Pen Testing an API

May 4, 2020

This tutorial is for web or IoT developers who would like to know more about API security.

Content Overview

  • Overview of a past vulnerability
  • An example pen test
  • How to build a secure API

  • Getting API endpoints
  • Fuzzing parameters
  • Subdomains
  • Postman
  • Burp Suite
  • Video Version

A past vulnerability

Nissan Leaf API

The vulnerability we will go over is the Nissan Leaf API, which did not authenticate the request at all: the only thing it checked was the car's VIN, an identifier that is visible through the windscreen.

The API powered a mobile application that let an owner check the climate control, turn the heating or air conditioning on and check the battery state. Because nothing tied a request to the owner's account, anyone who knew or guessed a VIN could read the status of, and operate the climate controls of, a Nissan Leaf connected to the system anywhere in the world.

This kind of vulnerability is, unfortunately, not that uncommon.

In many cases the endpoint is "secured" only by client-side code: the mobile app or browser decides whether the user may perform an action, and the server simply trusts that decision.

We should always presume the user is malicious and can bypass any security we set on their side, so every authorisation decision has to be made again on the server.

The write-up can be found here.
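To make the pattern concrete, here is an added example written for this post (not Nissan's code; the vehicles, VINs, users and sessions are all made up). It shows the flaw and the fix side by side: the vulnerable handler accepts any VIN it knows about, while the secure one first authenticates the session token and then checks that the VIN belongs to that user, returning the same error for "no such VIN" and "not your VIN" so the API cannot be used to enumerate valid VINs.

```python
"""Added example (not Nissan's code): a vehicle API that trusts only a
client-supplied VIN, beside one that ties every request to an authenticated
owner. All data below is constructed for the example."""
import hmac
import secrets

# Constructed data: two cars, two owners. VINs are placeholders, not real ones.
VEHICLES = {
    "VIN0001": {"owner": "alice", "battery_pct": 82, "climate_on": False},
    "VIN0002": {"owner": "bob", "battery_pct": 40, "climate_on": False},
}
# Stand-in credential store; a real service would store password hashes.
USERS = {"alice": "correct horse", "bob": "battery staple"}
SESSIONS = {}  # session token -> username


class ApiError(Exception):
    """Carries the HTTP status a handler would return."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def login(username, password):
    """Issue a random session token after a credential check."""
    if not hmac.compare_digest(USERS.get(username, ""), password):
        raise ApiError(401, "bad credentials")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def set_climate_vulnerable(vin, on):
    """Nissan-style flaw: the only 'check' is that the VIN exists. The app
    logged the user in client-side, but the server never sees that decision,
    so anyone who knows a VIN can drive the climate control."""
    vehicle = VEHICLES.get(vin)
    if vehicle is None:
        raise ApiError(404, "vehicle not found")
    vehicle["climate_on"] = on
    return {"vin": vin, "climate_on": vehicle["climate_on"]}


def set_climate_secure(token, vin, on):
    """Authenticate the caller from the token, then authorise the caller
    for this particular VIN (object-level authorisation)."""
    user = SESSIONS.get(token)
    if user is None:
        raise ApiError(401, "authentication required")
    vehicle = VEHICLES.get(vin)
    # One response for both 'unknown VIN' and 'someone else's VIN': a
    # distinct message would let an attacker enumerate valid VINs.
    if vehicle is None or vehicle["owner"] != user:
        raise ApiError(404, "vehicle not found")
    vehicle["climate_on"] = on
    return {"vin": vin, "climate_on": vehicle["climate_on"]}


def status_of(handler, *args):
    """Return the HTTP status a handler call would produce (200 on success)."""
    try:
        handler(*args)
        return 200
    except ApiError as err:
        return err.status


if __name__ == "__main__":
    alice = login("alice", "correct horse")
    # A stranger with no session turns on Bob's heating through the weak API...
    print("vulnerable, no auth, Bob's car:", status_of(set_climate_vulnerable, "VIN0002", True))
    # ...but the secure handler refuses both a missing token and a foreign VIN.
    print("secure, no token:", status_of(set_climate_secure, "x", "VIN0001", True))
    print("secure, Alice -> Bob's car:", status_of(set_climate_secure, alice, "VIN0002", True))
    print("secure, Alice -> own car:", status_of(set_climate_secure, alice, "VIN0001", True))
```

The secure variant is deliberately boring: the whole fix is that identity comes from something the client cannot forge (the server-issued token) and that the resource is checked against that identity on every call.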

WordPress 4.7.1

Fuzzing is another attack technique: giving the API unexpected data, for example numbers instead of strings, malformed dates, negative numbers and so on.

These parameters are fed into the API and can cause unexpected behaviour.

The parameters we send interact with the system's database and even its environment.
This can lead to remote code execution, or to reading or modifying data we should not be able to reach.

One example is the WordPress REST API in versions 4.7.0 and 4.7.1 (fixed in 4.7.2), where an attacker could send a malformed ID parameter in an API request to modify any post on the website.

An example pen test

I have set up WordPress 4.7.1 locally. We will use this to demonstrate how to go about a pen test using Burp Suite.

Burp Suite is an intercepting proxy used to explore web security: it records the requests your browser makes and lets you edit, repeat and decode them quickly.

To follow along:

  • Set up WordPress 4.7.1 locally (keep it off the internet; this version is deliberately vulnerable)
  • Install Burp Suite
  • Configure your browser to use Burp Suite as its proxy


    We will now use the website normally to allow burpeSuite to build an extensive Sitemap.


    We will presume the system is not open-sourced, and therefore, we do not have access to the source code.


    We can use standard API endpoints wordlist to ping the webserver to see endpoints hidden behind the author’s other functionality.


    We will allow trying to determine the tech stack of the website using Netstat and other online tools.


    This is critical as a backend written in PHP should be targeted differently to one written in node.


    If we know the API is in PHP, we can research common libraries the API is likely using based on its params and functionality and leverage these exploits.


    Even if an API is made with security in mind, it is still built on libraries and uses other API runs on a web server potentially running with other services on an OS. There is plenty of attack surface.

    No system is safe.
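As an added example of the reconnaissance steps above (written for this post, not taken from it or from any tool it names), here is a small endpoint-discovery and fingerprinting script. The wordlist, the header markers and the fake WordPress site are constructed for the example; `fetch` is pluggable, so `fake_wordpress_fetch` stands in for a lab install and `urllib_fetch` does the same over HTTP against a target you are permitted to test.

```python
"""Added example: wordlist-based endpoint discovery plus tech-stack
fingerprinting from response headers. The target site is a constructed
stand-in for a local WordPress install; nothing here is real scan data."""
import random
import string
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body prefix)
Fetch = Callable[[str], Response]

# Constructed wordlist of common API/admin paths; real lists are far longer.
ENDPOINT_WORDLIST = [
    "wp-json/", "wp-json/wp/v2/posts", "wp-json/wp/v2/users",
    "xmlrpc.php", "wp-login.php", "api/v1/", "graphql", ".env",
]

# Header markers that hint at the stack. Each test gets lower-cased headers
# and the body; status codes alone say nothing about the technology.
FINGERPRINTS = {
    "PHP": lambda h, b: h.get("x-powered-by", "").lower().startswith("php"),
    "Express/Node": lambda h, b: h.get("x-powered-by", "").lower() == "express",
    "WordPress REST API": lambda h, b: "api.w.org" in h.get("link", ""),
    "WordPress XML-RPC": lambda h, b: "x-pingback" in h,
    "Apache": lambda h, b: h.get("server", "").lower().startswith("apache"),
    "nginx": lambda h, b: h.get("server", "").lower().startswith("nginx"),
}


def discover(fetch: Fetch, wordlist: List[str]) -> List[Tuple[str, int]]:
    """Probe every path in the wordlist. A random path is fetched first so
    that sites answering 200 for everything (soft 404s) do not flood the
    results: anything identical to that response is treated as absent."""
    random_path = "".join(random.choices(string.ascii_lowercase, k=12))
    soft_status, _, soft_body = fetch(random_path)
    found = []
    for path in wordlist:
        status, _, body = fetch(path)
        if status == 404 or (status, body) == (soft_status, soft_body):
            continue
        found.append((path, status))
    return found


def fingerprint(fetch: Fetch, paths: List[str]) -> List[str]:
    """Collect every stack marker seen across the given paths."""
    hits = set()
    for path in paths:
        _, headers, body = fetch(path)
        lowered = {k.lower(): v for k, v in headers.items()}
        for name, test in FINGERPRINTS.items():
            if test(lowered, body):
                hits.add(name)
    return sorted(hits)


def fake_wordpress_fetch(path: str) -> Response:
    """Constructed stand-in for a local WordPress 4.7.1 on Apache + PHP."""
    common = {
        "Server": "Apache/2.4.25 (Debian)",
        "X-Powered-By": "PHP/7.0.15",
        "Link": '<http://localhost/wp-json/>; rel="https://api.w.org/"',
    }
    routes = {
        "": (200, {**common, "X-Pingback": "http://localhost/xmlrpc.php"}, "<html>blog</html>"),
        "wp-json/": (200, common, '{"name":"lab","namespaces":["wp/v2"]}'),
        "wp-json/wp/v2/posts": (200, common, '[{"id":1}]'),
        "wp-json/wp/v2/users": (200, common, '[{"id":1,"slug":"admin"}]'),
        "xmlrpc.php": (405, common, "XML-RPC server accepts POST requests only."),
        "wp-login.php": (200, common, "<form id=\"loginform\">"),
    }
    return routes.get(path, (404, common, "Not Found"))


def urllib_fetch(base_url: str) -> Fetch:
    """Real HTTP fetch for a lab target you are allowed to scan."""
    def fetch(path: str) -> Response:
        req = urllib.request.Request(base_url.rstrip("/") + "/" + path,
                                     headers={"User-Agent": "recon-example"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.getcode(), dict(resp.headers.items()), resp.read(4096).decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # 4xx/5xx still carry headers
            return err.code, dict(err.headers.items()), err.read(4096).decode("utf-8", "replace")
    return fetch


if __name__ == "__main__":
    endpoints = discover(fake_wordpress_fetch, ENDPOINT_WORDLIST)
    print("live endpoints:", endpoints)
    print("stack hints:", fingerprint(fake_wordpress_fetch, [""] + [p for p, _ in endpoints]))
```

Swap `fake_wordpress_fetch` for `urllib_fetch("http://localhost:8080")` to run it against the lab install; the `Link: <…>; rel="https://api.w.org/"` header alone is usually enough to confirm that the WordPress REST API is enabled.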

Fuzzing the API

Select an endpoint in the Burp Suite sitemap and send it to Intruder.

Burp Suite offers several attack types; we will use Sniper, which varies a single payload position, and change only one parameter to keep it simple.

An endpoint we will fuzz in WordPress is the post edit page, which takes the ID, the action, the post data and the cookies that authenticate the request.

Here we will fuzz the action, as the API may expose an action that does not require privileges, or whose privileges are not checked.

We will use this wordlist.

We repeatedly send the same request with only the action parameter changed.

After that we have a list of responses that we can send to Comparer to analyse further, checking for any differences (status code, response length, error message) that may indicate actions that are accepted.

Trying to hit use cases the system's developers did not test for or secure is the aim of pen testing.

With the next vulnerability, we will see how fuzzing could have discovered the exploit.

It is in the WordPress REST API.

In the endpoint

// This will fail without permissions

is a function that allows a user to get or update a post with the given ID.
However, the function takes two IDs: the ID in the path, but also an ID as a parameter, and the parameter overrides the path.

// This will fail without permissions

The exploit comes when the parameter ID is sent concatenated with some non-numeric characters, as such:

// This will succeed without permissions

This is due to WordPress casting the ID to an int. The permission check looks the post up with the raw value; because that value is not numeric, no post is found and the check lets the request through. The update itself then casts the same value to an integer, which strips the trailing characters, and edits the real post.
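Putting the two halves together, here is an added example (written for this post, not WordPress's code) that models the 4.7.0/4.7.1 permission check and update path described above and runs a Sniper-style fuzz of the `id` query parameter against it, then against a hardened version. `php_is_numeric` and `php_int_cast` approximate PHP's `is_numeric()` and `(int)` cast for the simple inputs used here; the posts, the session cookie, the capability table and the wordlist are constructed.

```python
"""Added example: Burp-Intruder-style 'sniper' fuzzing of one request
parameter, run against an in-process model of the WordPress 4.7.0/4.7.1
REST API post-update flaw (fixed in 4.7.2). Not WordPress code."""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample data: two posts and one logged-in user with no edit rights.
SAMPLE_POSTS = {1: "Hello world!", 2: "Sample page"}
SAMPLE_USERS = {"cookie-alice": {"edit": set()}}  # capabilities per session cookie


def php_is_numeric(value: str) -> bool:
    """Approximates PHP is_numeric(): the whole string must be a number."""
    return re.fullmatch(r"\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?", value) is not None


def php_int_cast(value: str) -> int:
    """Approximates PHP (int) on a string: leading integer digits, else 0."""
    match = re.match(r"\s*([+-]?\d+)", value)
    return int(match.group(1)) if match else 0


class PostsApi:
    """Model of PUT /wp/v2/posts/<id>. vulnerable=True reproduces the 4.7.1
    logic; vulnerable=False is a hardened version written for this example."""

    def __init__(self, vulnerable: bool):
        self.vulnerable = vulnerable
        self.posts = dict(SAMPLE_POSTS)  # fresh copy so runs do not interfere
        self.users = SAMPLE_USERS

    def get_post(self, raw_id: str):
        # Like WP_Post::get_instance(): a non-numeric id resolves to nothing.
        if not php_is_numeric(raw_id):
            return None
        return self.posts.get(php_int_cast(raw_id))

    def can_edit(self, cookie: str, post_id: int) -> bool:
        user = self.users.get(cookie)
        return user is not None and post_id in user["edit"]

    def update(self, route_id: str, query: Dict[str, str], body: Dict[str, str], cookie: str) -> Tuple[int, str]:
        """Returns (status, message) like a REST response."""
        if self.vulnerable:
            # Flaw 1: an 'id' sent as a query/body parameter overrides the route id.
            raw_id = query.get("id", route_id)
            # Flaw 2: the permission check only fires when get_post() finds a
            # post, and get_post() rejects '1abc' because it is not numeric...
            post = self.get_post(raw_id)
            if post is not None and not self.can_edit(cookie, php_int_cast(raw_id)):
                return 403, "rest_cannot_edit"
            # ...while the update casts '1abc' to 1 and edits post 1 anyway.
            post_id = php_int_cast(raw_id)
        else:
            # Hardened: ignore overrides, accept only a pure integer id, and
            # fail closed unless the caller can edit that specific post.
            if not re.fullmatch(r"\d+", route_id):
                return 404, "rest_post_invalid_id"
            post_id = int(route_id)
            if post_id not in self.posts:
                return 404, "rest_post_invalid_id"
            if not self.can_edit(cookie, post_id):
                return 403, "rest_cannot_edit"
        if post_id not in self.posts:
            return 404, "rest_post_invalid_id"
        self.posts[post_id] = body["content"]
        return 200, "updated"


def fuzz_query_param(send: Callable[[dict], Tuple[int, str]], template: dict,
                     name: str, wordlist: List[str]) -> List[Tuple[str, Tuple[int, str]]]:
    """Sniper mode: replay the request once per payload, replacing only
    query[name], and return the payloads whose response differs from the
    unmodified baseline (what Burp Intruder plus Comparer would surface)."""
    baseline = send(template)
    findings = []
    for payload in wordlist:
        request = {**template, "query": {**template["query"], name: payload}}
        response = send(request)
        if response != baseline:
            findings.append((payload, response))
    return findings


# Constructed wordlist: plain ints, zero, a negative, junk, and int-plus-junk.
WORDLIST = ["1", "2", "0", "-1", "abc", "1abc", "2abc"]


def run_fuzz(vulnerable: bool):
    """Fuzz the id parameter as a logged-in user with no edit rights."""
    api = PostsApi(vulnerable)
    template = {"route_id": "1", "query": {}, "body": {"content": "pwned"}, "cookie": "cookie-alice"}
    send = lambda r: api.update(r["route_id"], r["query"], r["body"], r["cookie"])
    return fuzz_query_param(send, template, "id", WORDLIST), api.posts


if __name__ == "__main__":
    for flag in (True, False):
        findings, posts = run_fuzz(flag)
        print("vulnerable" if flag else "hardened", findings, posts)
```

Against the vulnerable model the baseline is `403 rest_cannot_edit`, and the payloads `1abc` and `2abc` are the ones Comparer would flag: they come back `200 updated` and both posts now read "pwned". Against the hardened model every payload returns the baseline response, so the findings list is empty and the posts are untouched.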
