How to hack an API: A walkthrough | Guest Katie Paxton-Fear

Get your FREE Cybersecurity Salary Guide: https://www.infosecinstitute.com/form/cybersecurity-salary-guide-podcast/ 

Join us on Cyber Work Hacks as Katie Paxton-Fear, known as InsiderPhD, demonstrates how to hack APIs and uncover vulnerabilities in shopping apps. Paxton-Fear provides a visual walkthrough of common mistakes in API security, emphasizing problem-solving and creativity over technical skills. You'll learn how she uses tools like Burp Suite and its Repeater to exploit vulnerabilities, access personal information and make unauthorized transactions in a deliberately vulnerable practice app. Paxton-Fear's insights make API hacking an accessible entry point into cybersecurity, highlighting the path to becoming a bug bounty hunter. Plus, discover tips on starting your API hacking journey and utilizing Infosec resources to build a successful career in cybersecurity. Don't miss this comprehensive guide to API hacking!

00:00 - Introduction to API security
03:16 - Understanding APIs and their vulnerabilities
05:26 - Live API hacking demonstration
05:43 - Exploring Burp Suite and Repeater
08:28 - Identifying and exploiting API vulnerabilities
09:50 - Real-world API hacking examples
17:21 - Tools and tips for aspiring hackers
19:31 - Steps to start bug bounty hunting
22:23 - Conclusion

– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast/ 

About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.

[00:00:00] Chris Sienko: Fact: APIs, those crucial but insecure parts of nearly every app we use today, are pretty hard to secure, and for intrepid hackers they can lead to big payoffs and big damage. Today on Cyber Work Hacks, my guest Katie Paxton-Fear gives us a visual walkthrough of how an API on a shopping app works 

[00:00:17] Katie Paxton-Fear: For the API hacker like me, we love little mistakes. We love mistakes like that because that is exactly where you find vulnerabilities, especially if perhaps you're not necessarily, like, super technically minded. API hacking can be a really great introduction to hacking more generally. 

[00:00:37] Chris Sienko: and how some trial and error with a couple of open source tools can lead to grabbing another shopper's personal info, and even paying for your own purchase with another shopper's credit card.

[00:00:46] Katie Paxton-Fear: I'm going to send this to a repeater and guess what I'm going to do? I'm going to change this seven to be a one Yes.

or not I could make a payment on somebody else's card. Aha.

you know it, I've got an order confirmation here, meaning that I have. 

[00:01:00] Chris Sienko: Skill with API hacking can strengthen your security skills and can put you on the path to becoming a bug bounty hunter yourself. Today, Katie sets you on the first step of that path. 

[00:01:10] Katie Paxton-Fear: they're like, I need to read this book, I need to watch all these videos. Honestly you would do better actually hacking something as soon as you can, because you will keep your skills a lot more sharp and it will teach you a lot more than any video/book/course ever will. 

[00:01:27] Chris Sienko: So don't miss today's episode of Cyberwork Hacks.

The IT and cybersecurity job market is thriving. The Bureau of Labor Statistics predicts 377,500 new IT jobs annually. You need skill and hustle to obtain these jobs, of course, but the good news is that cybersecurity professionals can look forward to extremely competitive salaries. That's why Infosec has leveraged 20 years of industry experience, drawing from multiple sources to give you, Cyber Work listeners, an analysis of the most popular and top paying industry certifications.

You can use it to navigate your way to a good paying cyber security career. 

So to get your free copy of our cybersecurity salary guide ebook, just click the link in the description below. It's right there near the top, just below me. You can't miss it. Click the link in the description and download our free cybersecurity salary guide ebook.

Your cyber security journey starts here. 

Now let's get the show started 


[00:02:24] Chris Sienko: Welcome to a new episode of Cyber Work Hacks. The purpose of this spinoff of our popular Cyber Work podcast is to take a single fundamental question and give you a quick, clear, and actionable solution, as well as new insights into how to utilize Infosec products and training to achieve your work and career goals.

Uh, today I'm happy to welcome back to the podcast Katie Paxton-Fear of Traceable, a bug bounty hunter at large, and perhaps best known by her YouTube name, InsiderPhD. If you know her from there, and you should go check her out, uh, you know that one of Katie's great areas of expertise and passion is in hacking APIs.

