My Favorite API Hacking Vulnerabilities & Tips
Summary
TLDRAPIs are crucial in web security, and understanding how to identify vulnerabilities is essential for bug bounty hunters, pentesters, and security enthusiasts. The video highlights key API vulnerabilities, including authentication flaws, authorization issues, and improper content type handling. It provides practical tips for finding leaked credentials on platforms like GitHub and Postman, and emphasizes the importance of thorough testing for privilege escalation and unauthenticated access. The video also touches on advanced techniques like using X-Forwarded-For headers to bypass authentication and the significance of correctly set content types in preventing XSS attacks.
Takeaways
- 😀 APIs are a common target for finding vulnerabilities, important for bug bounty hunters, pentesters, and web security enthusiasts.
- 📚 An update to the Udemy course on web security is available, with new content on XSS, CSP, CSRF, and more.
- 🔍 The speaker emphasizes the importance of looking beyond the generic OWASP Top 10 vulnerabilities when examining APIs.
- 🔑 Authentication vulnerabilities are often overlooked, but can be found by searching for leaked credentials on GitHub or Postman.
- 🔍 Using tools like 'porsch pirate' on Postman can help uncover API specs with hardcoded keys, leading to potential vulnerabilities.
- 🚫 Authentication can sometimes be bypassed using 'X-Forwarded-For' headers, which can reveal different application behaviors.
- 👥 Authorization vulnerabilities involve testing for access to endpoints that should be restricted, with severity levels varying based on who can access them.
- 🔄 Privilege escalation testing involves comparing the functionality accessible to different user levels within an application.
- 📝 Documentation is key for understanding the correct access controls for different user types in applications.
- 🛑 Misconfigurations in content type handling can lead to XSS vulnerabilities if HTML is returned within a JSON response.
- 🔎 Fuzzing API endpoints for parameters that might return raw input can reveal overlooked vulnerabilities.
Q & A
Why is it important to understand API vulnerabilities?
-Understanding API vulnerabilities is crucial for bug bounty hunters, pentesters, and web security enthusiasts because APIs are ubiquitous and can have many hidden bugs. Knowing how to approach and find these vulnerabilities allows for more comprehensive security assessments.
What is the significance of the OWASP Top 10 in the context of APIs?
-The OWASP Top 10 is significant because it highlights common vulnerabilities such as XSS, IDORs, and SSRF that are not only relevant to traditional web applications but also applicable to APIs. This helps security professionals to know which vulnerabilities to look for in API testing.
Why do authentication vulnerabilities pose a challenge for many hackers?
-Authentication vulnerabilities pose a challenge because they often involve finding ways to bypass or manipulate the login process, which can require advanced techniques and a thorough understanding of the system. Many hackers may be intimidated by the need for credentials or may not know where to look for them.
What are some common methods to find API credentials?
-Common methods to find API credentials include searching GitHub repositories, examining Postman collections, and looking for leaked credentials or specific header names and cookie values that might contain sensitive information.
How can the X-Forwarded-For header be used to bypass authentication?
-The X-Forwarded-For header can be used to bypass authentication by spoofing the IP address to match those whitelisted by the application, such as localhost or a specific VPN range. This can trick the application into granting access based on the perceived IP address.
What is the difference between authentication and authorization in API security?
-Authentication is the process of verifying the identity of a user, typically through login credentials. Authorization, on the other hand, determines what resources a user is allowed to access after they have been authenticated.
What are some common authorization vulnerabilities?
-Common authorization vulnerabilities include unauthenticated paths that reveal sensitive information and improper privilege escalation, where lower-privileged users gain access to functions or data meant for higher-privileged users.
Why is testing for different user privilege levels important?
-Testing for different user privilege levels is important because it helps identify improper access controls. By ensuring that only authorized users can perform certain actions, you can prevent lower-privileged users from accessing sensitive functionalities or data.
How can content type misconfigurations lead to vulnerabilities in APIs?
-Content type misconfigurations can lead to vulnerabilities if an API returns HTML content within a JSON response, potentially allowing stored XSS attacks to succeed if the HTML content is rendered by the browser.
What is a useful tool mentioned for finding API credentials and how does it work?
-Postman, along with a tool like 'Porsch Pirate,' is mentioned as useful for finding API credentials. These tools can search for company names and related assets, potentially revealing hardcoded API keys in publicly available Postman collections.
