
Intro to API Hacking

BSides Dallas/Fort Worth · 2022 · 47:04 · 262 views · Published 2022-11 · Watch on YouTube
Speaker: Jamy Casteel
Category: Technical · Difficulty: Intro · Team: Red · Style: Talk
About this talk
An introductory primer on API security covering HTTP fundamentals, common vulnerabilities, and practical testing approaches. The talk walks through the OWASP API Top 10 list, discusses real-world testing scenarios including rate limiting and information disclosure risks, and recommends tools and resources for learning API hacking.
Original YouTube description

BSidesDFW 2022 Track 1 Session 3 - 05 Nov 2022
Intro to API Hacking
APIs are everywhere, and they are a huge part of how the web functions today. This talk will provide a basic primer on APIs, common vulnerabilities, and resources to help you get started with hacking APIs.
@JamyCasteel
Jamy Casteel is a Senior Security Consultant at Kroll. He leverages more than 18 years of experience in IT and Information Security. He is 9x GIAC certified and holds the CISSP, OSCP, eCPPT, among other certifications.
https://www.linkedin.com/in/jamy-casteel/

Transcript [en]

We do a lot of web app pen tests, API pen tests, also do red team assessments, things like that, kind of the full range of things, right. Recently got my master's degree in information security engineering from SANS, so if anybody has any questions about that MSISE program, feel free to ask. Also got some certifications, if you care about that stuff; if you don't, just pretend like I'm a cool kid. Okay, so here's the kind of table of contents, what we're going to be talking about today. So whenever we talk about APIs there's a couple things that go into that too, right, so we're going to talk about the basics of HTTP and then also some basics of APIs, so we kind of understand how attacks work, right. So just understanding the attacks is nice, but understanding how things work, you know, on a fundamental level is really going to help you understand how to hopefully prevent or at least maybe even perform some of these attacks. So we'll also talk about tools you need for this, and then we'll go through the 2019 OWASP API Top 10 list, and then we'll lastly talk about some learning resources.

So starting with the basics: who's familiar with HTTP? Who's used HTTP today? Good, good, that's good. This is an HTTP request. Does this terrify anybody? Just me? A couple more? Okay, that's fine, right. So this is what, it's kind of hard to see maybe from a distance. I do have these slides up on my LinkedIn and Twitter for a couple days, so act now, you know, if you want to get them. But this is what an HTTP request looks like. Whenever we look at it, a couple things: that highlighted area there is the HTTP method. You're normally going to see GET the majority of the time, because you're receiving data; also PUTs, POSTs, HEAD, which is kind of like just the header, the HTTP headers themselves, not actual data; PATCH, OPTIONS, all kinds of other goodies, right. So it's kind of what goes into that. Another section here is the Host header, which is going to need to be there on anything I think above HTTP/1.1 and higher. And then cookies. Anybody like cookies? Me too, delicious, right, even the digital kind. So we'll talk a little bit more about why cookies matter, you know, and how things kind of play into that aspect, but that's kind of an HTTP request.

So hopefully if you throw a request, you know, and something's actively listening, you'll get a response back. So this is what a response looks like. Less terrifying, yes? A couple things to look at here. It's going to reiterate, kind of like before, this underlined area, you know, what protocol you're running, so this is HTTP/1.1. This is a 200 status, which is OK, right; it may not say OK, but if you get a 200 status that's good. There are some other response codes. 100 response codes are like informational, you know, they may tell you info about kind of the response. 200s are good. 300s are usually like redirects, not necessarily a bad thing, right, but say you go to a page and you need to log in, it may give you a 301 or a 302 to a, you know, login portal or redirect page. So 400s, not really that great, client-side issues; they say client-side, sometimes like, you know, you're not authorized to see content, right, or something like that: 401s, 403s, 404s, file not found, stuff like that. Then 500s, those are fun. We'll actually run into a 500 response later whenever we're talking about an attack, just to kind of show what that may look like in the wild.

So another thing too, sometimes the server will respond with actual valuable information, you know, potentially what process is running or what the application's running. Sometimes this is fake. I've actually run into one for fun that said it was running on a Commodore 64, which I don't believe, and really at that point as an attacker I'm like, these people probably aren't messing around defensively, right, like I'm probably in a hornet's nest. So another thing too is sometimes if you do like the OPTIONS header, you know, whenever you send things like the OPTIONS verb or method, you'll come back with like allowed methods, right, so the server will tell you hey, you can use a GET, HEAD or OPTIONS. This one was kind of interesting, this actually came back on just a GET request, so I wasn't necessarily asking, but the server is like hey, by the way, here's what we take. So that's kind of looking at HTTP requests and responses, right.

So whenever we start talking about APIs, there's a lot of different types of API architectures out there. RESTful and GraphQL are some of the most common ones we run into whenever we're doing testing. So RESTful APIs sometimes are kind of hard to find if you're trying to discover these on your own because they have many different endpoints, right. You may have one for authentication, you could have one for like a user dashboard, like maybe a forum page, you know, posts, kind of items like that. GraphQL, kind of easier to find, it's just one endpoint, so there's a lot of different kind of queries that can go into that. Most of the time it's found at the URI just /graphql, which is nice, right, you can find them there. Then you can do like introspection queries or other things to find out what actually works against the API. Some of the older ones we see sometimes, like we had recently a test come up for a SOAP API, and I'm like okay, it's been a while. Has anyone ever heard of SOAP before? Oh, that's good. Conferences, it's good to use soap before you come. I'm sorry, you had to use soap before you come in, right. So other kind of less common ones, some RPC ones, I don't really see these too often nowadays.

So whenever we talk about APIs we want to talk about authentication to APIs. So authentication is the process of verifying an identity, right. Has nothing to do with what you can do with that identity, right, it's just saying who you are, it's like proving who you are, right. So authentication, when we talk about that, is not authorization. Not the same.

So, different kinds of authentication. You can see at the bottom left there, you can see like basic auth, and it may be kind of hard to see, but you'll see at this Authorization section here it's got some crazy base64-looking text. Basic authentication, all it is is, you know, the username colon password, base64 encoded. So you can kind of see that down here if you echo that back into base64 to decode it. This one's a really good username and password, it's just "username" and "password," right. So that's kind of an example of what it looks like if you see that. So if you actually are able to maybe proxy traffic from, you know, a client into yours and you see basic authentication, you may have some credentials to use. Another place authentication is sometimes placed is inside a cookie value, which we talked about earlier, cookies are delicious. But here's one: they don't always have to say, you know, API token; sometimes they can say just weird things, because sometimes developers think they're funny maybe, or they saw something on Google, right, so they paste it in the code, but that's a spot it can go. Sometimes it can also be a custom header on the requests, so anytime you see any X- header, especially if it says API somewhere, good to look at. And then JWTs, JSON Web Tokens, see a lot of these, right, so that's kind of what they look like. Sometimes they're Bearer tokens, sometimes they're not. We won't really talk a lot about that since this is an intro class and, you know, there's not a ton of time.

So we're gonna look at some requests. The request at the top left, you can see it's kind of like to a longer URI, it's like /identity/api/v2/user/dashboard. It's kind of a giveaway that it may be a RESTful API endpoint, you know. And the one at the bottom here, anybody want to guess what that one is, if you can see it? GraphQL, right. It's kind of nice, you can see all this craziness down here, these are kind of queries or mutations that you can run against that. But those are kind of what they look like in the wild, right, so if you're using like an intercepting proxy, which we'll talk about in a moment, you can see that. Are you trying to decipher my headers? Don't hack my IPs, okay, these are my IPs, these 192.168., don't hack them, okay. I trust you. It was on your network.

So we're gonna talk about some tools that we use to kind of get into this, right. So the first thing you need, probably a good way to look at this, is browsers, you know, you can use Firefox, Edge or even Chrome, especially now that they're Chromium, you know. But another thing is an intercepting proxy. Burp Suite. Anybody know what the logo is at the bottom? Yeah, there you go. You know what that stands for? Good, I forgot. So, Zed Attack Proxy, no, just kidding. So now it's good, it's good stuff. And then the last tool we're gonna talk about today is Postman. Anybody used Postman before? I think it's got a cool logo, so I downloaded it and checked it out. But now, ZAP: so all these screenshots I'm showing you are going to be in Burp Suite, that's what I have, it's what we run, we have enterprise licensing so it makes sense, but ZAP is a great tool to use, so definitely something to use.

So whenever we talk about browsers, you know, a helpful browser extension, I just wanted to throw this one out here, probably everyone's heard of it if you do web application testing or maybe API testing, is just FoxyProxy, right. This thing makes managing proxy connections a lot easier. You can just simply go down and select one; the area on the left side shows you one that's been created, right, so you can send requests to Burp or through Postman, whatever you want to set up. I even color code them. Something I like to do too is, sometimes you'll test like an API or maybe even a site that has like multiple authentications, right, like you've got a user and an admin level. Let me set up different browser profiles to point to different ports, kind of helps out. The part on the right just shows you kind of what a new one looks like, right. So we're going to call this one Burp, it's going to be running on port 8080 on another IP I don't want you to hack, it's my home network, right, so 127.0.0.1, pointing back to myself, right.

So whenever you set up a kind of like a proxy, right, the whole point of that is to intercept that traffic or to be able to look at this traffic. So this is what it'll look like when you first turn it on. I'm going to tell you it's not as condensed as this normally; I had to like try to fit everything in a screenshot, so it looks atrocious, probably worse than it would in a real environment, not outside of like, you know, 20 by 20 pixels almost, right. But this is kind of what it looks like. This highlighted, oh actually it's not on this one. This is what it looks like whenever you send a request, right. By default it's going to intercept on the requests, and then you can manipulate that if you need to, or send that on, or just turn off interception entirely, you know, and it'll kind of run through and show up in the HTTP history, and that's what we're talking about now, right. So as you use, you know, the browser, whatever you're using to interact with these objects, items will show up in your proxy history. Again, this is kind of like a condensed view. You can see the number, there's like 1067 kind of requests in there. It's not always that small, right, you don't want to make it that small, but it's hard to kind of show how this looks for someone that hasn't seen Burp Suite before. So some of the cool features with Burp Suite, and there are comparable

features in ZAP; like I said, I'm just going through Burp, this is what we use. Repeater. I use it mainly for manual payload testing, if I want to test this one thing, right, or maybe I have a couple things I want to do, I'll manually manipulate those and run through. And how you get to that is in this back screen here, I would just right click on one of these requests and then send to Repeater or send to Intruder. But so Repeater I use for, you know, kind of standard one-off, you know, manual testing. If I want to do like maybe test against a whole list of items, especially for like injection testing, I'll use Intruder for that: find the location I want, specify which, this one automatically grabs this cookie, and then we kind of go from there.

I did want to point out some helpful kind of Extender functionality, so Burp Suite Extender is kind of like an extension suite. I'm gonna get a drink real quick, sorry. I normally sit in an office by myself all day, so it's hard to, I talk to myself, but not normally this much, right, so I get a little dry. So whenever we're looking at Burp Suite Extender functionality, some helpful Burp extensions here. One I really like is Autorize. This helps automate authorization testing, right, so you can send requests with like API headers or cookie values for certain user accounts, and then you can kind of set it against like another credential, right, and kind of as you're running through the application it'll automatically check against that, you know. So you may have one set of credentials that's for admin functionality and one that's for just basic user functionality, and if you set it against the other it's kind of nice to see what, you know, you should or should not see. So it's very helpful for searching for IDORs or BOLAs; we'll talk about those here in a moment. Those are not diseases, by the way, those are acronyms.

Another helpful one is InQL, it's a GraphQL scanner. Really helpful for like finding queries, mutations and subscriptions; it automatically does like introspection queries to see what the server will accept, and so that's helpful for me. Another one too is JSON Web Tokens, and it automatically will flag JWTs that are found in requests or responses, and it also has a JWT editor; you can check with signatures, because sometimes there may be authorization or authentication issues there, which we won't really go into here just due to time, but something to keep in mind.

So who's used Postman before? Nice, good, good. So this is kind of, you know, whenever you open up Postman, there's different things you can create, you know, you can create just HTTP requests, you know, basic HTTP requests. Like if you've got the structure you can kind of post them in there. You can also kind of proxy stuff through this to it, for it to pull requests for you, which is nice. The thing I use a lot is the environment variables and collections, which we'll talk about. Environment variables are nice because they work across your whole collection that you have set up, right. So a collection is really all your requests for one thing, so if I'm looking to test a website or test an API, I'm going to have it set up for a whole collection, I'll have everything in there. If something changes, because sometimes if we do tests we may not test in like a production environment, we'll test like a beta, you know, or user acceptance environment, so those URLs may change, you know, as infrastructure comes up and down, so it's kind of nice to be able to change those environment variables.

This is kind of what a Postman collection looks like. So if you look on the left side, it's the collection-wide authentication, right, so it's got the information there and you can have, you know, different types of authentication you can put there. And then at the bottom right is where the collection-wide variables come into play. So sometimes if you've got like a custom header that you need to have added on there to make it work properly, you can set that there, so it'll automatically update that throughout your collection.

This is my favorite feature, the import functionality. Normally if we're testing an API I'm hoping that they have, you know, good documentation for testing this thoroughly, right, so we can provide this. Another thing too is hopefully they have like maybe a Postman collection for me to import, so I already have everything ready to go, or even like Swagger documentation, so super helpful. You've got a couple different options, you could import this from like a file, like if there's a collection or Swagger document, you know, you can pull from even folders, links. Another one too is you can post from like a curl command too, right, so you can do that with the raw text feature. It's kind of nice to see. Again, my personal favorite because it saves a lot of time, right. Sometimes whenever you're paying for a pen test, you know, time is what you're paying for, right, so being able to have this information lets you get kind of deeper into the API itself instead of spending some of that on documentation.

So here's what Postman will look like for you whenever you have a collection going. If you look on the left side, that's kind of where the collection is. You can see this one is named tests, and there's this different kind of structure and folders in there. You can see this is a POST request, there's some GETs, some other values down here. You also see at the top, that's where the base URL is, that's an environment variable. You can change that, you know, in your collection and your environment variables and have that all working, and it kind of makes it easier, like I said, to update that if you need to during an assessment or during a test. Another thing I like to use is the Postman proxy. So I like to send things to Burp so I have them kind of all centralized, you know, into Burp or into ZAP. So if you turn this on you can easily proxy this information into, you know, into something else, right, so Burp or ZAP. It's helpful also if you have network constraints. Sometimes we'll test maybe like in a client's environment and we can't access certain networks without proxying through something, so it's the only way we're going to be able to test right from where we're sitting.

So now we know a little bit about the basics. Who wants to look at some fun stuff? Yeah, all right. Well, I'm sorry, there's no fun stuff, just vulnerabilities here, not fun at all. It depends on what side you're on, right, it's fun for me, may not be fun if you're trying to defend these.

So this is a list of the OWASP API Top 10 from 2019, the current list. There's a current, like, revision of this going on now, they're accepting information or documentation, so I don't know when that'll be updated; for all I know it could have been updated yesterday, I didn't check, so this could be really old info. But this is kind of what we're going to go through, we're going to go through every one of these items and look at kind of what a request looks like, what to test and kind of what to look for.

So first one, broken object level access. This is what we referred to earlier as BOLA, right. So if anybody does web testing you may have seen IDOR, like insecure direct object reference, there; it's kind of synonymous, right. It's kind of funny, sometimes it depends on who you talk to, you can tell what they test mostly, it's like oh, that's BOLA, oh, you're an API person, you know, you test a lot of APIs. So a lot of times clients don't care, right, they just kind of want to know what the information is, but it's good to know. So basically broken object level access allows an API consumer, which is maybe you, you know, the user of the API, access to unauthorized resources. So in this request here you can see we're looking at workshop/api/mechanic/mechanic report, kind of long-winded, right, report ID number five. So if that's your account and you can access it, that's fine, but maybe what I would try to do as a tester is, especially if it's an easy number like that, maybe try the next number, maybe try number six, maybe try number one, maybe try a negative number, see what explodes, right. So it's kind of fun to do. So that's what you're going to look at, right, you're going to look for potential IDs or numbers to look at, maybe something you shouldn't have access to, and then especially if they're guessable or kind of sequential in number it's a little easier. So really what you want to do is look to access data that you know you shouldn't. So this example here, this is a response of someone else's kind of report ID, so obviously I've got the VIN number for their car, so I can hack their car completely now with the VIN number, right? Is that how that works? But it's information I shouldn't have.

The second one is broken user authentication. This is going to be anything to do with the authentication process at all, right. So this one's a little different, I didn't have a really good example, so kind of follow me on this one. So whenever you're testing you want to look for any authentication bypass. So this one specifically is like a one-time password or one-time passcode, like an OTP, you know, MFA kind of code. So I'll say here, sometimes this can come from interesting or, hint, older places, right. So if we look here we can see that we're looking at identity/api/auth version three, and then we have a username, right, this is robot001@example.com and an awesome password, "password one." But unfortunately it comes to like a code check, right, so maybe there's an MFA, it emails the user, I don't have access to that user's email, what am I going to do, right. So what, there's four digits, what, ten thousand possibilities, something like that. So maybe you want to try to brute force those. So we try to brute force those; unfortunately, status 503, you've exceeded the number of attempts. It's really unfortunate. So it makes like brute forcing a lot harder to do, right, because you've got this, you know, potential here, but sometimes it's throttling, and we'll get into this here in a little bit, we'll talk more about this, but sometimes the throttling could be kind of low, you know, so you may just send 10, 15 requests and it's like hey, you need to slow down, and that's going to be really hard, especially if you try to log in again, or the code's time based, right, you've only got a certain amount of time to guess this code, so it makes it tough. So kind of what would you do? So we will go back to the original request, and what we're going to do on this one is, let's say version two, maybe in scope too, right. So we just change that number v3 to v2, and maybe they didn't have like rate limiting established in the older version. It's possible, right, especially if you have older versions still available. So we change that to version two, we run the test, oh look at that, it works, and a 200 code means what? OK, right, we're good. So that's good, then you got into that account. So that's an example of kind of like a broken user authentication, one of many examples, right, there's tons of them, anything related to user authentication, not necessarily MFA bypasses; that's something to keep in mind.

So another one, see quite a bit, excessive data exposure. So an API, basically here, it's going to respond with too much information. So here we're going to make a request to community API, so it's like kind of to a recent post forum, you know, this call's been made in the back end. But if we look at the actual response, look at all this extra data. I got the title of the post, which is probably good, then the content, that's fine, the nickname of the person, do we need their email, right, do we need this other information, do we need vehicle ID, do we need things like this? Probably not, right, especially if we're just looking at forums. So really what you're going to look for whenever you're testing this, you're going to look for any responses with excessive information. So if you find information you don't need, that could be vulnerable to that, right. And some companies have different kind of risk tolerances for this, right. So obviously if it's, you know, sensitive information; they may not care if it's, you know, a VIN number, you know, or some vehicle ID, but if it's someone's, you know, Social Security number, you know, they hopefully should care, right. So something to look at. So really what you're going to ask yourself is, is this data in this response relevant to what I asked? So a lot of the times what the apps will do is they'll kind of strip that data out, they won't like replay that or display that in the application, right, but it comes in the response. So something you're looking at is to see if there's just excessive data.

So, lack of resources or rate limiting. I want to tell you, I'll get to this in a second. So basically this is you do not throttle requests appropriately, right. A lot of APIs, companies monetize their APIs, so maybe they can't do over 100 API

requests in an hour, you know, maybe something like that, maybe a thousand a week or something like that. If that's obviously not implemented correctly, that's going to be an issue, it's going to cost them money, so they may care, right. But also something I want to tell you, this can lead to denial of service. This, like I said, can also bypass API monetization like we talked about, but the denial of service: so I was testing a client once and I asked them if I could do rate limiting checks and, like, yeah, yeah, it's fine, yeah, check whatever you want. I was like, okay, whatever I want, that's great. And so what I did was, right, so they used AWS and I threw tons of packets, I think I was throwing like 10,000 requests per second, you know, I had a beefy machine and it looked cool, it was just flying, and it never went down, and I did this for maybe 30 minutes. I'm like, that's enough, you know, it's had enough, and I stopped it. Service was still available, I never got any 500 errors, right, I never got any like, you know, too many tries, too much data entry. And so I talked to him, I was like hey, nothing went down, but it also didn't throttle me. And they're like oh okay, well hey, let's check on the back end. They had an auto scaling group set up in their AWS environment, right, and so yeah, they had a pretty hefty bill, but luckily we at least found out during testing, right. So for those that don't know, auto scaling groups, like as needed, it depends on how they set it up, right, but so potentially if over 80 percent of a server's utilization is triggered, it's going to spin up more boxes, right, or more instances. So they didn't ever tell me how many instances there were, but yeah, "hold on, we'll call you right back," and I was like yeah, okay, you better, right. And so anyway, we then proceeded, but I just want to let you know, if you're going to test this, I mean, test it on your own stuff all you want, right, but make sure, that AWS bill, they will make you pay it, right, or maybe. But yeah, it's just one of those things, right. So what I'll do if I test this, we obviously want to make sure it's in scope, because especially if it's a production environment; not all clients have like, you know, production and test, you know, alpha, beta, gamma stuff. So just make sure that they're okay with you maybe taking their stuff down, and I try to like tell them now, you know, like for sure, hey, I'm going to do this type of testing over the next 20 minutes, call me, you know, if something goes wrong. And normally it's good, people have this stuff set up, but it's something to keep in mind, especially if you're paying that cloud service bill, right, you don't want that to blow up on you.

So this is what it'll look like maybe if it's implemented correctly, you know, 429 Too Many Requests, so that's okay. But like I said again, make sure this is in scope before testing, please. I will not pay your AWS bill or any other cloud service provider bill, so use as intended. Really what you're going to do though is just look for anything like, like we showed earlier, a 500 response, right, so 429s, things like that, that's going to help to know. And also all these services are different too, right, they all scale, so it depends on what they're trying to sell, what they're trying to use this for. So maybe a thousand requests in a minute may not be a problem for a larger company, right, but for a smaller company that could totally shut them down. So something to keep in mind when you look at this, but it's a big issue.

Broken function level authorization. So this is like, it's kind of like privesc, but it's not necessarily like vertical, right, it could be lateral too. It's like you're using another function outside of your privilege level group, right. So if you're a normal user account you shouldn't be able to do admin functionality, pretty basic, right. Or if you're in finance, maybe you shouldn't also, you know, be in marketing, or, so you don't even say that kind of thing, right, so kind of think of it that way. So it can be, like I said, lateral or vertical. This is related to authorization, right, not authentication; this is related directly to what you have access to or shouldn't have access to. So you see the original request went to a, you know, user/dashboard API endpoint and the modified request goes to /admin/dashboard. So really you're going to look at the proxy's HTTP history for potential interesting kind of URLs or endpoints to look at, and then, you know, maybe use some sort of word list for this too, maybe it's not admin, maybe it's dev, right, dev1, test1, something like that, and see what comes up. If you access something you shouldn't, then that's something you need to look at.

Mass assignment. It's kind of a weird name for one, but this is where the server accepts additional parameters without sanitization or filtering those parameters, all right. So what does that mean, right? So let's say we're looking at the request, bless you, we're looking at the request, and here's what the original request looks like and there's what the original response looks like, maybe hard to see. So in the original request we have like an ID of two, we have a quantity of one, and the status is return pending. So if anybody's guessing what I'm trying to do here, I'm going to try to send something back to a company and I want to show it as returned so I get my money back, but I may want to keep the item, right. I mean, I obviously wouldn't do that. Are we recording? We're recording. I'm not going to do that at all, at all, Scout's honor. That's kind of what the process is here, right, so you're looking here, yeah.

So which kind of attack

It could. So the question was, would this kind of coverage here, or vulnerability, cover the billion laughs attack, that's what you're talking about? Yeah, so it could. It really depends on, and we'll talk about this in the next slide, kind of what the server accepts as valid parameters, right. So sometimes, like this application here, you can see you're actually setting it yourself, it's not like a server-side set, right, like so you're setting this as a client, like yeah, return pending, okay. So, and you've seen the response, it says return, or status, you know, return pending. But I really want that money back and I really want this item, so what I would do is I would resend that request with that same parameter, but change it to returned, and then watch the money come back in my bank account, as the response also says returned, right. I wish I would have, never mind, I'm not going to go into that. But anyway, like I said, use at your own risk, right, you know, within permission. This is a big deal like for shopping portals though, or things like that. Obviously if a company is looking to make money on this, this is something that has validity, you know, as far as testing. So kind of strange, right, but what you're really looking for is any unexpected values and see if you can re-change those. So you may have to run these through; sometimes I'll make like maybe a custom word list of different possible statuses for items and then run those through with like Intruder, you know, to see if anything triggers, see if anything actually changes on the back end. But it's interesting to see.

Yeah, so does this include adding attributes? It could, it could, it could. So that's another possibility for like authentication bypass, right, like whenever you make an account you may be able to, on like the POST request to create the account, maybe be able to put is admin equals true, right.

I would it depends I'm going to call it a vulnerability and I'm going to call it a critical vulnerability right and that's what the client cares about right at the end of the day right but uh I would probably call it both it's it's that one specifically that one instance would be due to like user authentication bypass so that but I would sign it both because that's something easy to fix on the back end because if they because what a developer may do is you run that and they're like oh yeah we'll fix that we'll take out that is admin but other ones work right so you want to fix it fully yeah
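The two mass-assignment cases just discussed (a client flipping an order to "returned", and a signup request smuggling in an admin flag), as an added example that is not part of the talk. It models the order and user records in plain Python so it runs offline; the field names, the "returned" status, the is_admin flag, the refund rule and the candidate status word list are assumptions chosen to mirror the scenario on the slides, not a real application. The fuzz loop at the end does what the talk describes doing with Intruder: replay the request once per candidate value and report which ones actually change server-side state.

```python
# Added example, not from the talk. Order/user fields, the refund rule and the
# status word list are constructed assumptions that mirror the talk's scenario.
from copy import deepcopy

# Constructed sample state: one order awaiting a return, defaults for a new user.
ORDER = {"id": 2, "quantity": 1, "status": "return pending", "refund_issued": False}
NEW_USER_DEFAULTS = {"role": "user", "is_admin": False}

# Fields a client is legitimately allowed to set on each endpoint.
ORDER_CLIENT_FIELDS = {"quantity"}
SIGNUP_CLIENT_FIELDS = {"email", "password"}


def update_order_vulnerable(order, body):
    """Vulnerable pattern: every JSON key in the request is copied onto the record,
    so a client-supplied status drives the refund logic."""
    order = deepcopy(order)
    order.update(body)
    if order["status"] == "returned":      # trusts the status it was just handed
        order["refund_issued"] = True
    return order


def update_order_hardened(order, body):
    """Hardened pattern: copy only allow-listed fields; status stays server-controlled
    and is changed by the returns workflow, never by this endpoint."""
    order = deepcopy(order)
    for key in body.keys() & ORDER_CLIENT_FIELDS:
        order[key] = body[key]
    return order


def create_user_vulnerable(body):
    """Vulnerable signup: is_admin=true in the POST body lands on the new account."""
    user = dict(NEW_USER_DEFAULTS)
    user.update(body)
    return user


def create_user_hardened(body):
    """Hardened signup: role flags are never read from the request."""
    user = dict(NEW_USER_DEFAULTS)
    for key in body.keys() & SIGNUP_CLIENT_FIELDS:
        user[key] = body[key]
    return user


def fuzz_status_values(handler, order, candidates):
    """Replay the update request once per candidate status (what an Intruder run does)
    and return the values that changed state on the back end."""
    hits = []
    for value in candidates:
        result = handler(order, {"id": order["id"], "quantity": 1, "status": value})
        if result["status"] != order["status"] or result["refund_issued"]:
            hits.append(value)
    return hits


# Constructed word list of plausible order states.
STATUS_CANDIDATES = ["pending", "shipped", "return pending", "returned", "refunded", "cancelled"]

if __name__ == "__main__":
    print("vulnerable hits:", fuzz_status_values(update_order_vulnerable, ORDER, STATUS_CANDIDATES))
    print("hardened hits:  ", fuzz_status_values(update_order_hardened, ORDER, STATUS_CANDIDATES))
    signup = {"email": "user@example.test", "password": "hunter2", "is_admin": True}
    print("vulnerable signup:", create_user_vulnerable(signup))
    print("hardened signup:  ", create_user_hardened(signup))
```

The fix in both handlers is the same shape: an explicit allow-list of client-writable fields, with everything else dropped, which is why removing just the isAdmin key (as the talk says a developer might) is not a complete fix.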

So the question is if I found any good password repos... you're talking about not password repos but repos for these types of word lists? There are specific API word lists.

There are, there are some, yeah. So there are some good lists out there. One of them is, like, I think the Assetnote list, um, I think it's the common word list too, maybe from Assetnote; that's a good one. There's also some in, uh, Kiterunner, which is more of an API discovery kind of tool, um, but some of the kite files in there have some good lists. Yeah, good question. Uh, I went ahead too far, I got trigger happy, I'm sorry. Now we're on security misconfiguration, so this is kind of run-of-the-gamut stuff, right? It's not just, you know... it's kind of like authentication: any authentication issue

is going to come back to, you know, authentication issues; any other security misconfigurations will be kind of lumped in here, right? So you're going to look for things like verbose error messages. Like, sometimes you may put a weird parameter or weird, um, keyboard input into a parameter and it'll throw back to you, you know, a stack trace, and it's got the full list of, you know, where the program's running on the server; weird things happen. So something to look at there, that's possibility one. Sometimes unnecessary HTTP methods: like, if it shouldn't be a POST but it accepts POST, that could be an issue. And then other things too,

um, that kind of lead to different types of attacks, right? So sometimes, in this example we're looking at, it tells us what version, what application is running, right? This may be accurate, it may not be accurate. It depends; sometimes if I'm looking at this, if I look at, like, the maturity of the organization security-wise, I can tell if this is real or not for the most part, right? And then you kind of go on that. So what you do is then go on here, see if there's any vulnerabilities for this. So then you're also going to look for any kind of missing security headers, um, or anything like that, for, like, ones

that say, like, X-Powered-By. You know, they're really proud of their software, so they'll let you know exactly what version they're running, stuff like that, which is cool, but it's really cool for me too, especially if there's a, you know, new zero day or something, right, that just came out for it. Injection attacks: those are fun, right? This is where the fun comes. So this happens when, like, the provider, like the API application itself, doesn't perform input sanitization, so it's going to accept kind of whatever you throw at it. Um, it's not a good practice. You know, it's good, especially if you're... I would

recommend, if you're running an API, um, and you accept input, like if you accept, like, 10 different commands, make sure only those work, right? Like, block out, like, URL-encoding those characters, you know, other weird stuff that can happen. But in this example here, this one covers, like, SQL, NoSQL, command injection, XML injection, all that kind of stuff. But as we're looking at here, this is an example; we're going to show this as a NoSQL example. So I use this one a lot; I'll try fake coupon codes. Actually, I don't use this one at all, I'm sorry, I never use this one, gosh, I keep getting myself. Um, now this is something you can try,

right? So, uh, so for this website you use the fake coupon code, which is not real, right? We get a response of 500 Internal Server Error. So that lets me know that's probably not a real coupon code, right? So maybe an example to bypass this... oh, hold on, first I get all excited about the bypass, right. So, so whenever you're looking at testing this, you're going to look for parameters that can be tested or fuzzed, right? So anything that takes input, like this one, you want to test or fuzz. Like you're talking about looking through some of the fuzz lists, some of the word lists, and so a lot of the times some of the, like, standard

web hacking stuff applies here word-list-wise, sometimes, for injection stuff anyway. So, and then the last thing you're going to do is you're going to test and fuzz them, and then you've got a creepy little smiley face, because that's what you want to do. But this example here, right, so the fake coupon code didn't work, so now we're going to try to do "not equals" fake coupon code, right? So, so yeah, fake coupon code doesn't work, that's fine. So what if it doesn't... what if it's not fake coupon code? And this thing says, "yeah, yeah, you know, yeah, it's not fake coupon code, but here's, you know, 75% off", which is great. I've got teenagers, I'm married, this is helpful for me, right?
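The coupon-code NoSQL injection just described, as an added example that is not part of the talk. Instead of a real MongoDB it uses a tiny in-memory matcher that honours a few query operators the way an unrestricted query builder would, so it runs offline; the coupon table, the field name coupon_code, the 75%-off value and the 500/400/404 status codes are constructed assumptions that mirror the talk's scenario. Beyond the single "$ne" bypass on the slide, the enumerate_coupons function shows how the same flaw scales to dumping the whole table one request at a time, which is the "see what else is out there" idea the speaker raises next.

```python
# Added example, not from the talk. The coupon collection, field names and status
# codes are constructed to mirror the talk's scenario; the matcher emulates only
# the MongoDB operators needed to show the bypass.
import re

# Constructed coupon collection (stands in for a MongoDB collection).
COUPONS = [
    {"coupon_code": "TRAC075", "amount": 75},
    {"coupon_code": "WELCOME10", "amount": 10},
]


def _matches(value, condition):
    """Evaluate a document field against either a literal or a {"$op": operand}
    object, the way a query built straight from request JSON would be evaluated."""
    if not isinstance(condition, dict):
        return value == condition
    for op, operand in condition.items():
        if op == "$ne":
            ok = value != operand
        elif op == "$nin":
            ok = value not in operand
        elif op == "$regex":
            ok = value is not None and re.search(operand, str(value)) is not None
        else:
            raise ValueError(f"unsupported operator {op}")
        if not ok:
            return False
    return True


def find_one(collection, query):
    """Return the first document satisfying every field condition, else None."""
    for doc in collection:
        if all(_matches(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None


def validate_coupon_vulnerable(body):
    """Vulnerable: whatever JSON value the client sent becomes the query condition,
    so {"$ne": "FAKE"} matches the first real coupon."""
    doc = find_one(COUPONS, {"coupon_code": body.get("coupon_code")})
    if doc is None:
        return 500, {"error": "Internal Server Error"}   # the 500 the talk saw for a bogus code
    return 200, {"coupon_code": doc["coupon_code"], "amount": doc["amount"]}


def validate_coupon_hardened(body):
    """Hardened: accept only a short alphanumeric string, so an operator object
    (or any other JSON type) is rejected before a query is ever built."""
    code = body.get("coupon_code")
    if not isinstance(code, str) or not re.fullmatch(r"[A-Z0-9]{4,16}", code):
        return 400, {"error": "coupon_code must be a short alphanumeric string"}
    doc = find_one(COUPONS, {"coupon_code": code})
    if doc is None:
        return 404, {"error": "invalid coupon"}
    return 200, {"coupon_code": doc["coupon_code"], "amount": doc["amount"]}


def enumerate_coupons(validate):
    """Scale the bypass up: keep asking for "a coupon that is not one I already
    know" until the endpoint stops answering 200; this dumps every code."""
    known = []
    while True:
        status, resp = validate({"coupon_code": {"$nin": known}})
        if status != 200:
            return known
        known.append(resp["coupon_code"])


if __name__ == "__main__":
    print(validate_coupon_vulnerable({"coupon_code": "FAKECODE"}))
    print(validate_coupon_vulnerable({"coupon_code": {"$ne": "FAKECODE"}}))
    print(enumerate_coupons(validate_coupon_vulnerable))
    print(validate_coupon_hardened({"coupon_code": {"$ne": "FAKECODE"}}))
    print(enumerate_coupons(validate_coupon_hardened))
```

The hardened handler also swaps the 500 for a 404 on a bad code: the talk's point that a 500 on a wrong coupon is itself a tell (it signals an unhandled path worth fuzzing) holds here as well.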

I mean, hypothetically, right? Hypothetically, of course. But that's kind of how that works, right? And then if you wanted to scale this beyond this, uh, maybe you could say, like, not equals fake coupon code and TRAC075, or just TRAC075, and see what else is out there. Obviously this is for coupon codes; this is part of one of the environments I'll show you guys at the end that you can kind of download and play with. But I'm just kind of thinking how this could work outside of this, right, and how an attacker could utilize this. Improper assets management: so sometimes we run into this. Like, let's say we're supposed to be testing version

three. We kind of ran into this earlier, but it wasn't necessarily, you know, improper, because version two may still be around. But we're going to look for, um, maybe a dev environment, maybe an older version that doesn't have security controls on there. So sometimes with older versions, as time progresses, if they find issues, hopefully they get fixed, right? So version four may be more secure than version three. That's what we're trying to do here: we're trying to look for, like, in this instance version three, maybe a retired version that shouldn't be around, you know, like version two. So you go in there and look from there: version one, version two, version three, dev, it's kind of all good examples to

use when looking for these kinds of endpoints, and these are more so for RESTful API endpoints, since there are so many of them. Uh, but sometimes if you have different versions that you find, you want to test those for, like, some of this missing security functionality, like we talked about earlier with the, um, the MFA bypass, right, that worked on an older version. Also, if in scope, right? So some companies, like, if you get paid to test version three and you touch version two, that's not a good thing, right? So obviously make sure that's covered. And the last one is the coolest one of all:

insufficient logging and monitoring. Who wants to talk about that, right? It's important, it really is. So this is something that's kind of hard to test from an attacker's standpoint. So sometimes, like, I don't necessarily want in their log environment, and they won't let me anyway, you know. But something we can look at, um, basically: if it doesn't produce logs, or, like, it's an insufficient logging level, like it only logs critical, you know, alerts or whatever it finds, or log messages do not include enough detail, like, "hey, a critical alert happened", what is it, right? Sometimes it may not be there. That would be vulnerable here. So another thing too, some people don't

think about, is log integrity. So your logs are being kept, things are looking okay, but can someone edit those logs? If they can edit the logs, then you can't trust your logs, potentially, right? So something to look at. Logs are not continuously monitored: I've actually seen a company only, only, only log things while their staff was in the office. So it's like, whatever, on the weekend, hey, that stuff's somebody else's problem, right? And I get it. Listen, I get it, I've done blue team stuff, I don't want to look at them either, right, especially if I come in with 5,000 alerts, I'm like, yeah, nothing happened, clear, right? So anyway: API infrastructure is not continuously monitored. Other

issues: so maybe, like, the API endpoint is, but the server hosting it isn't, um, maybe the network isn't, so things like that. So another item too, um, whenever you're testing this, you want to check if log review is part of the scope of the assessment. Sometimes it is, sometimes it isn't. Sometimes you may just ask for screenshots: "hey, show me where this is logged", right? So you have something for your report, something to show they're doing their due diligence. So that's something to keep in mind. So last thing: learning resources. This is not a complete list of anything at all; there are so many resources. But obviously we talked about Burp Suite, we

talked about OWASP ZAP, we talked about Postman; those are good tools to look at. I would highly recommend, book-wise, the Hacking APIs book by Corey Ball. Um, I think that came out this year; it's been a long year, but it's a good book. Another one, this Black Hat GraphQL, I have not read it yet; it comes out in, I think, February, but if you pre-order you can get, like, the digital early access, I think, through No Starch Press. So online resources: obviously we talked about OWASP, and this awesome-api-security repo here, and again these slides are on my LinkedIn and Twitter, so feel free to download them, but it's got tons more resources. APIsec

University: this is kind of a recent launch by, I don't know if it's by Corey Ball, but I know he's associated with it, and it's got cool stuff. It's got actual video lab environments; I think there's a certification you can get too if you're interested. But some of the vulnerable VMs or platforms that we kind of used during this presentation: one is crAPI, uh, Pixi, old Juice Shop, vulnerable GraphQL applications, Damn Vulnerable GraphQL, and continue on from there. Tons of resources to learn; obviously TryHackMe, Hack The Box, other things like that too. But I would encourage, if you want to get into this stuff, you know, get some of these resources, start reading, look

through these, look through these attacks, see how things work, download some of these to your home lab or your machine, maybe your neighbor's machine, you know, if they've got open Wi-Fi, just kidding, and then kind of go from there, right? That's it. [Applause] Thank you. All right, any questions? Yes? What's the worst API I've seen? I've seen some... I swear, I thought the client was testing to see if we do things right, you know what I'm saying? It's almost like, if you download one of these vulnerable VMs, you know, or these vulnerable architectures, it's like it's hitting off everyone. It's like they put Juice Shop on their website

with actual products, and I'm like, what did we get? Are they paying us for this? Is this free practice, right? Let's get some interns on this, you know. But I've seen that in the real world; I can't say what company, obviously, but, like, companies that you would think, like, "oh dear God, why", you know, it happens, right? Yeah, it's really hard too, because you can't blame the company, because sometimes they're so large, right, you have all these teams, all these different groups doing everything. I understand that, um, but yeah, it was interesting, because I really asked my supervisor, I'm like, "hey, is this real?", and they're

like, "oh yeah, that's real." I'm like, okay, okay. Well, it's like... so the write-up, that's the worst part. So finding cool stuff is great, but the write-up... like, now I've got to write all this stuff up, you know, it's like a hundred pages or something; it was a monster. Yeah?

Good question. So that question was, if they give us kind of a loose scope, right, or "here's our domain, see what we can find inside there"? That happens, right. So sometimes there's passive ways to do that, right, to look for things; I'm more of an active approach. So I like to use, like I mentioned, Kiterunner earlier; it's a good tool to do that. You can also kind of brute force some of the possible endpoints with, like, gobuster, DirBuster, things like that too. But sometimes it's using the website too: if you use it with, like, there's a man-in-the-middle web proxy you can use, and it kind of runs in the background, and you're surfing the

site, and as you're doing that you can kind of see what URLs are being called in the background, right? So you can use that through, like, developer tools too, you know, the forbidden hacker tool, F12. You know, you can do that and kind of look at your console or network connections and see what APIs are being called out, and so what we'll do is write those down. And we always like to verify too, because you know how it goes, right, especially with some companies, like, this group's paying for this, so we can't really, you know... like, if we find something that may not be in that group, they don't want us to do it, maybe out of

scope, but I always like to verify. But good question. Yeah?

Yeah, so evaluating logging and monitoring, that's usually what we do, right? So if we have access... sometimes, depending on the company, they may give us access, like if they're in a cloud provider, they may give us read-only access to where their logs are stored, right, if they store them in an S3 bucket or something like that. Sometimes we'll just say, since we don't have access, show us what you're doing, and we'll document that. I usually document that accordingly, because I want to trust them, but it's trust but verify, right? It's a big deal. So that's what we'll do: we'll say, like, the client provided us this, showing their logging environment and these settings. Who knows if it's... I don't

know if it's the actual environment, you know, I can't see that, right, but I'm taking their word, and hopefully, you know, that's what we're looking for. Do you have a question? Yeah? Oh, so for reports: I like to not do reports. No, actually, I don't mind reporting. I report as I hack stuff, because the one thing I think I hate about myself is when I didn't do that, right? So I come down to the end of an engagement and I'm like, "oh yeah, the report", and then I'm like, "oh God, I haven't done anything", I'm looking at this blank Word doc, right? So I've used different tools: I've used, like, PlexTrac, right, I've used, uh, Dradis, or

just good old-fashioned Word docs. It just depends. Some clients too, they may have specific ways, right, like templates they kind of want us to use. It depends, because some of them may ingest that into their vulnerability management solutions, stuff like that. So good question, though.

Yes, so the question was, if we see that every, uh, like, a query is going to the logs, we see that, can we report on that? Yeah, oh yeah, we can. Sometimes there's certain things too, um, kind of mainly... it kind of blends into web app stuff too, right, but if a client is... I have seen, let's say, I have seen alerts, I've seen items pop up in, like, a SIEM console, like a management console, right, like a log console, um, from what we've inputted into a header, right? So if you put, like, maybe a cross-site scripting payload inside of, you know, something that's going to be logged, and you log into the logging

solution, boom, you know, you pop up. We may or may not have gotten credentials that way before too; may or may not, can't clarify. Yeah?

So if we're enforcing content, right... I like general errors. It's like the same thing with login for me, right? Like, if I'm going to try to log into a website and I try to use a password or username that I've gathered from somebody, and it says, "oh, that account exists, but the wrong password", that's too much information for me, right? That may fall into, like, verbose error messages for me, but I'll let you know... obviously it's a developer decision; some places are okay with that, it just depends. Good question. Any other questions? Yes? Are you going to test my hearing? Hold on.

Have I ever seen an API that black-holes my traffic once I start poking at it? Yes, yeah, mostly it's, like, a WAF or something, you know, on the front of it. But our thing is, whenever I want to test something, if they know we're testing, right, it's not some, like, you know, kind of red team covert testing, um, I want to be able to get past that firewall, right, because there's always going to be, like, a bypass for a firewall, there's always a possibility, right? Or maybe from a different vector: maybe someone's inside, they're able to attack this, and, you know, they're not going through the firewall, right? So normally, whenever

we're trying to do API testing, I want to test as close to that API as I can. But it's a good question, it's valid. Some clients will have us do that just to prove that it's working. Sometimes it comes back in the form, like, of rate limiting, like if we're throwing too much at it, or if we start throwing different types of payloads at it, I mean, um, it blacklists this for a while, or blacklists us. Good question.

Yep, yeah, no, that's... they want to, so that's the kicker. It's always, like, "what do you want out of this", right? Some companies will want kind of like a closed-box approach, right, where they don't give us any data. That's more realistic, possibly, like, to an attacker, but for me, the more information you give me, the more information I can help you with, right? So let's say an attacker... an attacker has a lot more time to work on this company than I do, right, because they're paying me for a set amount of time. If I hate this company, I'm going to do it forever, right, or whatever, right, or, you know, a malicious

actor, right? So it's something to keep in mind, but I'm more of a fan of, kind of, the more information we can get, the more we can help you out. But some companies don't care about that, and it's fine, I mean, we can do whatever. But we'll also usually report on that too, or notate that, you know, that we couldn't provide... or we couldn't gather this information, you know, because of these reasons. You know, but it's good to know, and we have clients that do both. So good question. Any other ones? Food trucks are almost here, I think. Okay. Hey, listen, if anybody does have any questions, feel free to reach out to me;

like I said, the slides are available, um, because sometimes, if you're new to this stuff especially, it's like drinking from a fire hose, right? So feel free to download them, and if you have any questions, feel free to reach out. Okay, thank you.