You're reading from Defending APIs

Product type: Book
Published in: Feb 2024
Publisher: Packt
ISBN-13: 9781804617120
Edition: 1st Edition
Author

Colin Domoney

Colin Domoney (BSc, MSc, CSSLP, CEH) is an API Security Research Specialist and Developer Advocate with deep expertise in the development of secure software. As VP of AppSec, he took on the challenge of securing software on a large scale and running the global AppSec program at Deutsche Bank. At Veracode, as an evangelist, he produced countless webinars and blog posts and spoke globally at conferences. Currently, he has embraced the challenge of securing APIs with 42Crunch, where he has produced the API industry's first security maturity model and contributed to numerous webinars, talks, and blogs. He is now working on the industry's first defensive API developer training course. He is also the curator of the APISecurity weekly newsletter.

Discovering APIs

In the previous chapter, we explored the foundations of attacking APIs, focusing on many of the tools that attackers use. In this chapter, we’ll use these skills to learn how to discover APIs in the real world. We will learn how to discover APIs using passive methods (where we do not interact with the API directly) and active methods (where we interact with the API directly). We will also learn how to find details of how the API is implemented and how to use this knowledge to attack an API.

For an API defender, it is important to understand the techniques used by your adversaries in discovering your APIs so that you can implement defensive measures to prevent easy discovery and further analysis. In particular, defenders should pay attention to attackers’ techniques in identifying implementation details and use this knowledge to harden their implementations.

For an API attacker, a thorough reconnaissance process provides useful information about...

Technical requirements

For this chapter, you will need a development machine capable of the following:

  • Running Docker locally
  • Running VS Code with various marketplace extensions
  • Access to the internet and a GitHub account to access the examples

This chapter contains many code samples in various languages; these can either be run locally, which will require the installation of compilers, SDKs, and frameworks, or from within a Docker build container.

The example code and various breaking changes to the instructions can be found in the Chapter 6 folder on the book’s GitHub repository here: https://github.com/PacktPublishing/Defending-APIs/tree/main/Chapter6

Passive discovery

In the first section of this chapter, we will investigate various methods of the passive discovery of APIs. Not surprisingly, the techniques involve utilizing different search engines or online repositories to mine useful API metadata.

The finer details of a passive discovery phase will be determined by the target in mind. Sometimes the intent will be to search far and wide (for example, to try to identify all APIs that an organization owns) and gain as much information as possible about the number of exposed targets available on the public internet. For example, let’s imagine you are attempting to exploit the API of a new router with a vulnerability—in this case, you will probably be attempting to find online instances with public IP addresses.

In other scenarios, you may know about a particular exploit and want to gain a deeper knowledge of using the exploit in practice. You might use a more narrow and deep strategy (for example, identify only...

Active discovery

We will now look at various techniques for the active discovery of APIs in the real world. By active, we mean that we will interact with the API and/or its network by monitoring the traffic or directly accessing the API or its host.

Note – ensure that you have permission to access the computing resources

The use of active discovery using the tools and techniques described in this section may be against the terms and conditions of use of various services, ranging from your ISP to the relevant cloud hosting service. If you are unsure whether you are authorized to perform such scanning, you should err on the side of caution and seek explicit permission. In many cases, such scanning may also be against the applicable laws within your country, and any violations may have serious consequences. Fortunately, many of the scenarios described can easily be recreated in a laboratory environment that is totally under your control.

Network discovery and scan

Typically...

Implementation analysis

Finally, we will conclude this chapter with some tips on how to glean additional information about the implementation of the API’s server, including the host OS and the libraries and frameworks used, including version numbers. Such information can be immensely useful when attempting to reverse-engineer an API.

Verbose error and debug messages

The first category, now infamous because of how frequently it results in information leakage, is excessively verbose error and debug messages. Application developers include various levels of diagnostic information to aid in the debugging of applications in the field; users can capture the log and send it to the support team for analysis. Unfortunately, such logging can be overly verbose and, along with useful debug information, can also divulge the specifics of the inner workings of the application and details of the implementation.

As an example, consider the commonly encountered...
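As an added illustration of the leakage described above (example code written for this page, not taken from the book or its repository), the following spots common implementation details in an API error response and contrasts it with a hardened handler that keeps the detail server-side. The pattern list, the sample verbose response, and all names are constructed.

```python
"""Added example, not from the book: spotting implementation details that leak
through API error responses, and a hardened handler that does not leak them.
Pattern list, sample response and names are constructed for illustration."""
import logging
import re
import uuid

# Signatures of implementation leakage commonly seen in verbose error output.
# Constructed starter set; extend it for the frameworks in your own stack.
LEAK_PATTERNS = {
    "stack_trace": re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\([\w.]+:\d+\)"),
    "db_error": re.compile(r"SQLSTATE|ORA-\d{5}|MySQL server|psycopg2|ODBC Driver", re.I),
    "framework_version": re.compile(r"\b(Express|Django|Flask|Werkzeug|Tomcat|nginx|Apache|PHP)/?\s?\d+(\.\d+)+", re.I),
    "file_path": re.compile(r"(/var/www/|/home/\w+/|[A-Z]:\\)[^\s\"']+"),
}

# Constructed example of an overly verbose 500 response from a debug-mode API.
VERBOSE_RESPONSE = {
    "status": 500,
    "headers": {"Server": "Werkzeug/2.0.3 Python/3.9.2", "Content-Type": "text/html"},
    "body": ('Traceback (most recent call last):\n'
             '  File "/home/app/api/views.py", line 42, in get_user\n'
             'psycopg2.errors.UndefinedTable: relation "users" does not exist'),
}


def find_leaks(response: dict) -> list:
    """Return the categories of implementation detail present in headers or body."""
    blob = response["body"] + "\n" + "\n".join(
        f"{k}: {v}" for k, v in response["headers"].items())
    return [name for name, pat in LEAK_PATTERNS.items() if pat.search(blob)]


def safe_error_response(exc: Exception, log: logging.Logger = logging.getLogger("api")) -> dict:
    """Hardened handler: full detail goes to server-side logs under a reference
    id; the client receives only a generic message plus that id for support."""
    ref = uuid.uuid4().hex
    log.error("ref=%s %s: %s", ref, type(exc).__name__, exc, exc_info=exc)
    return {
        "status": 500,
        "headers": {"Content-Type": "application/json"},
        "body": '{"error": "internal error", "ref": "%s"}' % ref,
    }


if __name__ == "__main__":
    print("verbose response leaks:", find_leaks(VERBOSE_RESPONSE))
    hardened = safe_error_response(RuntimeError('relation "users" does not exist'))
    print("hardened response leaks:", find_leaks(hardened))
```

Running the same checks against real responses from a staging environment is a cheap way to catch debug-mode configuration before it reaches production.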

Summary

This chapter took us on a complete journey from zero knowledge of a target right through to being able to determine the version of the database used. The passive reconnaissance techniques principally used Google and its query operators, as well as the Shodan database, to determine a range of likely candidate targets for exploration.

We learned how to use active reconnaissance to focus on the API implementations on the hosts by examining their behavior under live probing using nmap or Masscan, while OWASP ZAP can provide a wealth of insight using spider scanning. Finally, we learned how to use information leakage to gain insight into the inner details of the implementation, allowing us to understand details such as the host OS and database.

By conducting a thorough discovery phase, you will have placed yourself in a perfect position to move on to the final chapter in the section—on attacking APIs.
