How Hackers Exploit API Endpoints Using Documentation?
Summary
TLDRThis video explores how attackers can exploit an API by simply analyzing its documentation. Using a lab demonstration, the presenter shows how to access API endpoints and delete a user (Carlos) without proper authorization. The key takeaway is the importance of securing APIs with proper access control, as the absence of authentication checks allows attackers to perform unauthorized actions. The video also highlights how API documentation, while necessary, can expose vulnerabilities if not handled securely. The demonstration serves as a lesson for companies to implement strict security measures for their APIs.
Takeaways
- 🔓 API documentation can be exploited by attackers to understand vulnerabilities and potential attack paths.
- 👨💻 In the demonstration, the attacker’s goal was to delete a specific user account, highlighting API exploitation methods.
- 🛠 The attacker uses Burp Suite to capture and analyze API requests and endpoints.
- 🔐 API endpoints may expose user details, like usernames, which can be manipulated for unauthorized actions.
- 📜 The API documentation, once found, provides crucial information on available API endpoints and methods (GET, DELETE, PATCH).
- ⚠️ Lack of proper authorization checks allows attackers to exploit endpoints, leading to actions like unauthorized user deletion.
- 📂 Fuzzing techniques can be used to discover hidden endpoints or documentation paths on a website.
- 🗑 The attacker successfully deletes the user ‘Carlos’ using a DELETE request without any access control mechanism.
- 🔑 Proper authentication, such as token-based authorization, can prevent such API exploits by ensuring user identity verification.
- 🚫 API documentation should be restricted to authorized users, and sensitive endpoints (like admin actions) should not be exposed to normal users.
Q & A
What is the main concern when an attacker finds the API documentation of a property?
-The main concern is that an attacker can gain a comprehensive understanding of how the API works and how it can be exploited, similar to how someone with malicious intent could exploit knowledge of a property's blueprint.
What is the goal of the lab demonstrated in the video?
-The goal of the lab is to perform an unauthorized action, specifically to delete the user 'Carlos', by exploiting the API.
How does the video demonstrate the process of exploiting an API?
-The video demonstrates exploiting an API by accessing a lab, using Burp Suite to capture endpoints, logging in with provided credentials, analyzing HTTP history to find API endpoints, and then fuzzing to find potential paths for documentation.
What tool is used in the video to capture and analyze API endpoints?
-Burp Suite is used to capture and analyze API endpoints in the video.
What is the significance of the 'update email' functionality in the lab?
-The 'update email' functionality is significant because it reveals an API endpoint that can be used to update a user's email, which is a potential vulnerability that can be exploited.
How does the video identify that the API is identifying users through their usernames?
-The video identifies that the API is identifying users through their usernames by observing the path and parameters of the 'update email' endpoint, which includes the username as a string.
What is fuzzing in the context of API security?
-Fuzzing in the context of API security is a technique where random or malformed data is sent to an API endpoint to see how it responds, which can help identify vulnerabilities.
How does the video find the API documentation?
-The video finds the API documentation by guessing possible paths for documentation on a website and then manually testing them until the documentation is found.
What is the importance of the 'delete' endpoint found in the API documentation?
-The 'delete' endpoint is important because it allows for the deletion of a user, which is the goal of the lab. It also highlights a lack of access control, as it can be exploited to delete any user.
Why was the video able to delete the user 'Carlos' without authorization?
-The video was able to delete the user 'Carlos' without authorization because the API did not perform proper authorization checks, such as checking for an authentication token, to ensure that the request was made by an authorized user.
What measures can be taken to prevent unauthorized access to API documentation?
-To prevent unauthorized access to API documentation, companies can restrict access by requiring authentication or using meta tags to prevent web crawlers from following the links.
Outlines
🔐 API Documentation Exploitation: Understanding Security Risks
The video introduces a scenario where an attacker gains access to a blueprint or API documentation, similar to finding a property blueprint to break into a house. The attacker can use this knowledge to exploit API vulnerabilities. The speaker uses a lab setup to demonstrate how an attacker could exploit an API based on its documentation. The objective is to delete a user named 'Carlos' by performing an unauthorized action, which is shown through the use of Burp Suite to capture endpoints, analyze login and email update functionality, and uncover API paths.
🛠️ Exploiting API Endpoints: Unauthorized Actions and Access Control Flaws
In this section, the video explains the process of identifying vulnerable API endpoints through an exploration of an API documentation. The lab demonstration shows how the username parameter is used for actions like email updates. By fuzzing API paths and finding the API documentation, the attacker discovers endpoints like GET, DELETE, and PATCH methods. The DELETE method is tested by sending a request to delete a user named 'Carlos,' and due to the lack of access control checks, the action succeeds, illustrating the security flaw of insufficient authentication mechanisms.
Mindmap
Keywords
💡API Documentation
💡Endpoints
💡Unauthorized Action
💡Burp Suite
💡Access Control
💡Fuzzing
💡Patch Method
💡Authentication Token
💡REST API
💡Security Vulnerability
Highlights
Understanding how attackers can exploit an API by simply reviewing its documentation.
Demonstration of using Burp Suite to capture and analyze API endpoints for potential vulnerabilities.
