100 ways of API Hacking

Tags

100 ways of API Hacking

Below are 100 approaches for API hacking, categorized for better understanding. Each method delves into testing for security issues, misconfigurations, or vulnerabilities in APIs:

1–20: Authentication and Authorization Flaws

  1. Test for insecure direct object references (IDOR).
  2. Attempt brute-forcing API keys.
  3. Check for missing authentication headers.
  4. Bypass authentication via parameter manipulation.
  5. Use default credentials (e.g., admin:admin).
  6. Explore JWT misconfigurations (e.g., using none algorithm).
  7. Manipulate OAuth tokens (e.g., swapping aud or iss fields).
  8. Reuse expired or stolen tokens.
  9. Test rate-limiting flaws for account takeover.
  10. Enumerate users via API responses.
  11. Escalate privileges by altering roles or user IDs.
  12. Bypass 2FA mechanisms via API flaws.
  13. Exploit misconfigured CORS policies.
  14. Send requests from untrusted origins.
  15. Test HTTP Basic authentication for weaknesses.
  16. Use dictionary attacks on API endpoints with weak passwords.
  17. Check for weak session management (e.g., predictable tokens).
  18. Exploit token leakage via logs or error messages.
  19. Use APIs to bypass frontend restrictions.
  20. Bypass IP-based restrictions by using proxies.

21–40: Input Validation Flaws

  1. Test for SQL injection in parameters.
  2. Check for NoSQL injection vulnerabilities.
  3. Inject command injections via payloads.
  4. Test for XML External Entity (XXE) attacks.
  5. Exploit insecure deserialization vulnerabilities.
  6. Perform path traversal attacks (e.g., ../../etc/passwd).
  7. Use cross-site scripting (XSS) in JSON/XML responses.
  8. Try LDAP injections in user directory APIs.
  9. Manipulate graph queries (e.g., GraphQL injections).
  10. Send malformed JSON/XML payloads.
  11. Use oversized requests to test for DoS vulnerabilities.
  12. Inject unicode characters to bypass filters.
  13. Fuzz with unexpected inputs like negative numbers or long strings.
  14. Test for regular expression DoS (ReDoS) vulnerabilities.
  15. Send double-encoded payloads to bypass validation.
  16. Manipulate API queries with SQL wildcards.
  17. Inject JavaScript Object Notation Hijacking (JSON Hijacking).
  18. Test for HTTP parameter pollution.
  19. Experiment with incomplete request bodies.
  20. Use nested or recursive payloads to crash parsers.

41–60: Business Logic Testing

  1. Test for improper rate limits (e.g., brute force).
  2. Abuse API workflows for free or unauthorized access.
  3. Manipulate payment APIs to bypass charges.
  4. Exploit currency conversion discrepancies.
  5. Modify shipping calculations in e-commerce APIs.
  6. Bypass API rules for promo codes.
  7. Duplicate transaction requests to double-charge or refund.
  8. Exploit logical flaws in subscription APIs.
  9. Test state management flaws in multi-step processes.
  10. Exploit APIs to access internal admin functions.
  11. Use incomplete or delayed responses to probe data leakage.
  12. Attempt to modify immutable objects.
  13. Test for skipping steps in multi-stage workflows.
  14. Exploit sequence-breaking vulnerabilities.
  15. Abuse caching mechanisms to expose stale data.
  16. Attempt double-spending attacks via concurrent requests.
  17. Test for missing cleanup mechanisms in transaction APIs.
  18. Check for unintended rate-limited actions (e.g., skipping approvals).
  19. Abuse cross-tenant isolation issues in SaaS APIs.
  20. Manipulate timestamps to exploit time-dependent logic.

61–80: Misconfiguration Issues

  1. Exploit APIs with default configurations.
  2. Test for verbose error messages leaking sensitive info.
  3. Check for API debugging tools exposed in production.
  4. Look for unsecured admin endpoints.
  5. Scan for open API schemas (swagger.json, api-docs).
  6. Exploit unfiltered log outputs.
  7. Abuse hard-coded secrets in API code.
  8. Access unsecured database connections.
  9. Test for overly permissive access controls.
  10. Look for exposed APIs via search engines (e.g., Google Dorks).
  11. Test for weak or missing TLS configurations.
  12. Exploit insecure redirects in API responses.
  13. Abuse API versioning to access deprecated features.
  14. Check for unpatched software vulnerabilities.
  15. Enumerate hidden endpoints using robots.txt or sitemap.xml.
  16. Exploit HTTP method misconfigurations (e.g., PUT instead of GET).
  17. Abuse misconfigured rate limits to perform DoS.
  18. Scan for open debugging ports (e.g., gRPC APIs).
  19. Exploit APIs on default ports (e.g., 8080).
  20. Identify proxy misconfigurations leading to request tampering.

81–100: Advanced Techniques

  1. Exploit side-channel leaks (e.g., timing attacks).
  2. Perform subdomain takeovers to compromise API endpoints.
  3. Exploit API chaining to combine vulnerabilities.
  4. Test for unauthorized file uploads.
  5. Abuse GraphQL introspection to gather sensitive details.
  6. Exploit metadata endpoints on cloud services (e.g., AWS).
  7. Analyze mobile app traffic to find hidden APIs.
  8. Use reverse engineering tools to extract API keys.
  9. Test middleware vulnerabilities (e.g., API gateways).
  10. Intercept API traffic with MITM attacks.
  11. Perform SSTI attacks (Server-Side Template Injection).
  12. Exploit functionality exposed via third-party integrations.
  13. Abuse public API keys in repositories.
  14. Automate scans with Burp Suite or OWASP ZAP.
  15. Use fuzzing tools like FFUF or Atheris.
  16. Exploit delayed rate limits (e.g., per minute vs. per request).
  17. Perform JWT replay attacks.
  18. Inject API hooks into client applications.
  19. Use tools like Postman, Insomnia, or cURL for manual testing.
  20. Cross-reference APIs with CVE databases to find public exploits.

These methods cover a broad spectrum of API security testing. Always ensure you have proper legal authorization to test APIs to comply with ethical and legal boundaries.

LinkedIn Reddit