My Favorite API Hacking Vulnerabilities & Tips

00:00

apis are everywhere and if you don't

00:02

know how to approach an API and find

00:04

vulnerabilities then you are definitely

00:07

missing out in a lot of bugs whether

00:08

you're bug bounty hunter pentester or

00:10

just a web security Enthusiast before we

00:12

jump into the video though I'm going to

00:13

quickly do a Shameless plug a lot of you

00:15

guys have been asking for an update to

00:16

the udmi course it is here if you have

00:18

udmi access already it is there you can

00:20

go get it for free it's a part of what

00:22

you have purchased for in the past if

00:23

you don't have access you want to get it

00:25

there's a ton of new content on xss CSP

00:28

client side vones csrf you name it it is

00:31

also going to be updated three more

00:32

times in the next 6 months all you have

00:34

to do is click on the link down in the

00:36

description or the pin comments and get

00:38

it for half off as of today all right

00:40

now let's jump into the video well in

00:42

this video I want to talk about some of

00:43

my favorite vulnerabilities that I look

00:45

for in an API how to look for him how to

00:47

approach him and why are these the ones

00:49

that I go through starting with your

00:51

generic OAS top 10 because I want to get

00:53

this out of the way but the generic o

00:55

top 10 is the vulnerabilities like your

00:56

xss your idors you want to look for your

00:58

ssrf any abilities that you would find

01:01

in a traditional application you also

01:04

want to look for those in an API because

01:06

the API is the backend of this system so

01:10

any vulnerabilities that is covered in

01:12

an OAS top 10 or any version of OAS top

01:15

10 then it is kind of also applicable to

01:18

uh an API I don't want to cover this

01:20

because I feel like there's a lot of

01:21

content around looking for these

01:24

traditional web WS on an API so I want

01:27

to kind of take a deeper approach to

01:28

hacking API and kind of show you what is

01:31

the vulnerability that I look for so I

01:32

wanted to kind of get that out of the

01:33

way but now let's talk about the

01:35

additional vulnerabilities starting with

01:37

looking at authentication

01:39

vulnerabilities because authentication

01:40

is a thing that I think scares off a lot

01:42

of hackers when it comes down to looking

01:44

for vulnerabilities and by that I mean a

01:46

lot of times hackers find an API where

01:48

they can't authenticate to maybe it

01:50

requires some credentials and a lot of

01:52

people actually don't look for them and

01:54

there's a lot of ways you can actually

01:55

do that the obvious approach to looking

01:57

for credentials for an API is just

01:59

obviously going on GitHub doing the

02:00

generic putting the URL of that website

02:03

or that specific API into the search and

02:06

looking and seeing if anything has been

02:07

leaked but that only works if that

02:10

specific domain or subdomain has been

02:12

mentioned in a repo and if it has then

02:15

you can look for this keys and pull them

02:16

out and use them but also the other

02:18

thing that you can do is looking at

02:19

specific header names or cookie value so

02:21

if a cookie value has something very

02:23

unique to this application or to this

02:25

website or this company also you want to

02:26

look for that and see if you can't find

02:28

anything but I feel like GitHub is been

02:30

the easiest to clean up a lot of

02:32

companies are more aware of leaking

02:33

credentials on GitHub and a lot of

02:35

hackers are looking for it but I think

02:36

something that's not fully covered yet

02:38

is Postman actually you can go on

02:39

Postman and use something like porsch

02:41

pirate I think that's what the tool is

02:42

called it's been an amazing one that

02:43

it's in my toolkit that I use but you

02:45

can just type in a search for a company

02:47

name and relate it to this specific

02:48

asset but this is just also very noisy

02:50

so you have to do a lot of manual work

02:52

or just have some scripts or wrappers

02:54

around this tool that's going to clean

02:56

it up and give you better results but

02:57

Postman is a really good place because a

02:59

lot of times people just dump their API

03:01

specs into a file and then they just

03:03

post it on post man.com and they forget

03:05

that their keys may have been hardcoded

03:06

this has got me some really cool

03:08

bounties and even if I haven't gotten

03:09

any bounties then it's giving me access

03:11

to a lot of cool assets that I've played

03:13

around with and it's generated leads for

