2024 Guide: Hacking APIs

00:00

this is the fifth and final week of the

00:02

five week program and if you've made it

00:04

this far congratulations and I really

00:06

hope the last 5 weeks have helped you or

00:08

push you towards becoming a better

00:10

hacker and hopefully you are one of the

00:12

select lucky people that had the ability

00:14

to find a vulnerability within the last

00:17

5 weeks in this video I'm going to talk

00:20

about the different approaches to API

00:23

hacking and I know is really hard to try

00:25

and put everything about AP hacking in

00:27

one video so bear with me I'm going to

00:29

try and un p a lot and hopefully by the

00:31

end of this video you get a better

00:33

understanding of how to approach an API

00:36

especially when it comes down to an

00:38

application that you have never worked

00:39

with when it comes down to looking at

00:41

apis there typically I want to say two

00:43

maybe two and a half different

00:44

approaches the half approach I'll

00:45

explain it just a bit but there are two

00:47

different approaches one is your typical

00:49

approach of having access to some sort

00:51

of an application this could be whether

00:53

the main application actually connects

00:55

to an API and interacts with it where

00:57

you can actually capture the HTP request

00:59

and look at it or it could be that you

01:02

have maybe a half UI or a broken UI that

01:05

loads a wide screen or maybe shows up a

01:07

little bit of information but you don't

01:09

get to have access to the full

01:11

application itself so that's like the

01:12

one and a half approach to API hacking

01:14

based on the UI then you can kind of

01:16

like go through the Javascript file and

01:18

break it apart and maybe get some of

01:20

those calls and base on those API routes

01:22

maybe you can uncover the additional APS

01:25

that are available the second approach

01:27

is very similar to using JavaScript

01:30

files to uncover more API routes and

01:32

it's just by brute forcing for files and

01:34

parameters and but you can also go after

01:37

looking for documentation whether it's

01:39

looking on GitHub or actually going on

01:40

that API set or your Target and looking

01:43

for API documentation through swager UI

01:46

or just any of these open API

01:48

documentation so in this video what

01:50

we're going to do is we're going to go

01:51

on to hacking Hub and launch our Hub

01:54

again you can always go into the 5we

01:57

program Hub on hacking Hub click on API

01:59

hack and follow along or if you just

02:01

want to watch me do my magic you're more

02:03

than welcome to do that and then you can

02:04

later on go and take a look at that Hub

02:06

yourself as I mentioned earlier you're

02:08

going to have times where you have the

02:10

actual application presented to you so

02:12

in this case I am looking at a website

02:14

and it's giving us everything we need we

02:16

can click on get started and maybe

02:17

create an account but sometimes you're

02:19

going to also see an application where

02:21

then it's not going to show you the

02:23

whole app it's going to be broken maybe

02:24

it just shows you an index file with

02:26

nothing being visible and you can right

02:27

click and look at the JavaScript I'll

02:29

show you that in just a SEC but here we

02:31

can actually see the application so I'm

02:32

going to just create an account really

02:33

quickly the hom SEC

02:36

test so now we can quickly fill this out

02:39

and sign up for an account and hit

02:40

register and now that we have an account

02:42

what I want to do is I want to make sure

02:44

we are intercepting everything for our

02:46

proxy tool right here and I'm going to

02:47

quickly just go to intercept and start

02:50

queuing because I want to kind of look

02:51

at what happens once I load the profile

02:54

page for example what are the different

02:56

API calls that that happen so in this

02:57

case what I can see is that app that the

03:00

domain that we have is making a request

03:02

to profile which is probably just a

03:04

static page but eventually it's going to

03:06

hit app.js we'll go look at that in just

03:08

a bit but now we can see that the API

03:10

naming convention is app- API domain

03:14

name and it's connecting to an API

03:16

version one it's heading me we're just

03:18

going to pass that forward maybe we can

03:20

actually use a respones to also see what

03:22

the response looks like so it's going to

03:23

come back we're going to go to response

03:25

Tab and we can see that the response is

03:27

just giving us our username our first

03:29

name all last name and date of birth so

03:31

we kind of can see what are the

03:33

different settings that it's allowing

03:34

what are the different methods that's

03:36

allowed for that particular endpoint but

03:37

we're just going to continue and drop

03:39

all this and see kind of what everything

03:41

else looks like so now we can kind of

03:42

take a look at creating post this

03:44

approach is what I do usually when I'm

03:46

given a application to hack on a lot of

