Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bad API, hAPI Hackers!

January 19, 2019

Bad API, hAPI Hackers!

My methodology on API bug hunting and pentesting.


January 19, 2019

More Decks by JR0ch17

Other Decks in Technology


  1. Methodology Where do I start? Create your own methodology 1.

    Recon 2. Look for “technical” bugs (RCE, SQLi, XXE, XSS, etc) 3. Look for “logical” bugs (IDOR, Priv Esc, Info Leak, etc) Important to follow so you test everything possible
  2. $ cat info_gathering. txt | more Scanning with Burp often

    generates error messages 1. Send the request to Intruder 2. Add positions to scan 3. Right click 4. Select Scan defined insertion points
  3. $ cat technical_bugs. txt | grep RCE RCE can sometimes

    be achieved with: • SSTI • File upload? ({“fileName”:”test.png”, “fileContent” :”data:image/png;base64,…”) can also lead to XXE or Stored XSS
  4. $ cat logical_bugs.txt | grep ”Priv Esc” 1. Identified an

    interesting endpoint that was documented in a .js file 2. No Authorization header was needed 3. Created the request 4. Win!
  5. $ cat bug_chains.txt IDOR #1 Info Leak #1 Able to

    view other users’ email address IDOR #2 Info Leak #2 Using the email leaked in Info leak #1, I could get the profile’s UUID. GET GET IDOR #3 PUT Using the UUID leaked in Info Leak #2, I could change the profile’s email address Password Reset • Text Message to phone number L • Send email verification link (boring) • Answer security question ATO POST