API Hacking 101
What are APIs?
Application Programming Interfaces (APIs) are a critical part of modern software. They allow different data sources and technologies to communicate with each other. For example, an app could integrate a weather API to display the local weather as a part of the app. Because these APIs carry data across companies, data sets, and more, they are exposed to many different security vulnerabilities. So how can we hack these APIs to find and patch vulnerabilities before bad actors do?
Types of APIs
There are two main types of APIs used in apps: REST APIs and SOAP APIs.
REST APIs are lighter and more flexible. They are stateless, meaning that the server keeps no client state between requests. However, they are cacheable, meaning that responses to previous calls can be stored and retrieved. They are also layered, meaning that the API is segmented into layers, so that a component only interacts with the layer next to it rather than with every other component.
SOAP APIs build on REST APIs. They use stricter security standards, including the use of SSL encryption. They are less frequently used than REST APIs.
API Hacking Techniques
So how do we hack these APIs? There are many ways:
Broken Object Level Authorization: trying to get information about a customer, user, or other private object without proper access
Broken User Authentication: trying to get the API to not properly validate user authentication
Excessive Data Exposure: trying to get the API to return more than the required data
Lack of Rate Limiting: trying to get the API to return information without any limit, until it exhausts its resources and crashes
Broken Function Level Authorization: trying to get the API to execute a different HTTP method than it was designed to for the task (ex: try a DELETE request instead of a POST request)
Mass Assignment: trying to edit properties of API parameters that the user should not be able to edit (ex: try to change an account wallet or a product title)
Injection: trying to use SQL injection, server-side request forgery, or other injection methods to leak data from the API
Improper Assets Management: trying to use an outdated version of the API
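Two of the items above, Broken Object Level Authorization and Mass Assignment, are easiest to see in code. The following is an added example, not code from the original post: a toy in-memory user API in which each vulnerable handler sits beside its hardened version. The data, the session model (the caller's id is passed in directly) and the "wallet" field are all constructed for the example.

```python
# Added example: a minimal user API with a BOLA-vulnerable reader and a
# mass-assignment-vulnerable updater, each beside a hardened handler.
# Assumption: the caller's id has already been authenticated upstream and is
# passed in as caller_id; USERS is constructed sample data.
from copy import deepcopy

USERS = {
    1: {"id": 1, "email": "alice@example.test", "wallet": 100, "role": "user"},
    2: {"id": 2, "email": "bob@example.test", "wallet": 25, "role": "user"},
}
EDITABLE_FIELDS = {"email"}  # the only fields a user may change on their own record


def fresh_store():
    """Return a copy of the sample data so each request starts from clean state."""
    return deepcopy(USERS)


def get_user_vulnerable(store, caller_id, target_id):
    """BOLA: trusts the id in the URL and never checks who is asking."""
    return store[target_id]


def get_user_hardened(store, caller_id, target_id):
    """Object-level check: a user may only read their own record."""
    if caller_id != target_id:
        return {"error": "forbidden", "status": 403}
    return store[target_id]


def update_user_vulnerable(store, caller_id, target_id, body):
    """Mass assignment: copies every key from the request body into the record,
    so a client can overwrite server-owned fields such as wallet or role."""
    store[target_id].update(body)
    return store[target_id]


def update_user_hardened(store, caller_id, target_id, body):
    """Re-check object-level authorization, then allowlist the writable fields
    and reject the request outright if it names anything else."""
    if caller_id != target_id:
        return {"error": "forbidden", "status": 403}
    rejected = set(body) - EDITABLE_FIELDS
    if rejected:
        return {"error": f"unexpected fields: {sorted(rejected)}", "status": 400}
    store[target_id].update(body)
    return store[target_id]
```

Rejecting unknown fields (rather than silently dropping them) also gives the API a clear log signal when a client sends a field it should never send.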
Overall, API hacking is an extremely interesting area of ethical hacking that is often overlooked. I hope you learned more about API security.
If you want to learn more, check out the OWASP Top 10 API vulnerabilities at https://owasp.org/www-project-api-security/ and the APISec University at https://www.apisecuniversity.com/
Megan Howell (CyberQueenMeg) is a cybersecurity student at Grand Canyon University and an Offensive Security Intern at Cisco Systems. She is a bug bounty hunter, has been featured in Forbes Magazine for her work in AI bias hunting, is an open source contributor to programs like BeEF and BlackArch Linux, a former DefCon speaker, a SkillsUSA Cybersecurity national competitor, a National Cyber Scholar, and a CyberPatriot competitor. You can find her social media profiles at linktr.ee/cyberqueenmeg.
DISCLAIMER
The information presented above can be used for both beneficial and malicious purposes. I do not condone or endorse the use of this information for malicious purposes and will fully support the prosecution of those who use the information presented above in a manner that violates the law. You are only authorized to utilize this information on your own systems or on systems you are explicitly authorized to penetration test or perform bug bounties on. If you use this exploit in a malicious manner, you will be charged and prosecuted to the full extent of the laws surrounding unethical hacking and cyber crime.