03:15

me so keep that in mind that is one

03:17

approach you can look at Postman GitHub

03:19

past spins go on Google and do some

03:21

Google dking but always remember that

03:23

there's always a way to get into these

03:25

applications whether it's self-

03:26

registration or looking for credentials

03:28

so if you see something that requires

03:29

you to be authenticated don't get scared

03:31

find a way to get authenticated the

03:32

second one and it's kind of hand inand

03:34

with this specific vulnerability type is

03:37

using X forwarded like headers to bypass

03:40

authentication because sometimes a lot

03:42

of these applications are whitelisting

03:44

or allowing specific IP addresses

03:46

whether that's a local host or whether

03:48

is the range of the VPN that this

03:51

company uses so if you can find a way of

03:53

finding out what is the IP range that

03:55

they use or you can Brute Force for it

03:56

or just maybe put Local Host in there

03:58

this will get you past the first authen

03:59

iation mechanism and then you have to

04:01

battle the whatever is behind that

04:03

specific authentication method so one of

04:05

the examples that I have recently in my

04:07

Discord some of the hackers that I work

04:08

with found this asset on a bug Bounty

04:10

program and not I was authenticated and

04:12

somehow somebody put an X forwarded for

04:14

header on there and it's put out a

04:16

different error message than the one

04:17

that we were seeing previously and by

04:19

seeing the different behavior on the

04:22

application based on this specific

04:24

Heather then we were able to log in and

04:26

feed that application into FFF and then

04:28

find additional endpoints points that

04:30

were vulnerable so that's one example of

04:32

it that you can do so maybe your

04:34

approach to getting authenticated isn't

04:36

to find credentials or to sign up and

04:38

get a actual uh cookie but you can find

04:41

other headers including x44 and

04:44

everything else that's similar to it

04:45

that will list down below that you can

04:47

use to bypass authentication so far we

04:50

have taken care of authentication and

04:52

now we need to talk about authorization

04:54

there's a difference between the two

04:55

authentication is how you log in how you

04:57

get past the login on this application

05:00

versus authorization to me is being

05:02

authorized to use a specific resource

05:05

with authorization there's two different

05:06

vulnerability types that come in the

05:08

first one just being looking for onof

05:11

pads which means unauthenticated pads

05:13

you can access that may have juicing

05:16

information and require to be authorized

05:18

or have some sort of a leverage access

05:21

to be able to access that so for example

05:23

think about a endpoint that may be maybe

05:26

a list of users that this application is

05:29

supposed to have access to but somehow

05:31

or just by directly going to that list

05:33

you can get a list of that user for that

05:35

application you want to look at that

05:36

because the difference between reporting

05:38

that vulnerability as a hey information

05:40

disclosure it leaks a list of users

05:42

versus hey information disclosure it

05:45

leaks the list of users to an onof user

05:48

those two have different severity levels

05:50

and and obviously you want to make sure

05:51

you look out for those so anytime you

05:53

find a vul ability or you find an

05:54

endpoint that is Juicy that is

05:56

interesting it doesn't have to be a get

05:58

request it could actually be a post you

05:59

can just remove the cookie or you can

06:00

remove your o token or the beer token

06:03

whatever it is that you're authorizing

06:04

yourself within the application and see

06:06

if you can access that inpoint without

06:08

the authorization header that has been a

06:11

good place for me to double my bounties

06:13

or actually escalate my bounties so keep

06:15

that in mind but there's also another

06:17

approach to authorization the second

06:19

layer of authorization isn't applicable

06:21

to a lot of apis but my favorite thing

06:24

to do with authorization vulnerabilities

06:26

is testing privilege escalation with

06:29

different users so this is kind of

06:30

similar to the last one but it requires

06:32

this to have different user types so for

06:34

example think of this as an HR program

06:36

this HR program or application allows

06:39

you to have maybe a member a manager and

06:41

maybe some HR Manager for example you

06:43

want to be able to test out every single

06:45

functionality within each of those

06:48

different user levels and see which ones

06:50

you have access to which ones you can

06:51

use and which ones you cannot use a lot

06:53

of times I feel like a lot of

06:54

organizations introduce new

06:56

functionalities into these applications

06:58

and they completely forget to look for

07:00

the different access controls or

07:01

different access levels that these users

07:03

have actually Archangel Douglas day has

07:06

a really good talk from the hamcon last

07:07

year that he did on this I'll link it

07:09

down below take a look at it but the

07:10

approach to this is you make a list of

07:12

all the different functionalities

07:13

starting with the admin the highest

07:15

level of access that you have and then

07:16

you look at the different documentation

07:18

and you mark which ones are supposed to

07:20

have access to what so for example if

07:22

you have something like submit an

07:23

expense you want to make sure that you

07:24

know an admin can submit an expense and

07:26

a user can insult on a manager so those

07:28

are applicable to to three users but

07:30

maybe the different functionality that

07:32

isn't meant to be for all three is

07:33

adding a user to the organization maybe

07:35

the admin is the only one that can do

07:36

that not the manager and not the

07:37

different users that you have but you

07:39

want to test out that functionality with

07:40

the other two lower level privileges so

07:43

that is a really good place it's very

07:44

very manual and it's a lot of like work

07:46

to do but a lot of people skip it

07:48

because it's it's a lot of Labor it's a

07:49

lot of time but that's why you find

07:51

better bugs if you spend the time to

07:53

actually understand the application and

07:55

understand the logic of this application

07:56

in order to look for vulnerabilities and

07:58

I kept the best for Last by keeping the

08:00

xss or maybe not even xss per se but

08:04

looking at the content type of these

08:06

apis for last because that is also one

08:08

of the most underrated vulnerability

08:10

types that a lot of people miss and

08:11

that's because when you're interacting

08:13

with an API a lot of times you expect

08:14

the API to return a value in Json format

08:18

and if you're not familiar with this any

08:19

API that comes back it's supposed to

08:20

give you a text it's supposed to be Json

08:22

and if you have HTML within a Json

08:24

content type then that HTML is not going

08:27

to render but what I've noticed a lot of

08:28

times is companies actually mess this up

08:31

and they return an HTML within that

08:33

response then the HTML will render and

08:34

if you put cross scripting there it

08:36

could fire the challenge here is to find

08:38

a way for your HTML to get in the

08:40

response sometimes you can't do that

08:42

because of the uh nature of the

08:43

application but that is what makes it

08:45

really really fun so the first thing you

08:47

want to do here is you want to find a

08:49

API end point that returns as the

08:51

content type set to HTML then you want

08:53

to find how can I get my input whether

08:55

it's my path maybe it's something that I

08:57

put in the post data or in the get

08:58

request how can I get this input to

09:01

reflect in the response while the

09:04

content type is set to HTML those make

09:06

for some really really cool vs and a lot

09:07

of cool challenges and then fuzzing that

09:09

endpoint and seeing if there are any

09:11

parameters or any way of getting an

09:13

error that's going to just return

09:15

whatever you have given it in the

09:16

response they've been really really cool

09:17

I found a ton of those in the past

09:19

they're still very very valid but I feel

09:21

like a lot of hackers missed that

09:22

because you have to pay attention to the

09:24

content t and a lot of time people don't

09:26

look at it in that's why a lot of the

09:27

top hackers and a lot of the better

09:29

hackers

09:29

when because they are paying attention

09:31

to small details but that's pretty much

09:33

all the ru and ability that I think I

09:35

want to cover for this episode there is

09:37

one more there is path traversal if you

09:39

want to see a full video on path

09:40

traversal or graphql next drop me a

09:43

comment maybe I'll do one or the other

09:44

maybe I do both that depends on how many

09:46

comments we get so drop me a comment let

09:47

me know which one you want to see next

09:49

and if you haven't already do me a favor

09:51

hit that like hit that subscribe button

09:53

and becomeing that homie and I will see

09:54

you all in the next video peace