API ANALYSIS

In Web Application Security, analyzing APIs is crucial to understanding the structure and potential vulnerabilities of a web application. Discovering and examining API endpoints, whether through brute force attacks, manual search, or logical analysis, provides insights into the purpose and function of each exposed API. By determining the protocol used (REST or SOAP), analyzing network requests, and testing different HTTP verbs, security professionals can gain a comprehensive view of the API landscape within the application and identify potential security risks and countermeasures. This process is essential for enhancing the overall security posture of modern web applications.

• API analysis
• web application security
• REST
• SOAP
• HTTP verbs

seid_teo Follow

Uploaded on Feb 15, 2025 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

Presentation Transcript

1. API ANALYSIS Based on the book Web Application Security: Exploitation and Countermeasures for Modern Web Applications by Andrew Hoffman (2020)

2. WHAT AND WHY? In addition to its main domain, a web application may have several subdomains. Each of the subdomains of an web application may have its own unique API endpoints. Finding APIs is the second step in learning about the structure of a web application following discovery of subdomains. This step will provide us with the information we need to begin understanding the purpose of an exposed API. When we understand why an API is exposed over the network, we can then begin to see how it fits into an application and what its business purpose is. 2

3. HOW? To discover API endpoints: Brute force or dictionary attacks Manual search Logical analysis Recall: Typically, APIs will either follow a REST format or a SOAP format. REST is becoming much more popular, and is considered to be the ideal structure for modern web application APIs today To determine the protocol, use the browser s developer tools to view and analyze the network requests sent from the browser to the server. 3

4. HOW? (CONT.) - TO ANALYZE THE NETWORK REQUESTS Step 1: Determine the API (REST or SOAP or something else). a) Read the requests. Sample requests: GET api.mega-bank.com/users/1234 GET api.mega-bank.com/users/1234/payments POST api.mega-bank.com/users/1234/payments The above requests reveal that it is a REST API, because each endpoint specifies a particular resource (rather than a function as in SOAP). b) Analyze the headers of each request. c) Analyze the cookies. Step 2: Make logical hypotheses regarding available endpoints (for that API). (next page) 4

5. Each API supports a set of functions/verbs. Step 3: Attempt to make requests to those resources using different HTTP verbs and see if the API returns anything interesting. 5

6. USING A BRUTE FORCE ATTACK TO DETERMINE ACCEPTED HTTP VERBS Step 1: Expand a request to include all possible verbs. Step 2: Use a script to test each of the requests. 6

7. USING A BRUTE FORCE ATTACK TO DETERMINE ACCEPTED HTTP VERBS (CONT.) 7

8. 8

9. TO DETERMINE THE PAYLOAD SHAPE FOR AN API ENDPOINT The easiest way is to analyze the structure of known requests being sent via the browser. Beyond that we must make educated guesses about the shape required for the API endpoint and test them manually. Common endpoints that can be found on nearly every application: sign in, sign up, password reset, etc. These often take a similarly shaped payload to that of other apps, since authentication is usually designed based on a standardized scheme. 9

10. AUTHENTICATION APIS Many modern applications send authentication tokens with every request. This means if we can reverse engineer the type of authentication used and understand how the token is being attached to requests, it will be easier to analyze other API endpoints that rely on an authenticated user token. 10

11. AUTHENTICATION APIS (CONT.) - - HTTP Basic authentication The string am9lOjEyMzQ= is a base64-encoded username:password string. NOTE: Basic authentication is not secure, and is typically only used on web applications that enforce SSL/TLS traffic encryption. 11

12. DETERMINING THE ENDPOINT SHAPES After locating a number of subdomains and the HTTP APIs contained within those subdomains, you should begin determining the HTTP verbs used per resource and adding the results of that investigation to your web application map. NEXT: What type of payload any given API expects? Common Shapes (of payloads): Many APIs expect payload shapes that are common in the industry. For example, an authorization endpoint that is set up as part of an OAuth 2.0 flow may expect the following data: 12

13. DETERMINING THE ENDPOINT SHAPES (CONT.) The naming conventions and list of scopes in an OAuth 2.0 authorization endpoint may differ slightly from implementation to implementation, but the overall payload shape should not. An example of an OAuth 2.0 authorization endpoint can be found in the Discord (instant messaging) public documentation. 13

14. DETERMINING THE ENDPOINT SHAPES (CONT.) Facebook s public documentation for OAuth 2.0 NOTE: While many APIs implement common specifications like OAuth, they will often not use a common specification for their internal APIs that are responsible for initiating application logic. 14

15. APPLICATION-SPECIFIC SHAPES Application-specific shapes are much harder to determine than those that are based on public specifications. To determine the shape of a payload expected by an API endpoint, you may need to rely on a number of recon techniques and slowly learn about the endpoint by trial and error. Insecure applications may give you hints in the form of HTTP error messages. More secure applications will probably just throw a generic error. If you know the name of a variable expected in the payload, but not a value, then you may be able to brute force the request by repeating it with variations until one sticks. 15

16. SUMMARY After developing a mental model (ideally also recorded in some form) of the subdomains that power an application, the next step is to find the API endpoints hosted on those subdomains so that you can try to determine their purpose later. Finding endpoints on an API is one step toward understanding the purpose and function of the API. Once you have found and documented a number of API endpoints, then determining the shape of the payloads that endpoint takes is the next logical step. 16