PENTESTING REST API’S
~ GAURANG BHATNAGAR
AGENDA
▸ Brief overview of API
▸ Fingerprinting & Discovering API
▸ Authentication attacks on API (JWT)
▸ Authorization attacks on API (OAuth)
▸ Bruteforce attacks on API
▸ Attacking Dev/Staging API
▸ Traditional attacks
ABOUT ME
Security consultant at EY
Web and Mobile security researcher
Synack Red Team member
Google’s top 50 (VRP)
API - BRIEF OVERVIEW
API stands for Application Programming Interface
API is used to exchange data between endpoints
API STANDARDS
REST API
REST - Representational State Transfer
Data is sent as JSON
FINGERPRINTING & DISCOVERING API
WHAT INFO YOU NEED TO KNOW?
Where are the API endpoint(s)?
How does the developer handle versioning?
Which programming language(s) are used?
How do clients authenticate to use the API?
FINDING SAMPLE API CALLS (BLACK BOX APPROACH)
Brute-force parameter names (Parameth)
Analyse JavaScript code (JS-scan or JSParser)
Dissect the mobile app and retrieve hardcoded URLs
DEBUGGING AND FUZZING
Debug API: using a proxy
Debug API: API testing tools
AUTOMATING TESTS: FUZZING
FUZZAPI
AUTHENTICATION ATTACKS ON API
JWT (JSON Web Tokens) attacks
BYPASSING THE ALGORITHM
Algorithms seen in the alg header: HS256, RS256, None
RS256 - asymmetric, two keys (a key pair)
HS256 - symmetric, one shared key
CRACKING THE JWT SECRET
Dictionary attack (https://github.com/Sjord/jwtcrack)
Brute-force attack (https://github.com/lmammino/jwt-cracker)
JWT ATTACK MITIGATION
Use a random, complex key (JWT secret)
Enforce the expected algorithm in the backend; never let the token's header choose it
Make token expiration (TTL, RTTL) as short as possible
Use HTTPS everywhere to avoid MITM/Replay attack.
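The algorithm-bypass and expiry points above, as an added example that is not from the slides: a minimal stdlib JWT verifier in two versions. `verify_naive` lets the token's own `alg` header pick the algorithm, so a token with `alg: none` is accepted without any signature check; `verify_strict` pins HS256 server-side, compares the HMAC in constant time and requires an unexpired `exp`. The secret, claims and `make_token` helper are constructed test values, not the deck's material.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_decode(data: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict, alg: str, secret: bytes = b"") -> str:
    """Build a test token; alg 'none' yields an empty signature (test input only)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = ""
    if alg == "HS256":
        sig = b64url_encode(hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest())
    return f"{header}.{body}.{sig}"


def hs256_ok(header_b64: str, body_b64: str, sig_b64: str, secret: bytes) -> bool:
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def verify_naive(token: str, secret: bytes) -> Optional[dict]:
    """Weak verifier: lets the token's own header choose the algorithm."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "HS256" and not hs256_ok(header_b64, body_b64, sig_b64, secret):
        return None
    # alg "none" (or any unknown value) falls through with no signature check at all
    return json.loads(b64url_decode(body_b64))


def verify_strict(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Hardened verifier: the server decides the algorithm, and exp is mandatory."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the header is attacker-controlled input
        return None
    if not hs256_ok(header_b64, body_b64, sig_b64, secret):
        return None
    claims = json.loads(b64url_decode(body_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims
```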
JWT ATTACKS TESTBED
https://pentesterlab.com/exercises/jwt
AUTHORIZATION ATTACKS ON API
HOW DOES OAUTH WORK?
OAUTH ATTACKS
Access token leakage (via open redirect)
CSRF attack on the OAuth flow
https://www.geekboy.ninja/blog/turning-simple-login-csrf-to-account-takeover/
Stealing the authorization code via XSS
https://whitton.io/articles/uber-turning-self-xss-into-good-xss/
References for further reading:
https://sakurity.com/oauth
https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/
MITIGATIONS
Always use SSL
Use the state parameter to protect against CSRF.
Check your code for XSS vulnerabilities. A single XSS can ruin everything.
Be up to date with protocol standards.
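The state-parameter mitigation, as an added example that is not from the slides: an OAuth client that mints a random state, binds it to the browser session before redirecting, and on the callback accepts the authorization code only when the state matches and has not been consumed. The `AUTHORIZE_URL`, client id and redirect URI are placeholders; the session is a plain dict standing in for server-side session storage.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder provider endpoint; a real client uses the provider's documented URL
AUTHORIZE_URL = "https://idp.example/authorize"


def begin_login(session: dict, client_id: str, redirect_uri: str) -> str:
    """Mint an unguessable state, bind it to this browser session, build the redirect."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session: dict, callback_url: str) -> Optional[str]:
    """Return the authorization code only if state matches the session's copy.

    The stored state is popped first, so a replayed or forged callback (the
    login-CSRF case, where the victim is handed an attacker's code) cannot
    reuse it; a callback with no state fails closed.
    """
    expected = session.pop("oauth_state", None)
    params = parse_qs(urlparse(callback_url).query)
    received = params.get("state", [None])[0]
    if expected is None or received is None:
        return None
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    codes = params.get("code", [])
    return codes[0] if len(codes) == 1 else None
```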
BRUTE FORCE ATTACKS ON API
Targets:
Authentication (form-data/basic/digest)
Password reset tokens / 2FA
Tokens (authentication / authorization) like JWT
http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html
MITIGATIONS
Limit retries for every username
Make auth code / token / reset code expirations as short as possible
Don’t use easily brute-forceable codes (e.g. 4-digit auth codes)
Expire auth/reset codes after one use
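The four mitigations above combined, as an added example that is not from the slides: a small reset-code service that issues high-entropy codes with a short lifetime, marks them used on the first successful redemption, and locks a username out after a fixed number of failures. The limits (`MAX_ATTEMPTS`, `LOCKOUT_SECONDS`, `CODE_TTL_SECONDS`) are illustrative values; time is passed in explicitly so the behaviour can be tested deterministically.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

MAX_ATTEMPTS = 5          # failed redemptions per username before lockout
LOCKOUT_SECONDS = 900
CODE_TTL_SECONDS = 300    # reset / 2FA code lifetime


@dataclass
class ResetCode:
    value: str
    expires_at: float
    used: bool = False


@dataclass
class ResetService:
    codes: Dict[str, ResetCode] = field(default_factory=dict)
    # username -> (failure count, lockout expiry); 0.0 means not locked
    failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def issue_code(self, username: str, now: float) -> str:
        # 64 random bits rendered as 16 hex chars, instead of a 4-digit code
        code = secrets.token_hex(8)
        self.codes[username] = ResetCode(code, now + CODE_TTL_SECONDS)
        return code

    def redeem(self, username: str, code: str, now: float) -> bool:
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return False                       # locked: do not even compare
        if locked_until and now >= locked_until:
            count = 0                          # lockout expired, start fresh
        rec = self.codes.get(username)
        ok = (rec is not None and not rec.used and now < rec.expires_at
              and secrets.compare_digest(rec.value.encode(), code.encode()))
        if ok:
            rec.used = True                    # one-time use
            self.failures.pop(username, None)
            return True
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_ATTEMPTS else 0.0
        self.failures[username] = (count, locked_until)
        return False
```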
ATTACKING DEV/STAGING/OLD API
Why should we target them?
Still in the development stage (full of bugs)
Deprecated but still working
The internal security team rarely tests old/dev API endpoints
Production measures disabled (rate limiting, registration policy, etc.)
Debug mode is in most cases turned ON
1. FINDING OLD APIS
API versioning
▸ Explicit URL
▸ Accept headers
▸ Custom headers
You can also find old versions in old documentation
2. FINDING DEV/STAGING APIS
Subdomain brute forcing
Public records and search engines
Social engineering
ATTACK FLOW
Find whether the old/dev API connects to the same DB or server as production
Find a weakness in the old/dev API
Use this weakness to affect the production API
https://hackerone.com/reports/157876
MITIGATIONS
Delete old APIs once they become deprecated
Protect your dev/staging API with authentication or IP restrictions
Add dev/staging API to your security scope
TRADITIONAL ATTACKS
APIs can be vulnerable to:
SQLi
RCE
XSS
IDOR
CSRF
XXE
and so on…
IDOR (INSECURE DIRECT OBJECT REFERENCE)
api.example.com/profile/UserId=123
Try changing to another valid UserId:
api.example.com/profile/UserId=456
BYPASSING IDOR VIA PARAMETER POLLUTION
api.example.com/profile/UserId=123
Try changing to:
api.example.com/profile/UserId=456&UserId=123
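The two IDOR slides above, as an added example that is not from the slides: it shows why the polluted request works (two lenient parsers disagree on which `UserId` wins, so an authorization check and a data lookup can read different values) and the hardened handler that fails closed on duplicates and derives access from the authenticated session rather than from the id the request names. Because the slide writes parameters after the path with no `?`, the `extract_query` helper accepts both that form and a normal query string; `session_user` stands in for the authenticated principal.

```python
from typing import Optional
from urllib.parse import parse_qs


def extract_query(url: str) -> str:
    """The slide writes parameters after the path with no '?', so accept both
    'host/profile/UserId=1' and 'host/profile?UserId=1'."""
    if "?" in url:
        return url.split("?", 1)[1]
    return url.rsplit("/", 1)[-1]


def first_value(query: str, name: str) -> Optional[str]:
    """Lenient parsing that keeps the first occurrence of a repeated parameter."""
    vals = parse_qs(query).get(name)
    return vals[0] if vals else None


def last_value(query: str, name: str) -> Optional[str]:
    """Lenient parsing that keeps the last occurrence: if the authorization
    layer reads this while the data layer reads the first, the check is bypassed."""
    vals = parse_qs(query).get(name)
    return vals[-1] if vals else None


def strict_single(query: str, name: str) -> Optional[str]:
    """Fail closed on polluted requests: exactly one occurrence, or nothing."""
    vals = parse_qs(query, keep_blank_values=True).get(name, [])
    return vals[0] if len(vals) == 1 else None


def authorize_profile(url: str, session_user: str) -> Optional[str]:
    """Hardened handler: parse strictly, then derive access from the
    authenticated principal rather than from whatever id the request names."""
    requested = strict_single(extract_query(url), "UserId")
    if requested is None or requested != session_user:
        return None
    return requested
```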
CROSS SITE SCRIPTING (XSS)
▸ Response Content-Type: text/html (an API response the browser renders as HTML lets injected markup execute)
CROSS SITE REQUEST FORGERY (CSRF)
CSRF via XHR request
(when there is no Content-Type validation in place)
CSRF via Flash and a 307 redirect
(when the Content-Type is validated, i.e. application/json)
▸ Note: if an additional CSRF token or referrer check is in place, this attack will not work
XML EXTERNAL ENTITY (XXE)
VULNERABLE TEST BEDS
▸ https://github.com/snoopysecurity/dvws
▸ https://payatu.com/tiredful-api-vulnerable-rest-api-app/
▸ https://github.com/rapid7/hackazon
▸ https://github.com/bkimminich/juice-shop
