API Pentesting
What is API Security?

This course focuses on API Security and explains the kinds of vulnerabilities that we can find inside APIs, how to exploit them, and how to secure them as well. These skills will allow you to obtain bug bounties from vulnerabilities and also protect your own APIs as well.


Hi, within this section, we're going to focus on API Security. So, we're going to see what kind of vulnerabilities that we can find inside of APIs and also how to exploit them and also how to secure them as well. So, you can gain bug bounties out of those vulnerabilities and also protect your own APIs as well. So, we're going to use a real life example for that by the way it's called vapi or V-A-P-I vulnerability, vulnerable API. I'm going to tell you all about it and I'm going to show you how to set it up, don't worry about it. But right now before we start, you have to know what an API is. So, API stands for Application Programming Interface. It's kind of a program or it's kind of a software, when we do a request, when we send some parameters or send some requests to it, we get a response back and we can use it inside of both the web applications or websites and also mobile applications as well. So, when we have a vulnerability inside of our API, it actually affects the website or the web application, mobile application, it affects everything. So, it's a very crucial step or it's a very crucial thing to secure the APIs and that's what we're going to focus on during this section. In order to let you imagine or in order to let you show what an API is, I'm going to demonstrate a few examples but just so you know that this section will be available both on web application pentesting course of mine and also mobile pentesting course as well because it actually affects both of them. So, let me talk about this VAPI or vulnerable API or vapi thing. So, this is a GitHub repository as you can see and somebody named roottusk created this vapi or VAPI in order for us to understand the vulnerabilities inside of the API and practice them. So, we are thankful to roottusk. So, this is an open source project and we're going to actually install this on a real server and we're going to do a real web pentesting or a real API pentesting in a real life example. so I found out this roottusk guy has created this very magnificent API CTF. Then I tried to solve it and I just decided to show it to you guys so that you can understand it in a better way. So, let me show you what a JSON format is. So, if you're a developer you probably know this, okay? You don't have to open Google or something like that, I'm just showing you this. So, this JSON format thing is some kind of format that we get the information back from the API. It doesn't have to be necessarily JSON, it can be XML and stuff like that but it generally is. So, maybe you should know what a JSON is. It's just JavaScript Object Notation, so it's kind of a notation, it's kind of a syntax, and as you can see this is an example JSON where we see the ID, name, picture and stuff like that. So, when we send a request to the API that we are going to be installing on our server, we will get a response like this when we do a request to that server. So, maybe we can do a request to get back to users, maybe we can just do a request to get back the products of an e-commerce website, it doesn't matter. And I believe you're going to understand perfectly why we are doing this section once we get to start it but before we start it, I believe I should show you some real API example from a real world example so that you can understand it in a much better way because they are very critical, okay? They are very critical so before we install the vapi I'm going to show you something from and you can actually see this from any website but I'm just going to show it to you from And in order to do that, I just opened the and I can see my own courses over here recommended to me for some reason and I'm going to open the Burp Suite. If you don't know what a Burp Suite is, don't worry, you're going to learn it in a couple of lectures, but if you've got the web pentesting course, of course, you know it. So, Intercept is on, Burp Suite is a tool that we can capture the packets as we are sending them. So, what I'm going to do, I'm going to click on one of the courses on Udemy and before it sends the message or sends the request to the server, I'm going to capture that inside of the Burp Suite so that we can actually see what are we sending to the server or what is the endpoint, what are the parameters and stuff? So, let me show you what I mean. I'm going to click one of those courses and here we go. It didn't capture the packet because I couldn't change, I forgot to change the proxy. Right now I change the proxy. If you don't know how to change the proxy, don't worry about it, I'm going to show you later on within this section. And once I change the proxy of the parameters it cover the packet over here. As you can see it is doing a GET request to this website. It's not an API right now, it's course/the-complete-mobile-ethical-hacking-course, so this is the address of my course in Udemy. Okay, that is cool but that is not what I'm looking for. So, this is not an API, this is just a regular website. If you just copy and paste it and just paste it in your browser and go to it, you will see what I mean. What I'm going to do I'm going to disable the proxy one more time and go back to you and refresh it. Right now without going into the course itself, I'm just going to turn it on and turn the proxy on and the Burp Suite on as well. I'm going to click it on one more time. So, once I click it it will capture the packet and here we go. Right now it's doing a post request to this API and if you look at the URL, it's actually api-2. So, this is version 2, visits and something like that. It's doing a funnel page API call. What does it mean? Because once I clicked on the course, it took me to a site and once I capture the packet over there, it actually showed me a URL. But right now without going into the URL, once I click on the one of the icons on the main page, it actually does an API call because it's actually sending some parameters to that funnel log state or funnel log API, funnel log endpoint and getting back some information most probably about me so that it can understand what kind of cookie that I'm using, did I purchase a course before from Udemy. So, should it show some kind of low pricing or high pricing to me, okay? So, this is an API of Udemy and as you might imagine, Udemy uses this inside of its website, web application and also mobile application as well. Okay, that was a real API but right now I believe we have to focus on this roottusk vapi or VA PI or vulnerable API, so let's see the roottusk. He's Tushar Kulkarni. Thank you very much Tushar for sharing this with us. I'm going to show you how to install this on a real server but before that, I need to show you something else. I need to show you OWASP top 10. So, if you got the web pentesting course you already know what an OWASP Top Ten is. It's the most vulnerability or most common vulnerabilities that we come across in the web world, but this time I'm going to show you OWASP Top Ten API version, okay? So, as you can see if you google for OWASP Top Ten, you will see it and we have actually seen every one of those inside of web pentesting course, but also there is a top 10 for APIs as well. It turns out that it's critical for us and it's critical for OWASP as well. They gather information, they gather data for the most common vulnerabilities in the APIs as well. So, what happens is that the VAPI that we're going to be solving, actually got this data from this list. So, let me show you what I mean. I'm going to search for OWASP Top Ten API and we will see something like very similar to this. Maybe you have seen this before. This is Top 10 Web Application Security Risks. Okay, like injection or the broken access and stuff, so you know all of this stuff or maybe you have heard before. But if we go to Google and search for OWASP top 10, but OWASP API top 10 like this, okay? Then we can see the actually API security list as well, the actual security lists as well. So, I'm going to open this in a new tab and here we go. So, it actually starts with telling us what is an API security. The time that I recorded it saying that Top 10 2019, it's not actually updated every year, okay? I'm recording this like something early 2022 but it hasn't been updated yet, but as you can see we have a lot of misconfigurations, improper management, logging, monitoring and everything over here, we have a lot of vulnerabilities. And I can assure you once it gets updated, okay? Maybe next year, many of them won't even change, okay? So, maybe a couple of new ones will come to the list but the idea will still be the same. So, this vulnerable API actually gets this data, okay? The roottusk actually looked at that list and prepared the challenge, prepared the CTF in a way that we can understand everything on that list. So, it's a great opportunity for us to solve this in order to understand the API security. But it happens that if we install this on a real server, then will be much more realistic and it would work in a much better way. So, what I did, I forked this, I put it on my own GitHub. As you can see you can reach it via Pause the video if you like and just copy and paste the stuff and go into there. I forked this by the way because I don't want you to get affected by the future updates. So, if you come over here and clone this or you can just download the zip in a way that you want. Just download the zip on your own machine, okay? We're not even going to use that for installing on the server but we're going to need some resources on that folder that's why I'm telling you this. Just go to this website, and download this. Don't worry about the server configurations and stuff, I'm going to show you in the upcoming lectures, but right now, all you got to do is just download this folder and be ready for the next one.


About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.