How Hackers Exploit API Endpoints Using Documentation?

Medusa
10 Dec 202307:13

Summary

TLDRThis video explores how attackers can exploit an API by simply analyzing its documentation. Using a lab demonstration, the presenter shows how to access API endpoints and delete a user (Carlos) without proper authorization. The key takeaway is the importance of securing APIs with proper access control, as the absence of authentication checks allows attackers to perform unauthorized actions. The video also highlights how API documentation, while necessary, can expose vulnerabilities if not handled securely. The demonstration serves as a lesson for companies to implement strict security measures for their APIs.

Takeaways

  • 🔓 API documentation can be exploited by attackers to understand vulnerabilities and potential attack paths.
  • 👨‍💻 In the demonstration, the attacker’s goal was to delete a specific user account, highlighting API exploitation methods.
  • 🛠 The attacker uses Burp Suite to capture and analyze API requests and endpoints.
  • 🔐 API endpoints may expose user details, like usernames, which can be manipulated for unauthorized actions.
  • 📜 The API documentation, once found, provides crucial information on available API endpoints and methods (GET, DELETE, PATCH).
  • ⚠️ Lack of proper authorization checks allows attackers to exploit endpoints, leading to actions like unauthorized user deletion.
  • 📂 Fuzzing techniques can be used to discover hidden endpoints or documentation paths on a website.
  • 🗑 The attacker successfully deletes the user ‘Carlos’ using a DELETE request without any access control mechanism.
  • 🔑 Proper authentication, such as token-based authorization, can prevent such API exploits by ensuring user identity verification.
  • 🚫 API documentation should be restricted to authorized users, and sensitive endpoints (like admin actions) should not be exposed to normal users.

Q & A

  • What is the main concern when an attacker finds the API documentation of a property?

    -The main concern is that an attacker can gain a comprehensive understanding of how the API works and how it can be exploited, similar to how someone with malicious intent could exploit knowledge of a property's blueprint.

  • What is the goal of the lab demonstrated in the video?

    -The goal of the lab is to perform an unauthorized action, specifically to delete the user 'Carlos', by exploiting the API.

  • How does the video demonstrate the process of exploiting an API?

    -The video demonstrates exploiting an API by accessing a lab, using Burp Suite to capture endpoints, logging in with provided credentials, analyzing HTTP history to find API endpoints, and then fuzzing to find potential paths for documentation.

  • What tool is used in the video to capture and analyze API endpoints?

    -Burp Suite is used to capture and analyze API endpoints in the video.

  • What is the significance of the 'update email' functionality in the lab?

    -The 'update email' functionality is significant because it reveals an API endpoint that can be used to update a user's email, which is a potential vulnerability that can be exploited.

  • How does the video identify that the API is identifying users through their usernames?

    -The video identifies that the API is identifying users through their usernames by observing the path and parameters of the 'update email' endpoint, which includes the username as a string.

  • What is fuzzing in the context of API security?

    -Fuzzing in the context of API security is a technique where random or malformed data is sent to an API endpoint to see how it responds, which can help identify vulnerabilities.

  • How does the video find the API documentation?

    -The video finds the API documentation by guessing possible paths for documentation on a website and then manually testing them until the documentation is found.

  • What is the importance of the 'delete' endpoint found in the API documentation?

    -The 'delete' endpoint is important because it allows for the deletion of a user, which is the goal of the lab. It also highlights a lack of access control, as it can be exploited to delete any user.

  • Why was the video able to delete the user 'Carlos' without authorization?

    -The video was able to delete the user 'Carlos' without authorization because the API did not perform proper authorization checks, such as checking for an authentication token, to ensure that the request was made by an authorized user.

  • What measures can be taken to prevent unauthorized access to API documentation?

    -To prevent unauthorized access to API documentation, companies can restrict access by requiring authentication or using meta tags to prevent web crawlers from following the links.

Outlines

00:00

🔐 API Documentation Exploitation: Understanding Security Risks

The video introduces a scenario where an attacker gains access to a blueprint or API documentation, similar to finding a property blueprint to break into a house. The attacker can use this knowledge to exploit API vulnerabilities. The speaker uses a lab setup to demonstrate how an attacker could exploit an API based on its documentation. The objective is to delete a user named 'Carlos' by performing an unauthorized action, which is shown through the use of Burp Suite to capture endpoints, analyze login and email update functionality, and uncover API paths.

05:01

🛠️ Exploiting API Endpoints: Unauthorized Actions and Access Control Flaws

In this section, the video explains the process of identifying vulnerable API endpoints through an exploration of an API documentation. The lab demonstration shows how the username parameter is used for actions like email updates. By fuzzing API paths and finding the API documentation, the attacker discovers endpoints like GET, DELETE, and PATCH methods. The DELETE method is tested by sending a request to delete a user named 'Carlos,' and due to the lack of access control checks, the action succeeds, illustrating the security flaw of insufficient authentication mechanisms.

