1. Home
  2. Training Library
  3. API Pentesting


The course is part of this learning path

Start course

This course focuses on API Security and explains the kinds of vulnerabilities that we can find inside APIs, how to exploit them, and how to secure them as well. These skills will allow you to obtain bug bounties from vulnerabilities and also protect your own APIs as well.


Hi, within this lecture we're going to go ahead and solve the API8 challenge. So, if we take a look at the API8 it says injection, so far, so good. So, this is probably SQL injection and if you're watching the web pen testing course, then you know a great deal of SQL injection by now because we have seen it in a great detail, in a great depth. But if you're watching the mobile ethical hacking course, as I said before I put the section in both of the courses because it is related with both of them. So, maybe you don't know a great deal about SQL injection. So, in a nutshell, we are trying to run SQL commands in the database, in the remote database, so that we can gather information out of it. But these commands, of course, are not meant to be executed by a regular person. So, it's a vulnerability, and you have to listen like a couple of sections in order to fully understand this, fully understand the logic behind it. If you're curious about the SQL injection and you're coming from mobile application, mobile ethical hacking course, I suggest you do a quick research and then come back and watch this because I'm just going to go ahead and show you a very quick tool, a very quick way, to find out about the SQL injection vulnerabilities. So, what we're going to do, let's see what kind of endpoints do we have over here. We have a login, with  a username and password, and also we have a secret. After we log in, most probably we get a user token, like an authentication token, and using that authentication token we can get the secret back. As you can see if we come over here to the headers, as you can see there is an API authentication token, but we don't have that unless we log in. And to log in, there is a username and password. I'm just going to go ahead and give some random tests like test, test123, as you can see it says incorrect username and password. But we don't have any kind of other hint. In the previous examples we have come across in a situation like this, but then we had some data leakage scenario so we have found out some resources in our app. But right now this isn't the case, so I'm just going to go ahead and send this to Burp Suite. Here you go. Now I'm in the Burp Suite. Again, since I don't have any word list, since I don't have any users and password list, I'm just going to send this to intruder, but we're not going to brute force usernames and password. We're going to just go ahead and try SQL injection. In order to do that, I'm just going to clear out this selections because we don't need to change the PHPSESSID. Just click on the 'Clear'. We're just going to change the username and the password. So, in order to do that, of course just select the thing that you want to change and then edit like this. So, I'm going to do it one more time. Here you go. Make sure you don't change the PHPSESSID. So far, so good. Right now, since I have this, I have two different parameters. I have the username and I have the password. So, if I had one parameter, then I would go for a sniper. And we had two parameters before, I believe we went for pitchfork but this time we can go for something else. And let me show you what it is. We're going to go for something called battering ram. And in order to do that you can just choose it from the attack type. And we're going to give it on SQL list and we'll just grab the things and try them for the both of the parameters. So, why do we get these payloads? In fact, if you have the Burp Suite, not free edition, not community edition but pro version, you can actually just select it from this list. This list has something like SQL injection, this injection, that injection, different kind of lists embedded for us in the professional Burp Suite. However, that is not the case for the community edition. However, we can actually Google it out and just find that list or a similar list. So, that we can just copy and paste it from there. So, I'm going to go ahead and search for burpsuite intruder sql injection fuzzer; maybe txt or github something like that. So, people tend to put those kind of things in GitHub and we can easily find that list inside of any GitHub repository. You're going to see we will have a lot of options because I have done this before. So, I'm just going to go ahead and search for this. And here you go. I believe there is something wrong with my internet connection but here you go. So, we have a lot of results. I'm going to open every one of them. Not every one of them, actually a couple of them at least, so that we can see and compare what kind of things we should use. So, for the first one, I have a fuzzlist. You don't need to go for the same repository with me by the way. I'm just going one by one and trying to figure out the best one. I can share this SQL injection payloads with you later on. So, let's see. This one's no good. This one is actually a little bit complicated. So, I'm not going to go for that one. Let's see. Yeah, here we go. This is just one liner, I'm not looking for that one. Let's see this one. One entry. Okay, one entry. I'm looking at that one and there is something called quick_fuzz. Here you go. So, in the quick_fuzz there is a txt file and as far as I can see this is not only SQL injection but there's so much more but there is also SQL injection as well. Here you go, this is a good list. Why not we use it. As you can see, these are not related with the SQL injection, but I believe it starts right here. So, I'm just going to copy and paste this stuff into a txt. Of course again, if you couldn't find this, of course you can just pause the video and just write the URL on your own, like manually and just come to that file and copy what I'm copying right now, but I will just share it with the resources of this lecture. So, I'm copying this SQL injection part and I'm just going to paste it to a txt file on my desktop. And if you're using Mac you can open the terminal and go to desktop, like the cd desktop and just write touch sqli.txt. It will create a file for you, so that you can just open it and paste the things. Here you go. Now, this has been saved for me. Of course, if you're using Windows just create a txt file, like right click and say 'New txt file' or 'New text file'. So far, so good. So, I'm going to open the Burp Suite, and by the way, I could have just pasted over here but I had to save it so that I can share it with you later on.