Which of course are fast becoming recognized as a massive point of entry for hackers. So, uh, today I'm excited for Katie to give us a brief walkthrough of how API hacking works from the very beginning. So I'm going to get right into it, but first, uh, welcome. And thanks for being here, Katie.

[00:03:09] Katie Paxton-Fear: No, thank you so much for having me back.

[00:03:12] Chris Sienko: My pleasure.

So, uh, so Katie, I won't take too long with this because I want to get right to your magic. But if you could give a brief summary of what APIs are and why there's such a challenge in securing them.

[00:03:22] Katie Paxton-Fear: So, APIs are a type of application which, instead of being designed to be used by humans, are actually designed to be used by other computer systems. And because of this, it kind of creates this interesting problem, which is that these are fundamentally designed for computers to use; however, they are designed for humans to be able to read them. So you have this really weird difference where you have, you know, this is designed for computers, and it's written in something called JSON, which is like a very formal way of writing objects that computers can read really easily. It uses, like, regular English words all the time. And one of the big challenges about securing them is because they're used to communicate with other computer systems, actually they're used very often for things like mobile apps, where you have like an app front end, like an Android app, and there is an API in the back end that's actually kind of doing all the work, if you like.

[00:04:24] Chris Sienko: Okay.

[00:04:26] Katie Paxton-Fear: Now, because these encompass, you know, an entire app's worth of functionality, there are hundreds of something we call endpoints, which are pieces of code that do something.

[00:04:37] Chris Sienko: Yes. Okay. Mm hmm.

[00:04:40] Katie Paxton-Fear: An application that maybe has like three features, that could be 40 different API endpoints, that could be 40 things you have to worry about.

And unfortunately, when you're doing that, it's really, really easy to make a mistake. For the API hacker like me, we love little mistakes. We love mistakes like that because that is exactly where you find vulnerabilities, especially if perhaps you're not necessarily, like, super technically minded.

You're more thinking about problem solving. API hacking can be a really great introduction to hacking more generally.

[00:05:16] Chris Sienko: I love that. So, yeah, so I'm glad you emphasize the sort of problem solving nature of it, because I think that's such an important skill above and beyond just using the tools or just doing the processes or whatever. So I guess from here, I'm going to let you, Katie, share your screen and walk us through the basics of API hacking as you see it. 

[00:05:36] Katie Paxton-Fear: In this kind of theme of, uh, presenting here: here's one I made earlier. Um, so my API hacking tool of choice is Burp Suite. And what Burp Suite lets me do is look at what my web browser is doing. So I'm going to go into the Proxy tab and HTTP history. And you can see there's a bunch of stuff here. When I refresh this page, we'll see in here everything that happens when that page is refreshed. So it's not doing any kind of hacking on its own. It's just showing me the information. It's showing me what my web browser can see. Now, obviously, me as a human, I see this in this nice little UI, and I can click on all the buttons and do stuff. The actual, like, inside here, you can see we've got an API. We've got some kind of search for products, we've got some kind of quantity. Um, we know this is API based because we can see calls to something like REST or API in it. And again, this is not necessarily like super technical stuff. This is just me seeing what my web browser can see. So when I go in here and I go into Account, I log into an account and I create a new account here and I register my account. By the way, the password I chose here is testing123, so real big security there.

[00:07:18] Chris Sienko: The, the classics never go away, do they?

[00:07:20] Katie Paxton-Fear: Exactly. And I can see here what my web browser is actually sending, because I only saw in that process a registration form and a login form, but actually quite a lot more happened. So we can see this request here. So this is showing me what my web browser sent, and this is showing me what the server sent back from it. So I can see here, this is a POST request, which means there'll be some data in the bottom. And it's going to /api/Users. Now, for an API endpoint, when we see POST, any kind of POST request to /api/something, we can usually assume it's going to create something. So this is probably where I created my account, and if I scroll down here I can see, you know, here's the email I put in, here's the password, here's the repeat password, here's the security question and then here's the security answer I gave. On this side we can see what the web server sent back, so in this case a success status and then some data about like my role and stuff like that.

[00:08:28] Chris Sienko: Okay.

[00:08:28] Katie Paxton-Fear: This is where the hacking element comes in. So my goal as a hacker is to change something on this side to make a big change on this side. And I wish that wasn't an oversimplification of what I'm doing.

