
ESPRESSO FRIDAYS

How to Hack APIs (responsibly)

Published 20 days ago • 2 min read

Hi!

Today I want to share a security research flow.

Disclaimer: I am not a security expert. Disclaimer II: every story and example shown here was produced with either

  1. Prior consent
  2. My own systems
  3. As part of a VDP (vulnerability disclosure)

The WHAT

For the next magic trick you’re going to need:

  - A browser
  - A proxy
  - A pair of eyes

Easy, right?

I’m assuming most readers have at least two of the three, but have never made them work together to get an insight into how their browser interacts with the internet.

The process is simple: you configure the browser to run everything through a proxy (exact tools will follow), including encrypted communication, for which you’ll need the browser to trust the proxy’s certificate. You set the proxy to intercept and hold every request and every response for inspection, and you, the traffic warden, decide whether each one is dropped or forwarded on to the client or the backend system.

This setup alone will give you a clear picture of which systems the browser is speaking to, and of the reports, metrics, analytics and ads that flow in and out during ordinary browser use.

“But what has this got to do with hacking?”

Well, everything!

In 2021 (remember Covid?), I found a vulnerability in one of the airport’s systems that was charging for Covid tests. The “hack” was simple: I captured incoming and outgoing requests from the payments system, just to find that the entity deciding how much the user pays was, well, the user… Yep, the number sent from the client to the backend was what was eventually sent as the price to pay. I wrote more about it here.

You wouldn’t believe how many systems have this specific bug, but it is a relatively simple one.

When you start seriously monitoring incoming and outgoing requests to and from certain systems you’ll discover many, many more similar mistakes. A famous one is a JSON field that sets the role of the user interacting with the API; changing it from user to admin is all it takes to tell the system you’re its administrator.

Another one I’ve seen recently is an object returned to the client in which the backend tells the client whether it has to enter credit card details in order to book an appointment. Simply catching the response on the fly and changing true to false was all it took to bypass the feature.
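The three bugs above (client-supplied price, client-supplied role, and a client-side “requires card” flag) all come down to the backend trusting fields the client should never get to decide. The following is an added example, not code from the newsletter or from any of the systems it mentions: a deliberately vulnerable booking handler beside a hardened one, run against a constructed request body of the kind you would see after editing it in an intercepting proxy. The product ids, prices, session table and field names are all invented for the example.

```python
import json
from dataclasses import dataclass

# Constructed server-side data that the hardened handler treats as authoritative.
PRICE_LIST = {"covid-pcr": 12500}                     # price in cents, keyed by product id
SESSIONS = {"sess-abc": {"user_id": 42, "role": "user"}}
CARD_ON_FILE = {42: False}                            # user 42 has no saved card
ALLOWED_FIELDS = {"product"}                          # the only field the client may decide


@dataclass
class Booking:
    charged: int        # cents actually charged
    role: str           # role the handler believes the caller has
    requires_card: bool # whether the card-entry step is enforced


def vulnerable_book(body: str, session_id: str) -> Booking:
    """Trusts every field the client sent: the pattern described in the post."""
    req = json.loads(body)
    return Booking(
        charged=int(req["price"]),                            # price decided by the client
        role=req.get("role", "user"),                         # role decided by the client
        requires_card=bool(req.get("requires_card", True)),   # flag decided by the client
    )


def hardened_book(body: str, session_id: str) -> Booking:
    """Takes only a product id from the client; price, role and card state come from the server."""
    req = json.loads(body)
    session = SESSIONS.get(session_id)
    if session is None:
        raise PermissionError("unknown session")
    product = req.get("product")
    if product not in PRICE_LIST:
        raise ValueError("unknown product")
    # Every other field in the body is ignored, whatever value it carries.
    return Booking(
        charged=PRICE_LIST[product],
        role=session["role"],
        requires_card=not CARD_ON_FILE[session["user_id"]],
    )


def unexpected_fields(body: str) -> list:
    """Fields the client sent that the server never reads.

    Worth logging on the server side: a request carrying 'price' or 'role' where
    only 'product' is expected is a strong sign the body was hand-edited.
    """
    return sorted(set(json.loads(body)) - ALLOWED_FIELDS)


# Constructed tampered request, as it might look after editing in a proxy:
# price dropped to 1 cent, role raised to admin, card step switched off.
TAMPERED = json.dumps(
    {"product": "covid-pcr", "price": 1, "role": "admin", "requires_card": False}
)


def compare(body: str = TAMPERED, session_id: str = "sess-abc"):
    """Run both handlers on the same body so the difference is visible side by side."""
    return vulnerable_book(body, session_id), hardened_book(body, session_id)


if __name__ == "__main__":
    v, h = compare()
    print("vulnerable:", v)
    print("hardened:  ", h)
    print("fields the server should not have received:", unexpected_fields(TAMPERED))
```

The point of the hardened version is not input validation on the price field; it is that the price field does not exist as far as the server is concerned. Anything the backend can derive itself (price from a catalogue, role from the session, card status from its own records) it should derive itself, and the extra keys in the body become a detection signal rather than an input.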


The HOW

Enough stories, let’s see how it’s done:

  1. Any browser with a proxy plugin will do. I run Firefox with FoxyProxy
  2. The proxy I use is PortSwigger’s Burp. This is an amazing security research tool, which has a ton of plugins and additional premium features if you’re into this kind of thing
  3. To have Firefox trust Burp with HTTPS traffic you’ll want to download Burp’s certificate and install it in Firefox; here are the instructions to do that
  4. Lastly, open the Proxy tab in Burp and make sure there are rules for request interception as well as response interception (the latter is not activated by default)
  5. That’s it. Go back to the Proxy tab and, under Intercept, make sure “Intercept is on”
  6. Start working against your own API; if you don’t have anything to test on you may find this repo useful
  7. Monitor incoming and outgoing traffic. Focus only on the requests that interact with the domain you’re targeting and drop the rest. Look for the numbers you can manipulate and the booleans that can be changed, and see whether you find any gems…

Thank you for reading!

If you found any issues / mistakes, or just want to share feedback or your own stories, feel free to respond to this email!