Since I have pasted this list, I can deselect this  URL encodes these characters I believe, and since I saw that I remember we're still in the sniper, so we cannot do that. I'm just going to go for the battering ram. As I said before, it will just try this simple list for the both of the parameters. If we had chosen pitchfork like we did before then we would have provided two list, but right now I just want one list and I want them to try on the both of the parameters. That's why I have chosen battering ram.

So, I'm going to deselect this URL encode these characters and that's about it. So, what I'm going to do, I'm just going to start this attack and of course we're going to have to wait a little bit and as you can see we're getting some 500s, 403s. We're going to wait a little bit and since it has only 107 possibilities, I believe it's not going to be as long as we have waited before, so we can see the requests and responses immediately. And again we're just trying the SQL injections, and if you have watched the web pen testing course then now you have another way to try  SQL injection rather than SQL map as well. But if you're watching the mobile ethical hacking course then you might wonder the logic behind this. Again, I suggest you take my complete ethical hacking course and watch it from here or web pen testing course. Or you can just do like a real quick research in the Google because it's not very related to mobile ethical hacking. That's why I didn't put so much information or like a wide section inside of it. But over here now we need it to take a look at it so that's what we are doing. And by the way, I have just looked at a response and the response over here is that it says: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server." Great. So, some of the responses say that; not some of the responses saying incorrect but some of the responses saying different things. I believe we have to wait until this is finished and then we can just analyze everything. Here you go.

Everything seems to be finished for me. I just paused the video obviously in order to wait for it to be finished. But after it's finished, I can just sort it according to their status code and see the responses. We have come across a situation where we get some different messages like different syntax saying just find your own syntax or something like that.

So, as you can see there is a length column as well and we have 289s and 295s, so different lengths, even though we have the same status code, we have different responses. And over here some of the responses actually give us an authentication key like this. So, even though we have the same status code, sometimes we might take a look at the length of these responses as well to see different kind of things, different kind of responses. So, I'm just going to send one of these to repeater. So, this was the one where we got the success. It means that we got it. It means that we have used SQL injection and I'm going to have to turn off the interception. We used SQL injection to get into the database without even knowing username and password. So, I can copy this. I can copy this authentication key or I can copy this payload from here and just paste it in the postman, like this. For the username this and for the password this. And the single quotation marks are important so beware of that. Here you go. Once I send this, I get the authentication key. Now if I go to get secret and send this because I already have the authentication key. Here we go. We got the flag back. Now again, this lecture was not about SQL injection, like SQL injection 101. This lecture was about finding a quick way to see if we have a SQL injection vulnerability inside of the API. So, I hope you liked it. Let's stop here and continue within the next lecture together.


About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.