API Bites, Episode 18 | Lockpicking
What does picking locks have to do with API security? Find out in today's episode of API Bites with Hacker in Residence Jason Kent.
You know, if you have the key, the API works the way that it's supposed to. But you can see that that key interfaces with a bunch of different things in this system in order to make this system work. I can copy this key and then you can use this key on this lock and you'll be able to get in, or I can use something that isn't the key and get in here. And that's how we test APIs. Basically, each one of these pins that's falling up and down is inside of a manmade system that has some little flaw in it, and the key interfaces with the system well. But in order to unlock this without the key, we're going to have to use something else. So what we're going to use is a lock pick. Now, it wouldn't be very fair to pick a lock that's completely clear, because you can see what's happening, and in API security you don't get to see what's happening. You get to send a request, you get back a response, then you got to make a change. So what I'm going to do is I'm going to take this little training lock here and I'm going to illustrate exactly what I'm talking about. So we can't tell where the pins are inside of this lock, but I can tell you that it works. I'm going to check to see - can someone exploit the tiny vulnerabilities that are inside of this in order to get it open? And the way I'm going to do that is I have a nice little lockpick set here. And the first thing I got to do is get out the pick that I want. There's a couple of decent options inside of here. As you know, you got to test in various ways. I need a tension wrench. And what the tension wrench is going to do is it's going to rotate the barrel of this lock, and it's going to allow for me to basically make the lock pay attention to what I'm doing. As I put input in, it's going to react to it. And so eventually I'll be able to find the right combination of things that I need to change when I'm doing my testing on this lock. Eventually the lock rotates.
So if I can feel around inside of here a little bit, I can see, Oh yeah, yeah, we need a x44 header or we need a different user agent here. Oh, look at that. I changed enough things. I manipulated this lock and I was able to get it open without using the key. It's an interesting thing, and I'm going to bring up a couple of examples in Burp that are going to allow for us to see exactly how we can do this from an API security standpoint. All right. So let's take a look at some examples of just messing around with an API that show you that it really is just like picking a lock. So here's a company called Fly.io, and don't think I found some big vulnerability or whatever. These guys have this up here for a reason. It's all part of a demo environment, but it makes a great environment for me to show you. So I opened up a page to Fly.io, and here you can see inside of Burp my request and the response that came from it. So what I want to do now is try to figure out, are there any other things that are interesting off this web page? Like, for instance, can I find an API endpoint that I might be interested in? There's a couple of different ways that I can do that. I can just simply go back to the browser and I can start playing with things right here in the browser, much like I would with that lock pick set. And I happen to know that they have an endpoint called API.fly.io, but you notice I got a 404 error here. That means I requested something that was almost right, but it isn't right. And the thing that I'm looking for just isn't there. I didn't generate a server error, I generated this error. What I'm going to see is, do they have a GraphQL endpoint that's available to me to look at? As I open this up, you're going to see that their GraphQL playground is going to launch.
You probably remember this from when I was talking about GraphQL in my other API Bites video, but this is how you can search through all these different things to try to find active endpoints and endpoints that mean something to you. You can also use something like Repeater in Burp. So I can just push this up here. I can say, Hey, I want to try to find that API endpoint, send, and I'm going to get my response back. I can then, you know, do things like add GraphQL on here. I can hit send and I'm going to get my response back. Now, obviously, this response is going to take a while because it gave me the entire GraphQL playground when I looked at it before. The response is difficult for this to render in Burp, but then I can always go back to the browser and take a look at it and see that it's there. I can do all of the different things that I need to do inside this playground. Looking for the GraphQL playground is probably a good idea for you. Knowing your attack surface is probably the first step in any program, but definitely in an API security program, you need to know what your attack surface looks like.
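As an added, defender-side example (not code from the episode, and not Fly.io's or Burp's): the probing Jason walks through, a run of near-miss 404s on API paths followed by a GET that is served the GraphQL playground page, leaves a recognisable trace in web server logs. This Python script runs over constructed sample log lines and flags clients enumerating API paths and any GET that was answered with a large GraphQL playground body; the path prefixes, the 10 kB size heuristic and the threshold are assumptions to tune for your own deployment.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /api HTTP/1.1" 404 152 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "GET /api/v1 HTTP/1.1" 404 152 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "GET /api/v2 HTTP/1.1" 404 152 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:06 +0000] "GET /graphql HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:01:00 +0000] "GET /pricing HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:01:02 +0000] "GET /favicon.ico HTTP/1.1" 404 152 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')

API_PREFIXES = ("/api", "/graphql", "/v1", "/v2")   # assumption: where your APIs live
PLAYGROUND_MIN_BYTES = 10_000  # assumption: a large 200 body on GET /graphql is the playground HTML

def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def analyse(log_text, probe_threshold=3):
    """Return (probing_clients, playground_hits).
    probing_clients: {ip: sorted distinct API-looking paths that returned 404}
    playground_hits: [(ip, path)] where a GET to a GraphQL path got 200 with a large body."""
    missed = defaultdict(set)
    playground = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        if rec["status"] == 404 and path.startswith(API_PREFIXES):
            missed[rec["ip"]].add(path)      # "almost right" requests, as in the episode
        if (rec["method"] == "GET" and path.rstrip("/").endswith("/graphql")
                and rec["status"] == 200 and rec["size"] >= PLAYGROUND_MIN_BYTES):
            playground.append((rec["ip"], path))  # playground page served to a plain GET
    probing = {ip: sorted(p) for ip, p in missed.items() if len(p) >= probe_threshold}
    return probing, playground
```

A playground hit on a production host is an inventory finding rather than an incident: it tells you that endpoint is part of your attack surface whether or not you knew about it.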