PENTESTING REST API’S
~ GAURANG BHATNAGAR
AGENDA
▸ Brief overview of API
▸ Fingerprinting & Discovering API
▸ Authentication attacks on API (JWT)
▸ Authorization attacks on API (OAuth)
▸ Bruteforce attacks on API
▸ Attacking Dev/Staging API
▸ Traditional attacks
ABOUT ME
Security consultant at EY
Web and mobile security researcher
Synack Red Team member
Google’s top 50 (VRP)
API - BRIEF OVERVIEW
API stands for Application Programming Interface
An API is used to exchange data between endpoints (typically a client and a server)
API STANDARDS
REST API
REST - Representational State Transfer
Data is usually sent as JSON (XML and other formats are also possible)
FINGERPRINTING & DISCOVERING API
WHAT INFO DO YOU NEED TO KNOW?
Where are the API endpoint(s)?
How do the developers handle versioning?
What programming language(s) are used?
How do clients authenticate to the API?
FINDING SAMPLE API CALLS (BLACK BOX APPROACH)
Brute-force parameter names (Parameth)
Analyse JavaScript code (JS-scan or JSParser)
Dissect the mobile app and retrieve hardcoded URLs
DEBUGGING AND FUZZING
Debug API: using a proxy
Debug API: API testing tools
AUTOMATING TESTS: FUZZING
FuzzAPI
AUTHENTICATION ATTACKS ON API
JWT (JSON Web Tokens) attacks
BYPASSING THE ALGORITHM
The token’s "alg" header tells the server how it was signed:
▸ HS256 - HMAC with one shared secret (one key)
▸ RS256 - RSA signature with a key pair (private key signs, public key verifies)
▸ None - no signature at all
If the backend trusts the alg header, an attacker can set it to "none" and drop the signature, or change RS256 to HS256 and sign with the server’s public key, which the confused backend then uses as the HMAC secret.
CRACKING THE JWT SECRET
Dictionary attack (https://github.com/Sjord/jwtcrack)
Bruteforce attack (https://github.com/lmammino/jwt-cracker)
JWT ATTACK MITIGATION
Use a long, random key (JWT secret)
Pin the algorithm in the backend; never let the token’s alg header choose it
Keep token expiration (TTL, refresh TTL) as short as possible
Use HTTPS everywhere to avoid MITM/replay attacks
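The following is an added example, not code from the slides: a stdlib-only HS256 JWT signer, a deliberately weak verifier that trusts the token's own "alg" header (the bug behind both the alg=none and the RS256-to-HS256 key-confusion bypasses), the offline dictionary attack the two crackers above perform, and a hardened verifier that pins the algorithm as the mitigation slide recommends. The public-key bytes, the secrets, the claims and the wordlist are all constructed; real RS256 verification is left out because the bug does not live there.

```python
"""Added example (not from the slides): JWT alg bypass, secret cracking and
the pinned-algorithm fix, using only the standard library."""
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Builds header.payload.signature; alg="none" yields an empty signature."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def _split(token: str):
    header_b64, payload_b64, sig_b64 = token.split(".")
    return header_b64, payload_b64, sig_b64, json.loads(b64url_decode(header_b64))


def verify_vulnerable(token: str, key_material: bytes) -> Optional[dict]:
    """Dispatches on the header's alg (the bug). Accepts alg=none outright and,
    for HS256, uses whatever key material the caller passed as the HMAC secret.
    A server that passes its RSA public key here to check RS256 tokens is thus
    confused into accepting HS256 tokens signed with that very public key."""
    header_b64, payload_b64, sig_b64, header = _split(token)
    alg = header.get("alg")
    if alg == "none":
        return json.loads(b64url_decode(payload_b64))
    if alg == "HS256":
        expected = hmac.new(key_material, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None  # RS256 path omitted on purpose; the downgrade paths are the point


def verify_hardened(token: str, hmac_secret: bytes) -> Optional[dict]:
    """Pins the algorithm: the header's alg is compared to the configured one
    and never used to pick a code path or a key."""
    header_b64, payload_b64, sig_b64, header = _split(token)
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(hmac_secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def crack_hs256_secret(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: re-sign header.payload with each candidate
    secret and compare against the token's signature."""
    header_b64, payload_b64, sig_b64, _ = _split(token)
    signing_input = f"{header_b64}.{payload_b64}".encode()
    target = b64url_decode(sig_b64)
    for word in wordlist:
        if hmac.compare_digest(hmac.new(word.encode(), signing_input, hashlib.sha256).digest(), target):
            return word
    return None


# Constructed stand-in for the PEM bytes of a server's RSA public key; the
# attacker can fetch the real thing from the JWKS or docs, so it is not secret.
PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n-----END PUBLIC KEY-----\n"
STRONG_SECRET = hashlib.sha256(b"constructed stand-in for os.urandom(32)").digest()


def demo() -> dict:
    forged = {"sub": "attacker", "role": "admin"}
    none_token = make_token(forged, b"", "none")
    confused = make_token(forged, PUBLIC_KEY_PEM)          # HS256 keyed with the public key
    weak = make_token({"sub": "user42"}, b"secret123")      # guessable secret
    return {
        "none_accepted": verify_vulnerable(none_token, PUBLIC_KEY_PEM) == forged,
        "confusion_accepted": verify_vulnerable(confused, PUBLIC_KEY_PEM) == forged,
        "cracked_secret": crack_hs256_secret(weak, ["password", "admin", "secret123", "letmein"]),
        "hardened_rejects_none": verify_hardened(none_token, STRONG_SECRET) is None,
        "hardened_rejects_confusion": verify_hardened(confused, STRONG_SECRET) is None,
        "hardened_accepts_valid": verify_hardened(make_token({"sub": "user42"}, STRONG_SECRET), STRONG_SECRET) == {"sub": "user42"},
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the first three entries show the two downgrades and the cracked secret succeeding against the weak verifier; the last three show the same tokens failing against the pinned-algorithm verifier while a genuinely signed token still passes.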
JWT ATTACKS TESTBED
https://pentesterlab.com/exercises/jwt
AUTHORIZATION ATTACKS ON API
HOW DOES OAUTH WORK?
OAUTH ATTACKS
Access token leakage (via open redirect)
CSRF attack on the OAuth flow
https://www.geekboy.ninja/blog/turning-simple-login-csrf-to-account-takeover/
Stealing the authorization code via XSS
https://whitton.io/articles/uber-turning-self-xss-into-good-xss/
References for further reading:
https://sakurity.com/oauth
https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/
MITIGATIONS
Always use TLS (HTTPS)
Use the state parameter to protect against CSRF
Check your code for XSS vulnerabilities; a single XSS can ruin everything
Keep up to date with protocol standards
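An added example, not from the slides, covering two of the attacks above and the state mitigation: a toy OAuth 2.0 authorization-code client that shows why a missing state parameter lets an attacker complete a login CSRF against a victim's session, and an authorization-server redirect_uri check that shows why a prefix match (rather than an exact match) lets the callback be routed through an open redirect on the client, leaking the code or token. The hostnames, client_id, codes and session ids are constructed.

```python
"""Added example (not from the slides): OAuth state handling and redirect_uri
matching, with the vulnerable and hardened variant of each side by side."""
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://as.example/authorize"                # constructed
REGISTERED_REDIRECT = "https://client.example/oauth/callback"  # constructed


def parse_query(url: str) -> Dict[str, str]:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


# --- authorization server: redirect_uri validation -----------------------
def redirect_uri_allowed_vulnerable(requested: str) -> bool:
    """Prefix match. <registered>/../../redirect?to=evil passes, the browser
    resolves the dot segments to the client's open redirect, and with the
    implicit grant the token in the URL fragment survives the onward hop."""
    return requested.startswith(REGISTERED_REDIRECT)


def redirect_uri_allowed_hardened(requested: str) -> bool:
    """Exact match against the pre-registered value, no normalisation."""
    return requested == REGISTERED_REDIRECT


# --- client: state handling ----------------------------------------------
class OAuthClient:
    def __init__(self) -> None:
        self.sessions: Dict[str, Dict[str, str]] = {}  # session_id -> {"state": ...}

    def start_login(self, session_id: str) -> str:
        """Mints an unguessable state, binds it to the browser session and
        returns the authorization URL the user is redirected to."""
        state = secrets.token_urlsafe(32)
        self.sessions[session_id] = {"state": state}
        params = {"response_type": "code", "client_id": "demo-client",
                  "redirect_uri": REGISTERED_REDIRECT, "state": state}
        return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"

    def handle_callback_vulnerable(self, session_id: str, callback_url: str) -> Optional[str]:
        """No state check: whatever code the browser presents is exchanged
        and linked to this session. An attacker who finishes their OWN flow,
        captures the callback URL and makes the victim load it logs the
        victim into the attacker's account (login CSRF)."""
        return parse_query(callback_url).get("code")

    def handle_callback_hardened(self, session_id: str, callback_url: str) -> Optional[str]:
        """Consumes the session's state exactly once and requires the callback
        to echo it; a callback the victim never initiated carries no valid state."""
        q = parse_query(callback_url)
        expected = self.sessions.get(session_id, {}).pop("state", None)
        got = q.get("state")
        if not expected or not got or not secrets.compare_digest(expected, got):
            return None
        return q.get("code")


def demo() -> dict:
    client = OAuthClient()
    victim_state = parse_query(client.start_login("victim-session"))["state"]
    client.start_login("victim-session-2")  # second victim session for the CSRF case
    attacker_cb = f"{REGISTERED_REDIRECT}?{urlencode({'code': 'ATTACKER_CODE'})}"
    legit_cb = f"{REGISTERED_REDIRECT}?{urlencode({'code': 'VICTIM_CODE', 'state': victim_state})}"
    evil_redirect = f"{REGISTERED_REDIRECT}/../../redirect?to=https://evil.example/"
    return {
        "csrf_code_accepted_without_state": client.handle_callback_vulnerable("victim-session-2", attacker_cb),
        "csrf_blocked_with_state": client.handle_callback_hardened("victim-session-2", attacker_cb),
        "legit_accepted_with_state": client.handle_callback_hardened("victim-session", legit_cb),
        "replayed_state_rejected": client.handle_callback_hardened("victim-session", legit_cb),
        "prefix_match_allows_open_redirect": redirect_uri_allowed_vulnerable(evil_redirect),
        "exact_match_blocks_open_redirect": redirect_uri_allowed_hardened(evil_redirect),
        "exact_match_allows_registered": redirect_uri_allowed_hardened(REGISTERED_REDIRECT),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The state value is consumed on first use, so a captured callback cannot be replayed either; that one-time property is what distinguishes a real CSRF binding from a static per-client value.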
BRUTE FORCE ATTACKS ON API
Targets:
Authentication (form-data/basic/digest)
Password reset tokens / 2FA codes
Tokens (authentication / authorization) like JWT
http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html
MITIGATIONS
Limit retries per username
Keep auth codes, tokens and reset codes as short-lived as possible
Don’t use easily brute-forceable codes (e.g. 4-digit auth codes)
Expire auth/reset codes after a single use
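An added example, not from the slides, that puts the four mitigations above into one issuer/verifier for reset or 2FA codes: a per-username retry cap, a short TTL, a code space too large to exhaust within that cap, and one-time use. The policy values (600 s TTL, 5 attempts, 8-character code), the alphabet and the fake clock are constructed for the demo; the guess-probability helper shows why the 4-digit example on the slide fails even with a cap.

```python
"""Added example (not from the slides): rate-limited, short-lived, one-time
verification codes, plus the arithmetic behind the code-length advice."""
import hmac
import secrets
import time
from typing import Callable, Dict

CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, no 0/O/1/I look-alikes


def guess_probability(alphabet_size: int, code_len: int, attempts: int) -> float:
    """Chance of hitting a uniformly random code within `attempts` online
    guesses. A 4-digit code with no lockout is certain after 10,000 tries;
    with a cap of 5 it is still 5e-4 per reset, so the cap alone is not enough."""
    return min(1.0, attempts / (alphabet_size ** code_len))


class ResetCodeStore:
    def __init__(self, ttl_seconds: int = 600, max_attempts: int = 5,
                 code_len: int = 8, clock: Callable[[], float] = time.time) -> None:
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.code_len = code_len
        self.clock = clock
        self._pending: Dict[str, dict] = {}  # username -> {"code", "expires", "attempts"}

    def issue(self, username: str) -> str:
        """Mints a CSPRNG code; re-issuing replaces (and so invalidates) any
        outstanding code for the same user."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(self.code_len))
        self._pending[username] = {"code": code, "expires": self.clock() + self.ttl, "attempts": 0}
        return code

    def verify(self, username: str, submitted: str) -> str:
        """Returns one of: ok, invalid, locked, expired, none. Every path that
        ends the code's life deletes it so it cannot be retried or reused."""
        rec = self._pending.get(username)
        if rec is None:
            return "none"            # never issued, already used, or burned
        if self.clock() > rec["expires"]:
            del self._pending[username]
            return "expired"
        rec["attempts"] += 1         # count before comparing, so every guess costs
        if rec["attempts"] > self.max_attempts:
            del self._pending[username]
            return "locked"          # burn the code; the user must request a new one
        if hmac.compare_digest(rec["code"].encode(), submitted.encode()):
            del self._pending[username]   # one-time use
            return "ok"
        return "invalid"


class FakeClock:
    """Lets the demo advance time deterministically instead of sleeping."""
    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    clock = FakeClock()
    store = ResetCodeStore(ttl_seconds=600, max_attempts=5, clock=clock)
    out = {}
    # Lockout: five wrong guesses are "invalid", the sixth burns the code.
    # ("WRONGCOD" contains 'O', which is not in the alphabet, so it can never match.)
    code = store.issue("alice")
    out["first_five"] = [store.verify("alice", "WRONGCOD") for _ in range(5)]
    out["sixth"] = store.verify("alice", "WRONGCOD")
    out["correct_after_lock"] = store.verify("alice", code)
    # One-time use: the right code works once, then is gone.
    code = store.issue("alice")
    out["first_use"] = store.verify("alice", code)
    out["second_use"] = store.verify("alice", code)
    # Expiry: a correct code older than the TTL is refused.
    code = store.issue("alice")
    clock.now += 601
    out["after_ttl"] = store.verify("alice", code)
    out["p_4digit_unlimited"] = guess_probability(10, 4, 10_000)
    out["p_4digit_capped"] = guess_probability(10, 4, 5)
    out["p_8char_capped"] = guess_probability(len(CODE_ALPHABET), 8, 5)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Keying the attempt counter on the username (not the client IP) is what defeats distributed brute force; the write-up linked above succeeded precisely because the counter was missing on one host.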
ATTACKING DEV/STAGING/OLD API
Why should we target them?
Still in the development stage (full of bugs)
Deprecated but still working
Internal security teams rarely test old/dev API endpoints
Production measures disabled (rate limiting, registration policy, etc.)
Debug mode is turned on in most cases
1. FINDING OLD API’S
API versioning
▸ Explicit URL (e.g. a /v1/ path segment)
▸ Accept headers
▸ Custom headers
You can also find old versions in old documentation
2. FINDING DEV/STAGING API’S
Subdomain brute forcing
Public records and search engines
Social engineering
ATTACK FLOW
Find out whether the old/dev API connects to the same DB or server as production
Find a weakness in the old/dev API
Use this weakness to affect the production API
https://hackerone.com/reports/157876
MITIGATIONS
Delete old APIs once they are deprecated
Protect your dev/staging APIs with authentication or IP restrictions
Add dev/staging APIs to your security scope
TRADITIONAL ATTACKS
API can be vulnerable to:
SQLi
RCE
XSS
IDOR
CSRF
XXE
and so on…
IDOR (INSECURE DIRECT OBJECT REFERENCE)
api.example.com/profile/UserId=123
Try changing it to another valid UserId:
api.example.com/profile/UserId=456
BYPASSING IDOR PROTECTION VIA PARAMETER POLLUTION
api.example.com/profile/UserId=123
If UserId=456 is rejected, try supplying the parameter twice:
api.example.com/profile/UserId=456&UserId=123
(the authorization check and the data lookup may read different copies of the parameter)
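An added example, not from the slides, of how HTTP parameter pollution turns a "fixed" IDOR back into a working one: the authorization check and the data lookup read the duplicated UserId through different conventions (many stacks keep the last copy, others the first), so the check sees the caller's own id while the lookup fetches someone else's record. The query-string form, the profile store and the session user are constructed for the demo.

```python
"""Added example (not from the slides): IDOR bypass via duplicated parameters,
next to a handler that rejects ambiguous input and keys on the session."""
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Constructed data store: the session user "123" must only ever see profile 123.
PROFILES: Dict[str, Dict[str, str]] = {
    "123": {"name": "alice", "email": "alice@example.test"},
    "456": {"name": "bob", "email": "bob@example.test"},
}


def first_value(query: str, name: str) -> Optional[str]:
    """Convention A (e.g. servlet getParameter, cgi getfirst): first copy wins."""
    values = parse_qs(query, keep_blank_values=True).get(name)
    return values[0] if values else None


def last_value(query: str, name: str) -> Optional[str]:
    """Convention B (e.g. PHP superglobals): last copy wins."""
    values = parse_qs(query, keep_blank_values=True).get(name)
    return values[-1] if values else None


def profile_vulnerable(session_user: str, query: str) -> Optional[Dict[str, str]]:
    """The IDOR 'fix': compare UserId to the session. The check runs in a
    middleware that takes the last copy; the handler then takes the first."""
    if last_value(query, "UserId") != session_user:
        return None                                   # authorization check
    return PROFILES.get(first_value(query, "UserId"))  # data lookup


def profile_hardened(session_user: str, query: str) -> Optional[Dict[str, str]]:
    """Reject duplicated or missing parameters, authorise on the single
    remaining value, and fetch by the session identity rather than the input."""
    values: List[str] = parse_qs(query, keep_blank_values=True).get("UserId", [])
    if len(values) != 1:
        return None                                   # ambiguous input
    if values[0] != session_user:
        return None
    return PROFILES.get(session_user)                 # key on the session, not the input


def demo() -> dict:
    session_user = "123"
    return {
        "plain_idor_blocked": profile_vulnerable(session_user, "UserId=456"),
        "polluted_leaks_other_user": profile_vulnerable(session_user, "UserId=456&UserId=123"),
        "hardened_blocks_pollution": profile_hardened(session_user, "UserId=456&UserId=123"),
        "hardened_serves_own": profile_hardened(session_user, "UserId=123"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

When testing, also try the reversed order (UserId=123&UserId=456), since which copy each layer prefers depends on the stack; the hardened handler rejects both orders because it refuses any duplicated parameter outright.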
CROSS SITE SCRIPTING (XSS)
▸ An API response served with Content-type: text/html lets reflected input render as HTML
CROSS SITE REQUEST FORGERY (CSRF)
CSRF via XHR request (when there is no Content-Type validation in place)
CSRF via Flash and a 307 redirect (when Content-Type is validated, i.e. application/json)
▸ Note: if there is an additional CSRF token or referrer check in place, this attack will not work
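An added example, not from the slides, covering both the XSS and the CSRF slides above through the one thing they share, Content-Type handling on a JSON API. Response side: the same JSON body is inert as application/json but executes as script when the endpoint answers with text/html. Request side: a CSRF check that looks only at Content-Type is satisfied by the Flash/307-redirect trick, so the hardened check also requires a per-session token and an allow-listed Origin. The header names, origins, requests and token store are constructed.

```python
"""Added example (not from the slides): Content-Type hygiene for a JSON API,
vulnerable and hardened variants of the response and of the CSRF check."""
import json
import secrets
from typing import Dict

ALLOWED_ORIGINS = {"https://app.example"}   # constructed front-end origin


# --- response side (XSS slide) -------------------------------------------
def json_response_vulnerable(data: dict) -> Dict[str, str]:
    """json.dumps leaves '<' alone and the endpoint labels the body text/html,
    so a stored '<script>' inside a string is rendered, not displayed."""
    return {"Content-Type": "text/html", "body": json.dumps(data)}


def json_response_hardened(data: dict) -> Dict[str, str]:
    """Correct media type, nosniff so browsers do not second-guess it, and
    HTML-significant characters escaped as \\uXXXX inside JSON strings so the
    body stays inert even if something upstream mislabels it."""
    body = (json.dumps(data)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))
    return {"Content-Type": "application/json; charset=utf-8",
            "X-Content-Type-Options": "nosniff", "body": body}


def response_is_xss_prone(resp: Dict[str, str]) -> bool:
    ctype = resp.get("Content-Type", "").split(";")[0].strip().lower()
    return ctype == "text/html" and "<" in resp["body"]


# --- request side (CSRF slide) -------------------------------------------
class CsrfGuard:
    def __init__(self) -> None:
        self.tokens: Dict[str, str] = {}   # session_id -> token

    def issue_token(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[session_id] = token
        return token

    @staticmethod
    def check_content_type_only(headers: Dict[str, str]) -> bool:
        """Relies on browsers not sending application/json cross-site without
        a preflight. Stops an HTML form or a text/plain XHR, but a 307 redirect
        preserves method, body and Content-Type, so a Flash-originated request
        arrives looking legitimate."""
        return headers.get("Content-Type", "").split(";")[0].strip().lower() == "application/json"

    def check_hardened(self, session_id: str, headers: Dict[str, str]) -> bool:
        """Content-Type AND Origin AND a token bound to the session. Origin is
        checked when present; the token (header name X-CSRF-Token assumed) is
        the decisive factor, because plugins and redirects cannot read it out
        of the victim's page."""
        if not self.check_content_type_only(headers):
            return False
        origin = headers.get("Origin")
        if origin is not None and origin not in ALLOWED_ORIGINS:
            return False
        expected = self.tokens.get(session_id)
        got = headers.get("X-CSRF-Token")
        return bool(expected and got and secrets.compare_digest(expected, got))


def demo() -> dict:
    guard = CsrfGuard()
    token = guard.issue_token("victim-session")
    # Constructed request headers; all bodies are the same state-changing JSON.
    xhr_text_plain = {"Content-Type": "text/plain", "Origin": "https://evil.example"}
    flash_307 = {"Content-Type": "application/json"}          # no Origin, no token
    legit = {"Content-Type": "application/json; charset=utf-8",
             "Origin": "https://app.example", "X-CSRF-Token": token}
    payload = {"name": "<script>alert(document.cookie)</script>"}  # constructed stored input
    return {
        "ctype_check_blocks_text_plain": CsrfGuard.check_content_type_only(xhr_text_plain),
        "ctype_check_passes_flash_307": CsrfGuard.check_content_type_only(flash_307),
        "hardened_blocks_flash_307": guard.check_hardened("victim-session", flash_307),
        "hardened_accepts_legit": guard.check_hardened("victim-session", legit),
        "vulnerable_response_xss_prone": response_is_xss_prone(json_response_vulnerable(payload)),
        "hardened_response_xss_prone": response_is_xss_prone(json_response_hardened(payload)),
        "hardened_body": json_response_hardened(payload)["body"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The escaped body is still valid JSON (a JSON parser turns \u003c back into "<"), so the hardening costs nothing on the client while removing the text/html foothold.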
XML EXTERNAL ENTITY (XXE)
VULNERABLE TEST BEDS
▸ https://github.com/snoopysecurity/dvws
▸ https://payatu.com/tiredful-api-vulnerable-rest-api-app/
▸ https://github.com/rapid7/hackazon
▸ https://github.com/bkimminich/juice-shop