03:49

times people just start looking at these

03:51

applications and they start filling it

03:52

out with a lot of different payloads but

03:55

what my Approach is when something has

03:57

an API behind it is just browsing the

03:59

website looking at how does it actually

04:01

create these different content while I

04:03

also insert my payload so right now I'm

04:05

going to create this post actually we're

04:07

not intercepting so we're going to make

04:08

another one we're going to oops let's go

04:10

back we're going to go back and edit

04:12

this now and see what it looks like so

04:14

if we edit what is the request look like

04:17

it'ss like it's sending a put request to

04:19

post that's the ID forour post and it

04:21

has a title and content but I want to

04:23

also look at what the response looks

04:24

like so I'm going to forward that come

04:26

here and see what the response is here I

04:28

can see public is is false and there's a

04:30

share URL so here is where objectives

04:33

become something in mind instead of

04:35

looking for vulnerabilities I start to

04:38

set myself objectives if I wanted to

04:40

hack this application and I see that

04:42

there is a public uh false or true for a

04:45

specific post how can I make another

04:48

user's post public while creating a

04:51

share URL for it so what we're going to

04:53

do here is we're going to make ours

04:54

public we're going to cue make it public

04:57

and we're going to take a look at the

04:58

response so the first and options we

05:00

don't care we're just going to send that

05:02

out then there's the share which is

05:03

public is true it's making a request to

05:06

the share endpoint on that specific post

05:09

and it's going to just flip that public

05:11

to true and right off the bat if we look

05:13

at the response we can kind of tell that

05:15

it's going to give us the share URL

05:17

which is probably how you can access

05:20

this specific post so in other ways what

05:22

I want to do here is how do I create a

05:25

post for another user and make it public

05:27

if that becomes a really good V ability

05:30

to look at so here's where you're going

05:31

to need to make two accounts test the

05:33

same functionality and see if you can

05:35

idore that share ID leak the URL for the

05:38

share post and then see if you can

05:40

access it so that's kind of the

05:41

objective that it comes with when you're

05:44

look at an API I see that this

05:45

functionality exists how do I abuse it

05:48

hacking apis isn't always about looking

05:49

for ssrf xss and just this basic Ido

05:53

vulnerabilities this is what people mean

05:55

when they say you want to understand the

05:57

functionality of a website understand

05:59

what it's supposed to do and what is it

06:00

not supposed to do and make that exactly

06:02

work so if it's not supposed to leak

06:04

another user's post for example you want

06:07

to exactly set that your objective to be

06:09

able to leak and other users for example

06:11

post in this case so the the other

06:13

approach is you actually have access to

06:16

look at the source of this so a lot of

06:18

times what you would see is you go to a

06:20

website maybe you you maybe you hit the

06:22

root folder and it brings you a blank

06:24

page and you don't see anything else but

06:26

if you click on the source of the page

06:28

and you navigate down below you can see

06:29

JavaScript out sometime it's app.js it

06:32

could be things like main with a has. JS

06:34

and when you click on it it is going to

06:36

bring you a very much uglier version of

06:39

what we have in front of us and

06:40

sometimes you can use things like JS

06:42

link finder you can use other

06:43

applications or BB Suite plugins to kind

06:46

of extract data from it one of the

06:48

things that I like to do usually is look

06:49

for keywords like get maybe keywords

06:52

like post put and see what it comes up

06:54

with so we can actually see if we can

06:56

come up with anything in here so we can

06:58

look for something like put and see what

07:00

comes up with it and we can put it in

07:01

quotes you can see right here it shows

07:03

API V1 meet takes a put request and you

07:07

can actually send this entire request to

07:09

it and this is how the request works if

07:10

you're not sure how to read JavaScript I

07:12

highly recommend getting familiar enough

07:14

at least to a point where you can read

07:16

this JavaScript code and go okay this is

07:18

the endo and this is what it requires

07:19

for me to do in order to have a valid

07:21

request but you also have the option to

07:23

just go into uh a chat GPT or an AI

07:26

model give it your entire request so in

07:29

this case I've copied one of the

07:30

functions in there and I'm just telling

07:31

it hey provide a valid HTP request for

07:34

this function you don't have to do

07:35

something fancy like this one you can

07:36

honestly just go into chat GPT and write

07:38

that out and it's going to come back and

07:39

say hey this is what you sent to API V1

07:43

me and this is the request body that

