Understanding API security is crucial as APIs form the backbone of modern interconnected applications, making them prime targets for cyberattacks. Drawing on nearly 30 years of cybersecurity experience and an extensive background in network security and forensic analysis, this book provides the knowledge and tools to strengthen your API security practices and protect against cyber threats comprehensively.
This book begins by establishing a foundational understanding of APIs, particularly focusing on REST and GraphQL, emphasizing their critical role and potential security vulnerabilities. It guides you through setting up a penetration testing environment to ensure the practical application of concepts. You’ll learn reconnaissance techniques, information-gathering strategies, and the discovery of API vulnerabilities. Authentication and authorization testing are thoroughly explored, covering mechanisms, weaknesses, and methods to bypass security controls. By comprehensively addressing these aspects, the book equips you to understand, identify, and mitigate risks, strengthening API security and effectively minimizing potential attack surfaces.
By the end of this book, you’ll have developed practical skills to identify, exploit, and secure APIs against various vulnerabilities and attacks.
Page count: 380
Year of publication: 2024
Pentesting APIs
A practical guide to discovering, fingerprinting, and exploiting APIs
Maurício Harley
Copyright © 2024 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Dhruv Jagdish Kataria
Publishing Product Manager: Prachi Sawant
Book Project Manager: Srinidhi Ram
Senior Editor: Apramit Bhattacharya and Romy Dias
Technical Editor: Nithik Cheruvakodan
Copy Editor: Safis Editing
Proofreader: Apramit Bhattacharya
Indexer: Pratik Shirodkar
Production Designer: Aparna Bhagat
DevRel Marketing Coordinator: Marylou De Mello
First published: September 2024
Production reference: 1210824
Published by Packt Publishing Ltd.
Grosvenor House
11 St Paul’s Square
Birmingham
B3 1RB, UK
ISBN 978-1-83763-316-6
www.packtpub.com
My special dedication goes to my uncle Maurício, whose name was given to me by my father (his brother) as a tribute to him. Rest in peace, dear uncle.
This book has been a dream for several years. Its publication aligns with my 30th professional anniversary. My father’s father wrote six books, and my father wrote two. I wanted to continue this family habit, constantly feeling a writer’s blood running in my veins. It seems we have a lineage of writers in the family. May God bless us all!
I’d like to thank my loving wife, Paula, for all her support and motivational words during this massive journey. I would like to also thank my parents, Bartolomeu and Leuzete, for their endless efforts to provide me with formal and informal education, showing me the path to becoming a decent person. I could not have achieved this without you both. I cannot forget thanking my siblings, Robson, for his joy and infinite smiles, and Raquel, for her inspirational writer spirit. She is known in our family for her creative texts.
I must thank all my friends for their partnership and loyalty.
I also want to thank the whole Packt team for all the support, gentle words, and continuous contact while I was writing this book: Neil D’mello, Srinidhi Ram, Romy Dias, Apramit Bhattacharya, and Prachi Sawant. You guys rock!
Finally, I would like to thank the previous owners of a company I worked for, Auriga Informática e Serviços Ltda: Mário, Valdemar, Ariceu, and Raniere. They quickly realized my potential and gave me all the support that I needed to conquer important technical certifications and achieve substantial progress in my career.
– Maurício Harley
Maurício Harley holds an MSc in cybersecurity, a Bachelor of Science in electrical engineering, and a technologist degree in telematics. He’s CISSP and double CCIE certified.
He has written offensive security articles for some magazines. He has 30 years of combined experience in areas such as application security and forensic analysis. He has delivered security talks at Brazilian, European, and Latin American events, such as RootDay, RootSec, AWS LATAM Security Talks, AWS Security Workshops, EMEA AeroSpace Smart Factory, and OWASP LATAM@Home.
He has participated in various security projects in Latin America and Europe, Middle East, and Africa (EMEA), delivering professional services in Angola, Austria, Bahrain, Brazil, Finland, France, Germany, Netherlands, Spain, South Africa, and the United Kingdom.
Diego Pereyra has over 15 years of experience in IT and cybersecurity. He has served as a cybersecurity analyst in a security operations center, where he implemented and developed cybersecurity tools and frameworks for major companies in Argentina. Additionally, Diego has experience as a senior pentester, during which he led and participated in projects involving web, PWAs, APIs, and mobile pentesting, as well as vulnerability assessments.
He is currently a member of a Red Team at a prominent financial fintech in Latin America, specializing in mobile and API pentesting. Diego prioritizes cybersecurity due to the rapidly evolving nature of threats in today’s world.
I am thankful to my family for their support and for tolerating my busy schedule while still standing by my side. I truly believe that working in this field would not be possible without the cybersecurity communities. Thank you to all who make this field an exciting place to work every day.
Welcome to Pentesting APIs! Application Programming Interfaces (APIs) are pervasive in the modern world we live in. It’s practically impossible to use a web, embedded, or mobile application without interacting with its API. Understanding their weaknesses is fundamental to a well-executed penetration test. That’s what this book is all about.
You will learn various aspects of APIs, beginning with a quick introduction to them and their history, going through basic and advanced attacks, exploring different code excerpts and techniques, and finishing with security recommendations on how to block or avoid such attacks. Hence, this book is divided into the following main sections:
- Recognizing and scanning API targets.
- Effectively attacking APIs.
- Learning recommendations on how to protect APIs from intrusions.

I will guide you through all the steps that are necessary to perform professional pentesting against API targets. This is based on the following:

- My accumulated experience as an application security engineer, where I was responsible for reviewing various security aspects of applications before approving them for public release.
- My previous and current professional experience with software development, especially security software such as key and secrets management and identity management.

