Nowadays REST APIs are behind each mobile and nearly all of web applications. As such they bring a wide range of possibilities in cases of communication and integration with given system. But with great power comes great responsibility. This talk aims to provide general guidance related do API security assessment and covers common API vulnerabilities. We will look at an API interface from the perspective of potential attacker. I will show: how to find hidden API interfaces ways to detect available methods and parameters fuzzing and pentesting techniques for API calls typical problems I will share several interesting cases from public bug bounty reports and personal experience, for example: * how I got various credentials with one API call * how to cause DoS by running Garbage Collector from API

1. www.securing.pl
Mateusz Olejarka
REST API
Pentester’s
perspective
20.10.2017

2. www.securing.pl
KA-BOOM
Anand Prakash @sehacure

3. www.securing.pl
KA-BOOM
„Whenever a user Forgets his password on Facebook, he has an option to
reset the password by entering his phone number/ email address on:
https://www.facebook.com/login/identify?ctx=recover&lwv=110
Facebook will then send a 6 digit code on his phone number/email address
which user has to enter in order to set a new password.
I tried to brute the 6 digit code on www.facebook.com and was blocked after
10-12 invalid attempts.”

4. www.securing.pl
KA-BOOM
„Then i looked out for the same issue on beta.facebook.com and
mbasic.beta.facebook.com and interestingly rate limiting was missing on
forgot password endpoints.”

5. www.securing.pl

6. www.securing.pl
KA-BOOM

7. www.securing.pl
KA-BOOM

8. www.securing.pl
KA-BOOM

9. www.securing.pl
REST API
• Is everywhere (web&mobile)
• Is build on top of existing applications
• More and more companies allow to use it’s API
• Applications are more interconnected
• Microservices

10. www.securing.pl
REST API
https://www.mobapi.com/history-of-rest-apis/

11. www.securing.pl
• Senior IT Security Specialist, SecuRing
• Web & mobile application security
• OWASP Poland member
• Ex developer
• Bug hunter
Who am I

12. www.securing.pl
• REST API 101
• Finding endpoints
• Finding docs
• Finding sample calls
• Finding keys
• 2 more examples
• Q&A
Agenda

13. www.securing.plwww.securing.pl
REST API 101

14. www.securing.pl
REST API 101
• REST – representational state transfer
• Data usually is sent as JSON
• HTTP methods have a meaning (usually):
• GET - list (collection), retrieve data (element)
• PUT – replace (all data is changed)
• PATCH – update
• POST – create (new element)
• DELETE

15. www.securing.pl
REST API 101

16. www.securing.pl
• Get endpoints
• Get docs
• Get keys/credentials
• Get sample calls !!
REST API Pentest

17. www.securing.pl
• Sometimes no known endpoints
• Sometimes no docs
• Sometimes no keys/credentials
• Sometimes no sample calls !!
REST API Bug bounty

18. www.securing.plwww.securing.pl
FINDING ENDPOINTS

19. www.securing.pl
• /
• /api/
• /v1/
• /v1.0/
• /v1.1/
• /api/v1/
• /api/v2
Finding endpoints

20. www.securing.pl
• /
• /api/
• /v1/
• /v1.0/
• /v1.1/
• /api/v1/
• /api/v2
Finding endpoints

21. www.securing.pl
• /
• /api/
• /v1/
• /v1.0/
• /v1.1/
• /api/v1/
• /api/v2
Finding endpoints

22. www.securing.pl
• /ping
• /health
• /status
• …
• Dictionaries for directories and filenames will help
Finding endpoints

23. www.securing.pl
• /ping
• /health
• /status
• …
• Dictionaries for directories and filenames will help
Finding endpoints

24. www.securing.pl
• /ping
• /health
• /status
• …
• Dictionaries for directories and filenames will help
Finding endpoints

25. www.securing.pl
• /ping
• /health
• /status
• …
• Dictionaries for directories and filenames will help
Finding endpoints

26. www.securing.pl
Spring Boot Actuator

27. www.securing.pl
Spring Boot Actuator

28. www.securing.pl
• Interesting endpoints:
• /actuator
• /health
• /trace
• /logfile
• /metrics
• /heapdump (Spring MVC)
Spring Boot Actuator

29. www.securing.pl
• Interesting endpoints:
• /actuator
• /health
• /trace
• /logfile
• /metrics
• /heapdump (Spring MVC)
Spring Boot Actuator

30. www.securing.pl
• Interesting endpoints:
• /actuator
• /health
• /trace
• /logfile
• /metrics
• /heapdump (Spring MVC)
Spring Boot Actuator

31. www.securing.plwww.securing.pl
HEAP DUMP LIVE DEMO

32. www.securing.plwww.securing.pl

33. www.securing.plwww.securing.pl
FINDING DOCS

34. www.securing.pl
• /api-docs
• /application.wadl
• /doc
• /docs
• /swagger-ui.html
• /swagger.json
Finding docs:

35. www.securing.pl
• /api-docs
• /application.wadl
• /doc
• /docs
• /swagger-ui.html
• /swagger.json
Finding docs:

36. www.securing.plwww.securing.pl
SOAP UI LIVE DEMO

37. www.securing.pl
• /api-docs
• /application.wadl
• /doc
• /docs
• /swagger-ui.html
• /swagger.json
Finding docs:

