API Pentesting
My notes on API Pentesting
Recon
The first step is to find API endpoints on the target. You can use fuzzing for that, Burp Intruder, or some manual enumeration. Endpoints like /api are very common; if one exists on the target, fuzz inside that API base path to look for more endpoints.
If available, try looking for documentation that explains the working of the API. If you find documentation, go through it properly and take note of every detail.
HTTP Methods
Most APIs (according to my experience) work with the GET method. There are APIs that take requests via the POST method too, but other methods can also work, such as:
OPTIONS - Retrieves information on the types of request methods that can be used on a resource.
PATCH - Applies partial changes to a resource.
DELETE - Deletes a resource.
Content Types
This header specifies the format in which the API takes data from a request, for example: Content-Type: application/json
You can alter the request body accordingly (based on the relevant Content-Type) and trigger errors to find useful information, bypass defences and manipulate requests.
For example, in the PortSwigger Lab, which has an intentionally vulnerable e-commerce app, by manipulating the JSON request I was able to alter the price of a product and change it to zero, after which I was able to add it to my cart and then place an order.
Hidden Parameters
You can find hidden parameters by brute-forcing with wordlists, or by triggering errors that reveal the parameters required to build a valid request.
For example, suppose a JSON body containing updated username and email values is sent to the endpoint PATCH /api/users to update user information.
A different endpoint, GET /api/users/123, returns a JSON object containing not only username and email but also id and isAdmin fields.
This indicates that the hidden id and isAdmin parameters are bound to the internal user object, alongside the updated username and email parameters.
Now we try adding the isAdmin parameter to the PATCH request.
If there is no server-side sanitisation, we will be able to gain administrator access using this hidden parameter.
Mass Assignment variables
Mass assignment can create hidden parameters. It occurs when software frameworks automatically bind request parameters to fields on an internal object. Mass assignment may therefore result in the application supporting parameters that were never intended to be processed by the developer.
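To show both the hidden-parameter case above and the mass assignment behind it, here is an added example (not code from the original notes or from PortSwigger): a PATCH /api/users handler written two ways, one that auto-binds every request field onto the user object and one that only binds an allowlist. The User fields, the PATCHABLE_FIELDS policy and the request body are assumptions constructed for the example.

```python
# Added example: mass assignment versus an allowlist on PATCH /api/users.
from dataclasses import dataclass, asdict
import json


@dataclass
class User:
    id: int
    username: str
    email: str
    isAdmin: bool = False   # hidden field, never meant to be client-writable


# Assumed policy: the only fields a client may change through PATCH /api/users.
PATCHABLE_FIELDS = {"username", "email"}


def patch_user_mass_assign(user: User, body: str) -> dict:
    """Vulnerable: every key in the JSON body that matches an attribute of the
    internal object is bound, so hidden id/isAdmin become writable."""
    for key, value in json.loads(body).items():
        if hasattr(user, key):          # framework-style auto-binding, no allowlist
            setattr(user, key, value)
    return asdict(user)


def patch_user_allowlisted(user: User, body: str) -> dict:
    """Hardened: bind only allowlisted fields and reject anything else with a
    generic 400, so the client cannot probe for hidden field names."""
    data = json.loads(body)
    if set(data) - PATCHABLE_FIELDS:
        # Log the rejected field names server-side for detection; do not echo them.
        return {"status": 400, "error": "unexpected field in request body"}
    for key in PATCHABLE_FIELDS & set(data):
        setattr(user, key, data[key])
    return {"status": 200, **asdict(user)}


if __name__ == "__main__":
    # Constructed request: updated username and email plus the hidden isAdmin
    # parameter learned from the GET /api/users/123 response.
    body = '{"username": "alice", "email": "alice@example.test", "isAdmin": true}'
    print(patch_user_mass_assign(User(123, "old", "old@example.test"), body))
    print(patch_user_allowlisted(User(123, "old", "old@example.test"), body))
```

With the vulnerable handler the response shows isAdmin flipped to true; the allowlisted handler returns 400 and leaves the object untouched, which is also the event worth alerting on.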