The document provides a comprehensive overview of pentesting REST APIs, covering topics such as API fingerprinting, authentication and authorization attacks, brute force attacks, and traditional vulnerabilities like SQL injection and cross-site scripting. It outlines various attack vectors and mitigations for JWT and OAuth attacks, as well as the risks associated with targeting development and staging APIs. Additionally, it includes resources for further reading and examples of vulnerable test beds for practice.

1. PENTESTING REST API’S
~ GAURANG BHATNAGAR

2. AGENDA
▸ Brief overview of API
▸ Fingerprinting & Discovering API
▸ Authentication attacks on API (JWT)
▸ Authorization attacks on API (OAuth)
▸ Bruteforce attacks on API
▸ Attacking Dev/Staging API
▸ Traditional attacks

3. Security consultant at EY
Web and Mobile security
Researcher
Synack Red Team member
Google’s top 50 (VRP)
ABOUT ME

4. API - BRIEF OVERVIEW
API stands for Application Programmable Interface
API is used to exchange data between endpoints

5. API STANDARDS

6. REST API
REST - Representation State Transfer
Data is sent as JSON

7. FINGERPRINTING & DISCOVERING API

8. WHAT INFO YOU NEED TO KNOW?
Where is the API endpoint(s)?
How developer handle versioning?
What is the programming language(s) used?
How client authenticate to use the API?

9. FINDING SAMPLE API CALLS (BLACK BOX APPROACH)
Bruteforce Parameter names (Parameth)
Analyse Javascript code (JS-scan or JSParser)
Dissect mobile app and retrieve hardcoded URL

10. DEBUGGING AND FUZZING
Debug API: Using Proxy

11. Debug API: API Testing Tools
DEBUGGING AND FUZZING

12. AUTOMATING TESTS: FUZZING
FUZZAPI

13. AUTHENTICATION ATTACKS ON API
JWT (JSON Web Tokens) attacks

14. BYPASSING THE ALGORITHM
HS256
RS256
None
RS256 HS256
Two key pair One key

15. CRACKING THE JWT SECRET
Dictionary attack
(https://github.com/Sjord/jwtcrack)
Bruteforce attack
(https://github.com/lmammino/jwt-cracker)

16. JWT ATTACK MITIGATION
Use random complicated key (JWT secret)
Force algorithm in the backend
Make token expiration (TTL,RTTL) short as possible
Use HTTPS everywhere to avoid MITM/Replay attack.

17. JWT ATTACKS TESTBED
https://pentesterlab.com/exercises/jwt

18. AUTHORIZATION ATTACKS ON API

19. HOW OAUTH WORKS?

20. OAUTH ATTACKS
Access token leakage (Via Open Redirect)

21. OAUTH ATTACKS
CSRF attack on OAUTH flow
https://www.geekboy.ninja/blog/turning-simple-login-csrf-to-account-
takeover/
Stealing Authentication code via XSS
https://whitton.io/articles/uber-turning-self-xss-into-good-xss/
References for further reading:
https://sakurity.com/oauth
https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/

22. MITIGATIONS
Always use SSL
Use State parameter to protect against CSRF.
Check your code for XSS vulnerabilities. One XSS code can
ruin everything.
Be up to date with protocol standards.

23. BRUTE FORCE ATTACKS ON API
Target:
Authentication (form-data/basic/digest)
Password reset tokens / 2FA
Tokens (Authentication / Authorization) like JWT
http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-
your-facebook.html

24. MITIGATIONS
Limit retries for every username
Make authcode/tokens/reset codes expirations short as
possible
Don’t use easily bruteforce able codes (Ex. 4 digits auth
code)
Expire auth/reset codes after 1 time usage

25. ATTACKING DEV/STAGING/OLD API
Why we should target them?
Still in development stage (Full of bugs)
Deprecated but still works
Internal security team rarely tests old/dev api endpoints
Production measure disabled (Rate limit, Registration policy, etc.)
Debug in most cases is turned ON

26. 1. FINDING OLD API’S
API versioning
▸ Explicit URL
▸ Accept headers
▸ Custom headers
You can find it also in old documentation

27. 2. FINDING DEV/STAGING API’S
Subdomain Brute Forcing
Public record and search engines
Social Engineering

28. ATTACK FLOW
Find whether Old/Dev API is connecting to the same DB or
server as the production
Find weakness in the Old/Dev API
Use this weakness to affect the production API
https://hackerone.com/reports/157876

29. MITIGATIONS
Delete old API once became deprecated
Protect your dev/staging API with authentication or IP
restrictions
Add dev/staging API to your security scope

30. TRADITIONAL ATTACKS
API can be vulnerable to:
SQLi
RCE
XSS
IDOR
CSRF
XXE
and so on…

31. IDOR (INSECURE DIRECT OBJECT REFERENCE)
api.example.com/profile/UserId=123
Try changing to another valid UserId:
api.example.com/profile/UserId=456

32. BYPASSING IDOR VIA PARAMETER POLLUTION
api.example.com/profile/UserId=123
Try changing to:
api.example.com/profile/UserId=456&UserId=123

33. CROSS SITE SCRIPTING (XSS)
▸ Content-type: text/html

34. CROSS SITE REQUEST FORGERY (CSRF)
CSRF via XHR request
(When there is no Content-Type validation in place)
CSRF via flash and 307 redirect.
(When Content-Type is getting validated i.e application/
json)
▸ Note: If there is any additional CSRF token/referrer check
at place this attack will not work

35. XML EXTERNAL ENTITY (XXE)

36. XML EXTERNAL ENTITY (XXE)

37. XML EXTERNAL ENTITY (XXE)

38. VULNERABLE TEST BEDS
▸ https://github.com/snoopysecurity/dvws
▸ https://payatu.com/tiredful-api-vulnerable-rest-api-app/
▸ https://github.com/rapid7/hackazon
▸ https://github.com/bkimminich/juice-shop