A presentation given by Katie Paxton-Fear, API Security Educator, Traceable AI, at our 2024 Austin API Summit, March 12-13. Session Description: Have you ever wanted to be the villain or anti-hero? In this talk, we'll cover how to hack APIs, with permission, of course. First, we'll look at the tools of the trade for API hackers, some of the most common security vulnerabilities and how we test for them, and finally, I'll tell some of my API hacking stories. The aim of the session will be to learn a little API hacking and encourage people to have a go at API hacking themselves. Participants will also join me as I hack live, giving suggestions for the next steps, for an interactive and engaging session.

1. I’m An API Hacker, Here’s How
To Go From Making APIs To
Breaking Them
Katie Paxton-Fear
API Security Researcher
Traceable

2. About
Katie AKA InsiderPhD
● PhD in Cyber Security / AI
● Occasional hacker and content creator
● Found vulnerabilities in software you probably
use every day
● Work at Traceable doing API security education

3. Neopets to Now
3

4. API Hacking
● A lot of people will tell you that API hacking is a
specific skill
○ Myself included
● It’s really just thinking through how to abuse the
business logic or permissions of an API
● Everything else is just tricks to do it faster

5. Find Endpoints
Understand
what the
application does
What are the
‘no’s
Test if that no is
a yes
Write it up so
someone else
can understand
it
Stages of Hacking

6. API hacker's toolbox

7. Editing Requests
Postman Burp
Use whatever you feel comfortable using!

8. Broken Object Level
Authorization
Broken
Authentication
Broken Object
Property Level
Authorization
Unrestricted
Resource
Consumption
Broken Function
Level Authorization
Unrestricted Access
to Sensitive
Business Flows
Server Side Request
Forgery
Security
Misconfiguration
Improper Inventory
Management
Unsafe consumption
of APIs
API Top 10
`
` `

9. ACCESS CONTROL BUSINESS LOGIC INFORMATION
DISCLOSURE
Common API issues

10. Why?
● These vulnerabilities are hard to run a scan
to find
○ They need the context of what an API does and
how they work!
● Frameworks have dramatically reduced
injection-type vulnerabilities
○ They’re still bad just less common
● Usually caused by simple mistakes
○ Even sometimes a single line of code

11. What am I actually doing when I am hacking?
Identifying endpoints I think might be vulnerable
Making small changes to the requests to add a malicious element
Okay this endpoint
lets me input a review
– I should look for
injection vulns
I’ll start by testing
XSS

12. What am I actually doing when I am hacking?
Seeing if it worked
Going back to the API and trying something else…
Until it works!
The review
endpoint definitely
isn’t vulnerable to
XSS
But the basket
endpoint has a
pretty clear BOLA!

13. My bugs aren’t complex
13

14. I’ll never be on the list
14

15. It’s the little things
15

16. Sometimes only missing if statements
16

17. ● Everyone in this room eats, sleeps and breathes
APIs in one form or another
● YOU know far more about APIs than the
average API hacker
● You don’t need to buy a fancy course
● I promise these are vulnerabilities you can find
● Let’s talk about some of my 1337 Hax0r findings
If you know APIs you can do API hacking

18. Crud In Action

19. Edit Form
SUBMIT
403 ACCESS FORBIDDEN

20. What if it’s private???

21. Ecommerce

22. Doing math
$1.60 * 3 = $4.80

23. Shopping in 2023

24. Negative numbers
Add
$59.99
$59.99
$59.99
$-59.99
= 3 Furby’s for the price of 2
-

25. Doing math
$1.60 * 3 = $4.80
$1.15 * -2= -$2.30
$4.80 + -$2.30 = $2.50

26. Order Successful!