuse APIs
● API Recon
Day 2
● OWASP Top 10
● The Challenge
● Bonus - GraphQL

3 Confidential
Access to the Student Portal
https://class.sensepost.com/register/xxx
Note:
● Please make sure that an accessible email account is used to register.
● It will be needed should a password reset be required.

4 Confidential
Access to the Student Portal

5 Confidential
Access to the Student Portal

6 Confidential
Access to the Student Portal

7 Confidential
Access to the Student Portal

8 Confidential
Access to the Student Portal

9 Confidential
Overview of Workshop

Hands On

Practical
Application

Use Cases

10 Confidential
API Deployment and Access

11 Confidential
Philosophy

12 Confidential
Unpack “The Target”

13 Confidential
Exercise

14 Confidential
The Evil Bit

15 Confidential
Explore
● Create attack trees to breach the target
○ The Castle
● Develop mitigation strategies to prevent the
attack
● Start defensive thinking
○ Situational Awareness (Be aware of your
surroundings)

16 Confidential
Content

17 Confidential
Concepts

18 Confidential
API System Breakdown

19 Confidential
Example – Restaurant (Processes)

20 Confidential
Example – Restaurant API
Endpoint – Description
/order/burger/{id} – Place an order for a specific burger
/waiter/status/{orderID} – Retrieve the status of an order that was placed
/waiter/placeOrder/ – Create a new order
/waiter/cancelOrder/{orderID} – Cancel an order that was placed

21 Confidential
API Protocols
● REST
● SOAP
● GraphQL
● gRPC
● Microservices

22 Confidential
REST (Representational State Transfer)

23 Confidential
SOAP (Simple Object Access Protocol)

24 Confidential
GraphQL

25 Confidential
gRPC (gRPC Remote Procedure Calls)

26 Confidential
Microservices

27 Confidential
Practical application of an API
● Public Open API
● APIs exposed to the public at no cost
● Provides developers with programmatic access to a proprietary software application or web service
● Examples:
○ https://github.com/public-apis/public-apis#open-data
○ https://any-api.com/

28 Confidential
Practical application of an API

29 Confidential
Practical application of an API

30 Confidential
Exercise

31 Confidential
Explore
● Create a use case whereby a public API will be
used to provide a service for a business need

32 Confidential
Another practical application of an API

33 Confidential
Another practical application of an API

34 Confidential
Swagger (https://petstore.swagger.io/)

35 Confidential
Recap
● What is an API and an endpoint?
● API Architecture
● Practical use of APIs
● Public APIs
● Swagger

36 Confidential
Testing
Environment
37 Confidential
Testing Environment

38 Confidential
Burp

39 Confidential
Postman

40 Confidential
Proxy

41 Confidential
Exercise

42 Confidential
Explore
● Import the Postman file for “Cat Facts API”
● https://documenter.getpostman.com/view/1946054/S11HvKSz
● Make the calls to the respective endpoint
● Capture the calls in Burp

43 Confidential
Recap
● Use of tooling
● Setup testing environment
● Capture request made to a target endpoint

44 Confidential
Under the
hood
45 Confidential
Testing Environment

46 Confidential
API Code

47 Confidential
API Code

48 Confidential
HTTP Communication

49 Confidential
Request Header

50 Confidential
Request Header
Header – Purpose
Host – Represents the domain name of the server
Content-Length – Indicates the size of the message body, in bytes, sent to the recipient.
Expires – Contains the date/time after which the response is considered expired.
User-Agent – String that identifies the application, operating system, vendor, and/or version of the requesting user agent.
51 Confidential
Header – User Agent Bypass

52 Confidential
Header – User Agent Bypass

53 Confidential
API Keys (X-Api-Key)

54 Confidential
Header – Injection Attack

55 Confidential
Header – Injection Attack

56 Confidential
Exercise

57 Confidential
Header – Security Considerations

58 Confidential
Explore
● Unlock the API
● Configure Postman, Burp and cURL as a Communication Channel
● Using HTTP Methods to manage API endpoints
● HTTP Return Codes
● HTTP Security Headers
● Host Headers
● Changing User Agent to access API Endpoint
● API Keys (X-Api-Key)
● Host Header Injections
● Resources for Workshop
59 Confidential
Recap
● Understand the testing environment
● Describe the backend endpoint
● Discuss the request header
● Modify the request header to evaluate the
impact thereof

60 Confidential
Abusing APIs

61 Confidential
WordPress Fun

62 Confidential
WordPress
● Content management system (CMS) used to host and build websites
● WordPress contains a plugin architecture and a template system
● Customize to fit business requirements
● Blog, portfolio, or online store.

63 Confidential
WordPress

64 Confidential
API Abuse - WordPress
● WordPress Users Disclosure (/wp-json/wp/v2/users/) - https://hackerone.com/reports/356047
● Denial of service to WP-JSON API by cache poisoning the CORS allow origin header - https://hackerone.com/reports/591302
● xmlrpc.php file enabled, usable for brute-force and Denial of Service (DoS) attacks - https://hackerone.com/reports/752073

65 Confidential
Targeting WordPress using WPScan

66 Confidential
JSON Web Tokens

67 Confidential
JWT
● Portable, industry-standard identity tokens
● Used to identify a user and grant access to resources
● JSON Web Token (JWT) claims are pieces of information asserted about a subject. For example (“Identity”, ”id”)
● Used for Authentication, Authorization and Information Exchange

68 Confidential
JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJhMTcyMmE5Yy0yMDgzLTQzNmEtYWUwMS02MmQ5ZDlmOWE3MTkiLCJleHAiOjE2MTQ3ODg0MDIsImZyZXNoIjpmYWxzZSwiaWF0IjoxNjE0Nzg3NTAyLCJ0eXBlIjoiYWNjZXNzIiwibmJmIjoxNjE0Nzg3NTAyLCJpZGVudGl0eSI6IjEwMDAifQ.1hSGe3wK_Bm-cGjLJ_QVTFP4V-uh9myOk3gtvmMi6gw

69 Confidential
JWT

70 Confidential
JWT

71 Confidential
JWT

72 Confidential
JWT - Revocation Strategy
● Once a JWT is issued, no further communication with the identity server is needed → decentralization
● Token
– A piece of data that carries just enough information to determine a user's identity
– Authorizes a user to perform an action
– Valid until it expires
● Refresh Token
– Used to obtain a new token when the current one is about to expire
73 Confidential
JWT - Revocation Strategy

74 Confidential
JWT - Revocation Strategy
● Set short period (Time To Live) for JWT
– Between 5 - 10 min max
● Revoking the refresh token
– User can't generate a new token
– Between 20 - 25 min
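As an added example (not code from the deck), the Python below decodes the access token shown on the JWT slide, measures its lifetime against the 5-10 minute guidance above, and then issues and verifies a short-lived HS256 token with a jti deny-list for revocation. The signing key, the deny-list approach and all function names are assumptions; the deck's token was signed with a key that is not on the page, so its signature cannot be verified here.

```python
import base64, hashlib, hmac, json, uuid

MAX_ACCESS_TTL = 10 * 60  # deck guidance: access token valid for 5-10 min at most

# Token copied from the "JWT" slide of this deck (HS256; its signing key is not on the page).
SLIDE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
               "eyJqdGkiOiJhMTcyMmE5Yy0yMDgzLTQzNmEtYWUwMS02MmQ5ZDlmOWE3MTkiLCJleHAi"
               "OjE2MTQ3ODg0MDIsImZyZXNoIjpmYWxzZSwiaWF0IjoxNjE0Nzg3NTAyLCJ0eXBlIjoiYWNj"
               "ZXNzIiwibmJmIjoxNjE0Nzg3NTAyLCJpZGVudGl0eSI6IjEwMDAifQ."
               "1hSGe3wK_Bm-cGjLJ_QVTFP4V-uh9myOk3gtvmMi6gw")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_unverified(token: str):
    """Split a compact JWT into header and claims WITHOUT checking the signature (inspection only)."""
    head, body, _sig = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body))

def lifetime_seconds(claims: dict) -> int:
    return claims["exp"] - claims["iat"]

def mint(claims: dict, key: bytes, ttl: int, now: int) -> str:
    """Issue an HS256 token with iat/nbf/exp and a unique jti so it can be revoked later."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = dict(claims, jti=str(uuid.uuid4()), iat=now, nbf=now, exp=now + ttl)
    signing_input = head + "." + b64url_encode(json.dumps(body, separators=(",", ":")).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify(token: str, key: bytes, revoked_jti: set, now: int) -> dict:
    """Return the claims only if signature, validity window and revocation list all pass."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the server, not the token, picks the algorithm
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if not (claims.get("nbf", 0) <= now < claims["exp"]):
        raise ValueError("token outside its nbf/exp window")
    if claims.get("jti") in revoked_jti:
        raise ValueError("token revoked")
    return claims
```

The slide token's exp minus iat is 900 seconds, i.e. 15 minutes, which already exceeds the 10 minute ceiling the deck recommends.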

75 Confidential
JavaScript Object
Notation (JSON)
Parser

76 Confidential
JSON Parser
● JSON
– Data-interchange format and
language independent
– Plain text written in JavaScript
object notation
– Used to send data between
computers
– Parser Extracts Data from the
JSON file
– Could contain vulnerabilities
– Extract data differently

77 Confidential
JSON Parser
{
  "id": "0001",
  "type": "server",
  "name": "DB01",
  "IP": "192.168.10.101",
  "users": {
    "administrators": [
      { "username": "P1001", "status": "locked" },
      { "username": "P1002", "status": "active" }
    ]
  },
  "logs": [
    { "id": "5001", "info": "Credential failure from P1001" },
    { "id": "5002", "info": "Reboot" },
    { "id": "5005", "info": "Login from P1001" },
    { "id": "5007", "info": "Password changed of P1002" }
  ]
}
78 Confidential
JSON Parser (Key Precedence)
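Added example (not from the deck) of the key-precedence problem: the same document, with the "status" key of the second administrator sent twice, yields a different answer depending on whether the parser keeps the first or the last occurrence, and a strict loader can reject it outright. The document is a constructed variant of the asset record on the previous slide; the hook names are assumptions.

```python
import json

# Constructed request body based on the slide's asset record; "status" appears twice
# for administrator P1002 so that last-wins and first-wins parsers disagree.
DOC = '''{
  "id": "0001", "type": "server", "name": "DB01",
  "users": {"administrators": [
    {"username": "P1001", "status": "locked"},
    {"username": "P1002", "status": "locked", "status": "active"}
  ]}
}'''

def last_wins(pairs):
    """What Python's json module does by default: a later duplicate overwrites the earlier one."""
    return dict(pairs)

def first_wins(pairs):
    """What a parser that keeps the first occurrence sees for the same bytes."""
    out = {}
    for k, v in pairs:
        out.setdefault(k, v)
    return out

def reject_duplicates(pairs):
    """Strict loader for security-relevant input: refuse any object with a repeated key."""
    out = {}
    for k, v in pairs:
        if k in out:
            raise ValueError(f"duplicate key {k!r}")
        out[k] = v
    return out

def admin_status(doc: str, hook) -> str:
    # object_pairs_hook receives the raw (key, value) list for every object, duplicates included
    data = json.loads(doc, object_pairs_hook=hook)
    return data["users"]["administrators"][1]["status"]

def default_status(doc: str) -> str:
    return json.loads(doc)["users"]["administrators"][1]["status"]
```

A gateway that validates with one precedence rule and a backend that acts on the other will disagree on whether P1002 is locked; rejecting duplicates at the edge removes the ambiguity.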

79 Confidential
Business Logic
Vulnerabilities

80 Confidential
Business Logic Vulnerabilities
● Abusing the legitimate processing flow of an application in a way that results in a negative consequence to the organization
● The intention is that steps are performed in a specific order
– Step 1, 2, 3 (Intention)
– Step 1 → 3 (How does the application react?)
● Examples
– Modify the amount sent to the payment gateway
– Client-side control modification
– Account lockout on a shared account
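Added example (not from the deck) of server-side controls for the two cases listed above, using the restaurant ordering flow from the Concepts section: the order state machine only accepts the intended step sequence (so step 1 → 3 is refused), and the amount charged is recomputed on the server rather than taken from the client. Menu prices, state names and function names are constructed for illustration.

```python
from dataclasses import dataclass

MENU = {"burger": 12.50, "fries": 4.00}           # constructed prices
ALLOWED = {"placed": "paid", "paid": "served"}    # intended order: placed -> paid -> served

@dataclass
class Order:
    items: dict            # item name -> quantity
    state: str = "placed"

def server_total(order: Order) -> float:
    """Compute the amount on the server; a client-supplied total is never trusted."""
    return round(sum(MENU[name] * qty for name, qty in order.items.items()), 2)

def advance(order: Order, to_state: str) -> None:
    """Permit only the next step in the intended sequence; skipping a step is refused."""
    if ALLOWED.get(order.state) != to_state:
        raise PermissionError(f"cannot move {order.state} -> {to_state}")
    order.state = to_state

def pay(order: Order, amount_from_client: float) -> float:
    """Step 2: the client's amount must match what the server computed for this order."""
    expected = server_total(order)
    if abs(amount_from_client - expected) > 0.005:
        raise ValueError(f"client sent {amount_from_client}, server expects {expected}")
    advance(order, "paid")
    return expected

def serve(order: Order) -> str:
    """Step 3: only reachable from a paid order."""
    advance(order, "served")
    return order.state
```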
81 Confidential
Business Logic Vulnerabilities

82 Confidential
Business Logic Vulnerabilities

83 Confidential
Explore
● Business Logic Vulnerabilities
● Abusing JSON Web Tokens (JWT)
● JavaScript Object Notation (JSON) Parser
● Exploit the WordPress API
● Extra:
– Identify the users of the WordPress site
– Attempt to retrieve the passwords of the users

84 Confidential
Recap
● Use of JWT
● Abuse JWT
● Exploit WordPress API
● Enumerate a WordPress Site
● Business Logic Errors
● JSON Parser Issues

85 Confidential
API Recon

86 Confidential
API and Endpoints

87 Confidential
Endpoint Enumeration
● Identify endpoints
● Use of wordlists
● Documentation
● Attempt to enumerate undocumented endpoints
Tooling:
● ffuf (Golang)
● wfuzz (Python)
● dirsearch (Python)
● Gobuster (Golang)
● rustbuster (Rust)
● feroxbuster (Rust)

88 Confidential
Using ffuf

89 Confidential
Wordlists

90 Confidential
Building Wordlists
Create a profile of the target
• Do recon about the target
• OSInt
• Lateral Thinking
Tooling to Build Wordlists
• Cewl
• Crunch
• Mentalist
• Scripts
Pre-built wordlists
91 Confidential
Building Wordlists

92 Confidential
Building Wordlists

93 Confidential
Exercise

94 Confidential
Explore
• Create a single wordlist from at least 3 public sources
• Add your own wordlist using Cewl and Crunch

95 Confidential
Recap
● Creating wordlists
● Enumeration of endpoints
● Use of tools to enumerate endpoints

96 Confidential
Methodology

97 Confidential
High Level Methodology

98 Confidential
Vulnerabilities in System Components
• Server
○ Apache HTTP Server 2.4.49
■ Path Traversal & Remote Code Execution (RCE)
○ PHP 8.1.0-dev
■ 'User-Agentt' Remote Code Execution
• Communication Channel
○ SSL Issue
■ BEAST Attack → allows attackers to capture and decrypt HTTPS client-server sessions and obtain authentication tokens
○ HTTP → Unencrypted Data
99 Confidential
Vulnerabilities in System Components

100 Confidential
Vulnerabilities in System Components

101 Confidential
Vulnerabilities in System Components

102 Confidential
Vulnerabilities in System Components
Web Security Testing Framework:
● Test HTTP Methods
● Test User Registration Process
● Testing for Host Header Injection
● Fingerprint Web Application Framework
● Testing for Cookies Attributes

103 Confidential
Thank You
[email protected]

https://cyberdefense.orange.com
Additional Resources
● https://www.wallarm.com/what/how-to-hack-api-in-60-minutes-with-open-source
● https://github.com/arainho/awesome-api-security
● https://portswigger.net/web-security
● https://owasp.org/www-project-api-security/
● https://www.neuralegion.com/blog/api-security/
● https://apisecurity.io/
● https://www.youtube.com/watch?v=fvcKwUS4PTE
● https://docs.gitlab.com/ee/user/application_security/api_fuzzing/
● https://labs.detectify.com/2021/08/31/go-fuzz-yourself-how-to-find-more-vulnerabilities-in-apis-through-fuzzing-whitepaper-download/

105 Confidential