An API (application programming interface) is a means for making data available to a web application. Traditionally, when a server loaded a web page, it would just load any necessary data straight from the database. However, this approach has some limitations. From an engineering point of view, it’s desirable to separate the presentation code from the logical part that deals with acquiring and aggregating data. There are a lot of other benefits, and if this were a software engineering guide, we’d focus on that. We can skip all of that and focus on practical API testing for hackers.
In this article, we want to give you the tools needed to begin doing practical security work on web APIs. To start out, we’ll begin by teaching you how to interact with APIs on websites you’ve probably used. Then, we’ll show you how to find common exploits in them. Finally, we’ll lead you to high quality resources for continuing your studies of API security.
Let’s dive right in!
Interacting with APIs
There are three major formats for APIs: REST, SOAP, and GraphQL. Of these, REST is by far the most common, so that’s what we’ll focus on for the rest of this article. We won’t go into a full REST tutorial, because that would be too lengthy. Suffice it to say that rest lets you get data from a server using HTTP GET requests, post data to a server using HTTP POST requests, and do other things like delete data, also using semantically named HTTP requests. You can find a more in-depth overview here: https://restfulapi.net/
To give you an example, we can go on any modern website and see how it interacts with its API. Let’s use Twitter as an example. We can load the website and open our browser’s developer tools to find API calls:
From here, we can inspect the request and see precisely what data is flowing between the browser (frontend) and API (backend). As pentesters, we’re likely interested in experimenting with these requests and seeing what happens if we mess with some specific chunk of data in the request. Luckily, the browser makes that easy. We can right click on the request and export it as a curl command.
With the command copied, we can modify it however we like and run it on the command line to observe the output. Using curl this way can be a bit tedious, so it’s often convenient to explore APIs from a graphical interface. For that purpose, check out Postman, an API exploration tool built for devs (but also very useful for hackers!).
Interacting with APIs from Postman
You can download this tool for free from their official website at https://getpostman.com. Once you download and install the tool, and it looks like this:
With this knowledge and tool set under your belt, you’re ready to advance from interacting with APIs to actually hacking them.
Pentesting APIs
To start pentesting APIs, we should cover the three most common vulnerabilities:
- SSRF (server side request forgery): Convincing the server to initiate requests on the attacker’s behalf.
- DoS (denial of service): Crafting a malicious request that makes the API inaccessible to some users.
- IDOR (insecure direct object reference): Tricking the API into providing access to an unauthorized resource to an authenticated user.
Later on, we’ll provide resources for you to learn more about these API issues, along with many others. For now, let’s pick one of these and walk through it. We’ll go with SSRF.
Highlighting SSRF in API testing
Like we briefly noted above, an SSRF (Server-Side Request Forgery) attack happens when a hacker (such as yourself) tricks a server into making a request to a different website or server that it shouldn’t. What does this look like in practice? Imagine you have a website that can fetch images from the internet and show them to users. Normally, this is a handy feature. But in an SSRF attack, a hacker sends a special request to your website, asking it to fetch something from a place it’s not supposed to. For example, they might ask it to grab sensitive data from an internal database or system that’s usually off-limits.
The server, thinking it’s just a regular request, goes ahead and fetches the data. The hacker then gets access to this information, which could be confidential or harmful if exposed. It’s like convincing a delivery person to pick up a package from a restricted area by pretending it’s part of their normal route. To prevent SSRF attacks, it’s important to have checks in place that ensure the server only makes requests to safe and intended locations.
API testing learning resources
Before you begin worrying about finding bug bounties in web APIs, it’s crucial to gain at least a basic idea of how to create them. To make this happen, you need to already know a little about code. Not a lot, but enough. If you don’t know how to code, you can skip this step and just focus on learning HTTP and REST, at the very least.
If you know Python, your best bet is to start with Flask. Although slightly less popular than Django, it’s much easier for beginners, and takes less time to learn. Start learning Flask from the official docs, found here: https://flask.palletsprojects.com/en/3.0.x/
If you know JavaScript, you’ll want to start with Express. It’s the most popular API framework for Node.js by a significant margin, and is pretty easy to learn even if your JS knowledge is basic. You can get started learning Express here: https://expressjs.com/en/starter/installing.html
Once you’ve played around with some starter projects, you should also learn a bit about using other people’s APIs. You can find a big list of free, public APIs on this Github page: https://github.com/public-apis/public-apis
After you have gained a solid grasp of APIs, you can begin to approach them from a security perspective. Start with OWASP’s guide to API security, which you can find here: https://owasp.org/API-Security/. You should use the exploits described there to find bugs in other projects you’ve built and explored. Finally, you should be ready to begin API testing in a production environment.
Leave a Reply