Endpoints Analysis
When the API documentation is not available, we have no choice but to create our own collection. The objective is to collect as many requests as possible and learn how to interact with the API. We can manually create our collection using Postman or use mitmproxy2swagger.
Reverse Engineering an API
Postman proxy
Create a Workspace
In Postman, we can create a workspace to save our settings for later use. A free account is needed to create a workspace.
We can then create a Collection. A Collection is a set of API requests.
At the bottom right of the Postman dashboard, the Capture requests button can be used to intercept the traffic and help us build our own collection based on the intercepted requests.
We also have to click on Enable proxy for our traffic to be proxied through Postman. Port 5555 is the port the Postman proxy listens on.
Then, we can visit the web application in our browser with FoxyProxy set to port 5555. The objective now is to click on every single functionality and feature of the web application to capture as many requests as possible. The web application, and thus the underlying API, should be covered entirely when testing.
In the Proxy debug session tab, we can observe that we have collected a lot of requests. We can stop the proxy and then select all requests to add them to a Collection.
From there, we have the ability to rename all requests and organize them within folders. We might want all requests that are alike or related to the same function grouped together. We also want to remove all junk requests that are not related to the API. This manual method can take long, but it is useful if no documentation is provided. It is also a simple method if we want to focus only on specific methods.
Mitmweb
Installation
On your Linux machine, install and start mitmproxy.
Mitmweb needs Burp Suite to work. Install Burp Suite and configure your proxy if your VM is not on localhost. Then, in Firefox, use the Burp Suite proxy.
mitmproxy starts a proxy on localhost port 8080. Since our VM is remote, we have to forward this port and use FoxyProxy to download the mitm certificate. Stop Burp Suite, since it uses the same proxy port.
Access mitm.it in your browser with FoxyProxy set to an HTTP proxy on 127.0.0.1 port 8080 (same configuration as the Burp Suite proxy). Install the .pem certificate for Firefox.
We can then navigate to the web application. All our traffic will pass through mitmproxy on port 8080 and all our requests will be saved. Keep the FoxyProxy Burp Suite configuration when browsing the web site. To view our requests, we can check the web console hosted on http://127.0.0.1:8081.
Once we have explored all options and features of the web application, we can download all captured traffic in a flow document.
The tool mitmproxy2swagger will be used to transform our traffic into an OpenAPI 3.0 YAML file that can later be imported as a collection in Postman.
The command below transforms the flow document into a spec.yaml file.
It is normal to see that some requests do not have a response.
Then, we need to review the spec.yaml file to identify whether too many requests have been removed. We want to keep all requests that are relevant: remove the ignore: prefix in front of the endpoints we want to keep, and leave ignore: in front of all requests that do not seem to be API requests.
Now, run mitmproxy2swagger a second time against the edited spec.yaml file. Add the --examples flag for enhanced documentation.
Swagger Editor
Import the spec.yaml file in the Swagger Editor to visualize the documentation that has been created.
Below is an example of how the Swagger documentation is formatted for a specific request. We can identify whether or not parameters are required for this specific request, the media type, the status code returned and the content of the response. At that point, we can look into each request and gain a better understanding of how the API works.
Look for sensitive information within the requests and pay attention to those requiring user input.
Postman
We can also import the spec.yaml file into Postman as a new collection. All requests will be imported into Postman already organized.
Editing Postman Collection Variables
It is possible to set variables in Postman that can be used in all requests sent to the server. For example, we can set the baseurl as a variable pointing to the API server where our requests will be sent.
Editing Postman Collection Authorization
The Authorization tab is used to set the proper authorization method to make authorized requests to the API. All subsequent requests made to the API will use this authentication method.
When authenticating successfully, the crAPI web application will return a token that we will copy and paste in the Token field. Then, click Save.
Excessive Data Exposure
Excessive data exposure arises when the API returns to the end user much more information than is needed, some of which can be sensitive. From the web application front-end perspective, some information might not be displayed, but when reviewing the response returned by the server with Postman or Burp Suite, we might observe that much more information is returned than what has been requested. Pay attention to information that is returned by the server and can be valuable for an attacker.
An API request is made each time a visitor clicks on a forum post: GET /community/api/v2/community/posts/:posid
Although not displayed on the client interface, when inspecting the API request using a web proxy, we can observe that the complete information related to the account of the author of the forum post is returned to the end user.
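A quick way to spot this during review is to diff the fields a response carries against the fields the front-end actually renders. The script below is an added example (not from this page or from crAPI) doing that for the forum-post response described above; the JSON payload, the rendered-field list and the sensitive-key pattern are all constructed assumptions for the sample.

```python
import json
import re

# Constructed response for GET /community/api/v2/community/posts/:posid, shaped like
# the payload the text describes (a made-up sample, not a capture from crAPI).
SAMPLE_RESPONSE = json.dumps({
    "id": "post-0001",
    "title": "Brake noise",
    "content": "Anyone else hearing squeaks?",
    "author": {
        "nickname": "robot",
        "email": "robot@example.com",
        "vehicleid": "vehicle-id-constructed-0001",
        "profile_pic_url": "",
        "created_at": "2023-01-02T10:11:12.000Z",
    },
    "CreatedAt": "2023-01-02T10:11:12.000Z",
    "comments": [],
})

# Fields the front-end actually renders for a post (assumed for this sample).
RENDERED_FIELDS = {"title", "content", "author.nickname", "CreatedAt", "comments"}

# Key names that commonly carry personal or account data.
SENSITIVE_KEY = re.compile(r"email|phone|vehicle|token|password|ssn|address|secret", re.I)


def flatten(obj, prefix=""):
    """Yield a dotted key path for every leaf of a JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}{key}.")
    elif isinstance(obj, list) and obj:
        for item in obj:
            yield from flatten(item, prefix)  # list items share the parent's path
    else:
        yield prefix.rstrip(".")


def find_excess_fields(response_json, rendered_fields=RENDERED_FIELDS):
    """Return (unrendered, sensitive): every field the UI never shows, and the
    subset whose key names suggest sensitive data. Both lists are sorted."""
    def shown(path):
        return any(path == r or path.startswith(r + ".") for r in rendered_fields)

    leaves = set(flatten(json.loads(response_json)))
    unrendered = sorted(path for path in leaves if not shown(path))
    sensitive = [path for path in unrendered if SENSITIVE_KEY.search(path)]
    return unrendered, sensitive
```

Run it over each saved response in the collection; every path in the sensitive list is a finding to report, and the rest of the unrendered list is the backlog to review by hand.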
Check also for:
Verbose error messages: they can reveal some information about the framework and technologies in use.
Business logic flaws: do the contrary of what the documentation asks you to do.
Inspect administrative requests. Test administrative functionalities as an unauthenticated user, as low-privilege users, and then as an authorized user.