Guide: 📋 How to Hack API in 60 minutes or API Threats Simulation with Open-Source Tools

APIs look very different to different people

  • Framework: a unified way to operate things
  • Specification: it is Swagger-based for REST, or OpenAPI (version 3, technically), or a different schema for GraphQL, or protobuf descriptions for gRPC.
  • No HTML markup anymore, just data and business logic: 10 years ago it was impossible to split data and markup; everything was always bundled together. These days back-end developers put a border between the back end and its clients, whether a mobile app, browser JavaScript in a single-page application, or business-to-business (custom) integrations.
  • Unified back-ends for mobile, web, integrations
  • Specification meets production: should this endpoint return 502 that often? All of these things should be mitigated.
  • Scaling: which microservice should I scale, and how, to solve the 504 on this endpoint? Whether REST, GraphQL or whatever else.
  • New protocols: all my tools like firewalls and scanners don’t work!
  • East-west security: they are talking to each other inside my network?!
  • New compliance

What’s the difference between Attack Simulation and Fuzzing?

Open Source API Security Tools

They can be split into 3 different types:

Summary of API security test tools

How to Fuzz

  1. Method scraping (/user/debug, SET / HTTP/1.1, etc.)

Benefits of Fuzz Testing

  • Fuzz testing improves software security testing.
  • Bugs found by fuzzing are sometimes severe and are often the ones exploited by hackers: crashes, memory leaks, unhandled exceptions, and so on.
  • Bugs that testers fail to notice because of limited time and resources are also found by fuzz testing.

Faults of Fuzz Testing

  • Fuzz testing alone cannot give a complete picture of the overall security threats or bugs.
  • Fuzz testing is less effective for dealing with security threats that do not cause program crashes, for example some viruses, worms, Trojans, and so on.
  • Fuzz testing can detect only simple faults or threats.
  • To perform effectively, it requires significant time.
  • Defining a boundary-value condition with random inputs is very problematic, but nowadays most testers solve this by using deterministic algorithms based on user inputs.

Fuzzing optimizations for lists

  • Machine learning (everything you can from HMM to RNN)
  • Linguistic patterns (verbs and nouns)
  • Templates (RegExp, syllable)

API Fuzzer Examples

?ref=http://aaa/%00aaaaaaaaaaaaaaaaaaa aa
{"method":"test%26method%3ddeleteUser"}
SSRF inside the URL string to the backend API
727 call('/api/?method='+$data) …
GET /api/?method=test&method=deleteUser
HOST internal.api.host
<Image><![CDATA[http://test.com\n
rm -rf / ;]]</Image>
GET / HTTP/1.1
COOKIE: sessionid=a8cf5d724a7f56e490cab37%0a
%0aset+key+0+1+3600+10%0a1234567890%0a
SET /user/data HTTP/1.1
Host: api.test.com
POST /endpoint/env HTTP/1.1
POST /user/login HTTP/1.1
HOST: api.somethings.com
{"token":true, ...}
{"token":{} [] ...
PUT /api/v1/user HTTP/1.1
Content-Type: application/JSON
PUT /api/v1/user HTTP/1.1
Content-Type: application/xml

HTTP non-CRUD methods, CRUD aliases and WebDAVish things

  • SET
  • REMOVE (instead of DELETE, I don’t know why)
  • DEBUG
  • TRACK
  • FORWARD
  • MOVE
  • INFO

Hackers’ point of view on API requests

GET /user/7456438/add HTTP/1.1
HTTP/1.1

Analysing the results

  • No 5xx errors
  • No 1+ms response

API simulation best practices

API Attacks Simulation using Open Source GoTestWAF tool

./testcase → testcase → testset (yaml file) → [ [payload], [encoder], [placeholder] ]
  • Payload
  • Encoder
  • Placeholder
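The payload × encoder × placeholder expansion described above, plus the two checks from “Analysing the results” (no 5xx, no slow responses), as an added example in Python; this is not GoTestWAF’s own code or YAML format. Payload strings, the /api/v1/user path, the X-Fuzz header name and the 1000 ms slow threshold are constructed assumptions.

```python
import base64
import itertools
import json
from urllib.parse import quote

# Constructed testset: every payload goes through every encoder
# and is injected into every placeholder (the GoTestWAF idea, not its format).
TESTSET = {
    "payload": ["test\x00marker", "debug"],   # constructed marker strings
    "encoder": ["Plain", "URL", "Base64"],
    "placeholder": ["URLParam", "Header", "JSONBody"],
}

ENCODERS = {
    "Plain": lambda s: s,
    "URL": lambda s: quote(s, safe=""),
    "Base64": lambda s: base64.b64encode(s.encode()).decode(),
}

def place(placeholder, value, path="/api/v1/user"):
    """Return (method, path, headers, body) with value in the chosen spot."""
    headers = {"Host": "api.test.com"}
    if placeholder == "URLParam":
        return ("GET", f"{path}?method={value}", headers, None)
    if placeholder == "Header":                       # X-Fuzz is a made-up header
        return ("GET", path, {**headers, "X-Fuzz": value}, None)
    if placeholder == "JSONBody":
        ctype = {**headers, "Content-Type": "application/json"}
        return ("POST", path, ctype, json.dumps({"method": value}))
    raise ValueError(f"unknown placeholder {placeholder}")

def expand(testset):
    """Cartesian product: one concrete request per (payload, encoder, placeholder)."""
    combos = itertools.product(testset["payload"], testset["encoder"], testset["placeholder"])
    return [{"payload": p, "encoder": e, "placeholder": ph,
             "request": place(ph, ENCODERS[e](p))} for p, e, ph in combos]

def analyse(results, slow_ms=1000):
    """results: list of (case, http_status, latency_ms).
    Flag the two conditions the page checks for: 5xx errors and slow responses."""
    findings = []
    for case, status, latency in results:
        if status >= 500:
            findings.append(("5xx", status, case["encoder"], case["placeholder"]))
        if latency >= slow_ms:
            findings.append(("slow", latency, case["encoder"], case["placeholder"]))
    return findings
```

Sending the generated requests and collecting (status, latency) is left to whatever HTTP client you use; analyse() then tells you which encoder/placeholder combination produced each 5xx or slow answer.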

Webinar — “Workshop — API Threat Simulations with open-source tools”

Resume

CEO at Wallarm. Application security platform to prevent threats and discover vulnerabilities in a real-time.

Ivan Novikov