Necessity

Front-end/back-end separation has become a major trend in web development. It can be implemented cleanly with Tomcat + Nginx (sometimes with a Node.js layer in between). Separating the two also lays the foundation for later large-scale distributed, elastic-computing and microservice architectures, and for serving many kinds of terminal (browsers, in-vehicle systems, Android, iOS, etc.). In such a design the API carries all front-end/back-end communication, so API security is worth studying in its own right.

This article summarizes some common attack surfaces in APIs. The author is still learning this area; if there are any mistakes, I hope you will correct them.

Common API technologies

GraphQL

GraphQL is a query language for APIs.

It can usually be recognized by the following characteristics:

(1) Requests are sent to a /graphql endpoint.

(2) The body contains many escaped newline characters (\n), because the query text is embedded in a JSON string. A typical introspection request looks like this:

{"query":"\n query IntrospectionQuery {\n __schema {\n queryType { name }\n mutationType { name }\n subscriptionType { name }\n types {\n ...FullType\n }\n directives {\n name\n description\n locations\n args {\n ...InputValue\n }\n }\n }\n }\n fragment FullType on __Type {\n kind\n name\n description\n fields(includeDeprecated: true) {\n name\n description\n args {\n ...InputValue\n }\n type {\n ...TypeRef\n }\n isDeprecated\n deprecationReason\n }\n inputFields {\n ...InputValue\n }\n interfaces {\n ...TypeRef\n }\n enumValues(includeDeprecated: true) {\n name\n description\n isDeprecated\n deprecationReason\n }\n possibleTypes {\n ...TypeRef\n }\n }\n fragment InputValue on __InputValue {\n name\n description\n type { ...TypeRef }\n defaultValue\n }\n fragment TypeRef on __Type {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n }\n }\n }\n }\n }\n }\n }\n }\n ","variables":null}

SOAP-WSDL

WSDL (Web Services Description Language) is an XML application. It describes a web service as a set of service access points (endpoints) through which clients can reach document-oriented or procedure-oriented operations. Such services use the SOAP protocol, so requests and responses carry XML, and a WSDL file describing the service is usually published alongside it.

The .asmx web services common in .NET also expose their WSDL, typically at xxx.asmx?wsdl

SoapUI can be used to test this kind of API.

WADL

A WADL file is easy to recognize: it is an XML document whose root element is <application>, and the WADL namespace appears right at the top of the file.

SoapUI's REST project function can also be used to test it.

REST

REST APIs are not as easy to fingerprint as the previous types, and REST is also the most widely used API style today.

REST is a set of architectural constraints, not a protocol or a standard, so API developers can implement it in various ways.

When a client requests a resource through a RESTful API, the server transfers a representation of that resource's state to the requester. The representation is carried over HTTP, most often as JSON and sometimes as XML, HTML or plain text. JSON is by far the most common; although the name stands for "JavaScript Object Notation", it is language-independent and readable by both humans and machines.

Headers and parameters matter as much as the HTTP method in RESTful requests, because they carry the request metadata: authorization, the resource identifier (URI), caching directives and cookies. Both request and response headers exist, and the response additionally carries an HTTP status code.

How to get endpoints

In API security testing we usually focus on authorization problems, security issues in individual API endpoints, and the infrastructure around the API.

To test the endpoints, you must first collect as many API endpoints as possible.

swagger api-docs leak

Swagger is a standardized framework for generating, describing, calling and visualizing RESTful web services.

Common fingerprints:

# swagger 2
/swagger-ui.html
/api-docs
/v2/api-docs

# swagger 3
/swagger-ui/index.html
/api-docs
/v2/api-docs
/v3/api-docs

The api-docs document reveals every endpoint, its methods and its parameters.
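Once an api-docs document has been obtained, the first thing a tester wants is a flat list of method + URL + parameters, with the operations that declare no security requirement at the top of the list. The following script is an added example for this article (it is not code from Swagger, swagger-editor or APIKit); it handles both the Swagger 2 shape (host/basePath/schemes) and the OpenAPI 3 shape (servers), and the sample document it parses is constructed inline with invented paths.

```python
"""Enumerate endpoints from a leaked Swagger 2 / OpenAPI 3 api-docs document.

Added example for this article (not from the tools it mentions). Operations
whose effective security list is empty are flagged: they are the first
candidates for unauthenticated-access testing.
"""
import json

HTTP_METHODS = ("get", "post", "put", "patch", "delete", "head", "options")

# Constructed sample: a trimmed OpenAPI 3 document of the kind served at /v3/api-docs.
SAMPLE_API_DOCS = json.dumps({
    "openapi": "3.0.1",
    "servers": [{"url": "https://api.example.test/v1"}],
    "security": [{"bearerAuth": []}],          # global requirement
    "paths": {
        "/users/{id}": {
            "get": {"operationId": "getUser",
                    "parameters": [{"name": "id", "in": "path", "required": True}]},
            "delete": {"operationId": "deleteUser",
                       "parameters": [{"name": "id", "in": "path", "required": True}]},
        },
        "/internal/export": {
            "post": {"operationId": "exportAll", "security": []},   # opts out of auth
        },
        "/health": {"get": {"operationId": "health", "security": []}},
    },
})


def base_url(doc):
    """Base URL from OpenAPI 3 'servers', or Swagger 2 schemes/host/basePath."""
    if doc.get("servers"):
        return doc["servers"][0]["url"].rstrip("/")
    scheme = (doc.get("schemes") or ["https"])[0]
    return f"{scheme}://{doc.get('host', '')}{doc.get('basePath', '')}".rstrip("/")


def enumerate_endpoints(api_docs_text):
    """Parse api-docs JSON into endpoint records.

    Each record: {"method", "url", "operationId", "params", "unauthenticated"}.
    'unauthenticated' is True when the operation's effective security list is
    empty: either an operation-level 'security: []' or no global requirement.
    """
    doc = json.loads(api_docs_text)
    root = base_url(doc)
    global_security = doc.get("security", [])
    found = []
    for path, item in doc.get("paths", {}).items():
        shared_params = item.get("parameters", [])       # path-level parameters
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            params = [p["name"] for p in shared_params + op.get("parameters", [])]
            security = op.get("security", global_security)
            found.append({
                "method": method.upper(),
                "url": root + path,
                "operationId": op.get("operationId", ""),
                "params": params,
                "unauthenticated": len(security) == 0,
            })
    return found


def unauthenticated_endpoints(api_docs_text):
    """Only the operations that, on paper, need no credentials."""
    return [e for e in enumerate_endpoints(api_docs_text) if e["unauthenticated"]]


if __name__ == "__main__":
    for e in enumerate_endpoints(SAMPLE_API_DOCS):
        flag = "NO-AUTH" if e["unauthenticated"] else "auth"
        print(f"{e['method']:6} {e['url']:45} {flag:7} params={e['params']}")
```

Feed it the raw body of /v2/api-docs or /v3/api-docs instead of SAMPLE_API_DOCS; a "security: []" on an operation is a documented opt-out and is worth confirming against the live service, since the document describes intent, not what the gateway actually enforces.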

Here are two tools for working with such documents.

The first is swagger-editor:

https://github.com/swagger-api/swagger-editor

After downloading, open index.html. You can import a file or load a URL remotely; api-docs in both JSON and YAML formats are supported.

The second is APIKit, a Burp plugin:

https://github.com/API-Security/APIKit

GraphQL introspection query

Introspection returns the whole schema, i.e. every operation (endpoint) together with its argument and return types.

https://mp.weixin.qq.com/s/gp2jGrLPllsh5xn7vn9BwQ

POST the IntrospectionQuery shown in the GraphQL section above to the /graphql endpoint with Content-Type: application/json.

We can use graphdoc to turn the result into interface documentation:

https://github.com/2fd/graphdoc

It needs Node.js. test.json is the JSON returned by the introspection query:

npm install -g @2fd/graphdoc

graphdoc -s ./test.json -o ./doc/schema

Then open the index.html generated in the output directory.

Finally, construct requests according to the documented schema.
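For enumeration you do not need the full IntrospectionQuery or graphdoc; a reduced query that asks only for the root operation types and each type's fields and arguments is enough. The script below is an added example for this article (not graphdoc's code): it builds that request body and walks a response shaped like a real __schema to list every Query and Mutation field with its argument and return types, which is exactly what is needed to construct follow-up requests. The sample response is constructed inline with invented types.

```python
"""Build a reduced introspection request and list operations from the response.

Added example for this article (not graphdoc's code). The query below asks
only for what endpoint enumeration needs; the response walker renders TypeRefs
(NON_NULL / LIST wrappers) the way a schema prints them, e.g. [User]!.
"""
import json

# Reduced query: root operation types plus every type's fields and arguments.
INTROSPECTION_QUERY = """
query {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      name
      fields {
        name
        args { name type { kind name ofType { kind name ofType { kind name } } } }
        type { kind name ofType { kind name ofType { kind name } } }
      }
    }
  }
}
"""


def introspection_request():
    """JSON body to POST to /graphql (Content-Type: application/json)."""
    return json.dumps({"query": INTROSPECTION_QUERY, "variables": None})


def type_name(t):
    """Render a TypeRef as schema notation: NON_NULL adds '!', LIST adds [ ]."""
    if t is None:
        return "?"
    if t["kind"] == "NON_NULL":
        return type_name(t.get("ofType")) + "!"
    if t["kind"] == "LIST":
        return "[" + type_name(t.get("ofType")) + "]"
    return t["name"]


def list_operations(response_text):
    """Return [(operation, field, [(arg, type)], return_type)] for Query and Mutation."""
    schema = json.loads(response_text)["data"]["__schema"]
    types_by_name = {t["name"]: t for t in schema["types"]}
    ops = []
    for op in ("queryType", "mutationType"):
        root = schema.get(op)
        if not root:                       # schema may have no mutations
            continue
        for field in types_by_name[root["name"]].get("fields") or []:
            args = [(a["name"], type_name(a["type"])) for a in field.get("args", [])]
            ops.append((op.replace("Type", ""), field["name"], args, type_name(field["type"])))
    return ops


# Constructed sample response: shaped like a real one, with invented types.
SAMPLE_RESPONSE = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "fields": [
            {"name": "user",
             "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": None,
                                                "ofType": {"kind": "SCALAR", "name": "ID"}}}],
             "type": {"kind": "OBJECT", "name": "User"}},
            {"name": "users", "args": [],
             "type": {"kind": "LIST", "name": None,
                      "ofType": {"kind": "OBJECT", "name": "User"}}},
        ]},
        {"name": "Mutation", "fields": [
            {"name": "deleteUser",
             "args": [{"name": "id", "type": {"kind": "SCALAR", "name": "ID"}}],
             "type": {"kind": "SCALAR", "name": "Boolean"}},
        ]},
        {"name": "User", "fields": [
            {"name": "id", "args": [], "type": {"kind": "SCALAR", "name": "ID"}}]},
    ],
}}})


if __name__ == "__main__":
    for op, field, args, ret in list_operations(SAMPLE_RESPONSE):
        argstr = ", ".join(f"{n}: {t}" for n, t in args)
        print(f"{op:8} {field}({argstr}) -> {ret}")
```

If the endpoint answers with an error mentioning __schema or introspection being disabled, the server has turned introspection off; the other discovery sources listed later (JS files, client apps, fuzzing) then become the main route.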

Other sources

A big problem in black-box testing is that the API endpoints are never fully enumerated, so we also have to look for them in the corresponding client applications and elsewhere.

(1) Web: static resources such as JS and HTML files contain API paths. The Burp plugin JS Link Finder collects them passively.

(2) Apps and other client applications.

(3) GitHub.

(4) Fuzzing paths that follow the naming pattern of the endpoints already found.

Authorization Method

Basic Auth

The user's username and password are supplied on every API request.

They usually appear in an Authorization header in the HTTP packet:

Authorization: Basic base64(username:password)

This offers little security on its own (the credentials travel with every request, and base64 is an encoding, not encryption), so it is rarely used now.

JWT

JWT (JSON Web Token) is a token-based authentication and authorization mechanism.

A token is divided into three parts:

Header: describes the metadata of the JWT, i.e. the signature algorithm and the token type.
Payload: carries the claims (data) that need to be passed.
Signature: computed by the server with the algorithm named in the header (HMAC-SHA256 by default) so that the JWT cannot be tampered with. It is calculated as:

signature = HMAC-SHA256(base64url(header) + "." + base64url(payload), secret)

Online test: https://jwt.io/

An ordinary session token requires the backend to store the mapping between token and user; a JWT carries that mapping itself, so the server can validate it statelessly.
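The three-part structure and the signature formula above are small enough to implement by hand, which is also the quickest way to see where tokens go wrong. The block below is an added example for this article (not jwt.io's code): it signs an HS256 token with the standard library only and verifies it by recomputing the signature over the exact header.payload bytes received, comparing in constant time, pinning the expected algorithm rather than trusting the header's alg field, and checking exp. The secret and claims are constructed for the demonstration.

```python
"""Build and verify an HS256 JWT by hand (added example, standard library only).

sign_hs256 produces header.payload.signature; verify_hs256 recomputes the
signature over the received header.payload, pins the algorithm, and checks exp.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7515 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Return a compact JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Verify an HS256 token and return its claims; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three parts")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    # Pin the algorithm on the server side: the token must not choose it
    # (this rejects alg "none" and any attempt to switch algorithms).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # Recompute over the bytes actually received, not over re-serialized JSON.
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


# Constructed secret and claims for demonstration only.
DEMO_SECRET = b"change-me-demo-secret"
DEMO_CLAIMS = {"sub": "1001", "role": "user", "exp": 1_700_000_000}

if __name__ == "__main__":
    tok = sign_hs256(DEMO_CLAIMS, DEMO_SECRET)
    print(tok)
    print(verify_hs256(tok, DEMO_SECRET, now=1_699_999_000))
```

The tests a pentester runs against a JWT-protected API are the mirror image of the checks in verify_hs256: edit the payload without re-signing, set alg to none and drop the signature, and replay a token past its exp; each should be rejected.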

Other custom headers and cookies

Other token forms, such as an API key or a randomly generated session token, carried in a custom header or in a cookie.

Common security issues and testing methods

API gateway

An API gateway is a service that sits between the clients and the microservices. Cross-cutting, non-business logic such as permission checks, monitoring, caching and request routing can be handled there.

The gateway is the facade of the whole microservice system and its single entry point: the client sends every request to the gateway, which forwards it to the appropriate microservice instance based on the request's identifying information.

APISIX

Apache APISIX is a cloud-native API gateway under the Apache Software Foundation. It is dynamic, real-time and high-performance, and provides rich traffic-management features such as load balancing, dynamic upstreams, canary releases, circuit breaking, authentication and observability. It can handle traditional north-south traffic as well as east-west traffic between services, and can also run as a Kubernetes Ingress controller. APISIX previously had a remote code execution vulnerability, CVE-2022-24112 (at the time of writing the latest release is 3.0).

Scope of impact:

Apache APISIX 1.3 up to 2.12.1 (2.12.1 itself is fixed)
Apache APISIX 2.10.0 up to 2.10.4 LTS (2.10.4 itself is fixed)

Building the vulnerable environment (Docker based):

git clone https://github.com/twseptian/cve-2022-24112   # get the Dockerfile
cd cve-2022-24112/apisix-docker/example/                 # enter the corresponding directory
docker-compose -p docker-apisix up -d                    # start all APISIX services

Exploitation conditions:

The batch-requests plugin is enabled by default.

The target runs the default Apache APISIX configuration: the Admin API is enabled, the default admin key is in use, and no separate admin port has been assigned. Under these conditions an attacker can reach the Admin API through the batch-requests plugin.

Attack idea:

1. Abuse the batch-requests plugin to bypass the Admin API's source-IP restriction: the plugin passed caller-supplied headers such as X-Real-IP into the sub-requests it issued, so a sub-request could claim to originate from 127.0.0.1;

2. Register a route through the Admin API with the forged header and the default admin key;

3. Pass Lua code in the route's filter_func parameter; the gateway evaluates it, which gives remote code execution.

PoC:

https://github.com/twseptian/cve-2022-24112/blob/main/poc/poc2.py
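The three exploitation conditions above map directly onto settings in APISIX's config.yaml, so they can be checked from the configuration before anyone runs a PoC. The script below is an added example for this article, not part of APISIX or the linked PoC. It assumes the 2.x config-default.yaml layout (apisix.enable_admin, apisix.admin_key, apisix.allow_admin, apisix.port_admin, and the top-level plugins list) and the default admin key value shipped in that file; both configurations are constructed here as already-parsed dicts (what yaml.safe_load would return) so the example runs without PyYAML, and the hardened key value is invented.

```python
"""Audit an APISIX 2.x configuration for the conditions CVE-2022-24112 relied on.

Added example for this article (not APISIX code). Keys follow the 2.x
config-default.yaml; the configs are given as parsed dicts (yaml.safe_load
output) so no YAML library is needed.
"""

DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"   # shipped in config-default.yaml

# Constructed: the shape of an out-of-the-box 2.x config, i.e. the vulnerable situation.
WEAK_CONFIG = {
    "apisix": {
        "enable_admin": True,
        "admin_key": [{"name": "admin", "key": DEFAULT_ADMIN_KEY, "role": "admin"}],
        "allow_admin": ["127.0.0.0/24"],
        # port_admin not set: the Admin API shares the data-plane port,
        # so a batch-requests sub-request can reach it.
    },
    "plugins": ["batch-requests", "proxy-rewrite", "limit-req"],
}

# Constructed: the same file after hardening (the key value is invented).
HARDENED_CONFIG = {
    "apisix": {
        "enable_admin": True,
        "admin_key": [{"name": "admin", "key": "9e0b7d4c3a5f1e2d8c6b4a7f0e1d2c3b", "role": "admin"}],
        "allow_admin": ["10.0.5.0/24"],      # management network only
        "port_admin": 9180,                  # separate listener for the Admin API
    },
    "plugins": ["proxy-rewrite", "limit-req"],   # batch-requests removed
}


def audit_apisix_config(cfg):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    apisix = cfg.get("apisix", {})
    if not apisix.get("enable_admin", True):
        return findings                      # no Admin API, the rest does not apply
    for entry in apisix.get("admin_key", []):
        if entry.get("key") == DEFAULT_ADMIN_KEY:
            findings.append(f"admin_key '{entry.get('name')}' is the default key")
    if not apisix.get("port_admin"):
        findings.append("port_admin unset: Admin API is reachable on the data-plane port")
    if "batch-requests" in cfg.get("plugins", []):
        findings.append("batch-requests plugin enabled (header-forging path used by CVE-2022-24112)")
    if apisix.get("allow_admin") is None:
        findings.append("allow_admin missing: Admin API accepts any source IP")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_apisix_config(cfg) or ["no findings"])
```

Upgrading to a fixed release removes the header-forging bug itself; the three settings above are what limited the blast radius on versions that were still vulnerable, and they remain good practice afterwards.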
