This tutorial is for web or IoT developers who would like to know more about API security.
- Overview of a past vulnerability
- An example pen test
- How to build a secure API
- Getting API endpoints
- Fuzzing params
A Past vulnerability
Nissan leaf API
The vulnerability we will go over is in the Nissan Leaf API, which did not check the authentication of the request.
The API powered a mobile application for the car that let a user check the heating, turn on the heater and check the battery. Because the request was not authenticated, an attacker could access the controls of any Nissan Leaf connected to the system, anywhere in the world.
This kind of vulnerability, unfortunately, is not uncommon.
We should always presume the user is malicious and can bypass any security we set on their side (the client).
The write-up can be found here.
Fuzzing is another type of attack: giving the API unexpected data, for example numbers instead of strings, malformed dates, negative numbers and more.
This is called fuzzing because these params are fed into the API and can cause unexpected results.
The params we send interact with the system's database and even its environment.
This can lead to remote code execution, or to accessing or modifying data we should not be able to.
One example is WordPress 4.0.1, where an attacker could craft a malformed ID param in an API request to modify any post on the website.
How to build a secure API
I have set up WordPress 4.0.1 locally; we will use this to demonstrate how to go about a pen test using Burp Suite.
Burp Suite is an application used to explore web security by recording API requests and letting users edit, repeat and decode those requests quickly.
To follow along:
- Set up WordPress 4.7.1
- Install Burp Suite
- Add a proxy to your browser that routes through Burp Suite
We will now use the website normally to allow Burp Suite to build an extensive sitemap.
We will presume the system is not open source and therefore we do not have access to the source code.
We can use a wordlist of common API endpoints to probe the web server for endpoints that may be hidden behind authentication or other functionality.
We will also try to determine the tech stack of the website using netstat and other online tools.
This is critical, as a backend written in PHP should be targeted differently to one written in Node.
An example: if we know the API is written in PHP, we can research the common libraries the API is likely using, based on its params and functionality, and leverage the known exploits for those.
Even if an API is written with security in mind, it is still built on libraries, uses other APIs and runs on a web server that is potentially running alongside other services on an OS. There is plenty of attack surface.
No system is safe
Fuzzing the API
Select an endpoint in the Burp Suite sitemap and send it to the Intruder.
In the Intruder we can choose from the many options Burp Suite gives us; to keep it simple we will use Sniper and change only one param.
An endpoint we will fuzz in WordPress is the edit page, which takes the ID, action, data and the cookies authenticating the request.
Here we will fuzz the action, as the API may have an obscure action we can perform on a page that does not require privileges or does not check them.
We will use this wordlist
We repeatedly send the same request with only the action param changed.
After this we have a list of responses that we can send to the Comparer, to analyse further and check for any differences that may indicate accepted actions.
This process of trying to hit use cases the system developers did not test for or secure is the aim of pen testing as a whole.
With the next vulnerability, we will look at how fuzzing could have discovered the exploit.
It is in the WordPress REST API: https://developer.wordpress.org/rest-api/
The endpoint
wp-json/wp/v2/posts/1 // This will fail without permissions
is a function that allows a user to get or update the post with the given ID.
However, the function takes two IDs: the ID in the path, but also an ID as a parameter:
/wp-json/wp/v2/posts/1?id=1 // This will fail without permissions
The exploit comes from sending the parameter ID concatenated with some extra characters, as such:
/wp-json/wp/v2/posts/1?id=1a // This will succeed without permissions
This is due to WordPress casting the ID to an int.
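The following is an added, simplified model of the flaw described above and of one way to build the endpoint securely. It is not WordPress's own code: it assumes (as the tutorial implies) that the query-string id overrides the path id, that the permission check treats a non-numeric id as "no post found" and lets the request through, and that the update step then applies a PHP-style (int) cast so "1a" becomes 1. The hardened handler validates the id once, uses that single canonical value for both the check and the write, and fails closed.

```python
import re
from typing import Optional

def sample_posts():
    # Constructed sample data: post 1 belongs to "alice".
    return {1: {"author": "alice", "title": "Hello world"}}

def php_int_cast(value: str) -> int:
    # Emulates PHP's (int) cast on a string: leading digits count, the rest is ignored.
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0

def strict_lookup(posts, raw_id: str):
    # Strict lookup: a non-numeric id is treated as "no such post".
    if not raw_id.isdigit():
        return None
    return posts.get(int(raw_id))

def vulnerable_update(posts, path_id: str, query: dict, user: Optional[str], title: str) -> int:
    # Query-string "id" overrides the id taken from the path.
    raw_id = query.get("id", path_id)
    # Permission check only refuses when a post WAS found and the user may not edit it.
    post = strict_lookup(posts, raw_id)
    if post is not None and post["author"] != user:
        return 403
    # The write uses a lenient cast, so "1a" silently becomes post 1.
    pid = php_int_cast(raw_id)
    if pid not in posts:
        return 404
    posts[pid]["title"] = title
    return 200

def hardened_update(posts, path_id: str, query: dict, user: Optional[str], title: str) -> int:
    # Validate and canonicalise the identifier once, before any check or write.
    raw_id = query.get("id", path_id)
    if not re.fullmatch(r"\d+", raw_id):
        return 400          # reject anything that is not a plain integer
    pid = int(raw_id)
    post = posts.get(pid)
    if post is None:
        return 404          # fail closed: nothing to edit
    if post["author"] != user:
        return 403          # same pid is used for the authorisation decision
    post["title"] = title   # and for the write
    return 200
```

Fuzzing the id with values such as "1a" against the hardened handler yields a uniform 400, which is exactly the kind of response difference the Comparer step is meant to surface.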