Outlines
🔍 Exploring API Vulnerabilities and Udemy Course Update
The speaker begins by emphasizing the importance of understanding APIs and their vulnerabilities for bug bounty hunters, pentesters, and web security enthusiasts. They announce an update to their Udemy course, which now includes new content on various web security topics such as XSS, CSP, CSRF, and more. The course is available for free to existing Udmi members and can be accessed at a discount for new subscribers. The speaker then shifts focus to discussing common vulnerabilities found in APIs, such as XSS, IDORs, and SSRF, which are also applicable to traditional applications. They aim to provide a deeper approach to API hacking beyond the generic OWASP Top 10 vulnerabilities.
🔑 Authentication Flaws and Bypass Techniques in APIs
The speaker delves into authentication vulnerabilities within APIs, which often deter hackers due to the requirement of credentials. They suggest using GitHub to search for leaked credentials by inputting the API's URL and looking for any exposed keys or unique cookie values. Additionally, the speaker introduces the use of Postman and tools like 'porsch pirate' to find hardcoded API keys in public API specifications. They also discuss the potential of using 'X-Forwarded-For' headers to bypass authentication by mimicking trusted IP addresses. The speaker shares a personal anecdote where this technique led to the discovery of additional vulnerable endpoints.
🛡️ Authorization Issues and Testing for Privilege Escalation
The speaker explains the difference between authentication and authorization, focusing on the latter. They discuss finding unauthorized access points (unauthenticated APIs) that may leak sensitive information or require elevated access. The speaker advises removing authentication tokens to test if an endpoint can be accessed without proper authorization, a method that has helped them escalate the severity of vulnerabilities. They also suggest testing privilege escalation across different user levels within an application, such as comparing the access rights of an admin, a manager, and a regular user, to uncover misconfigurations in access controls.
🎯 Hunting for Misconfigured Content Types and XSS Opportunities
The speaker highlights the often-overlooked vulnerability of misconfigured content types in API responses. They point out that while JSON is the expected format, APIs sometimes return HTML content, which can lead to XSS attacks if not handled properly. The speaker encourages finding API endpoints that return HTML content types and then determining how to inject user input into the response while the content type is set to HTML. They describe this as a fun and rewarding challenge that has led to the discovery of significant vulnerabilities, often missed by others due to a lack of attention to detail.
Mindmap
Keywords
💡API
💡Vulnerabilities
💡Bug Bounty Hunter
💡Web Security Enthusiast
💡OAS Top 10
💡Authentication
💡XSS
💡CSRF
💡Authorization
💡Privilege Escalation
💡Content-Type
Highlights
APIs are everywhere and understanding how to approach them is crucial for finding vulnerabilities.
New content has been added to the Udemy course, including updates on XSS, CSP, CSRF, and more.
APIs can have the same vulnerabilities as traditional applications, such as XSS and IDORs.
Authentication vulnerabilities in APIs can be discovered by searching GitHub for leaked credentials.
Unique cookie values or header names can be indicators of potential vulnerabilities.
Postman is an underutilized resource for finding API credentials and specifications.
X-Forwarded-For headers can be used to bypass authentication mechanisms.
Authorization vulnerabilities involve testing for unauthenticated access to sensitive endpoints.
Privilege escalation testing involves checking access levels across different user types.
Content type vulnerabilities in APIs can occur when HTML is returned within a JSON response.
Fuzzing API endpoints can reveal parameters that lead to error responses with user input.
Top hackers pay attention to small details such as content types to find vulnerabilities.
The video offers a deeper approach to hacking APIs beyond traditional web vulnerabilities.
The importance of not being intimidated by authentication requirements in APIs.
The potential for increased bounty rewards by escalating access through authorization vulnerabilities.
The call to action for viewers to request more in-depth videos on path traversal or GraphQL.
The encouragement for viewers to like, subscribe, and engage with the content for future videos.
