What is API Penetration Testing?


For those who are not familiar with API Penetration Testing, it’s a test activity that involves all the processes of vulnerability assessment and ensures that the client is implementing very solid endpoints for their APIs environment.

Why does the company need to do API Penetration?


Any malicious actors can easily access the insecure APIs which will damage the application and the Penetration Testing activity on the selected application will be executed so that the company will obtain a secured and tested API application.


It’s a JSON message that appears on the website interface.

Demonstration for the attack method


The demonstration will be taken from the full walkthrough of a machine from HackTheBox which can be found over here

Graphical user interface, text, application

Description automatically generated
Graphical user interface, text, application

Description automatically generated

We managed to see some new endpoints when we access <ip>/API/v1

Graphical user interface, text, application

Description automatically generated
Graphical user interface, text, application

Description automatically generated

However, we got an error saying that “not found” and “not authenticated”

Graphical user interface, text, application

Description automatically generated

What a surprise! We have a different message when we access our own user endpoints.


Let’s enumerate the possible endpoints after the /api/v1/user directory using gobuster

Graphical user interface, text, application

Description automatically generated

It’s a JSON message that appears on the website interface.

Graphical user interface, text, application

Description automatically generated

We managed to see some new endpoints when we access <ip>/API/v1

Graphical user interface, text, application

Description automatically generated
Graphical user interface, text, application

Description automatically generated

However, we got an error saying that “not found” and “not authenticated”

Graphical user interface, text, application

Description automatically generated

What a surprise! We have a different message when we access our own user endpoints.


Let’s enumerate the possible endpoints after the /api/v1/user directory using gobuster

Graphical user interface, text, application, email

Description automatically generated

After a while, it works like a charm!


Graphical user interface, application, Teams

Description automatically generated
After looking at the dashboard, I notice that we can play around with the default parameters.
Background pattern

Description automatically generated
From the description, it says that UHC API is version 2.0 which returns the response as 200 “Successful Response”
Graphical user interface, application, Teams

Description automatically generated
Background pattern

Description automatically generated


When we try to execute the admin check, it shows the result as “false”

Graphical user interface, application, Teams

Description automatically generated
Background pattern

Description automatically generated

For the user-id, we are aware of UHC Admin is set as user number 1


For the user-id, we are aware of UHC Guest is set as user number 2

Background pattern

Description automatically generated

We are aware of UHC Player is set as user number 11

Background pattern

Description automatically generated

Finally, i got our own user-id when fetching it as number 12

Graphical user interface

Description automatically generated