Bad API, hAPI Hackers!

JR0ch17
January 19, 2019

My methodology on API bug hunting and pentesting.


Transcript

  1. Bad API, hAPI hackers! By Jasmin Landry @JR0ch17

  2. $ whoami

  3. $ crontab

  4. Methodology. Where do I start? Create your own methodology:
    1. Recon
    2. Look for “technical” bugs (RCE, SQLi, XXE, XSS, etc.)
    3. Look for “logical” bugs (IDOR, Priv Esc, Info Leak, etc.)
    Important to follow so you test everything possible.

  5. $ cat black_box.txt

  6. $ cat white_box.txt

  7. $ cat info_gathering.txt

  8. $ cat info_gathering.txt | more
    Scanning with Burp often generates error messages:
    1. Send the request to Intruder
    2. Add positions to scan
    3. Right click
    4. Select “Scan defined insertion points”

  9. $ cat technical_bugs.txt | grep RCE
    RCE can sometimes be achieved with:
    • SSTI
    • File upload? ({“fileName”:”test.png”, “fileContent”:”data:image/png;base64,…”}) can also lead to XXE or Stored XSS

  10. $ cat technical_bugs.txt | grep XXE
    Some more file uploads … XXE :)

  11. $ cat technical_bugs.txt | grep SQLi

  12. $ cat technical_bugs.txt | grep SQLi | more
    CVE-2014-6577

  13. $ cat logical_bugs.txt | grep IDOR

  14. $ cat logical_bugs.txt | grep IDOR | more
    GET /api/something/name/somethingelse/customer/profile/:anotherid?profileType=Something HTTP/1.1

  15. $ cat logical_bugs.txt | grep "Priv Esc"

  16. $ cat logical_bugs.txt | grep "Priv Esc" | more
    1. Identified an interesting endpoint that was documented in a .js file
    2. No Authorization header was needed
    3. Created the request
    4. Win!

  17. $ cat bug_chains.txt
    IDOR #1 (GET) → Info Leak #1: able to view other users’ email address
    IDOR #2 (GET) → Info Leak #2: using the email leaked in Info Leak #1, I could get the profile’s UUID
    IDOR #3 (PUT): using the UUID leaked in Info Leak #2, I could change the profile’s email address
    Password Reset (POST) → ATO:
    • Text Message to phone number :(
    • Send email verification link (boring)
    • Answer security question

  18. $ cat bug_chains.txt | more ID from IDOR #1

  19. $ cat thank_you.txt @JR0ch17
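Slides 9 and 10 point out that a JSON file upload of the shape `{"fileName": "test.png", "fileContent": "data:image/png;base64,…"}` becomes an XXE or stored-XSS vector when the server trusts the name or the declared MIME type instead of the bytes. The validator below is an added example written for this page, not code from the talk; the allow-list, field names and sample requests are constructed, and it rejects anything where the extension, the data-URI MIME type and the decoded file signature disagree.

```python
import base64
import json
import re

# Constructed allow-list: declared MIME type -> file signature (magic bytes).
MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n", "image/jpeg": b"\xff\xd8\xff", "image/gif": b"GIF8"}
EXT_TO_MIME = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif"}
DATA_URI = re.compile(r"^data:([\w.+-]+/[\w.+-]+);base64,([A-Za-z0-9+/=]+)$")
MARKUP_PREFIXES = (b"<?xml", b"<svg", b"<!doc", b"<html")

def validate_upload(body):
    """Return (accepted, reason) for a {"fileName", "fileContent"} upload body.
    Extension, declared MIME type and decoded bytes must all agree (blocks SVG/XML sent as 'PNG')."""
    try:
        req = json.loads(body)
        name, content = str(req["fileName"]), str(req["fileContent"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed request"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = EXT_TO_MIME.get(ext)
    if expected is None:
        return False, "extension not allowed"
    m = DATA_URI.match(content)
    if not m:
        return False, "fileContent is not a base64 data URI"
    declared, b64 = m.groups()
    if declared != expected:
        return False, "declared MIME type does not match extension"
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "invalid base64"
    if raw.lstrip()[:5].lower().startswith(MARKUP_PREFIXES):
        return False, "markup content rejected"
    if not raw.startswith(MAGIC[expected]):
        return False, "file signature does not match declared type"
    return True, "ok"

def build_request(name, mime, raw):
    """Build a constructed upload body in the slide's JSON shape (test helper)."""
    b64 = base64.b64encode(raw).decode()
    return json.dumps({"fileName": name, "fileContent": f"data:{mime};base64,{b64}"})

# Constructed samples: a genuine PNG header, an SVG disguised as PNG, a MIME mismatch.
SAMPLES = {
    "png": build_request("test.png", "image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    "svg_as_png": build_request("test.png", "image/png", b'<?xml version="1.0"?><svg/>'),
    "mime_mismatch": build_request("test.png", "image/jpeg", b"\xff\xd8\xff\xe0"),
}
```

The magic-byte check is the one that matters most: a renamed SVG or HTML document fails it even when the client lies about both the extension and the MIME type.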