Bad API, hAPI Hackers!

JR0ch17
January 19, 2019

My methodology on API bug hunting and pentesting.

Transcript

  1. Bad API, hAPI hackers!
    By Jasmin Landry
    @JR0ch17

  2. Methodology
    Where do I start?
    Create your own methodology:
    1. Recon
    2. Look for “technical” bugs (RCE, SQLi, XXE, XSS, etc.)
    3. Look for “logical” bugs (IDOR, Priv Esc, Info Leak, etc.)
    Important to follow it every time, so that you test everything possible

  3. $ cat black_box.txt

  4. $ cat white_box.txt

  5. $ cat info_gathering.txt

  6. $ cat info_gathering.txt | more
    Scanning with Burp often triggers verbose error messages, which are useful for info gathering. To scan only the parameters you care about:
    1. Send the request to Intruder
    2. Add positions (insertion points) to scan
    3. Right click
    4. Select “Scan defined insertion points”
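The same idea outside Burp, as an added example (this is not the talk's own tooling): walk a JSON body, treat every scalar field as an insertion point, push a few probe payloads into each one and keep the responses that look like unhandled errors. The sample body, the payload list, the error patterns and the offline stand-in backend `fake_send` are all constructed for this example.

```python
"""Added example: enumerate every scalar field of a JSON body as an insertion
point, send a few probe payloads into each one, and flag responses that leak
error details. Not the talk's own code; the request body, payloads, error
patterns and the offline stand-in backend are constructed here."""
import copy
import json
import re

# Constructed sample body (assumed shape, not taken from the talk).
SAMPLE_BODY = {
    "fileName": "test.png",
    "meta": {"tags": ["a", "b"], "owner": {"id": 42}},
}

# Small probe set chosen to hit distinct error paths (SQL, template, XML, path, type).
PAYLOADS = ["'", "\"", "{{7*7}}", "<x>", "../", "[]"]

# Fragments that commonly appear in verbose error bodies and stack traces.
ERROR_PATTERNS = re.compile(
    r"(SQLSTATE|syntax error|ORA-\d{5}|Traceback \(most recent call last\)|"
    r"org\.hibernate|at [\w.$]+\(\w+\.java:\d+\)|Unhandled exception)",
    re.IGNORECASE,
)


def insertion_points(obj, path=()):
    """Yield the JSON path (tuple of keys/indices) of every scalar leaf."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from insertion_points(value, path + (key,))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            yield from insertion_points(value, path + (idx,))
    else:
        yield path


def set_path(obj, path, value):
    """Return a deep copy of obj with the leaf at `path` replaced by `value`."""
    new = copy.deepcopy(obj)
    cursor = new
    for key in path[:-1]:
        cursor = cursor[key]
    cursor[path[-1]] = value
    return new


def mutated_bodies(body, payloads=PAYLOADS):
    """Yield (path, payload, mutated_body) for every insertion point x payload."""
    for path in insertion_points(body):
        for payload in payloads:
            yield path, payload, set_path(body, path, payload)


def looks_like_error(status, text):
    """True when the status or the body suggests an unhandled server error."""
    return status >= 500 or ERROR_PATTERNS.search(text) is not None


def triage(body, send, payloads=PAYLOADS):
    """Run every mutation through send(body) -> (status, text); return the hits."""
    hits = []
    for path, payload, mutated in mutated_bodies(body, payloads):
        status, text = send(mutated)
        if looks_like_error(status, text):
            hits.append({"path": "/".join(map(str, path)),
                         "payload": payload, "status": status})
    return hits


def fake_send(body):
    """Constructed stand-in for an HTTP client so the example runs offline.
    It imitates a backend that concatenates meta.owner.id into a SQL query
    and returns the database error verbatim when the query breaks."""
    owner = body["meta"]["owner"]["id"]
    if isinstance(owner, str) and "'" in owner:
        return 500, "SQLSTATE[42000]: Syntax error or access violation near ''"
    return 200, json.dumps({"ok": True})


if __name__ == "__main__":
    for hit in triage(SAMPLE_BODY, fake_send):
        print(hit)
```

Against a real target, replace `fake_send` with a wrapper around your HTTP client (for example `requests.post(url, json=body)` returning `(r.status_code, r.text)`), and tune `ERROR_PATTERNS` to the stack you identified during recon: the point is to get the backend to talk, not to exploit anything yet.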

  7. $ cat technical_bugs.txt | grep RCE
    RCE can sometimes be achieved with:
    • SSTI
    • File upload? Often hidden in a JSON field carrying a data URI:
    {"fileName": "test.png", "fileContent": "data:image/png;base64,…"}
    The same upload can also lead to XXE or Stored XSS

  8. $ cat technical_bugs.txt | grep XXE
    Some more file uploads
    XXE :)
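What makes the upload from the previous two slides dangerous is a server that believes the declared media type. As an added example (not code from the talk), here is the JSON upload body built with an SVG in place of the promised PNG, beside a handler that trusts the declared type and one that checks the decoded bytes. The field names follow the slide; the SVG payload, both handlers and the file-name rule are constructed for this example.

```python
"""Added example (not code from the talk): the JSON upload body from the
slide, built with an SVG in place of the promised PNG, beside a server-side
handler that trusts the declared media type and one that checks the decoded
bytes. Field names follow the slide; the SVG payload, the handlers and the
file-name rule are constructed for this example."""
import base64
import json
import re

DATA_URI = re.compile(r"^data:(?P<mime>[\w.+-]+/[\w.+-]+);base64,(?P<b64>[A-Za-z0-9+/=]+)$")
SAFE_NAME = re.compile(r"^[\w-]{1,64}\.(png|jpe?g|gif)$")

# Leading bytes a real file of each allow-listed type must start with.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}

# Constructed attacker payload: an SVG carrying an external entity (XXE when
# the server parses it) and a script element (stored XSS when served inline).
EVIL_SVG = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text>'
    b'<script>alert(document.domain)</script></svg>'
)


def build_upload(file_name, content, declared_mime="image/png"):
    """Build {"fileName": ..., "fileContent": "data:<mime>;base64,..."}."""
    uri = f"data:{declared_mime};base64,{base64.b64encode(content).decode()}"
    return json.dumps({"fileName": file_name, "fileContent": uri})


def parse_data_uri(uri):
    """Split a base64 data URI into (declared mime, decoded bytes)."""
    m = DATA_URI.match(uri)
    if not m:
        raise ValueError("not a base64 data URI")
    return m.group("mime"), base64.b64decode(m.group("b64"), validate=True)


def store_vulnerable(body):
    """Trusts fileName and the declared MIME type; returns what it would write."""
    req = json.loads(body)
    mime, data = parse_data_uri(req["fileContent"])
    return {"name": req["fileName"], "mime": mime, "bytes": data}


def store_hardened(body, allowed=MAGIC):
    """Accepts only a safe file name and an allow-listed type whose bytes match."""
    req = json.loads(body)
    name = req["fileName"]
    if not SAFE_NAME.match(name):
        raise ValueError(f"bad file name: {name!r}")
    mime, data = parse_data_uri(req["fileContent"])
    magic = allowed.get(mime)
    if magic is None:
        raise ValueError(f"type not allowed: {mime}")
    if not data.startswith(magic):
        raise ValueError(f"content does not match declared type {mime}")
    return {"name": name, "mime": mime, "bytes": data}


def hardened_accepts(body):
    """Convenience wrapper: True if store_hardened would store the upload."""
    try:
        store_hardened(body)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    evil = build_upload("test.png", EVIL_SVG)
    print("vulnerable stores:", store_vulnerable(evil)["bytes"][:40])
    print("hardened accepts:", hardened_accepts(evil))
```

The vulnerable handler writes the SVG to disk as `test.png` with `image/png` recorded as its type, which is exactly the state where a later image-processing step (XXE) or a download served inline (stored XSS) bites. Checking magic bytes is not a full image parser, but it is enough to stop a text payload from masquerading as a binary format.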

  9. $ cat technical_bugs.txt | grep SQLi

  10. $ cat technical_bugs.txt | grep SQLi | more
    CVE-2014-6577

  11. $ cat logical_bugs.txt | grep IDOR

  12. $ cat logical_bugs.txt | grep IDOR | more
    GET /api/something/name/somethingelse/customer/profile/:anotherid?profileType=Something HTTP/1.1

  13. $ cat logical_bugs.txt | grep "Priv Esc"

  14. $ cat logical_bugs.txt | grep "Priv Esc" | more
    1. Identified an interesting endpoint that was documented in a .js file
    2. No Authorization header was needed
    3. Created the request
    4. Win!
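The IDOR slide and the priv-esc slide are the same check from two angles: replay a request that works for its owner, once with another user's token and once with no Authorization header at all, and see whether the answer changes. As an added example (not the talk's script or target), here is that differential test run against an in-memory API with a vulnerable and a hardened handler. The endpoint path is a simplified version of the slide's pattern; the tokens, profile data and both handlers are constructed so that it runs offline.

```python
"""Added example (not the talk's script or target): replay a request that
works for user A (1) with user B's token and (2) with no Authorization header,
and report endpoints whose answer does not change. The endpoint path is a
simplified version of the slide's pattern; the tokens, profile data and the
two in-memory APIs are constructed so that the example runs offline."""
import re

# Constructed tokens and objects.
TOKENS = {"alice": "tok-alice", "bob": "tok-bob"}
PROFILES = {
    "p-1": {"owner": "alice", "email": "alice@example.test"},
    "p-2": {"owner": "bob", "email": "bob@example.test"},
}
PROFILE_RE = re.compile(r"^/api/v1/customer/profile/([^/?]+)")


def caller_from(headers):
    """Map a bearer token to a user name, or None when absent/unknown."""
    auth = headers.get("Authorization", "")
    for user, token in TOKENS.items():
        if auth == f"Bearer {token}":
            return user
    return None


def vulnerable_api(method, path, headers):
    """Looks the profile up by the ID in the URL and never asks who is calling."""
    m = PROFILE_RE.match(path)
    if not m or m.group(1) not in PROFILES:
        return 404, None
    return 200, PROFILES[m.group(1)]["email"]


def hardened_api(method, path, headers):
    """Requires a valid token and checks that the caller owns the object."""
    caller = caller_from(headers)
    if caller is None:
        return 401, None          # no / bad Authorization header
    m = PROFILE_RE.match(path)
    if not m or m.group(1) not in PROFILES:
        return 404, None
    if PROFILES[m.group(1)]["owner"] != caller:
        return 403, None          # not the caller's object
    return 200, PROFILES[m.group(1)]["email"]


def access_control_findings(api, method, path, owner_token, other_token):
    """Differential test. `api(method, path, headers) -> (status, body)`.
    Returns the names of the access-control failures found."""
    baseline = api(method, path, {"Authorization": f"Bearer {owner_token}"})
    if baseline[0] != 200:
        raise RuntimeError("baseline request failed; it must work for its owner first")
    findings = []
    if api(method, path, {"Authorization": f"Bearer {other_token}"}) == baseline:
        findings.append("idor")       # another user's token gets the same data
    if api(method, path, {}) == baseline:
        findings.append("no-auth")    # the endpoint does not require a token at all
    return findings


if __name__ == "__main__":
    path = "/api/v1/customer/profile/p-1?profileType=Something"
    for name, api in (("vulnerable", vulnerable_api), ("hardened", hardened_api)):
        print(name, access_control_findings(api, "GET", path,
                                            TOKENS["alice"], TOKENS["bob"]))
```

Comparing whole responses is deliberately strict; on a real API you will usually normalize the body first (strip timestamps, request IDs) so that a harmless difference does not hide a real IDOR. Run the same two replays against every endpoint you dug out of the JavaScript bundle: the priv-esc slide is the "no-auth" case, the IDOR slide is the "idor" case.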

  15. $ cat bug_chains.txt
    IDOR #1 (GET) -> Info Leak #1: able to view other users’ email address
    IDOR #2 (GET) -> Info Leak #2: using the email leaked in Info Leak #1, I could get the profile’s UUID
    IDOR #3 (PUT): using the UUID leaked in Info Leak #2, I could change the profile’s email address
    Password Reset (POST), options offered:
    • Text message to phone number :(
    • Send email verification link (boring)
    • Answer security question
    -> ATO

  16. $ cat bug_chains.txt | more
    ID from IDOR #1

  17. $ cat thank_you.txt
    @JR0ch17