Pen Testing an API


Written by adam

Founder of Cryt

May 4, 2020

This tutorial is for web or IoT developers who would like to know more about API security.

Content Overview

  • Overview of past vulnerabilities
  • An example pen test
  • How to build a secure API
  • Getting API endpoints
  • Fuzzing params
  • Subdomains
  • Postman
  • Burp Suite

A past vulnerability

Nissan Leaf API

The first vulnerability we will go over is in the Nissan Leaf API, which did not check the authentication of requests.

The API powered a mobile application for your car that let a user check the heating, turn on the heater and check the battery. The same API allowed a hacker to access the controls of any Nissan Leaf connected to the system, anywhere in the world.

This vulnerability, unfortunately, is not that uncommon.

As in many cases, the endpoint was only secured by client-side code, for example JavaScript on a web page, but the check was never repeated on the server side.

We should always presume the user is malicious and can bypass any security we enforce on their side.

The full write-up can be found here:

https://www.troyhunt.com/controlling-vehicle-features-of-nissan
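The Leaf case comes down to one rule: the server must decide who may query which vehicle from state it holds itself, never from a flag or identifier the client chooses. The following is an added example, not code from the original post or from any vendor's app; the handlers, session table and VINs are hypothetical, and a weak handler in the shape the post describes sits beside a hardened one.

```javascript
// Added example, not code from the original post or from Nissan's app. Names are hypothetical.
// Lesson of the Leaf case: the server decides who may query which vehicle from state it
// holds itself, never from a flag or identifier the client chooses.

// Constructed server-side state: sessions issued at login, and which user owns which vehicle.
const SESSIONS = new Map([["sess-alice", { user: "alice" }]]);
const VEHICLE_OWNERS = new Map([["VIN-001", "alice"], ["VIN-002", "bob"]]);

// Weak handler in the shape the post describes: any request that names a vehicle is served,
// because the only "check" lived in the mobile app's client-side code.
function weakClimateStatus(req) {
  return { status: 200, body: { vin: req.query.vin, climate: "off" } };
}

// Hardened handler: authenticate from a server-issued session token, then authorise by
// looking the vehicle up in the server's own ownership table. The client may name a VIN,
// but it is only honoured if that VIN is bound to the authenticated user.
function secureClimateStatus(req) {
  const header = req.headers.authorization || "";
  const token = header.replace(/^Bearer\s+/i, "");
  const session = token ? SESSIONS.get(token) : undefined;
  if (!session) return { status: 401, body: { error: "not authenticated" } };

  const vin = req.query.vin;
  const owner = VEHICLE_OWNERS.get(vin);
  // Same 404 for "no such vehicle" and "not your vehicle": do not confirm which VINs exist.
  if (owner === undefined || owner !== session.user) {
    return { status: 404, body: { error: "not found" } };
  }
  return { status: 200, body: { vin, climate: "off" } };
}

module.exports = { weakClimateStatus, secureClimateStatus };
```

Note that the hardened handler never consults anything the client could set to claim ownership; the only client input it uses is the VIN, and that is validated against the server's own table. Returning the same 404 for an unknown VIN and for someone else's VIN also stops the endpoint from being used to enumerate which vehicles exist.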

WordPress 4.0.1

Another type of attack is fuzzing: giving the API unexpected data, for example numbers instead of strings, malformed dates, negative numbers and more.

It is called fuzzing because these parameters are fed into the API and can cause unexpected results.

The parameters we send interact with the system's database and even its environment.

This can lead to remote code execution, or to accessing or modifying data we should not be able to.

One example is WordPress 4.0.1, where a hacker could craft a malformed ID parameter in an API request to modify any post on the website.

How to build a secure API

I have set up WordPress 4.0.1 locally; we will use it to demonstrate how to go about a pen test using Burp Suite.

Burp Suite is an application used to explore web security: it records API requests and lets the user edit, repeat and decode them quickly.

To follow along:

  • Set up WordPress 4.7.1
  • Install Burp Suite
  • Configure your browser to use Burp Suite as its proxy

Reconnaissance

We will now use the website normally to allow Burp Suite to build an extensive sitemap.

We will presume the system is not open source and therefore we do not have access to the source code.

We can use a wordlist of common API endpoints to probe the web server for endpoints that may be hidden behind authentication or other functionality.

https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d

We will also try to determine the tech stack of the website using netstat and other online tools.

This is critical, as a backend written in PHP should be targeted differently from one written in Node.

For example, if we know the API is written in PHP we can research the common libraries the API is likely using, based on its parameters and functionality, and leverage known exploits in those libraries.

Even if an API is written with security in mind, it is still built on libraries, uses other APIs and runs on a web server that is potentially running alongside other services on an OS. There is plenty of attack surface.

No system is safe

Fuzzing the API

Select an endpoint in the Burp Suite sitemap and send it to Intruder.

In Intruder we can choose from the many attack types Burp Suite offers; to keep it simple we will use Sniper and change only one parameter.

The endpoint we will fuzz in WordPress is the edit page, which takes the ID, action, data and the cookies authenticating the request.

Here we will fuzz the action, as the API may have an obscure action we can perform on a page that does not require privileges or does not check them.

We will use this wordlist:

https://github.com/chrislockard/api_wordlist/blob/master/actions.txt

We repeatedly send the same request with only the action parameter changed.

After this we have a list of responses that we can send to Comparer to analyse further, checking for any differences that may indicate actions that are accepted.

This process of trying to hit use cases the system developers did not test for or secure is the aim of pen testing as a whole.
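Seen from the server side, the Sniper run just described leaves a distinctive trace in the access log: one client, one path, many distinct values for the same query parameter within a short window, usually with a run of 403s and the odd 200 among them, which is exactly the difference Comparer would surface. The following is an added example, not code from the original post or from Burp Suite; the log lines are constructed, and the window and threshold are assumptions.

```javascript
// Added example, not from the original post. Detects one-parameter fuzzing (a Sniper-style
// run) in combined-format access logs. Log lines are constructed; window and threshold are
// assumptions a defender would tune to their own traffic.

const LOG_LINES = [
  '10.0.0.5 - - [04/May/2020:10:00:01 +0000] "POST /wp-admin/post.php?post=12&action=edit HTTP/1.1" 200 5120',
  '10.0.0.5 - - [04/May/2020:10:00:02 +0000] "POST /wp-admin/post.php?post=12&action=trash HTTP/1.1" 403 310',
  '10.0.0.5 - - [04/May/2020:10:00:03 +0000] "POST /wp-admin/post.php?post=12&action=untrash HTTP/1.1" 403 310',
  '10.0.0.5 - - [04/May/2020:10:00:04 +0000] "POST /wp-admin/post.php?post=12&action=delete HTTP/1.1" 403 310',
  '10.0.0.5 - - [04/May/2020:10:00:05 +0000] "POST /wp-admin/post.php?post=12&action=publish HTTP/1.1" 403 310',
  '10.0.0.5 - - [04/May/2020:10:00:06 +0000] "POST /wp-admin/post.php?post=12&action=preview HTTP/1.1" 200 4870',
  '10.0.0.9 - - [04/May/2020:10:00:07 +0000] "GET /wp-admin/post.php?post=7&action=edit HTTP/1.1" 200 5100',
  '10.0.0.9 - - [04/May/2020:10:03:07 +0000] "POST /wp-admin/post.php?post=7&action=edit HTTP/1.1" 302 0',
];

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "04/May/2020:10:00:01 +0000" -> epoch milliseconds (UTC), or null if malformed.
function parseClfTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-]\d{4})$/.exec(s);
  if (!m || !(m[2] in MONTHS)) return null;
  const [, d, mon, y, hh, mm, ss, tz] = m;
  const sign = tz[0] === "-" ? -1 : 1;
  const offsetMin = sign * (parseInt(tz.slice(1, 3), 10) * 60 + parseInt(tz.slice(3), 10));
  return Date.UTC(+y, MONTHS[mon], +d, +hh, +mm, +ss) - offsetMin * 60000;
}

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;

// One access-log line -> { ip, ts, method, path, params, status }, or null if it does not parse.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const url = new URL(m[4], "http://placeholder.invalid"); // base only makes relative parsing legal
  return { ip: m[1], ts: parseClfTime(m[2]), method: m[3], path: url.pathname, params: url.searchParams, status: Number(m[5]) };
}

// Flag every (client, path) pair that sends at least minDistinct different values of `param`
// within windowMs. The status breakdown is included because a lone 200 among 403s is the
// signal a tester's Comparer would pick out, and the one a defender should look at first.
function detectParamFuzzing(lines, { param, windowMs, minDistinct }) {
  const groups = new Map(); // "ip path" -> entries carrying the parameter
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.ts === null || !e.params.has(param)) continue;
    const key = `${e.ip} ${e.path}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push({ ts: e.ts, value: e.params.get(param), status: e.status });
  }
  const findings = [];
  for (const [key, entries] of groups) {
    entries.sort((a, b) => a.ts - b.ts);
    for (let i = 0; i < entries.length; i++) {
      const start = entries[i].ts;
      const inWindow = entries.filter((x) => x.ts >= start && x.ts - start <= windowMs);
      const values = new Set(inWindow.map((x) => x.value));
      if (values.size < minDistinct) continue;
      const statuses = {};
      for (const x of inWindow) statuses[x.status] = (statuses[x.status] || 0) + 1;
      const [ip, path] = key.split(" ");
      findings.push({ ip, path, param, distinctValues: values.size, firstSeen: new Date(start).toISOString(), statuses });
      break; // one finding per client/path is enough to raise an alert
    }
  }
  return findings;
}

module.exports = { LOG_LINES, parseClfTime, parseLine, detectParamFuzzing };
```

Running `detectParamFuzzing(LOG_LINES, { param: "action", windowMs: 60000, minDistinct: 5 })` flags 10.0.0.5 only: six distinct `action` values in six seconds, four of them rejected with 403 and two accepted. The legitimate editor at 10.0.0.9 reuses a single value and is left alone. The same grouping generalises to any parameter name, so the function can be run once per parameter that carries authorisation meaning.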

With the next vulnerability, we will look at how fuzzing could have discovered the exploit.

It is in the WordPress REST API: https://developer.wordpress.org/rest-api/

The endpoint

 /wp-json/wp/v2/posts/1
// This will fail without permissions

is a function that allows a user to get or update the post with the given ID.

However, the function takes two IDs: the ID in the path, but also an ID as a parameter:

 /wp-json/wp/v2/posts/1?id=1
// This will fail without permissions

The exploit comes from passing the parameter ID concatenated with some extra characters, like so:

 /wp-json/wp/v2/posts/1?id=1a
// This will succeed without permissions

This is due to WordPress casting the ID to an int.
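The general lesson is that an identifier must be parsed strictly and then used, unchanged, for both the permission check and the action. Lenient casting breaks that: Node's `parseInt("1a")` returns 1, just as a PHP int cast does. The following is an added example, not code from WordPress or from the original post; it models one way the post's explanation can play out (a permission check that finds no post for "1a" and lets the request through, followed by an update that casts "1a" to 1) and places the strict handler beside it. The post store, sessions and request shape are hypothetical, and the exact WordPress code path is not reproduced here.

```javascript
// Added example, not code from WordPress or the original post. Models the post's explanation:
// the permission check and the update resolve the ID differently, and lenient casting lets
// "1a" select post 1. Data, sessions and request shapes are constructed.

const POSTS = new Map([[1, { author: "editor", title: "Hello" }]]);
const SESSIONS = new Map([["sess-guest", "guest"], ["sess-editor", "editor"]]);

// Lenient, cast-style conversion: "1a" -> 1, as PHP's (int) cast would do.
function lenientId(raw) {
  return parseInt(raw, 10);
}

// Strict: accept only a canonical positive decimal integer string, nothing else.
function strictId(raw) {
  if (typeof raw !== "string" || !/^[1-9]\d*$/.test(raw)) return null;
  const n = Number(raw);
  return Number.isSafeInteger(n) ? n : null;
}

// Weak handler (the pattern being illustrated, not WordPress's code): a query-string id
// overrides the path id; the permission check resolves it strictly and, finding no post
// for "1a", treats the request as harmless; the update then casts "1a" to 1.
function weakUpdate(req) {
  const user = SESSIONS.get(req.session);
  const raw = req.query.id !== undefined ? req.query.id : req.params.id;
  const checked = POSTS.get(Number(raw)); // Number("1a") is NaN -> no post -> fail open
  if (checked && checked.author !== user) return { status: 403 };
  const target = POSTS.get(lenientId(raw)); // parseInt("1a") is 1 -> post 1
  if (!target) return { status: 404 };
  target.title = req.body.title;
  return { status: 200, id: lenientId(raw) };
}

// Hardened handler: one identifier source, parsed strictly, denied when unresolvable, and
// the very same value is used for the ownership check and the write.
function secureUpdate(req) {
  const user = SESSIONS.get(req.session);
  if (!user) return { status: 401 };
  const id = strictId(req.params.id);
  if (id === null) return { status: 400 };
  // A duplicate id in the query string must agree exactly or the request is rejected.
  if (req.query.id !== undefined && strictId(req.query.id) !== id) return { status: 400 };
  const post = POSTS.get(id);
  if (!post) return { status: 404 }; // fail closed: an unknown target is never "allowed"
  if (post.author !== user) return { status: 403 };
  post.title = req.body.title; // same id that passed the check
  return { status: 200, id };
}

module.exports = { POSTS, lenientId, strictId, weakUpdate, secureUpdate };
```

With a guest session and `?id=1a`, `weakUpdate` returns 200 and rewrites post 1, while `secureUpdate` returns 400 before touching any data. The same strict parser works for any path or query identifier, not only post IDs; the rule it enforces is that an identifier which does not parse exactly is rejected rather than coerced.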