The goal of the lab exercise is to delete the user 'Carlos' by exploiting the API.
Capturing HTTP history to identify API endpoints used for logging in and updating user information.
Finding the API endpoint responsible for updating email using the PATCH method.
Observation that the API identifies users through their username in the request path.
Fuzzing different API paths to discover potential vulnerabilities in the API endpoint structure.
Using a word list to guess common API documentation paths on websites to find API documentation.
Successfully locating the API documentation on the web and identifying the available endpoints.
Discovering the DELETE method in the API, which can delete users using their username as a parameter.
Sending a DELETE request to remove user 'Carlos' without proper access control checks.
Identifying the lack of authorization in the API, allowing unauthorized users to perform critical actions.
Recommendation to secure API endpoints by adding authorization checks and access control.
Warning that sensitive API documentation should be restricted to authorized users to prevent exploitation.
Conclusion that API vulnerabilities often arise due to improper security measures like missing authentication tokens.
Transcripts
imagine someone with malicious intent
finding a blueprint of a property you
own now they know all the possible paths
to break into the property and discover
the secret places similarly if the
attacker finds the API documentation
they can gain a comprehensive
understanding of how the API works and
how it can be exploited and that's what
we're going to look in this video like
how an attacker can exploit API just by
looking at the API
documentation for demonstration purpose
I'll be using this lab from both suger
that is exploiting an API and B using
documentation so the goal of this lab is
to delete the user Carlos so we need to
perform an unauthorized action let's see
how we can do that so first we need to
access the lab I'm going to open this in
a new tab and also let's turn on the
burp Suite so we can capture all those
end points and analyze
it here we have the
lab okay let's start it
[Music]
up okay burp is on I'm going to turn on
the proxy now and we have to log in here
we were provided credentials that is
Wier and Peter so I'm going to type it
here real
[Music]
quick don't save and we are logged in
this is the email address we are
provided with let's analyze the
endpoints in HTTP history so here we
have the login
endpoint where we provided the username
and password and then we have my
account we don't seem to see any API
endpoints though let's go to the
tget and it doesn't have any
either so so let's explore a little more
we can see there's another functionality
here that is update email so let's try
to capture the request and see what it
looks
like let's just say
Peter normal
user. okay
date and the email has been updated now
let's check the proxy history
again and here we have this endp point
and now we can see the API endp Point
API user winner so the sgtp method is
patch and we can see that it is sending
the email that we provided the new email
in in the Json
body and in the response we can see that
the email has been updated thing that we
can notice is that it's probably
identifying user through their username
I guess this is the username name that
changes for every user when they try to
update their email also we can notice
the path so there are multiple ways we
can fuzz for it for okay for example let
me open my
Notepad and
here we can fuzz like this so first
possibility is API user then fuzz if you
know the possible username you can
probably do it
second possibility is API fuzz maybe you
can find some more
endpoints okay so as we know the goal of
this lab is to find the documentation
first
right so first we have to think what are
the possible paths for documentation in
a
website if you are not sure you can ask
charity here I'm going to type give me a
word
list of all the
possible API
documentation path and uh
[Music]
website and here we can see some
possible bads like these API SL dogs
there are already less of them you can
put them in a word list and then try to
fuz for it or you can also do it
manually since there are very less I'm
going to try the first
one
okay okay and it worked we found the API
documentation here and here we can see
that this is arrest API which was
actually
obvious so there are three endpoints
here with different SJP methods that is
get delete and Patch the one we saw was
this patch one when we tried to update
the email which took the username here
as string and in the parameters it took
the
email okay so there is another endpoint
that is
delete and it also takes the
[Music]
username we already analyzed this much
right when we saw our username winner it
was obvious that it was identifying the
user according to their
username
so as we know the goal of this lab is to
delete the user Carlos I'm going to send
this request to
repeater
and type Carlos
here and make this
delete and remove this Jason
body send this
request and it says user deleted so
because of the lack of Access Control we
were able to perform this action because
the backend is not checking if the user
is who they claim to be it's not
checking if Carlos is making this
request because there is no
authentication token or beer token to
identify
[Music]
it and if you go back we can see that
the lab is
solved now if you are a company that
provides an API as service to users and
therefore must provide API documentation
then it's totally fine you can do that
the problem arises only when the API
isn't secured and doesn't perform
authorization checks properly like we
saw in the previous scenario also if
there are some inputs that you want to
hide from normal users such as endpoints
for administrator then you can restrict
access to the API documentation
specifically for admins by providing
authentication or by using some meta
tags so it doesn't get followed by the
web crawlers okay that's it for this
video I hope you enjoyed watching it and
I'll see you in the next
[Music]
one
関連動画をさらに表示
My Favorite API Hacking Vulnerabilities & Tips
Adding JWT Authentication & Authorization in ASP.NET Core
2024 Guide: Hacking APIs
ReactJS Music Player #4: Integrating the Spotify Api in our React App
The Logging And Monitoring Challenge (with Anuprita Patankar)
API designing: How to Design Best APIs | Best Practices | #api #backenddevelopment
5.0 / 5 (0 votes)