07:45

it's expecting and it's giving you a

07:46

sample version of it with email first

07:48

name last name and date of birth so

07:50

that's just an example of looking at it

07:51

the second thing that you want to take a

07:53

look at is also how do we authenticate

07:55

to this application when we reloaded

07:57

this page it does send a request to an

08:00

API but also it authenticates us with

08:03

this API token so what I will do usually

08:06

is send this request to my

08:09

repeater and you can actually test and

08:12

see if you can access some of this

08:14

information without having your API

08:16

token so if it actually loads this in

08:18

this case it didn't do it but sometimes

08:20

if that works without the API token you

08:22

also have found a vulnerability when

08:24

you're authorizing yourself to retrieve

08:26

data without being authenticated so this

08:28

is kind of like a having onof access to

08:31

an endpoint that leaks maybe pii or post

08:33

information or whatever it is but the

08:35

point of the API token is to also see if

08:37

you can find other apis within this

08:40

company's domain and access them with

08:42

that API token sometimes they make this

08:44

valid and it's being reused within other

08:46

applications where you can actually sign

08:48

into that other app or the other API

08:50

whether it's a Dev environment or some

08:51

other applications API because they you

08:54

reuse and assign the same token format

08:56

so in this case what we're going to do

08:57

is I know that since I've helped create

08:59

this CTF there is actually a second

09:02

domain I'm going to pull that up really

09:03

quickly so in this case we're going to

09:05

go to our second application and right

09:06

here we can see that if I hit this

09:09

domain it's going to come back and say

09:11

API server so this kind of looks like it

09:13

is a Dev instance of the last API and

09:15

what we want to do is want to try and

09:17

see if we can actually use this so what

09:19

I'm going to do here is I'm going to

09:21

actually go back to kaido and I am going

09:24

to just Swap this name right here to API

09:29

that's what the name of the domain is

09:30

right here oops let me go back one time

09:32

this is the a name of a domain right

09:34

here and we're going to change the host

09:37

name as well so we're going to add dashd

09:39

here and see if we can actually just hit

09:42

this API in point with the same

09:44

authentication token and see if it comes

09:46

back with anything and you can see right

09:47

here the same data is available on the

09:50

API Dev site as it is on the regular set

09:53

but a lot of times what people don't

09:55

expect to do here is look for additional

09:57

content so one of my favorite tricks to

09:59

do here here is I like to run this

10:00

through F so you can actually grab this

10:02

right here if you watch last week's

10:03

video you should kind of have an

10:05

understanding of how this works but I'm

10:06

going to just send it to word list my

10:08

custom word list maybe all. txt and I'm

10:11

going to say hey I want you to hit this

10:12

URL and we're going to actually give it

10:14

https and what we're going to do here is

10:16

we're going to authenticate ourselves so

10:17

I'm going to go in here and I'm going to

10:19

grab this Heather and say Hey I want to

10:22

send this custom Heather and I want to

10:25

also fuss for things here and now we're

10:26

going to be able to fuss for things and

10:28

we can see it's coming back with ap API

10:29

V1 that also exists an API V2 which if

10:33

we go back to our original post so right

10:35

here back to the app API without the dev

10:38

if I type in V2 we're going to see if it

10:40

exists or not and it looks like it

10:43

exists on this

10:45

site and we can do the same thing on the

10:47

other one so we can go back here API

10:53

V2 oops test out one more time it exists

10:56

on both what we want to do here is we

10:57

want to see if we can find additional

10:58

information on API V1 or V2 so I'm going

11:01

to just start with uh actually here I'm

11:04

going to let it do its thing and I'm

11:05

going to add recursion but actually

11:07

because I want to save some time on this

11:08

video I'm going to go directly to some

11:10

of the solution where which is in V2 so

11:12

I'm going to send this request to API V2

11:15

fuzz and it's going to come back and

11:17

find us API docs we already know post

11:19

existed but I want to kind of look at

11:20

what this API docs looks like a lot of

11:22

times finding an API docks is a gold

11:26

mine of information about a company's

11:28

API so I want to make it clear that

11:30

having API documentation on its own is

11:32

not a vulnerability however it is

11:34

something you can leverage to understand

11:36

how an application works in this case

11:38

you can see that we have V1 and V2 for

11:41

me there's also V1 V2 all these new

11:44

functionality all this actually old

11:45

functionality works on V1 and

11:48

V2 all the way down we can see there's

11:50

V2 API docs but this is when it gets

