Bad API, hAPI hackers! By Jasmin Landry @JR0ch17 

$ whoami 

$ crontab 

Methodology Where do I start? Create your own methodology 1. Recon 2. Look for “technical” bugs (RCE, SQLi, XXE, XSS, etc) 3. Look for “logical” bugs (IDOR, Priv Esc, Info Leak, etc) Important to follow so you test everything possible 

$ cat black_box.txt 

$ cat white_box.txt 

$ cat info_gathering. txt 

$ cat info_gathering. txt | more Scanning with Burp often generates error messages 1. Send the request to Intruder 2. Add positions to scan 3. Right click 4. Select Scan defined insertion points 

$ cat technical_bugs. txt | grep RCE RCE can sometimes be achieved with: • SSTI • File upload? ({“fileName”:”test.png”, “fileContent” :”data:image/png;base64,…”) can also lead to XXE or Stored XSS 

$ cat technical_bugs. txt | grep XXE Some more file uploads … XXE J 

$ cat technical_bugs. txt | grep SQLi 

$ cat technical_bugs. txt | grep SQLi | more CVE-2014-6577 

$ cat logical_bugs.txt | grep IDOR 

$ cat logical_bugs.txt | grep IDOR | more GET /api/something/name/somethingelse/customer/profile/:anotherid?profileT ype=Something HTTP/1.1 

$ cat logical_bugs.txt | grep ”Priv Esc” 

$ cat logical_bugs.txt | grep ”Priv Esc” 1. Identified an interesting endpoint that was documented in a .js file 2. No Authorization header was needed 3. Created the request 4. Win! 

$ cat bug_chains.txt IDOR #1 Info Leak #1 Able to view other users’ email address IDOR #2 Info Leak #2 Using the email leaked in Info leak #1, I could get the profile’s UUID. GET GET IDOR #3 PUT Using the UUID leaked in Info Leak #2, I could change the profile’s email address Password Reset • Text Message to phone number L • Send email verification link (boring) • Answer security question ATO POST 

$ cat bug_chains.txt | more ID from IDOR #1 

$ cat thank_you.txt @JR0ch17