Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/inonshk/31-days-of-API-Security-Tips
This challenge is Inon Shkedy's 31 days API Security Tips.
https://github.com/inonshk/31-days-of-API-Security-Tips
api-pentest api-security bug-bounty bugbounty bugbountytips infosec pentest security
Last synced: about 2 months ago
JSON representation
This challenge is Inon Shkedy's 31 days API Security Tips.
- Host: GitHub
- URL: https://github.com/inonshk/31-days-of-API-Security-Tips
- Owner: inonshk
- Created: 2020-02-01T11:03:00.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2022-04-20T07:58:47.000Z (over 2 years ago)
- Last Synced: 2024-05-19T19:20:00.229Z (7 months ago)
- Topics: api-pentest, api-security, bug-bounty, bugbounty, bugbountytips, infosec, pentest, security
- Size: 19.5 KB
- Stars: 2,066
- Watchers: 62
- Forks: 327
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - inonshk/31-days-of-API-Security-Tips - This challenge is Inon Shkedy's 31 days API Security Tips. (Others)
- stars - 31-days-of-API-Security-Tips
- stars - 31-days-of-API-Security-Tips
README
# 31-days-of-API-Security-Tips
### This challenge is Inon Shkedy's 31 days API Security Tips
#### -API TIP: 1/31-
*Older APIs versions tend to be more vulnerable and they lack security mechanisms.
Leverage the predictable nature of REST APIs to find old versions.
Saw a call to `api/v3/login`? Check if `api/v1/login` exists as well. It might be more vulnerable.*
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP: 2/31-
*Never assume there’s only one way to authenticate to an API!
Modern apps have many API endpoints for AuthN: `/api/mobile/login` | `/api/v3/login` | `/api/magic_link`; etc..
Find and test all of them for AuthN problems.*
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP:3/31-
*Remember how SQL Injections used to be extremely common 5-10 years ago, and you could break into almost every company?
BOLA (IDOR) is the new epidemic of API security.
As a pentester, if you understand how to exploit it, your glory is guaranteed.*
> Learn more about BOLA : [https://medium.com/@inonst/a-deep-dive-on-the-most-critical-api-vulnerability-bola-1342224ec3f2](https://medium.com/@inonst/a-deep-dive-on-the-most-critical-api-vulnerability-bola-1342224ec3f2)
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP: 4/31-
Testing a Ruby on Rails App & noticed an HTTP parameter containing a URL?
Developers sometimes use "Kernel#open" function to access URLs == Game Over.
Just send a pipe as the first character and then a shell command (Command Injection by design)
> Learn more about the open function: [https://apidock.com/ruby/Kernel/open](https://apidock.com/ruby/Kernel/open)
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP:5/31-
*Found SSRF? use it for:*
* Internal port scanning
* Leverage cloud services(like 169.254.169.254)
* Use http://webhook.site to reveal IP Address & HTTP Library
* Download a very large file (Layer 7 DoS)
* Reflective SSRF? disclose local mgmt consoles
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP: 6/31-
*Mass Assignment is a real thing.
Modern frameworks encourage developers to use MA without understanding the security implications.
During exploitation, don't guess object's properties names, simply find a GET endpoint that returns all of them.*
--------------------------------------------------------------------------------------------------------------------------
#### - API TIP: 7/31 -
*A company exposes an API for developers?
This is not the same API which is used by mobile / web application. Always test them separately.
Don't assume they implement the same security mechanisms.*
--------------------------------------------------------------------------------------------------------------------------
#### - API TIP: 8/31 -
Pentest for REST API? Give it a chance and check if the API supports SOAP also.
Change the content-type to "application/xml", add a simple XML in the request body, and see how the API handles it.
> Sometimes the authentication is done in a different component that is shared between REST & SOAP APIs == SOAP API may support JWT
> If the API returns stack trace with a DUMPling, it's probably vulnerable**
--------------------------------------------------------------------------------------------------------------------------
#### - API TIP: 9/31 -
*Pentest for APIs? Trying to find BOLA (IDOR) vulnerabilities? IDs in the HTTP bodies/headers tend to be more vulnerable than IDs in URLs. Try to focus on them first.*
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP: 10/31-
*Exploiting BFLA (Broken Function Level Authorization)?
Leverage the predictable nature of REST to find admin API endpoints!
E.g: you saw the following API call `GET /api/v1/users/`
Give it a chance and change to `DELETE / POST to create/delete users.`*
--------------------------------------------------------------------------------------------------------------------------
#### - API TIP: 11/31 -
*The API uses Authorization header? Forget about CSRF!
If the authentication mechanism doesn't support cookies, the API is protected against CSRF by design.*
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP : 12/31-
*Testing for BOLA (IDOR)?
Even if the ID is GUID or non-numeric, try to send a numeric value.
For example: `/?user_id=111` instead of `[email protected]`
Sometimes the AuthZ mechanism supports both and it's easier the brute force numbers.*
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP: 13/31-
*Use Mass Assignment to bypass security mechanisms.
E.g., "enter password" mechanism:
- `POST /api/reset_pass` requires old password.
- `PUT /api/update_user` is vulnerable to MA == can be used to update pass without sending the old one (For CSRF)*
--------------------------------------------------------------------------------------------------------------------------
#### - API TIP: 14/31 -
*Got stuck during an API pentest? Expand your attack surface! Find sub/sibling domains using http://Virustotal.com & http://Censys.io.
Some of these domains might expose the same APIs with different configurations/versions.*
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP:15/31-
*Static resource==photo,video,..