11:53

interesting because now we're uncovering

11:55

actual endpoints that is only accessible

11:59

through through V2 so it says V2 user ID

12:02

token and there is also ID reset and

12:05

these were things that we didn't see in

12:06

the past so it is very important for us

12:09

to be able to test them and we're just

12:10

going to keep this uh API token right

12:12

here and we're going to try one of these

12:13

end points and see if it actually works

12:16

now it come back and says method not

12:17

allowed so we can make make a post

12:19

request actually it shows that oh it

12:22

shows it right here this is what it

12:23

expects is to put post and option so

12:25

right here we can see that we're able to

12:26

reset a user's token by hitting that API

12:30

so the point that I make in this

12:31

scenario is that if you find an API if

12:34

you find maybe a Dev environment Brute

12:37

Force for any leads that you can either

12:39

it's recursively going after the

12:41

different paths and finding different

12:42

paths and endpoints for that API looking

12:44

for API documentation look for them and

12:47

actually put your API token in the

12:49

header and see if it works so that's

12:51

approach number two but there's also one

12:52

small little approach that I wanted to

12:54

cover before we wrap up this video and

12:56

that is actually looking at a blackbox

12:59

approach so now what we're going to do

13:00

is we're going to take a look at another

13:02

API we have created API d r and we're

13:05

going to do the same thing to our host

13:07

right here and again I know this

13:09

information because I've done my quote

13:10

unquote Recon on this target the Recon

13:12

here is that I've created this room

13:14

actually but I want to show you how it

13:16

works when you have another API under

13:19

another website that actually allows you

13:22

to use the same API token to access it

13:24

so right now we can hit API red maybe

13:26

it's Red API one more time red

13:32

API again we're getting an API server

13:35

this time I highly doubt that we're

13:36

going to get API documentation so what

13:38

we're going to do now here is we're

13:39

going to assume that our API token is

13:41

good this is kind of when you find out

13:42

and the more you screw around and the

13:44

more you find out we're going to send

13:46

this we're going to say fuzz for it it's

13:47

going to come back right off the bat

13:48

it's going to say hey API V1 and V2

13:50

exists there are different approaches

13:52

here you can Brute Force for both I

13:53

actually recommend doing it but for the

13:55

sake of this video and to save some time

13:57

what I'm going to do here is I'm going

13:58

to skip doing a AP I V1 because I do

14:00

know that api2 is the one that we're

14:02

after here but again if you're watching

14:04

this you want to go after api1 I highly

14:06

recommend it but we're going to fuzz for

14:08

our next one here the cool thing to do

14:10

here is actually you can actually do a

14:12

get request and see what comes back but

14:15

one of the things that I highly

14:16

recommend doing here is actually doing a

14:18

match and looking for anything that

14:20

comes back for 405

14:23

403 and 401 we can actually have 200 in

14:26

there as well and we actually do 41 52

14:29

let's do that one more time just in case

14:31

and the reason why we do this is again

14:33

we want when we look at hacking on apis

14:36

we want to look for objectives we want

14:38

to find endpoints that maybe we don't

14:39

have access to that we can later find a

14:41

way to access them and also if by adding

14:43

405 in here you're actually going to

14:46

uncover API endpoints that require

14:49

something other than a get request so if

14:51

you see right here if I didn't have my

14:52

45 I wouldn't find my register or

14:56

articles endpoint and that would have

14:58

been a missed opportunity so you want to

15:00

put the 405 and 415 those error codes in

15:03

there to make sure it uncovers and finds

15:05

you these different endpoints so what

15:08

you want to do now here we see that

15:09

articles exist you can actually do this

15:11

in burb seed or kaido whatever proxy

15:13

tools you use I actually like to do it

15:14

with curl I'm just going to quickly grab

15:17

uh grab my URL

15:20

here I'm going to actually add an ik to

15:22

this just so I can see their response

15:24

and ignore any SSL issues that we have

15:27

API V2 articles is the one that we're

15:30

going to take a look at it came back and

15:31

said 405 I want to kind of show you what

15:33

my Approach is when I see an endpoint

15:35

that says 405 what do I do what do I try

15:37

a lot of times I know people talk about

15:39

parameter brute forcing that is an

15:41

option you can do but what else you can

15:42

do here is we actually send this request

15:45

and kind of see and observe what it does

15:48

what is this wanting from us it says

15:50

first of all the method is not allowed

15:52

so we're going to go back and we're

15:53

going to add an X and specify what kind

15:56