That is genuinely what I'm doing.

[00:08:43] Chris Sienko: Wow.

[00:08:44] Katie Paxton-Fear: Let's kind of dive into something a little bit easier. I'm going to add a product to my basket. So I'm going to add it. And I can see here a GET request for /rest/basket/6. So that is the basket ID there. And I can see it's successful. And here's what's in my basket. Now, if I'm user ID 6, what does user ID 1 have in their basket? Well, what we're gonna do is we're gonna right click on this. We are gonna send it to Repeater. Now, Repeater is a tool that lets me edit this. I can edit it in any way I want. I'm not going to, because I'm gonna edit it in a very specific way, and I'm simply gonna take this six and change it to a what? I'm going to press send and I'm going to see what comes back. As you can see in the background, um, we got some little, uh, uh, celebrations here because I solved one of the challenges.

[00:09:41] Chris Sienko: Aha.

[00:09:42] Katie Paxton-Fear: You can see that I've managed to see the basket of user ID one without being that user myself. Now, this is a security flaw I see in real applications made by people who are paid more money than I am; their job compensation, they make these mistakes. And literally, it is as easy as going, okay, I'm going to change that 6, which is my ID, to be a 1. Any single time you see an ID in any kind of API, like any kind of number, you always want to change it to a different number, because that is a very, very good sign that if it has been programmed incorrectly, you can cause these kind of really easy security vulnerabilities. And then, honestly, what most of API hacking ends up being after that is going, okay, so I'm going to change this. You know, I'm gonna check out here. I'm gonna add an address and I'm gonna test that same issue in multiple different places, because if we have a look here, we can see that the IDs are used fairly often. Um, you can see we've got /api/Products/1. We've got, um, if we add an address here, uh, great. I'm just going to put in any random data here that

[00:11:08] Chris Sienko: Hmm.

[00:11:09] Katie Paxton-Fear: lets me continue. I'm going to select my address. I'm going to choose my delivery speed. I'll see here, you know, in this one I'm getting /api/Addresses/7, so I'm going to go into there, send to Repeater and change that 7 to a 1, and see whether or not it works. Now you can see here that actually the reply from this has been an error that I'm doing some kind of malicious activity.

[00:11:37] Chris Sienko: Ah,

[00:11:37] Katie Paxton-Fear: If they do have, like, um, any kind of, like, API security, something like this will appear. It's just a case of taking this concept and replicating it multiple times, because in every single resource, you can create a new resource, you can edit an existing resource, you can read a resource's information, and you can delete one.

So think: you can create a new user, you can read your username, your avatar, whatever, you can update your user, update your email address, update your password, you can delete your user. You shouldn't be able to delete other users. Makes sense, kind of very clear.

[00:12:20] Chris Sienko: Hmm.

[00:12:21] Katie Paxton-Fear: Now all you need to do is copy that idea and do it 300 times. Because that is API testing, it's about volume and getting through, and this is actually why APIs end up being so insecure, because they are time consuming to

[00:12:38] Chris Sienko: Yes.

[00:12:39] Katie Paxton-Fear: go and hack or secure. Obviously if you're a malicious actor, all you have is time, especially if you're looking for

[00:12:46] Chris Sienko: Yeah.

[00:12:46] Katie Paxton-Fear: finances. Um, so they have, like, all the time in the world, they have the time to go into an API and, like, properly exploit it, and companies don't usually. But me as a bug bounty hunter, this is where I find my niche of, okay, you know what, you cannot be bothered to go through 300 API requests, but I can, and I will pick up 1,000 per flaw I find like this. And

[00:13:12] Chris Sienko: Yeah.

[00:13:12] Katie Paxton-Fear: these are real bugs that I found in real software. So the next thing I'll do as I'm testing these is just try and, um, literally, try and just do stuff with payment information, uh, with payment details. The main thing I'm going to try and do is skip over actually paying for something.

[00:13:42] Chris Sienko: Hmm.

[00:13:43] Katie Paxton-Fear: Looking at what I've got in front of me and saying, okay, do I really need to provide, um, my card details? Can I skip over that? So here you see, uh, down here, we've got the checkout here. We can see we've got some coupon data, which is empty. We've got a payment ID and address ID and delivery method. So again, I'm going to send this to Repeater and guess what I'm going to do? I'm going to change this seven to be a one.

