PortSwigger- Finding And Exploiting An Unused API Endpoint

Hello Folks,
All web applications use an Application Programming Interface (API), and an exposed API is just as open to attack as the rest of the application. So as penetration testers, we should know how to identify and exploit API-related vulnerabilities. In this blog, we will walk through the complete process, starting from identifying API endpoints, the HTTP methods they support, and the content types they accept.
We will be exploring this vulnerability using PortSwigger's lab. So without any more delay, let's first understand what APIs are and then begin the penetration testing process.
An API is software that works as an intermediary, allowing a website to access and share data with different systems across multiple organizations. It is important to secure these APIs because they carry data.
Now that we know what APIs are and why they matter, we have to protect them from intruders. To understand the complete API penetration testing process, we will explore a PortSwigger lab. If you want to learn how to exploit API endpoints using documentation, you can check out our previous blog.

Finding and exploiting an unused API endpoint

Let's start by reading the lab description: we have to identify and exploit a hidden API endpoint to buy a product without spending any money. For this, we are provided with a credential pair. This lab can be solved using the Burp Suite Community edition.
After accessing the target website, we first have to log in as the wiener user with the credential pair. To identify API endpoints, we have to interact with the web application and explore all of its functionality. There are many products on the home page, but our target is "Lightweight l33t Leather Jacket", so let's click on it. We can see that the price of this product is $1337 and that we have $0.00 in our balance, so we have to find an API endpoint that might help us here.
Let's switch to Burp Suite; under the HTTP history tab, we will find a GET request to the /api/products/1/price endpoint. So we have our API endpoint and have to test it, for which we need to send this request to Repeater. In Repeater, we can modify the request, so let's see which HTTP methods the server supports. We can confirm this by replacing GET with OPTIONS in the API request. In the response, we can see that only the GET and PATCH methods are allowed.

1. OPTIONS

Let's change the GET method to PATCH and send the API request. We will get a response saying that the Content-Type header is missing and should be application/json. So we have to add a Content-Type request header to the PATCH request and set application/json as its value. Since we added this header, we also have to add an empty JSON object {} in the body of the request. When we send this request, we receive an error saying that the price parameter is missing.
Let's add a price parameter to the request body and set its value to 0 as follows:

{"price":0}

Let's send the request. We will receive a 200 response. Let's go to the browser and refresh the page. We will find that the product's price has changed to $0.00. So we have successfully exploited the API vulnerability and changed the price of "Lightweight l33t Leather Jacket".

2. Changed the price

Now, to solve the lab, we have to add this product to our basket and then click the "Place order" button to purchase the product without paying anything. Hence the lab is solved.
In this blog post, we have covered the concept of an API and the vulnerability of an insecure unused API endpoint. You guys can explore our other PortSwigger blogs available on CyberiumX.
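As an added example (not code from the lab or from PortSwigger), here is a minimal Python model of the price endpoint: the first handler reproduces the behaviour observed above, while the second shows the fixes a developer would apply (role check, input validation, and not advertising the unused method). The role names, catalogue structure and status codes are assumptions.

```python
import copy
from typing import Any, Dict, Tuple

# Constructed catalogue for the example; the product name and price match the
# lab description, but the data structure is ours.
CATALOG = {"1": {"name": "Lightweight l33t Leather Jacket", "price": 1337.00}}


def fresh_catalog() -> Dict[str, Dict[str, Any]]:
    return copy.deepcopy(CATALOG)


def vulnerable_price_endpoint(catalog, method, headers, body, user) -> Tuple[int, Dict[str, Any]]:
    """Behaves like the lab's /api/products/1/price: PATCH is live for any
    logged-in user and only the Content-Type and body shape are checked."""
    product = catalog["1"]
    if method == "GET":
        return 200, {"price": product["price"]}
    if method == "OPTIONS":
        return 204, {"allow": "GET, PATCH"}        # advertises the unused method to everyone
    if method == "PATCH":
        if headers.get("Content-Type") != "application/json":
            return 400, {"error": "Content-Type header must be application/json"}
        if "price" not in body:
            return 400, {"error": "price parameter is missing"}
        product["price"] = body["price"]          # no role check, no value check
        return 200, {"price": product["price"]}
    return 405, {"error": "method not allowed"}


def hardened_price_endpoint(catalog, method, headers, body, user) -> Tuple[int, Dict[str, Any]]:
    """Same route after the fix: PATCH needs the admin role, the price must be
    a non-negative number, and OPTIONS only advertises GET to other users."""
    product = catalog["1"]
    is_admin = user.get("role") == "admin"        # role comes from the server-side session
    if method == "GET":
        return 200, {"price": product["price"]}
    if method == "OPTIONS":
        return 204, {"allow": "GET, PATCH" if is_admin else "GET"}
    if method == "PATCH":
        if not is_admin:
            return 403, {"error": "forbidden"}
        if headers.get("Content-Type") != "application/json":
            return 415, {"error": "Content-Type header must be application/json"}
        price = body.get("price")
        if isinstance(price, bool) or not isinstance(price, (int, float)) or price < 0:
            return 400, {"error": "price must be a non-negative number"}
        product["price"] = float(price)
        return 200, {"price": product["price"]}
    return 405, {"error": "method not allowed"}
```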

Happy Pentesting!
Team CyberiumX

PortSwigger- Exploiting An API Endpoint Using Documentation

Hello Folks,
This blog will focus on API testing, where we will learn about APIs and their vulnerabilities using the PortSwigger platform. Every website relies on APIs, and it is very important to make them secure. In this blog post, we will explore the vulnerabilities using the API documentation. Let's understand APIs in detail and then move forward and begin the penetration testing process to secure them.
API stands for Application Programming Interface; it helps a website communicate with different systems to share and access data. Through these APIs, the website receives data from other software systems or applications.
It is important to secure these APIs, but first we have to find the API endpoints, which are commonly available under /api. Let's understand this with an example. Suppose we make a GET request to the /api/movie endpoint to fetch information about all movies. There can be other API endpoints such as /api/movie/horror and /api/movie/action to retrieve information about horror and action movies respectively.
After identifying the endpoints, we can send requests to them using various HTTP methods such as GET, POST, PUT, DELETE, etc. Some APIs process user-supplied input through different parameters, so it is important to learn the supported HTTP methods and their input parameters.
The next important way to learn about an API is to look for its documentation. These documents help developers work with the API. To discover them on a website, we can use Burp Scanner or directory brute-forcing techniques. If we have identified an endpoint like /api/movie/horror, it is always recommended to check the parent paths like /api/movie, /api, etc. We can also use Burp Intruder to brute-force paths using a wordlist of common API endpoints.
After getting a basic understanding of APIs, let's now try to find API endpoints and exploit them using their documentation. We will use PortSwigger's lab to see this in action.

Exploiting an API endpoint using documentation

Let's read the lab description, where we are provided with our credentials. We must identify the exposed API documentation and delete a user from the application. We will need the Burp Suite Community edition to solve the lab.
After accessing the target web application, we are required to log in as the wiener user using our credentials on the /login page. Once logged in as wiener, we will find an email-change function on our profile. Let's change our email address to an arbitrary one. In Burp Suite, under HTTP history, we will find a PATCH request to /api/user/wiener, which we need to select and send to Repeater. In Repeater, remove the username (wiener) from the endpoint and send the request. We will receive an error because no username is given. Let's now send a GET request to the /api endpoint; the response contains the API documentation. We can click the Render tab under the Response section to view it. We will find other API endpoints that can perform various tasks.

1. GET api

To solve the lab, we have to delete a user from the application. We can see that a DELETE HTTP method is available for the /api/user/<username> endpoint, which should delete our target user. The documentation is interactive if we open it in our browser: right-click the request, select "Show response in browser", and copy and paste the URL into the browser. We can then click the DELETE row and enter the username carlos to delete the user.
We can also use Burp Suite to do the same. We have to make some changes to the request in Repeater: change the HTTP method to DELETE and send the request to /api/user/carlos. When we click the "Send" button, we will find that the user has been successfully deleted from the application.
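As an added, defender-side example that is not part of the original post, the following Python checker scans constructed access-log lines for the traffic patterns seen in both labs: OPTIONS method probing, a price change by an ordinary user, the documentation root being served, and a DELETE on another user's account. The log format, the field carrying the logged-in user, and the admin account name are assumptions.

```python
import re
from typing import Dict, List

# Constructed access-log lines in combined-log shape, with the remote-user
# field filled in by the application. They are sample data, not lab traffic.
SAMPLE_LOG = """\
10.0.0.5 - wiener [01/Jan/2024:10:00:01 +0000] "GET /api/products/1/price HTTP/1.1" 200 21
10.0.0.5 - wiener [01/Jan/2024:10:00:07 +0000] "OPTIONS /api/products/1/price HTTP/1.1" 204 0
10.0.0.5 - wiener [01/Jan/2024:10:00:15 +0000] "PATCH /api/products/1/price HTTP/1.1" 200 13
10.0.0.9 - wiener [01/Jan/2024:10:02:30 +0000] "GET /api HTTP/1.1" 200 2048
10.0.0.9 - wiener [01/Jan/2024:10:02:41 +0000] "DELETE /api/user/carlos HTTP/1.1" 200 0
10.0.0.9 - wiener [01/Jan/2024:10:03:00 +0000] "PATCH /api/user/wiener HTTP/1.1" 200 30
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
USER_RESOURCE_RE = re.compile(r"^/api/user/([^/]+)$")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
ADMIN_USERS = {"administrator"}  # assumed privileged accounts


def analyse(log: str, admins=ADMIN_USERS) -> List[Dict[str, str]]:
    """Return one finding per suspicious API request, in log order."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith("/api"):
            continue
        user, method, path, status = m["user"], m["method"], m["path"], int(m["status"])
        rule = None
        if method == "OPTIONS":
            rule = "method-enumeration"             # probing which verbs an endpoint accepts
        elif method == "GET" and path == "/api" and status == 200 and user not in admins:
            rule = "api-docs-served"                # documentation root reachable by ordinary users
        elif method in WRITE_METHODS and 200 <= status < 300 and user not in admins:
            target = USER_RESOURCE_RE.match(path)
            if target is None:
                rule = "unprivileged-state-change"  # e.g. PATCH on a product price
            elif target.group(1) != user:
                rule = "cross-account-write"        # e.g. DELETE on another user's account
        if rule:
            findings.append({"rule": rule, "user": user, "method": method, "path": path})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

A self-service PATCH to the caller's own /api/user/<username> record produces no finding, so the checker does not fire on the legitimate email change from the walkthrough.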

2. deleted user

So this is how we can identify API documentation and use it to exploit API-related vulnerabilities. Hence the lab is solved.

In this blog post, we have covered the basics of APIs and the vulnerability of exposed API documentation. You guys can explore our other PortSwigger blogs available on CyberiumX.

Happy Pentesting!
Team CyberiumX