Web Servers(IIS, Apache) treat static resources differently when it comes to authorization.
Even if developers implemented decent authorization, there's a good chance you can access static resources of other users.*
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP: 16/31-
Even if you use another web proxy, always use Burp in the background.
The guys at @PortSwigger
are doing a really good job at helping you manage your pentest.
Use the “tree view” (free version) feature to see all API endpoints you’ve accessed.
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP:17/31-
*Mobile Certificate Pinning?
Before you start reverse engineering & patching the client app, check for both iOS & Android clients and older versions of them.
There's a decent chance that the pinning isn't enabled in one of them. Save time.*
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP: 18/31-
*Companies & developers tend to put more resources (including security) into the main APIs.
Always look for the most niche features that nobody uses to find interesting vulnerabilities.
`POST /api/profile/upload_christmas_voice_greeting`*
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP:19/31-
*Which features do you find tend to be more vulnerable?*
*I'll start:*
* Organization's user management
* Export to CSV/HTML/PDF
* Custom views of dashboards
* Sub user creation&management
* Object sharing (photos, posts,etc)
--------------------------------------------------------------------------------------------------------------------------
#### - API TIP:20/31-
*Testing AuthN APIs?
If you test in production, there's a good chance that AuthN endpoints have anti brute-force protection.
Anyhow, DevOps engineers tend to disable rate limiting in non-production environments. Don't forget to test them :)*
> A good example of this issue: Facebook Breach (Found by @sehacure) [http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html](http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html)
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP:21/30-
*Got stuck during an API pentest? Expand the attack surface!
Use http://archive.com, find old versions of the web-app and explore new API endpoints.
Can't use the client? scan the .js files for URLs. Some of them are API endpoints.*
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP:22/31-
*APIs tend to leak PII by design.
BE engineers return raw JSON objects and rely on FE engineers to filter out sensitive data.
Found a sensitive resource (e.g, `receipt`)? Find all the EPs that return it: `/download_receipt`,`/export_receipt`, etc..*
> Some of the endpoints might leak excessive data that should not be accessible by the user.
> This is an example for OWASP Top 10 For APIs - #3 - Excessive Data Exposure
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP:23/31-
*Found a way to download arbitrary files from a web server?
Shift the test from black-box to white-box.
Download the source code of the app (DLL files: use IL-spy; Compiled Java - use Luyten)
Read the code and find new issues!*
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP:24/31-
*Got stuck during an API pentest? Expand your attack surface!
Remember: developers often disable security mechanisms in non-production environments (qa/staging/etc);
Leverage this fact to bypass AuthZ, AuthN, rate limiting & input validation.*
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP:25/31-
*Found an "export to PDF" feature?
There's a good chance the developers use an external library to convert HTML --> PDF behind the scenes.
Try to inject HTML elements and cause "Export Injection".*
> Learn more about Export Injection: [https://medium.com/@inonst/export-injection-2eebc4f17117](https://medium.com/@inonst/export-injection-2eebc4f17117)
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP:26/31-
*Looking for BOLA (IDOR) in APIs? got 401/403 errors?
AuthZ bypass tricks:*
* Wrap ID with an array` {“id”:111}` --> `{“id”:[111]}`
* JSON wrap `{“id”:111}` --> `{“id”:{“id”:111}}`
* Send ID twice `URL?id=&id=`
* Send wildcard `{"user_id":"*"}`
> In some cases, the AuthZ mechanism expects a plain string (an ID in this case), and if it receives a JSON instead it won't perform the AuthZ checks. Then, when the input goes to the data fetching component, it might be okay with a JSON instead of string(e.g: it flattens the JSON)
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP:27/31-
*BE Servers no longer responsible for protecting against XSS.
APIs don't return HTML, but JSON instead.
If API returns XSS payload? -
E.g: `{"name":"Inalert(21)on}`
That's fine! The protection always needs to be on the client side*
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP:28/31-
*Pentest for .NET apps? Found a param containing file path/name? Developers sometimes use "Path.Combine(path_1,path_2)" to create full path. Path.Combine has weird behavior: if param#2 is absolute path, then param#1 is ignored.*
##### Leverage it to control the path
> Learn more: [https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications](https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications)
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP:29/30-
*APIs expose the underlying implementation of the app.
Pentesters should leverage this fact to better understand users, roles, resources & correlations between them and find cool vulnerabilities & exploits.
Always be curious about the API responses.*
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP:30/31-
*Got stuck during an API pentest? Expand your attack surface!
If the API has mobile clients, download old versions of the APK file to explore old/legacy functionality and discover new API endpoints.*
> Remember: companies don’t always implement security mechanisms from day one && DevOps engineers don’t often deprecate old APIs. Leverage these facts to find shadow API endpoints that don’t implement security mechanism (authorization, input filtering & rate limiting)
> Download old APK versions of android apps: [https://apkpure.com](https://apkpure.com)
--------------------------------------------------------------------------------------------------------------------------
#### -API TIP: 31/31-
*Found a `limit` / `page` param? (e.g: `/api/news?limit=100`) It might be vulnerable to Layer 7 DoS. Try to send a long value (e.g: `limit=999999999`) and see what happens :)*
--------------------------------------------------------------------------------------------------------------------------
## Source
#### All of this information is taken from twitter of Inon Shkedy
##### Links:
* [Inon Shkedy](https://twitter.com/inonshkedy)
* [Traceableai](https://twitter.com/traceableai/)
* [OWASP API PROJECT](https://github.com/OWASP/API-Security)