Transcripts
apis are everywhere and if you don't
know how to approach an API and find
vulnerabilities then you are definitely
missing out in a lot of bugs whether
you're bug bounty hunter pentester or
just a web security Enthusiast before we
jump into the video though I'm going to
quickly do a Shameless plug a lot of you
guys have been asking for an update to
the udmi course it is here if you have
udmi access already it is there you can
go get it for free it's a part of what
you have purchased for in the past if
you don't have access you want to get it
there's a ton of new content on xss CSP
client side vones csrf you name it it is
also going to be updated three more
times in the next 6 months all you have
to do is click on the link down in the
description or the pin comments and get
it for half off as of today all right
now let's jump into the video well in
this video I want to talk about some of
my favorite vulnerabilities that I look
for in an API how to look for him how to
approach him and why are these the ones
that I go through starting with your
generic OAS top 10 because I want to get
this out of the way but the generic o
top 10 is the vulnerabilities like your
xss your idors you want to look for your
ssrf any abilities that you would find
in a traditional application you also
want to look for those in an API because
the API is the backend of this system so
any vulnerabilities that is covered in
an OAS top 10 or any version of OAS top
10 then it is kind of also applicable to
uh an API I don't want to cover this
because I feel like there's a lot of
content around looking for these
traditional web WS on an API so I want
to kind of take a deeper approach to
hacking API and kind of show you what is
the vulnerability that I look for so I
wanted to kind of get that out of the
way but now let's talk about the
additional vulnerabilities starting with
looking at authentication
vulnerabilities because authentication
is a thing that I think scares off a lot
of hackers when it comes down to looking
for vulnerabilities and by that I mean a
lot of times hackers find an API where
they can't authenticate to maybe it
requires some credentials and a lot of
people actually don't look for them and
there's a lot of ways you can actually
do that the obvious approach to looking
for credentials for an API is just
obviously going on GitHub doing the
generic putting the URL of that website
or that specific API into the search and
looking and seeing if anything has been
leaked but that only works if that
specific domain or subdomain has been
mentioned in a repo and if it has then
you can look for this keys and pull them
out and use them but also the other
thing that you can do is looking at
specific header names or cookie value so
if a cookie value has something very
unique to this application or to this
website or this company also you want to
look for that and see if you can't find
anything but I feel like GitHub is been
the easiest to clean up a lot of
companies are more aware of leaking
credentials on GitHub and a lot of
hackers are looking for it but I think
something that's not fully covered yet
is Postman actually you can go on
Postman and use something like porsch
pirate I think that's what the tool is
called it's been an amazing one that
it's in my toolkit that I use but you
can just type in a search for a company
name and relate it to this specific
asset but this is just also very noisy
so you have to do a lot of manual work
or just have some scripts or wrappers
around this tool that's going to clean
it up and give you better results but
Postman is a really good place because a
lot of times people just dump their API
specs into a file and then they just
post it on post man.com and they forget
that their keys may have been hardcoded
this has got me some really cool
bounties and even if I haven't gotten
any bounties then it's giving me access
to a lot of cool assets that I've played
around with and it's generated leads for
me so keep that in mind that is one
approach you can look at Postman GitHub
past spins go on Google and do some
Google dking but always remember that
there's always a way to get into these
applications whether it's self-
registration or looking for credentials
so if you see something that requires
you to be authenticated don't get scared
find a way to get authenticated the
second one and it's kind of hand inand
with this specific vulnerability type is
using X forwarded like headers to bypass
authentication because sometimes a lot
of these applications are whitelisting
or allowing specific IP addresses
whether that's a local host or whether
is the range of the VPN that this
company uses so if you can find a way of
finding out what is the IP range that
they use or you can Brute Force for it
or just maybe put Local Host in there
this will get you past the first authen
iation mechanism and then you have to
battle the whatever is behind that
specific authentication method so one of
the examples that I have recently in my
Discord some of the hackers that I work
with found this asset on a bug Bounty
program and not I was authenticated and
somehow somebody put an X forwarded for
header on there and it's put out a
different error message than the one
that we were seeing previously and by
seeing the different behavior on the
application based on this specific
Heather then we were able to log in and
feed that application into FFF and then
find additional endpoints points that
were vulnerable so that's one example of
it that you can do so maybe your
approach to getting authenticated isn't
to find credentials or to sign up and
get a actual uh cookie but you can find
other headers including x44 and
everything else that's similar to it
that will list down below that you can
use to bypass authentication so far we
have taken care of authentication and
now we need to talk about authorization
there's a difference between the two
authentication is how you log in how you
get past the login on this application
