Bad API, hAPI Hackers!

Transcript

1. Bad API, hAPI hackers! By Jasmin Landry @JR0ch17

2. $ whoami

3. $ crontab

4. Methodology Where do I start? Create your own methodology 1.

   Recon 2. Look for “technical” bugs (RCE, SQLi, XXE, XSS, etc) 3. Look for “logical” bugs (IDOR, Priv Esc, Info Leak, etc) Important to follow so you test everything possible

5. $ cat black_box.txt

6. $ cat white_box.txt

7. $ cat info_gathering. txt

8. $ cat info_gathering. txt | more Scanning with Burp often

   generates error messages 1. Send the request to Intruder 2. Add positions to scan 3. Right click 4. Select Scan defined insertion points

9. $ cat technical_bugs. txt | grep RCE RCE can sometimes

   be achieved with: • SSTI • File upload? ({“fileName”:”test.png”, “fileContent” :”data:image/png;base64,…”) can also lead to XXE or Stored XSS

10. $ cat technical_bugs. txt | grep XXE Some more file

    uploads … XXE J

11. $ cat technical_bugs. txt | grep SQLi

12. $ cat technical_bugs. txt | grep SQLi | more CVE-2014-6577

13. $ cat logical_bugs.txt | grep IDOR

14. $ cat logical_bugs.txt | grep IDOR | more GET /api/something/name/somethingelse/customer/profile/:anotherid?profileT

    ype=Something HTTP/1.1

15. $ cat logical_bugs.txt | grep ”Priv Esc”

16. $ cat logical_bugs.txt | grep ”Priv Esc” 1. Identified an

    interesting endpoint that was documented in a .js file 2. No Authorization header was needed 3. Created the request 4. Win!

17. $ cat bug_chains.txt IDOR #1 Info Leak #1 Able to

    view other users’ email address IDOR #2 Info Leak #2 Using the email leaked in Info leak #1, I could get the profile’s UUID. GET GET IDOR #3 PUT Using the UUID leaked in Info Leak #2, I could change the profile’s email address Password Reset • Text Message to phone number L • Send email verification link (boring) • Answer security question ATO POST

18. $ cat bug_chains.txt | more ID from IDOR #1

19. $ cat thank_you.txt @JR0ch17