Mindmap

Keywords

💡API Documentation

API documentation is a detailed guide that provides information about how an API works, including available endpoints, methods, and expected inputs and outputs. In the video, it is emphasized that if attackers gain access to API documentation, they can understand the API's functionality and exploit it, similar to finding a blueprint of a property.

💡Endpoints

Endpoints are specific paths or URLs in an API that allow interaction with different functionalities, such as retrieving data or updating information. In the video, the speaker analyzes various endpoints like login and update email to understand how the API works and identify potential security vulnerabilities.

💡Unauthorized Action

An unauthorized action is an operation performed by a user who does not have the proper permissions to execute it. The video's main objective is to demonstrate how an attacker can perform unauthorized actions, such as deleting a user, by exploiting weaknesses in API documentation and lack of proper access controls.

💡Burp Suite

Burp Suite is a popular tool used for web application security testing. It intercepts and analyzes web traffic, allowing users to manipulate requests and discover security flaws. In the video, Burp Suite is used to capture API requests and identify potential vulnerabilities in the endpoints.

💡Access Control

Access control refers to security measures that restrict unauthorized users from accessing certain functionalities or data within an API. The video highlights a failure of access control where the API does not verify if the user has permission to perform certain actions, like deleting another user’s account.

💡Fuzzing

Fuzzing is a technique used to discover security vulnerabilities by inputting a large amount of random data into a system and observing its behavior. The video discusses using fuzzing to find undocumented or hidden API paths, which can then be exploited if they are not properly secured.

💡Patch Method

The PATCH method in APIs is used to update resources or data on the server. In the video, the PATCH method is shown updating a user's email address, highlighting how the API processes input and potentially revealing how an attacker might manipulate such requests.

💡Authentication Token

An authentication token is a digital key used to verify a user's identity and access permissions. In the video, the absence of an authentication token in requests is identified as a critical flaw, allowing unauthorized actions without proper identity verification.

💡REST API

REST (Representational State Transfer) is an architectural style for designing networked applications, relying on stateless, client-server communication. The video identifies the API being exploited as a REST API, which uses standard HTTP methods like GET, DELETE, and PATCH to interact with resources.

💡Security Vulnerability

A security vulnerability is a flaw or weakness in a system that can be exploited by attackers to gain unauthorized access or perform malicious actions. The video demonstrates how vulnerabilities, like poor access control and exposed API documentation, can be exploited to delete a user without permission.

Highlights

Understanding how attackers can exploit an API by simply reviewing its documentation.

Demonstration of using Burp Suite to capture and analyze API endpoints for potential vulnerabilities.

The goal of the lab exercise is to delete the user 'Carlos' by exploiting the API.

Capturing HTTP history to identify API endpoints used for logging in and updating user information.

Finding the API endpoint responsible for updating email using the PATCH method.

Observation that the API identifies users through their username in the request path.

Fuzzing different API paths to discover potential vulnerabilities in the API endpoint structure.

Using a word list to guess common API documentation paths on websites to find API documentation.

Successfully locating the API documentation on the web and identifying the available endpoints.

Discovering the DELETE method in the API, which can delete users using their username as a parameter.

Sending a DELETE request to remove user 'Carlos' without proper access control checks.

Identifying the lack of authorization in the API, allowing unauthorized users to perform critical actions.

Recommendation to secure API endpoints by adding authorization checks and access control.

Warning that sensitive API documentation should be restricted to authorized users to prevent exploitation.

Conclusion that API vulnerabilities often arise due to improper security measures like missing authentication tokens.

Transcripts

play00:00

imagine someone with malicious intent

play00:01

finding a blueprint of a property you

play00:03

own now they know all the possible paths

play00:06

to break into the property and discover

play00:08

the secret places similarly if the

play00:10

attacker finds the API documentation

play00:13

they can gain a comprehensive

play00:14

understanding of how the API works and

play00:17

how it can be exploited and that's what

play00:19

we're going to look in this video like

play00:22

how an attacker can exploit API just by

play00:25

looking at the API

play00:28

documentation for demonstration purpose

play00:30

I'll be using this lab from both suger

play00:32

that is exploiting an API and B using

play00:35

documentation so the goal of this lab is

play00:38

to delete the user Carlos so we need to

play00:41

perform an unauthorized action let's see

play00:44

how we can do that so first we need to

play00:46

access the lab I'm going to open this in

play00:49

a new tab and also let's turn on the

play00:53

burp Suite so we can capture all those

play00:55

end points and analyze

play00:58

it here we have the

play01:00

lab okay let's start it

play01:03

[Music]

play01:12

up okay burp is on I'm going to turn on

play01:16

the proxy now and we have to log in here

play01:19

we were provided credentials that is

play01:21

Wier and Peter so I'm going to type it

play01:24

here real

play01:25

[Music]

play01:27

quick don't save and we are logged in

play01:31

this is the email address we are

play01:33

provided with let's analyze the

play01:36

endpoints in HTTP history so here we

play01:40

have the login

play01:42

endpoint where we provided the username

play01:44

and password and then we have my

play01:47

account we don't seem to see any API

play01:51

endpoints though let's go to the

play01:54

tget and it doesn't have any

play01:58

either so so let's explore a little more

play02:01

we can see there's another functionality

play02:03

here that is update email so let's try

play02:07

to capture the request and see what it

play02:09

looks

play02:10

like let's just say

play02:13

Peter normal

play02:16

user. okay

play02:19

date and the email has been updated now

play02:23

let's check the proxy history

play02:26

again and here we have this endp point

play02:30

and now we can see the API endp Point

play02:31

API user winner so the sgtp method is

play02:37

patch and we can see that it is sending

play02:40

the email that we provided the new email

play02:44

in in the Json

play02:46

body and in the response we can see that

play02:50

the email has been updated thing that we

play02:52

can notice is that it's probably

play02:54

identifying user through their username

play02:57

I guess this is the username name that

play03:00

changes for every user when they try to

play03:02

update their email also we can notice

play03:05

the path so there are multiple ways we

play03:08

can fuzz for it for okay for example let

play03:11

me open my

play03:13

Notepad and

play03:17

here we can fuzz like this so first

play03:22

possibility is API user then fuzz if you

play03:26

know the possible username you can

play03:28

probably do it

play03:30

second possibility is API fuzz maybe you

play03:35

can find some more

play03:37

endpoints okay so as we know the goal of

play03:42

this lab is to find the documentation

play03:44

first

play03:46

right so first we have to think what are

play03:48

the possible paths for documentation in

play03:51

a

play03:53

website if you are not sure you can ask

play03:58

charity here I'm going to type give me a

play04:02

word

play04:04

list of all the

play04:07

possible API

play04:11

documentation path and uh

play04:14

[Music]

play04:16

website and here we can see some

play04:19

possible bads like these API SL dogs

play04:24

there are already less of them you can

play04:26

put them in a word list and then try to

play04:29

fuz for it or you can also do it

play04:32

manually since there are very less I'm

play04:34

going to try the first

play04:37

one

play04:49

okay okay and it worked we found the API

play04:52

documentation here and here we can see

play04:55

that this is arrest API which was

play04:57

actually

play04:58

obvious so there are three endpoints

play05:01

here with different SJP methods that is

play05:03

get delete and Patch the one we saw was

play05:06

this patch one when we tried to update

play05:09

the email which took the username here

play05:12

as string and in the parameters it took

play05:15

the

play05:15

email okay so there is another endpoint

play05:19

that is

play05:20

delete and it also takes the

play05:23

[Music]

play05:24

username we already analyzed this much

play05:27

right when we saw our username winner it

play05:30

was obvious that it was identifying the

play05:33

user according to their

play05:35

username

play05:36

so as we know the goal of this lab is to

play05:39

delete the user Carlos I'm going to send

play05:41

this request to

play05:43

repeater

play05:45

and type Carlos

play05:48

here and make this

play05:51

delete and remove this Jason

play05:55

body send this

play05:58

request and it says user deleted so

play06:01

because of the lack of Access Control we

play06:03

were able to perform this action because

play06:06

the backend is not checking if the user

play06:09

is who they claim to be it's not

play06:11

checking if Carlos is making this

play06:12

request because there is no

play06:15

authentication token or beer token to

play06:18

identify

play06:19

[Music]

play06:21

it and if you go back we can see that

play06:23

the lab is

play06:24

solved now if you are a company that

play06:27

provides an API as service to users and

play06:29

therefore must provide API documentation

play06:32

then it's totally fine you can do that

play06:34

the problem arises only when the API

play06:36

isn't secured and doesn't perform

play06:38

authorization checks properly like we

play06:40

saw in the previous scenario also if

play06:43

there are some inputs that you want to

play06:45

hide from normal users such as endpoints

play06:47

for administrator then you can restrict

play06:50

access to the API documentation

play06:52

specifically for admins by providing

play06:56

authentication or by using some meta

play06:58

tags so it doesn't get followed by the

play07:01

web crawlers okay that's it for this

play07:03

video I hope you enjoyed watching it and

play07:05

I'll see you in the next

play07:07

[Music]

play07:11

one

Посмотреть больше похожих видео

My Favorite API Hacking Vulnerabilities & Tips

Adding JWT Authentication & Authorization in ASP.NET Core

2024 Guide: Hacking APIs

ReactJS Music Player #4: Integrating the Spotify Api in our React App

The Logging And Monitoring Challenge (with Anuprita Patankar)

API designing: How to Design Best APIs | Best Practices | #api #backenddevelopment

Rate This

5.0 / 5 (0 votes)

Summary
Outlines
Mindmap
Keywords
Highlights
Transcripts
Связанные теги
API securitycybersecurityhacking APIsaccess controlAPI documentationauthorization checksweb vulnerabilitiesethical hackingsecurity labsAPI exploitation
Вам нужно краткое изложение на английском?