versus authorization to me is being
authorized to use a specific resource
with authorization there's two different
vulnerability types that come in the
first one just being looking for onof
pads which means unauthenticated pads
you can access that may have juicing
information and require to be authorized
or have some sort of a leverage access
to be able to access that so for example
think about a endpoint that may be maybe
a list of users that this application is
supposed to have access to but somehow
or just by directly going to that list
you can get a list of that user for that
application you want to look at that
because the difference between reporting
that vulnerability as a hey information
disclosure it leaks a list of users
versus hey information disclosure it
leaks the list of users to an onof user
those two have different severity levels
and and obviously you want to make sure
you look out for those so anytime you
find a vul ability or you find an
endpoint that is Juicy that is
interesting it doesn't have to be a get
request it could actually be a post you
can just remove the cookie or you can
remove your o token or the beer token
whatever it is that you're authorizing
yourself within the application and see
if you can access that inpoint without
the authorization header that has been a
good place for me to double my bounties
or actually escalate my bounties so keep
that in mind but there's also another
approach to authorization the second
layer of authorization isn't applicable
to a lot of apis but my favorite thing
to do with authorization vulnerabilities
is testing privilege escalation with
different users so this is kind of
similar to the last one but it requires
this to have different user types so for
example think of this as an HR program
this HR program or application allows
you to have maybe a member a manager and
maybe some HR Manager for example you
want to be able to test out every single
functionality within each of those
different user levels and see which ones
you have access to which ones you can
use and which ones you cannot use a lot
of times I feel like a lot of
organizations introduce new
functionalities into these applications
and they completely forget to look for
the different access controls or
different access levels that these users
have actually Archangel Douglas day has
a really good talk from the hamcon last
year that he did on this I'll link it
down below take a look at it but the
approach to this is you make a list of
all the different functionalities
starting with the admin the highest
level of access that you have and then
you look at the different documentation
and you mark which ones are supposed to
have access to what so for example if
you have something like submit an
expense you want to make sure that you
know an admin can submit an expense and
a user can insult on a manager so those
are applicable to to three users but
maybe the different functionality that
isn't meant to be for all three is
adding a user to the organization maybe
the admin is the only one that can do
that not the manager and not the
different users that you have but you
want to test out that functionality with
the other two lower level privileges so
that is a really good place it's very
very manual and it's a lot of like work
to do but a lot of people skip it
because it's it's a lot of Labor it's a
lot of time but that's why you find
better bugs if you spend the time to
actually understand the application and
understand the logic of this application
in order to look for vulnerabilities and
I kept the best for Last by keeping the
xss or maybe not even xss per se but
looking at the content type of these
apis for last because that is also one
of the most underrated vulnerability
types that a lot of people miss and
that's because when you're interacting
with an API a lot of times you expect
the API to return a value in Json format
and if you're not familiar with this any
API that comes back it's supposed to
give you a text it's supposed to be Json
and if you have HTML within a Json
content type then that HTML is not going
to render but what I've noticed a lot of
times is companies actually mess this up
and they return an HTML within that
response then the HTML will render and
if you put cross scripting there it
could fire the challenge here is to find
a way for your HTML to get in the
response sometimes you can't do that
because of the uh nature of the
application but that is what makes it
really really fun so the first thing you
want to do here is you want to find a
API end point that returns as the
content type set to HTML then you want
to find how can I get my input whether
it's my path maybe it's something that I
put in the post data or in the get
request how can I get this input to
reflect in the response while the
content type is set to HTML those make
for some really really cool vs and a lot
of cool challenges and then fuzzing that
endpoint and seeing if there are any
parameters or any way of getting an
error that's going to just return
whatever you have given it in the
response they've been really really cool
I found a ton of those in the past
they're still very very valid but I feel
like a lot of hackers missed that
because you have to pay attention to the
content t and a lot of time people don't
look at it in that's why a lot of the
top hackers and a lot of the better
hackers
when because they are paying attention
to small details but that's pretty much
all the ru and ability that I think I
want to cover for this episode there is
one more there is path traversal if you
want to see a full video on path
traversal or graphql next drop me a
comment maybe I'll do one or the other
maybe I do both that depends on how many
comments we get so drop me a comment let
me know which one you want to see next
and if you haven't already do me a favor
hit that like hit that subscribe button
and becomeing that homie and I will see
you all in the next video peace
Weitere ähnliche Videos ansehen
5.0 / 5 (0 votes)