Hacking APIs: Building the lab

Israel Aráoz Severiche
3 min read · Nov 3, 2023


Doing is one of the best ways to learn, so if you want to try to exploit or find vulnerabilities in an API/endpoint, you should practice.

So you need tools, an API/endpoint to practice on, and free time ;)

Tools

To test and find vulnerabilities in an API/endpoint we need a client that can send requests with different HTTP methods and body formats (JSON) to the API/endpoint.

API/Endpoint Structure

Postman

This tool is used by developers to test APIs/endpoints, but we can use it to send HTTP requests and intercept them with Burp Suite. You can download it from Postman's website.

Note: Installing Postman is out of scope; that could be a Postman 101 article ;)

First you need to configure the proxy (Burp Suite) properly.

Postman’s Settings

Click on Settings and follow these steps:

  • Click on Proxy
  • Enable “Use Custom Proxy Configuration”
  • Set the IP address and port that Burp Suite is listening on (the default ones, if you want)

Proxy configuration

Once the proxy is set, start Burp Suite and send a request from Postman through Burp to the API/endpoint.

You can see the request and response in HTTP History in Burp Suite.

Request / Response from API/Endpoint

API/Endpoint

There are several API/endpoint projects you can download from GitHub; most of them run with Docker, which is convenient for us.

We will use crAPI from GitHub; here is the link:

Install crAPI following its steps ;)

To interact with the API, use port 8888: http://localhost:8888. First you need to create a username and confirm it via email. For that you can use the MailHog service, which is reachable on port 8025 (http://localhost:8025).

To start crAPI:

It does not matter which Linux distribution you are using; the Docker command is the same. Move to the directory where crAPI was downloaded and run:

sudo docker-compose up

crAPI running on port 8888

Create a username and click “Signup”.

Confirm it via email.

Copy the VIN and PIN code from the email, then log in and confirm with them.

Confirm username with Pin code and VIN
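Fetching the confirmation mail by hand from MailHog gets old when you rebuild the lab often. The following added helper (my own example, not part of crAPI or MailHog) polls MailHog's HTTP API on port 8025 for the signup mail and pulls out the VIN and PIN; it assumes the `/api/v2/messages` endpoint and that the mail body labels the values as "VIN" and "PIN" (the sample body below is constructed, so adjust the regexes if crAPI's template differs).

```python
"""Poll the lab's MailHog inbox for the crAPI signup mail and extract VIN and PIN."""
import json
import re
import time
import urllib.request
from typing import Optional

# MailHog's v2 messages endpoint on the port used in this lab.
MAILHOG_API = "http://localhost:8025/api/v2/messages"

# Constructed sample body shaped like a registration mail; NOT a real crAPI message.
SAMPLE_BODY = (
    "Hello test@example.com,\r\n\r\n"
    "Your vehicle has been registered.\r\n"
    "VIN: 1HGCM82633A004352\r\n"
    "PIN: 4821\r\n"
)

VIN_RE = re.compile(r"VIN\W+([A-HJ-NPR-Z0-9]{17})")  # assumed label; 17-char VIN, no I/O/Q
PIN_RE = re.compile(r"PIN\W+(\d{4})")               # assumed label; 4-digit PIN


def extract_codes(body: str) -> Optional[dict]:
    """Return {'vin': ..., 'pin': ...} when both values are present, else None."""
    vin, pin = VIN_RE.search(body), PIN_RE.search(body)
    if not (vin and pin):
        return None
    return {"vin": vin.group(1), "pin": pin.group(1)}


def find_codes_for(recipient: str, items: list) -> Optional[dict]:
    """Scan MailHog's 'items' list for a mail to `recipient` that carries a VIN and PIN."""
    for item in items:
        to_addrs = [f"{p['Mailbox']}@{p['Domain']}" for p in item.get("To", [])]
        if recipient in to_addrs:
            codes = extract_codes(item.get("Content", {}).get("Body", ""))
            if codes:
                return codes
    return None


def wait_for_codes(recipient: str, timeout: int = 60, api: str = MAILHOG_API) -> Optional[dict]:
    """Poll MailHog until the confirmation mail for `recipient` arrives or `timeout` expires."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        with urllib.request.urlopen(api, timeout=5) as resp:  # GET /api/v2/messages
            items = json.load(resp).get("items", [])
        codes = find_codes_for(recipient, items)
        if codes:
            return codes
        time.sleep(2)
    return None


if __name__ == "__main__":
    print(wait_for_codes("test@example.com"))
```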

We are ready to play with the API/endpoint! ;) See you in the following post!