38. www.securing.pl
• /api-docs
• /application.wadl
• /doc
• /docs
• /swagger-ui.html
• /swagger.json
Finding docs:

39. www.securing.plwww.securing.pl
SWAGGER LIVE DEMO

40. www.securing.plwww.securing.pl
FINDING SAMPLE CALLS

41. www.securing.pl
• Still no docs?
• Error messages to the rescue!
Finding sample calls

42. www.securing.pl
• Still no docs?
• Error messages to the rescue!
Finding sample calls

43. www.securing.pl
• Still no docs?
• Error messages to the rescue!
Finding sample calls

44. www.securing.pl
• Still no docs?
• Error messages to the rescue!
Finding sample calls

45. www.securing.pl
• Still no docs?
• Error messages to the rescue!
Finding sample calls

46. www.securing.pl
• Still no docs?
• Error messages to the rescue!
Finding sample calls

47. www.securing.pl
• Still no docs?
• Error messages to the rescue!
• Brute force parameter names!
Finding sample calls

48. www.securing.pl
• Still no docs?
• Error messages to the rescue!
• Brute force parameter names!
• Analyze JS code (see JS-Scan)
• Dissect mobile app ( Apk-Scan for Android apps hadrcoded URL’s)
Finding sample calls

49. www.securing.plwww.securing.pl
FINDING KEYS

50. www.securing.pl
Finding keys
• Check mobile application
• Check GitHub (truffleHog to the rescue):
• Scan public repos of a company
• Scan public repos of a company devs

51. www.securing.pl
Finding keys

52. www.securing.pl
Finding keys
• Check mobile application
• Check GitHub (truffleHog to the rescue):
• Scan public repos of a company
• Scan public repos of a company devs

53. www.securing.pl
Finding keys
• Check mobile application
• Check GitHub (truffleHog to the rescue):
• Scan public repos of a company
• Scan public repos of a company devs

54. www.securing.pl
Finding keys

55. www.securing.plwww.securing.pl
2 MORE EXAMPLES

56. www.securing.pl
#1 Jolokia

57. www.securing.pl
„Jolokia is a JMX-HTTP bridge giving an alternative to JSR-160 connectors. It
is an agent based approach with support for many platforms. In addition to
basic JMX operations it enhances JMX remoting with unique features like
bulk requests and fine grained security policies.”
#1 Jolokia

58. www.securing.pl
„Jolokia is a JMX-HTTP bridge giving an alternative to JSR-160 connectors. It
is an agent based approach with support for many platforms. In addition to
basic JMX operations it enhances JMX remoting with unique features like
bulk requests and fine grained security policies.”
https://example.com/jolokia/write/Tomcat:port=19880,type=Connector/xp
oweredBy/true
#1 Jolokia

59. www.securing.pl
„Jolokia is a JMX-HTTP bridge giving an alternative to JSR-160 connectors. It
is an agent based approach with support for many platforms. In addition to
basic JMX operations it enhances JMX remoting with unique features like
bulk requests and fine grained security policies.”
https://example.com/jolokia/write/Tomcat:port=19880,type=Connector/xp
oweredBy/true
X-Powered-By:Servlet/3.1 JSP/2.3 (Apache Tomcat/8.0.20 Java/Oracle
Corporation/1.8.0_60-b27)
#1 Jolokia

60. www.securing.pl
#1 Jolokia

61. www.securing.pl
#2 REST API wrongly placed

62. www.securing.pl
#2 REST API wrongly placed
• A form

63. www.securing.pl
#2 REST API wrongly placed
• A form
• Putting ID and solving CAPTCHA

64. www.securing.pl
#2 REST API wrongly placed
• A form
• Putting ID and solving CAPTCHA
• Secured (no way to brute force ID)

65. www.securing.pl
#2 REST API wrongly placed
• A form
• Putting ID and solving CAPTCHA
• Secured (no way to brute force ID)
• A mobile app with the same feature

66. www.securing.pl
#2 REST API wrongly placed
• A form
• Putting ID and solving CAPTCHA
• Secured (no way to brute force ID)
• A mobile app with the same feature
• No CAPTCHA

67. www.securing.pl
#2 REST API wrongly placed
• A form
• Putting ID and solving CAPTCHA
• Secured (no way to brute force ID)
• A mobile app with the same feature
• No CAPTCHA
• No rate limiting

68. www.securing.pl
#2 REST API wrongly placed
• A form
• Putting ID and solving CAPTCHA
• Secured (no way to brute force ID)
• A mobile app with the same feature
• No CAPTCHA
• No rate limiting
• Brute force &profit report to client !

69. www.securing.pl
Summary
• Find endpoints
• Find docs
• Find sample calls
• Find keys
• Fuzz

70. www.securing.plwww.securing.pl

71. www.securing.pl
• SOAP UI https://www.soapui.org/
• Postman https://www.getpostman.com/
• Fuzzapi https://github.com/Fuzzapi/fuzzapi
• Swagger Parser (Burp Suite plugin)
• TruffleHog https://github.com/dxa4481/truffleHog
• JS-Scan https://github.com/zseano/JS-Scan
• Apk – Scan https://apkscan.nviso.be/
Tools

72. www.securing.pl
That’s all folks
mateusz.olejarka@securing.pl / @molejarka