AlbusSec:- Penetration-List 12 API Vulnerabilities — Sample
Hi Information Security folk, I hope you liked my previous article on Cross-Origin Resource Sharing (CORS) misconfiguration. Today we'll learn about API vulnerabilities. In this article I'll teach you the basic stuff about APIs, not the deep stuff, because after completing the Penetration-List I'll start a series of articles on API penetration testing, and there I'll take you deep into API pentesting. Before we start, I'll introduce myself: I'm Aniket Tyagi, an Information Technology officer at the 5f eco foundation of India, an Information Security Researcher, and the founder of Albus Security. Without wasting our energy, let's get started.
Application Programming Interface (API)
Before we test any web application, Android app, API, etc., we should know how those things are built. That means having strong knowledge of the particular technology: how it is formed, how it works, and what its backend mechanism is. Once you know the backend process you really understand the functionality of that technology, and only then can you go looking for quality vulnerabilities. When humans interact with an application, it needs a graphical user interface: a screen with a menu and graphical elements that the user controls. An application, however, does not need a graphical user interface to communicate with other applications. Applications communicate with each other through machine-readable interfaces, and those are APIs (Application Programming Interfaces).
An Application Programming Interface (API) is a set of programming code that acts as the medium for transmitting data from one application to another. It also defines the terms of that data exchange. We can create an API for an operating system, database system, hardware system, JavaScript file, or similar object-oriented component. An API is similar to a GUI, but not a mirror copy of one: a GUI makes a program understandable for the user, while an API lets one piece of software communicate with another.
Let's take an example. You may be familiar with booking hotels online: you choose the best room, the dates, and other options, and to book the room you interact with that particular hotel's website. But what if you are not using the hotel's own website? How will you connect to it, and is there another medium that lets you do so? Most of the time you'll book hotels through an online hotel booking service such as hotels.com or trivago. The question that arises is how that service accesses the particular hotel's database to see its information. The answer is simple: the hotel booking server talks to that hotel's API. We know that the API is the medium that provides pieces of information from the hotel's database, so the booking service interacts with the hotel's API to get the information it needs to book rooms, dates, etc.
The types of API:-
Public API:- An API that is exposed over the web and can be easily accessed using the HTTP protocol. A public API is an open interface and can be used by a large number of clients.
Private API:- An API that is not exposed over the web; it is used internally by the specific company's tech team to improve its products and services. A private API is neither accessible over the web nor shared with third parties.
Partner API:- An API used by specific third parties (like a hotel-booking service) with whom the company has agreed to share data.
The types of API protocol:-
An API comes with a set of calls and conventions that help developers integrate it easily into their applications.
SOAP (Simple Object Access Protocol):- A SOAP API uses XML for its message format and receives requests over HTTP or SMTP. SOAP makes it easier for applications running in different environments to share information with each other.
REST (Representational State Transfer):- It makes use of HTTP to GET, POST, PUT or DELETE data. Strictly speaking, REST is not a protocol: a REST API follows a client-server architecture and must be stateless, meaning that no client data is stored on the server between requests. A REST API assigns every operation a unique URL, so when the server receives a request it sends back a response that fulfils that request.
Using an Application Programming Interface (API) adds another layer of attack surface, which makes the application vulnerable and gives malicious hackers who want access to data, or control of the application, an easy way in. Let's discuss some vulnerabilities. Because APIs are not a small topic, I'll make a separate series for API penetration testing; in this article we'll discuss some vulnerabilities, not all of them.
Broken Object-Level Authorization:-
BOLA is similar to IDOR, because it arises from improper access controls: the application does not check that the user performing a particular request has the privileges to access a resource belonging to another user. IDOR happens the same way; basically, IDOR and BOLA are the same thing. Let me make it simple with an example. Suppose you go shopping and buy a ball. The shopkeeper gives you a bill and assigns it bill id 1, without recording anything else such as the product or the money paid. Now you change the bill id from 1 to 2, go back to the shop and ask for a refund. The shopkeeper only looks at the bill id; once he confirms the bill he refunds whatever product is on it, and if that product is a car, it is a huge loss for the shopkeeper. That is BOLA in everyday terms. Now let's take an application example.
Suppose an API has the functionality to retrieve a user's chat logs based on their user ID:
https://api.albussecurity/v2/chatslog?id=1
The application does not perform any additional identity check on the request and simply returns the requested data, so an attacker can brute-force the userId and steal a huge amount of chat logs. This type of vulnerability arises when an application does not implement access control on the endpoint:
https://api.albussecurity/v2/chatslog?id=200
It is just like the shop example: the shopkeeper is the application that checks nothing, and whenever a user supplies an id it hands over the refund, or in this case the information.
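As an added example (not code from the original article), here is the chat-log lookup behind an endpoint like /v2/chatslog?id=... written first with the BOLA and then with an object-level authorization check; the in-memory store and user ids are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ChatLog:
    log_id: int
    owner_id: int  # user who owns this record
    content: str


# Constructed sample data standing in for the database behind the endpoint.
CHAT_LOGS = {
    1: ChatLog(1, owner_id=1, content="hello from user 1"),
    2: ChatLog(2, owner_id=2, content="private notes of user 2"),
    200: ChatLog(200, owner_id=7, content="support transcript of user 7"),
}


def get_chatlog_vulnerable(session_user_id: int, requested_id: int) -> Optional[ChatLog]:
    """BOLA: the id from the URL is trusted as-is.

    The authenticated caller (session_user_id) is never compared with the
    owner of the record, so any user can read any log by changing ?id=.
    """
    return CHAT_LOGS.get(requested_id)


def get_chatlog_fixed(session_user_id: int, requested_id: int) -> Optional[ChatLog]:
    """Object-level authorization: scope the lookup to the caller.

    session_user_id must come from the server-side session or token, never
    from a request parameter the client controls. A record that is missing
    and a record owned by someone else both yield None, so the response
    shape does not tell the caller which ids exist.
    """
    log = CHAT_LOGS.get(requested_id)
    if log is None or log.owner_id != session_user_id:
        return None
    return log
```

In a real service the same rule is usually pushed into the query itself, for example `WHERE id = ? AND owner_id = ?`, so that no code path can forget the ownership condition.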
Injection Vulnerabilities:-
Injection vulnerabilities occur whenever an application accepts input without filtering it and then processes the unfiltered value. This exposes the application to countless problems, because malicious input can make the server execute malicious actions. Injection attacks come in many forms, such as SQLi, SSTI, XXE and Command Injection. Injection vulnerabilities commonly affect APIs too, which is a plus point for attackers, because an API is an alternative path for feeding malicious values into vulnerable parameters. We'll take SQL injection as our example.
Suppose an API allows users to retrieve student details by sending this request:
https://api.albussecurity/v2/student?id=1
Whenever the API receives this request, it sends an SQL query to the database to retrieve the student's information:
SELECT * FROM Student WHERE id=1
Now suppose an attacker enters something malicious instead of only the id:
https://api.albussecurity.com/v2student?id=1'%dfsleep(30)--+
If the server is vulnerable to SQL injection it will wait 30 seconds before responding. The %df is there to bypass the backslash (\): sometimes the server adds a backslash in front of quotes to protect itself from injection vulnerabilities. That's the basics of SQL injection attacks. If you already know SQL injection you'll definitely understand this; otherwise you won't, so if you want to learn SQLi you must read SQLi write-ups. Note that user input to an API is not always in the URL, so also try injection via POST bodies, headers and cookies.
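As an added example (not code from the original article), here is the student lookup behind /v2/student?id=... built the vulnerable way, by pasting the id into the query text, next to the fixed version that validates the id and binds it as a parameter. The table and rows are constructed for the demonstration and use SQLite in memory.

```python
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample Student table standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Student (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO Student VALUES (?, ?)",
        [(1, "Asha"), (2, "Ravi"), (3, "Meera")],
    )
    return conn


def get_student_vulnerable(conn: sqlite3.Connection, raw_id: str) -> List[Tuple[int, str]]:
    """Injectable: the ?id= value becomes part of the SQL text.

    Anything the client appends after the number is parsed as SQL, which is
    exactly what the sleep(30) payload in the article relies on.
    """
    query = f"SELECT id, name FROM Student WHERE id={raw_id}"
    return conn.execute(query).fetchall()


def get_student_fixed(conn: sqlite3.Connection, raw_id: str) -> Optional[List[Tuple[int, str]]]:
    """Hardened lookup: validate the type, then bind the value.

    Returns None when the id is not a positive integer (the handler would
    answer 400 Bad Request). Otherwise the value travels to the database as
    a bound parameter, so it can only ever be compared with the id column,
    never interpreted as SQL.
    """
    try:
        student_id = int(raw_id)
    except ValueError:
        return None
    if student_id <= 0:
        return None
    return conn.execute(
        "SELECT id, name FROM Student WHERE id=?", (student_id,)
    ).fetchall()
```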
So that's it for today, but it's not all there is to API penetration testing. I've started the API-Penetration-Testing series, where you'll learn offensive and defensive approaches to API testing. The introduction is linked below; kindly visit it. Very soon I'll publish the "Penetration List" book, in which you'll get in-depth knowledge about vulnerabilities, because on Medium I upload topics only as samples, not the full sections. Thank you for reading.
You can download a sample of the book:-