Yes.

or not I could make a payment on somebody else's card.

Aha.

you know it, I've got an order confirmation here, meaning that I have. But let's

[00:14:21] Chris Sienko: Oh my gosh.

[00:14:22] Katie Paxton-Fear: check by going into here, going into, uh, Track Order. Send this one to Repeater. And I'm just replacing this order ID with the one it just gave me. Pressing send. And I can see here that, um, I've managed to make an order with a, um, a, uh, uh, random payment ID that isn't one that I necessarily control. And again, I wish I was joking, I have found vulnerabilities like this

[00:14:54] Chris Sienko: Wow.

[00:14:55] Katie Paxton-Fear: in, like, the US military, in social media, um, platforms, in AI products. This is the fundamental part of API hacking. This is why it's more about what you can see in front of you, rather than trying, say, lists of payloads. You're going, okay, this is taking, you know, a payment ID, which I had to create, and I saw myself create that payment ID, using an address ID, and I'm using a delivery method. Well, what happens if I make a payment from somebody else's card? What happens if I, say, send it to somebody else's address? Or what happens if I use a coupon that may not be that, that? What if I could? Now, how good you are at API hacking is far more about how creative you can be answering that question than it is about any kind of technical skills.

[00:15:48] Chris Sienko: Okay.

[00:15:49] Katie Paxton-Fear: And like 90 percent of all hacking I do looks like this, 100 percent, just this constant line.

[00:15:55] Chris Sienko: Yeah. Yeah. Yeah. No, that's, uh, that's amazing because, uh, yeah, I think that's not what everyone necessarily thinks of when they think of this, as there being a solution, you know, when you see it in the movies, there's a solution. I just need to find the right code or I need the right, but yeah, here you're, you're basically making, it's like a choose your own adventure.

You're, you're just going to keep trying different things until something, uh, slips through, I suppose.

[00:16:18] Katie Paxton-Fear: Yeah, and I mean, when I speak to, um, my mum, for example, I showed her how to do it. And my mum is scared of the start menu. Like,

[00:16:27] Chris Sienko: Mm hmm.

[00:16:28] Katie Paxton-Fear: She hit the Windows key on her keyboard and thought she'd broken the computer. She does not know how computers work. But actually when I sat down and I kind of walked her through it and I was doing the kind of driving, if you like, she was the

[00:16:41] Chris Sienko: Mm

[00:16:42] Katie Paxton-Fear: navigator, but even she was able to go and say, okay, what if I tried to delete somebody else's post?

What if I tried to edit somebody else's, um, I don't know, photo? She could even do that without really understanding, you know, what an API even was. I mean, it helps to look at this JSON and not be afraid of it. Yeah. It's not actually that hard. I

[00:17:07] Chris Sienko: hmm. Mm hmm.

[00:17:07] Katie Paxton-Fear: think people overthink it a lot, about like how difficult hacking is, when actually quite a lot of it is just taking a step backwards and thinking, okay, how could this be broken?

[00:17:18] Chris Sienko: Amazing. Okay. I have a couple last questions here. You mentioned a couple of, um, tool names that even, uh, a non technical person like myself recognizes, Burp Suite and Repeater and stuff. Like, what, what kind of equipment, tools, or setup

do you need to do this kind of thing at home? Is this mostly something that can be done with open source tools and techniques? Is there a sort of a cost of startup to sort of really do this, uh, on a regular basis? Oh,

[00:17:42] Katie Paxton-Fear: You can spend money on this. Um, and I think that's the case for quite a lot of hobbies. You can definitely spend quite a lot of money. Um, a lot of people ask me, like, what kind of laptop do I need? You really don't need anything. Um, I use a Mac. Lots of other people use a Mac because it's a very nice laptop. But you don't need to use a Mac. You can just use a Windows computer. A lot of people will use Burp Suite Professional, which is about like 500 pounds, 300-ish dollars. You don't need that. I use the free version of Burp and I get enough in bounties to pay for the paid version of it. You can spend money on, you know, other tools.

I mean, even actually thinking about it, I've heard of people who've done hacking, like, from their phone. They're in, like, India and they don't have access to a computer, but they really are interested. So you really don't need anything super specialist. Certainly, you need to be able to install programs, um, because Burp is like, probably is going to need admin access. But that's about it. Um, you don't need anything else. And honestly, my recommendation would be don't spend any money until you've earned money doing it. Because

[00:18:57] Chris Sienko: Yeah.