Recent news highlights the growing importance of API security. In late 2022, a major social media platform suffered a data breach due to vulnerabilities in its API, exposing millions of user records. Similarly, in early 2023, a financial services company faced a significant security incident where hackers exploited API flaws to siphon off sensitive customer data. These incidents underscore the critical need for rigorous API pentesting to identify and mitigate vulnerabilities before they can be exploited by malicious actors.
By comprehensively understanding and addressing API security, organizations can significantly enhance their defense against potential cyber threats. You are about to begin this fascinating journey.
Although Pentesting APIs can be useful to junior and novice enthusiasts, it will be especially valuable to intermediate and experienced penetration testers, since it assumes a good foundation in cybersecurity concepts such as enumeration, discovery, and pentesting. Some knowledge of higher-level programming languages, such as Python and Golang, is also advised.
With that being said, this book is for security engineers, analysts, application owners, developers, pentesters, and all enthusiasts who want to learn a bit more about APIs and successful ways of testing their robustness.
Chapter 1, Understanding APIs and their Security Landscape, introduces you to APIs, their components, the role they play in contemporary applications, and how users commonly interact with them. Understanding the landscape of APIs will enable you to envisage the potential attack vectors.
Chapter 2, Setting Up the Penetration Testing Environment, guides you toward the preparations and setup of the various pentest lab components. Some important decisions need to be made, such as the selection of tools and frameworks along with the development environment and some initial tests. If you are new to the pentesting arena, you will have the chance to get to know some relevant terminology and important software.
Chapter 3, API Reconnaissance and Information Gathering, is the first chapter where you will start to play with APIs. Before effectively attacking an API endpoint, it is paramount to enumerate and recognize what is available. Some penetration tests are completely black boxes, meaning you will have absolutely no knowledge about what is running on the API’s side.
Chapter 4, Authentication and Authorization Testing, covers aspects related to Authentication (AuthN) and Authorization (AuthZ) in applications, focusing on the ways APIs implement them. Then, after learning how apps control their users’ access, it is time for you to understand how these mechanisms can be exploited and ultimately bypassed.
Chapter 5, Injection Attacks and Validation Testing, teaches you how to test APIs against both SQL and NoSQL injections, and how such attacks can largely be avoided by correctly validating user input.
Chapter 6, Error Handling and Exception Testing, explains that applications do not always run as they were designed by their creators. Some unexpected behavior might occur either caused by the users themselves or by some internal error. You will learn how bad exception and error handling might bring to light valuable information as well as open exploitable breaches.
Chapter 7, Denial of Service and Rate-Limiting Testing, discusses pentesting with Denial of Service (DoS) attacks and their “distributed” variant. These are some of the biggest attacks carried out on the internet. You will understand how to test targets with DoS and identify rate-limiting mechanisms, as well as how to circumvent them.
Chapter 8, Data Exposure and Sensitive Information Leakage, introduces you to one of the most dangerous threats to APIs, according to the OWASP API Security Top 10. You will learn how to identify data exposure and leakage and leverage them in your penetration tests against APIs.
Chapter 9, API Abuse and Business Logic Testing, explains that knowing the logic behind API implementations can be quite useful for abusing them. You will learn strategies to leverage this knowledge for pentesting, as well as approaches to avoid falling victim to such threats.
Chapter 10, Secure Coding Practices for APIs, discusses topics that every software developer, whether or not they are creating an API, should be aware of. You will learn about established secure coding approaches and standards, as well as some advice on how to avoid many of the attacks discussed in the book.
You will have to know how to work with virtual machines, preferably using Linux guests.
Software/hardware covered in the book | Operating system requirements
VirtualBox                            | Linux
You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Pentesting-APIs. If there’s an update to the code, it will be updated in the GitHub repository.
We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “Inside the header, some attributes can be declared, such as env:role, env:mustUnderstand, and env:relay.”
A block of code is set as follows:

    <env:Header>
      <BA:BlockA xmlns:BA="http://mysoap.com" env:role="http://mysoap.com/role/A" env:mustUnderstand="true">
        ...
      </BA:BlockA>
      <BB:BlockB xmlns:BB="http://mysoap.com" env:role="http://mysoap.com/role/B" env:relay="true">
        ...
      </BB:BlockB>
    </env:Header>

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

    {"jsonrpc": "2.0", "method": "IsStudent", "params": [100], "id": 1}
    {"jsonrpc": "2.0", "result": true, "id": 1}
    {"jsonrpc": "2.0", "method": "IsStudent", "params": ["ABC"], "id": 2}
    {"jsonrpc": "2.0", "error": {"code": -1, "message": "Invalid enrollment id format"}, "id": 2}

Any command-line input or output is written as follows:

    $ sudo apt update && sudo apt install curl

Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “Select Next and you’ll be asked in which directory you’d like it to be installed.”
Tips or important notes
Appear like this.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Once you’ve read Pentesting APIs, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.
Thanks for purchasing this book!
Do you like to read on the go but are unable to carry your print books everywhere?
Is your eBook purchase not compatible with the device of your choice?
Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.
Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.
The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily
Follow these simple steps to get the benefits:
1. Scan the QR code or visit the link below: https://packt.link/free-ebook/978-1-83763-316-6
2. Submit your proof of purchase

That’s it! We’ll send your free PDF and other benefits to your email directly.

In this part, you will be introduced to the world of APIs, learn their history, get acquainted with some types of APIs, and understand the importance of protecting APIs. You will also learn about some common vulnerabilities that might affect them. Finally, you will be taught how to prepare your pentesting lab environment, with tips on tools and access to the book’s code repository.
This section contains the following chapters:
Chapter 1, Understanding APIs and their Security Landscape
Chapter 2, Setting Up the Penetration Testing Environment