Sahil Saini

Exploiting API Vulnerabilities: A No-fluff Manual for Pentesters

by

sahil
in ,

APIs are the backbone of modern applications, but they’re also a goldmine for attackers. As someone who’s spent years breaking into systems (ethically, of course), I’ve seen APIs go from being an afterthought to a primary attack vector. In this guide, we’ll dive into common API vulnerabilities, explore multiple ways to exploit them, and provide real-world examples. Let’s get started!

API Vulnerabilities:

1. Broken Object Level Authorization (BOLA)

What it is: Manipulating the object IDs to access unauthorized data.
How to exploit it:

  • Tamper with object IDs: Change /api/users/123 to /api/users/124 to access another user’s data.
  • Chain with JWT manipulation: Decode the JWT token and modify the user_id field to escalate privileges.
  • Use GraphQL introspection: Discover hidden object IDs and relationships using tools like GraphQLmap.
  • Exploit batch endpoints: If an API allows batch operations, manipulate multiple object IDs in a single request.

Examples:

  1. A banking API allows accessing another user’s account by changing the account ID in the URL.
  2. An e-commerce API exposes order details by tampering with the order_id parameter.

How to fix it: Implement proper authorization checks and use UUIDs instead of sequential IDs.

2. Excessive Data Exposure

What it is: APIs return more data than needed, exposing sensitive information.
How to exploit it:

  • Analyze API responses: Look for hidden fields or debug information in the response.
  • Abuse verbose error messages: Trigger an error and inspect the response for stack traces or database dumps.
  • Use fuzzing: Discover hidden fields by fuzzing API endpoints with tools like ffuf or wfuzz.
  • Exploit GraphQL queries: Craft overly complex queries to extract excessive data.

Examples:

  1. A healthcare API returns a patient’s full medical history, including sensitive fields like SSN and diagnosis.
  2. A social media API exposes hidden fields like email_verified or phone_number in user profiles.

How to fix it: Filter responses to return only the data required by the client.

3. Mass Assignment

What it is: Manipulate the API requests to modify fields we shouldn’t have access to.
How to exploit it:

  • Add unexpected fields: Include fields like "is_admin": true in the request body.
  • Exploit nested objects: Add nested fields like "profile": { "role": "admin" } to escalate privileges.
  • Use Swagger/OpenAPI docs: Discover undocumented fields and endpoints using tools like Swagger-EZ.
  • Abuse batch updates: Manipulate multiple fields in a single request to bypass validation.

Examples:

  1. A user registration API allows setting "role": "admin" in the request body.
  2. An e-commerce API allows updating product prices by adding a "price": 0 field to the request.

How to fix it: Use whitelists for allowed fields and validate input rigorously.

4. Security Misconfiguration

What it is: Poorly configured APIs expose sensitive data or functionality.
How to exploit it:

  • Check for default credentials: Use tools like Nmap or Shodan to discover misconfigured APIs.
  • Exploit open endpoints: Access endpoints like /debug or /admin that shouldn’t be publicly accessible.
  • Abuse CORS misconfigurations: Perform cross-origin attacks using tools like CORS Misconfiguration Tester.
  • Exploit caching headers: Retrieve sensitive data from shared caches by abusing misconfigured caching headers.

Examples:

  1. An API exposes a /debug endpoint that leaks database credentials.
  2. A misconfigured CORS policy allows attackers to steal user data from another domain.

How to fix it: Disable unnecessary endpoints, use strong authentication, and sanitize error messages.

5. Injection Vulnerabilities

What it is: Attackers inject malicious input (e.g., SQL, NoSQL, or command injection).
How to exploit it:

  • SQL injection: Use payloads like ' OR 1=1 -- to bypass authentication or extract data.
  • NoSQL injection: Exploit MongoDB or other NoSQL databases with payloads like {"$ne": ""}.
  • Command injection: Inject OS commands into API inputs (e.g., ; rm -rf /).
  • SSRF: Exploit APIs that fetch external resources by injecting malicious URLs.

Examples:

  1. An API query parameter is vulnerable to SQL injection: /api/users?id=1' OR 1=1 --.
  2. A NoSQL API allows bypassing authentication with the payload {"username": {"$ne": ""}, "password": {"$ne": ""}}.

How to fix it: Use parameterized queries and input validation.

6. Rate Limiting and DDoS

What it is: APIs without rate limits are vulnerable to brute force attacks or DDoS.
How to exploit it:

  • Flood the API: Use tools like JMeter or Locust to send a high volume of requests.
  • Exploit expensive operations: Target endpoints that perform resource-intensive tasks (e.g., file uploads).
  • Abuse WebSocket APIs: Bypass traditional rate limits by flooding WebSocket connections.
  • Chain with authentication flaws: Combine rate limit abuse with weak authentication to brute force credentials.

Examples:

  1. An API allows unlimited login attempts, enabling brute force attacks.
  2. A file upload API crashes when flooded with large files.

How to fix it: Implement rate limiting and monitor traffic for anomalies.

7. Insecure Direct Object References (IDOR)

What it is: Manipulating references to access unauthorized resources.
How to exploit it:

  • Tamper with object IDs: Change /api/files/123 to /api/files/456 to access another user’s files.
  • Decode hashes or encoded IDs: Reverse-engineer object references to discover valid IDs.
  • Exploit GraphQL batch queries: Use batch operations to access multiple resources in a single request.
  • Chain with other vulnerabilities: Combine IDOR with BOLA or mass assignment for greater impact.

Examples:

  1. An API allows accessing another user’s files by changing the file ID.
  2. A healthcare API exposes patient records by tampering with encoded IDs.

How to fix it: Validate user permissions for every resource access.

8. Lack of Resource and Rate Limiting

What it is: APIs allow excessive resource consumption, leading to performance issues or abuse.
How to exploit it:

  • Send large payloads: Overwhelm the API with large JSON or XML payloads.
  • Exploit recursive queries: Send deeply nested queries to crash the server.
  • Abuse GraphQL batching: Use batch queries to overload the API with requests.
  • Target expensive endpoints: Exploit endpoints that perform complex calculations or database queries.

Examples:

  1. An API allows fetching 10,000 records in a single request, causing a server crash.
  2. A GraphQL API crashes when flooded with batch queries.

How to fix it: Implement pagination, query limits, and resource monitoring.

Conclusion

APIs are powerful but often vulnerable. By understanding and exploiting these vulnerabilities—using a mix of well-known and lesser-known techniques—you can help organizations build more secure systems. Remember, the goal isn’t just to break things; it’s to make them stronger.

TL;DR?

  • BOLA: Tamper with object IDs, chain with JWT, or use GraphQL introspection.
  • Excessive Data Exposure: Abuse verbose errors, fuzz endpoints, or exploit GraphQL queries.
  • Mass Assignment: Add unexpected fields, exploit nested objects, or abuse Swagger docs.
  • Security Misconfiguration: Exploit open endpoints, CORS misconfigurations, or caching headers.
  • Injection Vulnerabilities: Use SQL, NoSQL, command injection, or SSRF.
  • Rate Limiting and DDoS: Flood APIs, exploit WebSocket connections, or target expensive operations.
  • IDOR: Tamper with object IDs, decode hashes, or exploit GraphQL batch queries.
  • Resource Limiting: Send large payloads, exploit recursive queries, or abuse GraphQL batching.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *