REST API Pentester's perspective
9 likes4,816 views
Nowadays REST APIs are behind each mobile and nearly all of web applications. As such they bring a wide range of possibilities in cases of communication and integration with given system. But with great power comes great responsibility. This talk aims to provide general guidance related do API security assessment and covers common API vulnerabilities. We will look at an API interface from the perspective of potential attacker. I will show: how to find hidden API interfaces ways to detect available methods and parameters fuzzing and pentesting techniques for API calls typical problems I will share several interesting cases from public bug bounty reports and personal experience, for example: * how I got various credentials with one API call * how to cause DoS by running Garbage Collector from API
Ad
More Related Content
What's hot (20)
Similar to REST API Pentester's perspective (20)
Ad
More from SecuRing (20)
Ad
Recently uploaded (20)
REST API Pentester's perspective
- 3. www.securing.pl KA-BOOM „Whenever a user Forgets his password on Facebook, he has an option to reset the password by entering his phone number/ email address on: https://www.facebook.com/login/identify?ctx=recover&lwv=110 Facebook will then send a 6 digit code on his phone number/email address which user has to enter in order to set a new password. I tried to brute the 6 digit code on www.facebook.com and was blocked after 10-12 invalid attempts.”
- 4. www.securing.pl KA-BOOM „Then i looked out for the same issue on beta.facebook.com and mbasic.beta.facebook.com and interestingly rate limiting was missing on forgot password endpoints.”
- 9. www.securing.pl REST API • Is everywhere (web&mobile) • Is build on top of existing applications • More and more companies allow to use it’s API • Applications are more interconnected • Microservices
- 10. www.securing.pl REST API https://www.mobapi.com/history-of-rest-apis/
- 11. www.securing.pl • Senior IT Security Specialist, SecuRing • Web & mobile application security • OWASP Poland member • Ex developer • Bug hunter Who am I
- 12. www.securing.pl • REST API 101 • Finding endpoints • Finding docs • Finding sample calls • Finding keys • 2 more examples • Q&A Agenda
- 14. www.securing.pl REST API 101 • REST – representational state transfer • Data usually is sent as JSON • HTTP methods have a meaning (usually): • GET - list (collection), retrieve data (element) • PUT – replace (all data is changed) • PATCH – update • POST – create (new element) • DELETE
- 16. www.securing.pl • Get endpoints • Get docs • Get keys/credentials • Get sample calls !! REST API Pentest
- 17. www.securing.pl • Sometimes no known endpoints • Sometimes no docs • Sometimes no keys/credentials • Sometimes no sample calls !! REST API Bug bounty
- 19. www.securing.pl • / • /api/ • /v1/ • /v1.0/ • /v1.1/ • /api/v1/ • /api/v2 Finding endpoints
- 20. www.securing.pl • / • /api/ • /v1/ • /v1.0/ • /v1.1/ • /api/v1/ • /api/v2 Finding endpoints
- 21. www.securing.pl • / • /api/ • /v1/ • /v1.0/ • /v1.1/ • /api/v1/ • /api/v2 Finding endpoints
- 22. www.securing.pl • /ping • /health • /status • … • Dictionaries for directories and filenames will help Finding endpoints
- 23. www.securing.pl • /ping • /health • /status • … • Dictionaries for directories and filenames will help Finding endpoints
- 24. www.securing.pl • /ping • /health • /status • … • Dictionaries for directories and filenames will help Finding endpoints
- 25. www.securing.pl • /ping • /health • /status • … • Dictionaries for directories and filenames will help Finding endpoints
- 28. www.securing.pl • Interesting endpoints: • /actuator • /health • /trace • /logfile • /metrics • /heapdump (Spring MVC) Spring Boot Actuator
- 29. www.securing.pl • Interesting endpoints: • /actuator • /health • /trace • /logfile • /metrics • /heapdump (Spring MVC) Spring Boot Actuator
- 30. www.securing.pl • Interesting endpoints: • /actuator • /health • /trace • /logfile • /metrics • /heapdump (Spring MVC) Spring Boot Actuator
- 34. www.securing.pl • /api-docs • /application.wadl • /doc • /docs • /swagger-ui.html • /swagger.json Finding docs:
- 35. www.securing.pl • /api-docs • /application.wadl • /doc • /docs • /swagger-ui.html • /swagger.json Finding docs:
- 37. www.securing.pl • /api-docs • /application.wadl • /doc • /docs • /swagger-ui.html • /swagger.json Finding docs:
- 38. www.securing.pl • /api-docs • /application.wadl • /doc • /docs • /swagger-ui.html • /swagger.json Finding docs:
- 41. www.securing.pl • Still no docs? • Error messages to the rescue! Finding sample calls
- 42. www.securing.pl • Still no docs? • Error messages to the rescue! Finding sample calls
- 43. www.securing.pl • Still no docs? • Error messages to the rescue! Finding sample calls
- 44. www.securing.pl • Still no docs? • Error messages to the rescue! Finding sample calls
- 45. www.securing.pl • Still no docs? • Error messages to the rescue! Finding sample calls
- 46. www.securing.pl • Still no docs? • Error messages to the rescue! Finding sample calls
- 47. www.securing.pl • Still no docs? • Error messages to the rescue! • Brute force parameter names! Finding sample calls
- 48. www.securing.pl • Still no docs? • Error messages to the rescue! • Brute force parameter names! • Analyze JS code (see JS-Scan) • Dissect mobile app ( Apk-Scan for Android apps hadrcoded URL’s) Finding sample calls
- 50. www.securing.pl Finding keys • Check mobile application • Check GitHub (truffleHog to the rescue): • Scan public repos of a company • Scan public repos of a company devs
- 52. www.securing.pl Finding keys • Check mobile application • Check GitHub (truffleHog to the rescue): • Scan public repos of a company • Scan public repos of a company devs
- 53. www.securing.pl Finding keys • Check mobile application • Check GitHub (truffleHog to the rescue): • Scan public repos of a company • Scan public repos of a company devs
- 57. www.securing.pl „Jolokia is a JMX-HTTP bridge giving an alternative to JSR-160 connectors. It is an agent based approach with support for many platforms. In addition to basic JMX operations it enhances JMX remoting with unique features like bulk requests and fine grained security policies.” #1 Jolokia
- 58. www.securing.pl „Jolokia is a JMX-HTTP bridge giving an alternative to JSR-160 connectors. It is an agent based approach with support for many platforms. In addition to basic JMX operations it enhances JMX remoting with unique features like bulk requests and fine grained security policies.” https://example.com/jolokia/write/Tomcat:port=19880,type=Connector/xp oweredBy/true #1 Jolokia
- 59. www.securing.pl „Jolokia is a JMX-HTTP bridge giving an alternative to JSR-160 connectors. It is an agent based approach with support for many platforms. In addition to basic JMX operations it enhances JMX remoting with unique features like bulk requests and fine grained security policies.” https://example.com/jolokia/write/Tomcat:port=19880,type=Connector/xp oweredBy/true X-Powered-By:Servlet/3.1 JSP/2.3 (Apache Tomcat/8.0.20 Java/Oracle Corporation/1.8.0_60-b27) #1 Jolokia
- 61. www.securing.pl #2 REST API wrongly placed
- 62. www.securing.pl #2 REST API wrongly placed • A form
- 63. www.securing.pl #2 REST API wrongly placed • A form • Putting ID and solving CAPTCHA
- 64. www.securing.pl #2 REST API wrongly placed • A form • Putting ID and solving CAPTCHA • Secured (no way to brute force ID)
- 65. www.securing.pl #2 REST API wrongly placed • A form • Putting ID and solving CAPTCHA • Secured (no way to brute force ID) • A mobile app with the same feature
- 66. www.securing.pl #2 REST API wrongly placed • A form • Putting ID and solving CAPTCHA • Secured (no way to brute force ID) • A mobile app with the same feature • No CAPTCHA
- 67. www.securing.pl #2 REST API wrongly placed • A form • Putting ID and solving CAPTCHA • Secured (no way to brute force ID) • A mobile app with the same feature • No CAPTCHA • No rate limiting
- 68. www.securing.pl #2 REST API wrongly placed • A form • Putting ID and solving CAPTCHA • Secured (no way to brute force ID) • A mobile app with the same feature • No CAPTCHA • No rate limiting • Brute force &profit report to client !
- 69. www.securing.pl Summary • Find endpoints • Find docs • Find sample calls • Find keys • Fuzz
- 71. www.securing.pl • SOAP UI https://www.soapui.org/ • Postman https://www.getpostman.com/ • Fuzzapi https://github.com/Fuzzapi/fuzzapi • Swagger Parser (Burp Suite plugin) • TruffleHog https://github.com/dxa4481/truffleHog • JS-Scan https://github.com/zseano/JS-Scan • Apk – Scan https://apkscan.nviso.be/ Tools
- 72. www.securing.pl That’s all folks [email protected] / @molejarka