of request you want to send it looks

15:58

like if we send an options maybe it

16:00

could tell us what it

16:02

expects it doesn't so we're going to go

16:04

back and maybe do a put request this

16:07

time we do Post first and now it says

16:11

required variable title this is what I

16:13

mean when I say you don't have to over

16:15

complicate things so in this example you

16:17

don't have to go ahead and do parameter

16:19

brute forcing sometimes a lot of these

16:21

apis are verbose enough to tell you

16:23

what's just missing so now we can

16:24

actually send the data for it we're

16:25

going to actually do a content type

16:29

added to this we're going to do Dash our

16:32

content type would be application Json

16:35

and the data would be actually sending

16:39

our

16:41

title let's just make sure we're doing

16:43

it right it's title and we want to send

16:45

test one two 3 and we're going to close

16:48

it out and see what comes back now it

16:50

says body cannot be empty so it looks

16:52

like it looks for a body here so we're

16:53

going to send body and we're going to

16:56

send another test one two three

16:59

and now it says article one created and

17:02

now we can actually go back to the

17:03

Articles and we're going to send the

17:05

same request we're going to go back to

17:07

the most basic form of it we no longer

17:09

need X options we're going to send it to

17:12

articles one and we can see that our

17:14

article was created and sometimes

17:16

actually a lot of times if you are going

17:18

from one application to another if this

17:20

application is not referenced anywhere

17:21

else and you kind of see it getting

17:24

access to n out of 10 times there is

17:26

functionality on there that is

17:27

vulnerable but what's really Co about

17:29

this one specifically that I want to

17:30

point out is if we hit our article V1 it

17:34

is really important to look at what does

17:36

this API come back and return my data in

17:39

and you can see right here it is coming

17:41

back as content text HTML which means

17:45

that if we actually are able to insert

17:48

HTML within this page it's no longer

17:50

going to look at this as a text format

17:52

so a lot of times when you see in a lot

17:54

of our previous tries right here for

17:56

example you can see the content type is

17:57

Json it's coming back it says text/html

18:00

in this case I cannot manipulate what

18:03

the server responds with let's look at

18:04

another one in the past that we looked

18:05

at here is another example we hit reset

18:10

but it's coming back and it's saying

18:11

application is Json and the content type

18:14

is Json which means if I replay this

18:16

request in my

18:18

browser and look at it on here you can

18:20

see that there's no HTML here that we

18:23

can manipulate this but also it's not

18:24

going to render this as HTML versus this

18:27

request right here if I put it in my

18:28

browser and I open it right here there's

18:30

no HTML currently but I'm going to send

18:32

that out with one more example let's do

18:34

this one more time hold if I send that

18:37

out with one more example right here and

18:38

we actually add some HTML into it and we

18:41

send it out for Article

18:44

2 we can say it's actually rendering our

18:47

HTML so this is a case of paying

18:50

attention to the small details that

18:51

comes back from this web server so if

18:53

you notice somewhere that an application

18:55

that is supposed to be an API and it's

18:57

expecting to return Pon format request

19:00

it's returning HTML how can I manipulate

19:03

the response whether it's causing an

19:04

error with our text that's reflected in

19:06

there or actually adding content that's

19:08

HTML within it and seeing if you can get

19:10

HTML back in the objective of getting

19:13

HTML injection which could be later

19:14

leverage for an account takeover

19:16

whatever else we're going to do within

19:17

this API I know there was a lot to

19:19

unpack this video but I wanted to kind

19:20

of showcase the different approaches

19:22

that comes to API and some of the common

19:25

mistakes that I've seen being made by a

19:28

lot of the hackers when it comes down to

19:30

looking at apis so if you're watching

19:32

this and you want to get better at API

19:33

hacking go to hacking Hub go launch this

19:35

exact Hub and kind of play around with

19:37

the API learn what an API looks like

19:39

what is it like to find and uncover

19:41

different endpoints and how to actually

19:43

create a valid request for an API

19:47

whether it's by using curl or using your

19:49

proxy like burp or kaido and and kind of

19:51

see if you can get used to creating your

19:52

own API request and then later translate

19:55

that into looking for vulnerabilities

19:58

all right that's it thank you so much

19:59

for sticking around for the last 5 weeks

20:01

I really hope this past 5 weeks have

20:03

been helpful and you had as much fun as

20:05

I did creating it for you all right

20:07

that's it I will see you all in next

20:09

week's video

20:11

[Music]

20:19

peace