This tutorial is for web developers and IoT engineers who would like to know more about API security.
- Overview of a past vulnerability
- An example pen test
- How to build a secure API
- Getting API endpoints
- Fuzzing parameters
- Video version
A past vulnerability
Nissan Leaf API
The vulnerability we will go over is the Nissan Leaf API, which did not authenticate the requests it received.
The API powered a mobile application for the car that let an owner check the battery level and turn the heating on. Because the server never verified who was asking, anyone who could reach the API could read the status of, and control, any Nissan Leaf connected to the service, anywhere in the world.
This kind of vulnerability is, unfortunately, not uncommon.
In many cases the endpoint is only "secured" by client-side code: the app decides whether to show a button, and the server trusts whatever the app sends.
We should always presume the user is malicious and can bypass any check that runs on their side; every authentication and authorisation decision has to be made again on the server.
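As an added example (not code from the article, and not Nissan's service), here is a toy vehicle-status endpoint written two ways: one that identifies the car solely by a client-supplied vehicle ID, so anyone who knows the ID controls the car, and one that derives the caller's identity from a server-side session token and checks ownership before acting. The vehicle IDs, session tokens and owners are constructed for the demo.

```python
# Added example, not code from the article or from the Nissan service.
# All vehicle IDs, session tokens and owners below are constructed.
import hmac

# Constructed vehicle table: which account owns which car.
VEHICLES = {
    "VIN-0001": {"owner": "alice", "battery_pct": 82, "heater_on": False},
    "VIN-0002": {"owner": "bob", "battery_pct": 40, "heater_on": False},
}

# Constructed session store: opaque token -> authenticated account.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def vulnerable_handle(action, vin):
    """Vulnerable: the only 'identity' is the client-supplied vehicle ID.
    Any caller who knows or guesses a VIN can read and control that car;
    whatever login the mobile app performed is never checked here."""
    car = VEHICLES.get(vin)
    if car is None:
        return {"error": "not found"}, 404
    if action == "heater_on":
        car["heater_on"] = True
    return {"battery_pct": car["battery_pct"], "heater_on": car["heater_on"]}, 200


def secure_handle(token, action, vin):
    """Hardened: identity comes from a server-side session, and the server
    checks that this identity owns the requested vehicle before doing anything."""
    user = SESSIONS.get(token)
    if user is None:
        return {"error": "unauthenticated"}, 401
    car = VEHICLES.get(vin)
    # One response for 'no such car' and 'not your car', so an attacker
    # cannot use the API to enumerate which VINs exist.
    if car is None or not hmac.compare_digest(car["owner"], user):
        return {"error": "forbidden"}, 403
    if action == "heater_on":
        car["heater_on"] = True
    return {"battery_pct": car["battery_pct"], "heater_on": car["heater_on"]}, 200
```

The point is where the decision is made: `vulnerable_handle` has no notion of who is calling, so no amount of client-side login in the app protects it, while `secure_handle` will not even reveal whether a VIN exists unless the session that presents it owns that car.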
The write-up can be found here.
Fuzzing is another technique: feeding the API unexpected data, for example numbers instead of strings, malformed dates, negative numbers and so on, and watching how it reacts.
The parameters we send are passed on to the database and sometimes to the surrounding environment, so a value the developers never anticipated can produce results they never tested for.
This can lead to remote code execution, or to reading or modifying data we should not be able to touch.
One example is WordPress 4.7.1, where an attacker could craft a malformed ID parameter in a REST API request and modify any post on the site.
How to build a secure API
I have set up WordPress 4.7.1 locally. We will use it to demonstrate how to go about a pen test using Burp Suite.
Burp Suite is an application for exploring web security: it sits between your browser and the site as a proxy, records every HTTP request, and lets you edit, repeat and decode requests quickly.
To follow along:
- Set up WordPress 4.7.1 locally
- Install Burp Suite
- Configure your browser to use Burp Suite as its proxy
We now browse the site normally so that Burp Suite can build an extensive site map.
We will presume the system is closed source and that we therefore have no access to the code.
We can use a standard wordlist of common API endpoint names to probe the web server for endpoints that are not linked from the pages we browsed.
We will also try to determine the site's tech stack, using fingerprinting tools such as nmap's service detection or a browser extension such as Wappalyzer alongside online services.
This is critical, because a backend written in PHP should be targeted differently from one written in Node.
If we know the API is in PHP, we can research the libraries it is likely using based on its parameters and functionality, and look for known exploits against them.
Even if an API is designed with security in mind, it is still built on libraries, calls other APIs and runs on a web server, possibly alongside other services on the same OS. There is plenty of attack surface.
No system is safe.
Fuzzing the API
Select an endpoint in the Burp Suite site map and send it to Intruder.
Burp offers several attack types; we will use Sniper, which changes a single parameter at a time, to keep things simple.
The endpoint we will fuzz in WordPress is the post edit page, which takes the post ID, an action, the post data, and the cookies that authenticate the request.
Here we fuzz the action, because an action that is missing a capability check may be reachable from a page that does not require privileges.
We will use this wordlist
We repeatedly send the same request with only the action parameter changed.
Afterwards we have a list of responses to compare, looking for differences in status code or response length that indicate an action was accepted.
The aim of pen-testing is to hit the use cases the developers did not test for or secure.
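The endpoint probing with a wordlist described earlier and the Intruder Sniper run above are the same loop: one payload position, one wordlist, one response per payload, then a look for the responses that differ from the crowd. As an added example (not code from the article, and not Burp's), here is that loop in Python. The marker character, the wordlist, the lab URL and the fake `post.php` responder are constructed for the demo; `http_send` is the real transport for use against an instance you own.

```python
# Added example: a minimal Sniper-style fuzzer in the spirit of Burp Intruder.
# Not code from the article or from Burp. Marker, wordlist, lab URL and the
# fake responder are constructed for the demo.
import urllib.error
import urllib.request
from collections import Counter

MARKER = "§"  # Burp-style payload position marker


def http_send(method, url, body=None, headers=None):
    """Real transport: returns (status, body bytes). Point it only at a lab
    instance you own; HTTP error statuses are returned rather than raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fuzz(url, wordlist, send, body=None, method="POST", headers=None):
    """Replace the single marker (in the URL or the form body) with each payload
    and record (status, response length) per payload."""
    if (url + (body or "")).count(MARKER) != 1:
        raise ValueError("exactly one marker is required, in the URL or the body")
    results = {}
    for payload in wordlist:
        fuzzed_url = url.replace(MARKER, payload)
        fuzzed_body = body.replace(MARKER, payload).encode() if body is not None else None
        status, data = send(method, fuzzed_url, fuzzed_body, headers)
        results[payload] = (status, len(data))
    return results


def outliers(results):
    """Payloads whose (status, length) signature differs from the most common
    one. The common bucket is usually 'rejected'; the rare ones are worth a
    manual look in Repeater."""
    baseline = Counter(results.values()).most_common(1)[0][0]
    return sorted(p for p, sig in results.items() if sig != baseline)


def fake_send(method, url, body, headers):
    """Constructed offline stand-in for wp-admin/post.php: two actions are
    accepted, one is forbidden, everything else is unknown."""
    params = dict(kv.split("=", 1) for kv in (body or b"").decode().split("&") if "=" in kv)
    action = params.get("action")
    if action in ("edit", "editpost"):
        return 200, b"<html>editing post</html>"
    if action == "trash":
        return 403, b"forbidden"
    return 400, b"<html>unknown action</html>"


WORDLIST = ["edit", "editpost", "trash", "delete", "publish", "foo"]  # constructed


def demo():
    """Fuzz the action parameter of a constructed post.php against the fake responder."""
    results = fuzz("http://lab.example/wp-admin/post.php", WORDLIST, fake_send,
                   body="post=1&action=" + MARKER)
    return results, outliers(results)


if __name__ == "__main__":
    res, odd = demo()
    for payload in odd:
        print(payload, res[payload])
```

Putting the marker in the URL instead of the body turns the same function into the endpoint-discovery probe from the earlier section. Payloads are substituted verbatim, so percent-encode entries that contain `&`, `=` or spaces before putting them in the wordlist, and add the authenticating cookies through `headers` when the endpoint needs them.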
Next we will look at a vulnerability that fuzzing could have discovered.
It is in the WordPress REST API https://developer.wordpress.org/rest-api/
The endpoint
wp-json/wp/v2/posts/1 // updating (POST) will fail without permissions
lets a user fetch or update the post with the given ID. Reading a published post needs no login; updating it should.
However, the handler accepts the ID twice: once in the path and once as a request parameter, and the parameter takes precedence over the path value.
/wp-json/wp/v2/posts/1?id=1 // This will fail without permissions
The exploit comes from appending non-digit characters to the parameter ID, like this:
/wp-json/wp/v2/posts/1?id=1a // This will succeed without permissions
This is because the permission check looks the post up with the raw value "1a", finds nothing, and therefore has no post to check ownership of, while the update itself casts the ID to an int, so "1a" becomes 1 and post 1 is overwritten. The fix, shipped in WordPress 4.7.2, validates the ID as numeric and uses the same resolved post for both the permission check and the update.
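As an added example, not the WordPress source, here is a small Python model of the two code paths involved. The PHP `(int)` cast is emulated by a helper, and the post table and user roles are constructed for the demo. It shows why the raw value slips past the permission check while the cast value reaches the update, and one way to close the gap.

```python
# Added example: a model of the WordPress 4.7.0/4.7.1 REST API bug, not the
# WordPress source. Post table, roles and the PHP (int) emulation are ours.
import re

POSTS = {1: {"id": 1, "title": "Hello world", "author": "admin"}}  # constructed
CAN_EDIT = {"admin": {1}, "anonymous": set()}                       # constructed roles


def php_int(value):
    """Emulate PHP's (int) cast on a string: leading digits count, the rest is
    dropped, and a string with no leading digits becomes 0. (int)"1a" == 1."""
    match = re.match(r"\s*[+-]?\d+", str(value))
    return int(match.group()) if match else 0


def get_post(post_id):
    """Like WP_Post::get_instance(): a non-numeric id finds no post at all."""
    text = str(post_id)
    return POSTS.get(int(text)) if text.isdigit() else None


def check_update_permission(user, post):
    return post["id"] in CAN_EDIT.get(user, set())


def vulnerable_update(user, request_id, new_title):
    """4.7.1-style flow: the permission check uses the raw parameter, the update
    uses (int) of it, so the two can refer to different things."""
    post = get_post(request_id)                 # "1a" -> None, check is skipped
    if post and not check_update_permission(user, post):
        return 403
    target = POSTS.get(php_int(request_id))     # "1a" -> 1, post 1 is written
    if target is None:
        return 404
    target["title"] = new_title
    return 200


def fixed_update(user, request_id, new_title):
    """Hardened: validate once, resolve one post, run every check against it."""
    if not re.fullmatch(r"\d+", str(request_id)):
        return 400                                # reject "1a" outright
    post = get_post(int(request_id))
    if post is None:
        return 404
    if not check_update_permission(user, post):
        return 403
    post["title"] = new_title
    return 200
```

The general lesson is broader than this one bug: whenever a request value is interpreted twice (validated in one form, used in another), the two interpretations can disagree, and an attacker will search for the input that makes them disagree. Canonicalise once, then pass the canonical object to every subsequent check and action.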