What is API Penetration Testing?
For those who are not familiar with API Penetration Testing, it is a testing activity that covers the whole vulnerability assessment process and verifies that the client is implementing solid endpoints in its API environment.
Why does a company need API Penetration Testing?
Malicious actors can easily access insecure APIs and damage the application. Running a Penetration Testing activity against the selected application gives the company a secured and tested API application.
It’s a JSON message that appears on the website interface.
Demonstration for the attack method
The demonstration will be taken from the full walkthrough of a machine from HackTheBox which can be found over here
We managed to see some new endpoints when we access <ip>/API/v1
However, we got errors saying “not found” and “not authenticated”.
What a surprise! We have a different message when we access our own user endpoints.
Let’s enumerate the possible endpoints after the /api/v1/user directory using gobuster
After a while, it works like a charm!
After looking at the dashboard, I noticed that we can play around with the default parameters.
From the description, it says that UHC API is version 2.0 which returns the response as 200 “Successful Response”
When we try to execute the admin check, it shows the result as “false”
For the user-id, we are aware that UHC Admin is set as user number 1
For the user-id, we are aware that UHC Guest is set as user number 2
We are aware that UHC Player is set as user number 11
Finally, I got our own user-id as number 12 when fetching it
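Seen from the defender's side, the walk through user-ids 1, 2, 11 and 12 and the mix of “not found” and “not authenticated” answers leave a recognisable trace in access logs. The following is an added example, not part of the original walkthrough: it flags clients that request many distinct user-ids or collect many 401/404 answers under the user prefix. The log format, the `/api/v1/user/<id>` route shape, the sample lines and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not from the original walkthrough).
# Assumed format: "<client-ip> <method> <path> <status>".
SAMPLE_LOG = """\
192.0.2.7 GET /api/v1/user/1 200
192.0.2.7 GET /api/v1/user/2 200
192.0.2.7 GET /api/v1/user/3 404
192.0.2.7 GET /api/v1/user/11 200
192.0.2.7 GET /api/v1/user/12 200
192.0.2.7 GET /api/v1/user/admin 401
192.0.2.50 GET /api/v1/user/12 200
192.0.2.50 GET /api/v1/user/12 200
192.0.2.90 GET /api/v1/user/login 404
192.0.2.90 GET /docs 200
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
USER_PATH = re.compile(r"^/api/v1/user/([^/?]+)")  # assumed route shape


def find_enumeration(log_text, max_ids=3, max_misses=5):
    """Return {client: reason} for clients probing /api/v1/user/*."""
    ids = defaultdict(set)     # distinct numeric user-ids requested per client
    misses = defaultdict(int)  # 401/404 answers under the user prefix per client
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip malformed lines instead of failing
        client, _method, path, status = m.groups()
        hit = USER_PATH.match(path)
        if not hit:
            continue  # request is outside the user prefix
        segment = hit.group(1)
        if segment.isdigit():
            ids[client].add(int(segment))
        if status in ("401", "404"):
            misses[client] += 1
    flagged = {}
    for client in set(ids) | set(misses):
        if len(ids[client]) > max_ids:
            flagged[client] = f"{len(ids[client])} distinct user-ids requested"
        elif misses[client] > max_misses:
            flagged[client] = f"{misses[client]} 401/404 responses under /api/v1/user"
    return flagged


if __name__ == "__main__":
    for client, reason in sorted(find_enumeration(SAMPLE_LOG).items()):
        print(client, "->", reason)
```

A user who only ever fetches their own id (the second client in the sample) stays below both thresholds, so the rule keys on breadth of ids and volume of misses, not on any single request.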