[00:18:58] Katie Paxton-Fear: if you have those pro tools, you probably don't even know how to use them yet, because you haven't got that far in your journey to know what your needs are.

[00:19:06] Chris Sienko: Yes. Yeah. No, you can always tell the amateur carpenters because they have like way too many tools that are completely, you know, still in the box and what have you. It's like, yeah, a good carpenter has like a hammer and a saw and they're completely worn to a nub.

[00:19:21] Katie Paxton-Fear: Don't look at my garage because there are tools in boxes.

[00:19:26] Chris Sienko: Oh, oh, same, same. Oh, I'm, I speak from experience, not from allegory. Um, so, so yeah, I guess to sort of extend, extend on that for viewers who, who find that they like doing this type, type of hacking and have an affinity for it. Like, what are some things they can do next? I guess in this case, I want to sort of ask you about how you take this kind of skill and apply it to, like you said, bug bounty hunting.

[00:19:49] Katie Paxton-Fear: So, step one is actually hack stuff. 

A lot of people get caught up in a learning cycle where they're like, I need to read this book, I need to watch all these videos. Honestly, you would do better actually hacking something as soon as you can, because you will keep your skills a lot more sharp and it will teach you a lot more than any video/book/course ever will. There's no, like, critical knowledge that you need. Um, fundamentally, learn how to use Burp, learn how to use Repeater. That's kind of the first step. Second step is get yourself either on a CTF platform like TryHackMe, um, Hacker101, something to just help you practice. I was using OWASP Juice Shop.

That's another good option too, just so you have some practice and kind of, okay, here's the kind of theory behind finding these vulnerabilities. Step three is get yourself on a bug bounty program and look at a real application, because a real application does not send, like, three requests that you can see, like, little numbers in nicely. It sends 300 requests, half of them are advertisements, the other half are tracking cookies to try and see what you're clicking on. Actual applications are so, so noisy, and there's a skill in looking at that and trying to filter out, okay, what actually does something on this application?

My tip is to use something you already used before. So if you're familiar with using something like Uber, get started on Uber. That's where I got my start. If you're familiar with Tumblr, get started on Tumblr. If you're already familiar with it, you can start to kind of notice that functionality quite a bit, then just look at an application and try and map that functionality to API calls. So, okay, this is me, you know, ordering my Uber or putting in my destination address or it connecting me to a driver. If you can start to make that jump between the, like, function that you see and the API requests, bear in mind there may be multiple API requests per actual, like, functionality, you'll be able to start to sift through that noise.

And then honestly, it's more of a kind of process of learn something, try it, fail, learn something, try it, fail, and that kind of learning process going forward.

[00:22:20] Chris Sienko: Yeah. The very best learning process I can think of. So, oh, Katie Paxton-Fear, thank you so much for walking us through the API hacking process. I think I understand this better than I ever have. So, uh, if a dumb-dumb like me can do it, uh, our smart listeners are going to absolutely get a lot from it. So thank you very much.

[00:22:35] Katie Paxton-Fear: Yes, absolutely. Thank you so much for having me.

[00:22:39] Chris Sienko: My pleasure. And as always, thank you to our, our wonderful smart listeners for watching Cyber Work Hacks. If you enjoyed this video, please tell someone about it. I think there's a lot of people who are going to want to know all about this. And what a great, uh, concise introduction to this concept here. So tell a friend, tell a colleague, tell your social media connections.

Word of mouth is still the real way to make a community like this grow. Uh, and if you haven't done so yet, please subscribe to our podcast feed and our YouTube page. You can go to infosecinstitute.com/podcast to see a full list of past guests. Or if you just type in "Cyber Work" and "Infosec" in your preferred search engine, YouTube, whatnot, it will come up pretty quick, uh, and sign up for notifications or auto download of episodes, because Cyber Work Hacks is coming out every other Tuesday, every other Thursday.

Hey, with bite sized answers to your questions. So this is Chris and for, uh, for Katie, until next time, keep learning, keep developing your skills and keep having fun. Take care now.

[00:23:32] Katie Paxton-Fear: Bye, everybody.

[00:23:34] Chris Sienko: Bye bye. 
