2. AGENDA
▸ Brief overview of API
▸ Fingerprinting & Discovering API
▸ Authentication attacks on API (JWT)
▸ Authorization attacks on API (OAuth)
▸ Bruteforce attacks on API
▸ Attacking Dev/Staging API
▸ Traditional attacks
3. Security consultant at EY
Web and Mobile security
Researcher
Synack Red Team member
Google’s top 50 (VRP)
ABOUT ME
4. API - BRIEF OVERVIEW
API stands for Application Programming Interface
An API is used to exchange data between endpoints
8. WHAT INFO DO YOU NEED TO KNOW?
Where are the API endpoint(s)?
How does the developer handle versioning?
What programming language(s) are used?
How does the client authenticate to use the API?
9. FINDING SAMPLE API CALLS (BLACK BOX APPROACH)
Bruteforce parameter names (Parameth)
Analyse JavaScript code (JS-scan or JSParser)
Dissect the mobile app and retrieve hardcoded URLs
16. JWT ATTACK MITIGATION
Use a random, complex key (JWT secret)
Force the algorithm in the backend
Make token expiration (TTL, RTTL) as short as possible
Use HTTPS everywhere to avoid MITM/replay attacks.
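The three server-side mitigations on this slide (strong secret, algorithm pinned in the backend, short lifetime) are shown together in the verifier below. This is an added example written for this page, not code from the talk; it uses only the Python standard library, so the HS256 signing helper exists only to build test input, and the secret, the allowed-algorithm set and the 15-minute maximum lifetime are assumed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret: in production load a long random value from a secret store.
SECRET = b"example-secret-" + b"\x9f" * 32
ALLOWED_ALGS = {"HS256"}      # assumed: algorithm fixed server-side, never taken from the token
MAX_TTL_SECONDS = 15 * 60     # assumed: reject tokens issued with a longer lifetime


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def sign_hs256(payload: dict, secret: bytes = SECRET) -> str:
    """Issue a compact HS256 JWT (used here only to build sample tokens)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Verify a JWT defensively; raises ValueError on any problem, returns the claims otherwise."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON, bad UTF-8
        raise ValueError("malformed token") from exc

    # 1. Pin the algorithm: the backend decides, the token header does not.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm {header.get('alg')!r} not allowed")

    # 2. Recompute the MAC over header.payload with the server secret; constant-time compare.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    # 3. Enforce a short lifetime: exp and iat must be present, exp in the future,
    #    and the issued lifetime no longer than MAX_TTL_SECONDS.
    exp, iat = payload.get("exp"), payload.get("iat")
    if not isinstance(exp, (int, float)) or not isinstance(iat, (int, float)):
        raise ValueError("exp and iat are required")
    if exp <= now:
        raise ValueError("token expired")
    if exp - iat > MAX_TTL_SECONDS:
        raise ValueError("token lifetime too long")
    return payload


def is_valid(token: str, now: Optional[float] = None, secret: bytes = SECRET) -> bool:
    """Boolean wrapper around verify_jwt for callers that only need accept/reject."""
    try:
        verify_jwt(token, secret, now)
        return True
    except ValueError:
        return False
```

Because the algorithm check runs before anything else, a token whose header says `none` or names a different algorithm is refused before its signature is even looked at, and a token minted with a long `exp` is refused even though its signature is good.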
21. OAUTH ATTACKS
CSRF attack on the OAuth flow
https://www.geekboy.ninja/blog/turning-simple-login-csrf-to-account-takeover/
Stealing the authorization code via XSS
https://whitton.io/articles/uber-turning-self-xss-into-good-xss/
References for further reading:
https://sakurity.com/oauth
https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/
22. MITIGATIONS
Always use SSL
Use the state parameter to protect against CSRF.
Check your code for XSS vulnerabilities. A single XSS can ruin everything.
Be up to date with protocol standards.
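The "use the state parameter" bullet is the fix for the login CSRF the previous slide references. The client below, an added example and not code from the talk, generates a state value bound to the browser session with an HMAC, puts it in the authorize URL, and on the callback accepts the authorization code only if the state belongs to the session that started the flow and has not been used before. The client id, redirect URI, provider URL and the in-memory key are assumed values.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Set
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example; a real client keeps the key in its config/secret store.
STATE_KEY = secrets.token_bytes(32)
CLIENT_ID = "example-client"                     # assumed client id
REDIRECT_URI = "https://app.example/callback"    # assumed redirect URI
AUTHORIZE_URL = "https://idp.example/authorize"  # assumed provider endpoint

consumed_nonces: Set[str] = set()   # state values already redeemed (single use)


def make_state(session_id: str, nonce: Optional[str] = None) -> str:
    """Bind a fresh random nonce to the browser session with an HMAC tag."""
    nonce = nonce or secrets.token_urlsafe(16)
    tag = hmac.new(STATE_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{nonce}.{tag}"


def build_authorize_url(session_id: str) -> str:
    """Step 1: the client sends the browser to the provider carrying a session-bound state."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": make_state(session_id),
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def extract_state(url: str) -> str:
    return parse_qs(urlparse(url).query)["state"][0]


def make_callback(code: str, state: Optional[str]) -> str:
    """Simulate the provider redirecting the browser back to the client (test helper)."""
    params = {"code": code}
    if state is not None:
        params["state"] = state
    return REDIRECT_URI + "?" + urlencode(params)


def handle_callback(callback_url: str, session_id: str) -> Optional[str]:
    """Step 2: return the authorization code only if state proves this session started the flow."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [None])[0]
    code = qs.get("code", [None])[0]
    if not state or not code or "." not in state:
        return None                      # missing state: refuse, never fall back
    nonce, _tag = state.split(".", 1)
    if not hmac.compare_digest(make_state(session_id, nonce), state):
        return None                      # forged, or issued to another session: the CSRF case
    if nonce in consumed_nonces:
        return None                      # replayed state
    consumed_nonces.add(nonce)
    return code
```

The key property is in the second check: a callback that an attacker obtained in their own session carries a state tagged for that session, so when it is forced into the victim's browser the HMAC no longer verifies and the attacker's code is never linked to the victim's account.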
23. BRUTE FORCE ATTACKS ON API
Target:
Authentication (form-data/basic/digest)
Password reset tokens / 2FA
Tokens (authentication / authorization) like JWT
http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html
24. MITIGATIONS
Limit retries for every username
Make authcode/token/reset-code expirations as short as possible
Don't use easily bruteforceable codes (e.g. 4-digit auth codes)
Expire auth/reset codes after one use
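All four mitigations on this slide fit in one small reset-code store, shown below as an added example (not code from the talk): a high-entropy code instead of a 4-digit one, a short TTL, a per-username retry limit, and invalidation on first successful use. The limits (5 attempts, 10 minutes, 128-bit codes) are assumed values; the last function puts a number on why code length matters.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

MAX_ATTEMPTS = 5            # assumed: per username, per issued code
CODE_TTL_SECONDS = 10 * 60  # assumed: short lifetime
CODE_BYTES = 16             # 128-bit random code, versus a 10_000-value 4-digit PIN


@dataclass
class PendingCode:
    secret: str
    expires_at: float
    attempts: int = 0


@dataclass
class ResetCodeStore:
    codes: Dict[str, PendingCode] = field(default_factory=dict)

    def issue(self, username: str, now: Optional[float] = None) -> str:
        """Create a fresh code for the user; any earlier code is superseded."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(CODE_BYTES)
        self.codes[username] = PendingCode(code, now + CODE_TTL_SECONDS)
        return code

    def redeem(self, username: str, candidate: str, now: Optional[float] = None) -> bool:
        """Accept the code at most once, within its TTL, within the retry budget."""
        now = time.time() if now is None else now
        pending = self.codes.get(username)
        if pending is None:
            return False
        if now >= pending.expires_at:
            del self.codes[username]          # expired: short TTL limits the guessing window
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self.codes[username]          # retry limit hit: the code is burned
            return False
        if not hmac.compare_digest(pending.secret, candidate):
            return False                      # wrong guess, attempt counted
        del self.codes[username]              # success: single use
        return True


def bruteforce_success_probability(code_space: int, attempts: int) -> float:
    """Chance of guessing a uniformly random code within `attempts` tries."""
    return min(1.0, attempts / code_space)
```

With a 4-digit code and no retry limit the attacker simply walks all 10,000 values; with the limit the chance per issued code drops to `attempts / 10_000`, and with a 128-bit code it is negligible even without a limit, which is why the slide lists both controls.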
25. ATTACKING DEV/STAGING/OLD API
Why should we target them?
Still in the development stage (full of bugs)
Deprecated but still works
Internal security team rarely tests old/dev API endpoints
Production measures disabled (rate limiting, registration policy, etc.)
Debug is turned ON in most cases
26. 1. FINDING OLD APIS
API versioning
▸ Explicit URL
▸ Accept headers
▸ Custom headers
You can also find it in old documentation
27. 2. FINDING DEV/STAGING APIS
Subdomain brute forcing
Public records and search engines
Social engineering
28. ATTACK FLOW
Find whether the old/dev API is connected to the same DB or server as production
Find a weakness in the old/dev API
Use this weakness to affect the production API
https://hackerone.com/reports/157876
29. MITIGATIONS
Delete old APIs once they become deprecated
Protect your dev/staging API with authentication or IP restrictions
Add dev/staging APIs to your security scope
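Slide 26 lists the three places a version can be requested (URL path, Accept header, custom header), and the first two mitigations here say to retire old versions and fence off staging. The gate below, an added example rather than code from the talk, resolves the version from any of the three places and answers a deprecated version with 410 Gone instead of quietly serving it, and checks a client address against a staging allowlist. The supported-version set, the vendor media type, the `X-API-Version` header name and the allowlisted networks are assumed values.

```python
import ipaddress
import re
from typing import Mapping, Optional, Tuple

SUPPORTED_VERSIONS = {2, 3}   # assumed: v1 is deprecated and has been removed, not left running

_PATH_VERSION = re.compile(r"^/v(\d+)/")
_ACCEPT_VERSION = re.compile(r"application/vnd\.example\.v(\d+)\+json")  # assumed media type

# Assumed staging allowlist: a private range plus a documentation-only public range.
STAGING_ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]


def resolve_version(path: str, headers: Mapping[str, str]) -> Optional[int]:
    """Find the requested API version in the path, a custom header, or the Accept header."""
    m = _PATH_VERSION.match(path)
    if m:
        return int(m.group(1))
    lower = {k.lower(): v for k, v in headers.items()}
    custom = lower.get("x-api-version", "")
    if custom.isdigit():
        return int(custom)
    m = _ACCEPT_VERSION.search(lower.get("accept", ""))
    if m:
        return int(m.group(1))
    return None


def gate_request(path: str, headers: Mapping[str, str]) -> Tuple[int, str]:
    """Return the HTTP status and message the edge should answer with."""
    version = resolve_version(path, headers)
    if version is None:
        return 400, "API version required"
    if version not in SUPPORTED_VERSIONS:
        # Deprecated means gone: no "still works but unmaintained" code path remains.
        return 410, f"API v{version} has been removed"
    return 200, f"routed to v{version}"


def staging_allowed(remote_ip: str) -> bool:
    """IP restriction for dev/staging hosts; pair it with authentication, not instead of it."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(addr in net for net in STAGING_ALLOWED_NETS)
```

Resolving the version in one place matters because an old version reachable only through, say, a custom header is exactly the forgotten surface slide 25 describes; every route must go through the same gate regardless of how the client asked.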
34. CROSS SITE REQUEST FORGERY (CSRF)
CSRF via XHR request
(When there is no Content-Type validation in place)
CSRF via Flash and 307 redirect.
(When Content-Type is validated, i.e. application/json)
▸ Note: If there is any additional CSRF token/referrer check in place, this attack will not work
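The note on this slide is the defensive takeaway: a Content-Type check alone is bypassable, a token or origin/referrer check is not. The request check below, an added example and not code from the talk, layers the three so a request must carry the JSON content type, a same-site Origin (or Referer), and the session's CSRF token in a custom header before a state-changing endpoint runs. The allowed origin and the header name `X-CSRF-Token` are assumed values.

```python
import hmac
import secrets
from typing import Mapping, Optional, Tuple
from urllib.parse import urlparse

ALLOWED_ORIGINS = {"https://app.example"}   # assumed: the application's own origin(s)


def issue_csrf_token() -> str:
    """Per-session token, stored server-side and handed to the page's JavaScript."""
    return secrets.token_urlsafe(32)


def request_allowed(headers: Mapping[str, str], session_csrf_token: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a state-changing JSON API request may proceed."""
    h = {k.lower(): v for k, v in headers.items()}

    # Layer 1: Content-Type. Useful, but on its own it is what the Flash + 307 trick gets past.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "unexpected content type"

    # Layer 2: Origin, falling back to Referer. A cross-site page cannot make the browser
    # put the victim site's own origin here, whatever content type it manages to send.
    source = h.get("origin") or h.get("referer")
    if not source:
        return False, "missing origin/referer"
    p = urlparse(source)
    if f"{p.scheme}://{p.netloc}" not in ALLOWED_ORIGINS:
        return False, "cross-site origin"

    # Layer 3: the session's CSRF token echoed back in a custom header.
    supplied = h.get("x-csrf-token", "")
    if not session_csrf_token or not hmac.compare_digest(supplied, session_csrf_token):
        return False, "csrf token missing or wrong"

    return True, "ok"
```

Requests that pass layer 1 but fail layer 2 or 3 are the ones this slide's bypass would have produced; logging the reason string gives the detection signal for attempts.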