Exercise 32: Insecure API Usage and Insecure Communication

Apr 1, 2025

Objective

Learn how to exploit Insecure API Usage and Insecure Communication by interacting with poorly secured APIs to access or manipulate sensitive data. Understand how to secure APIs through authentication mechanisms, encrypted communication, and access controls.

Scenario

You are testing a web application that exposes a REST API for retrieving user data. The API lacks proper authentication and is accessible over an unencrypted HTTP connection, making it vulnerable to unauthorized access and data interception.


Lab Setup

Prerequisites:

  • Basic knowledge of APIs, HTTP protocols, and web security.
  • XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
  • Tools like Postman or curl for API testing.
  • Wireshark or Burp Suite for network analysis.

Step 1: Create the Vulnerable API

PHP Script for Insecure API Endpoint

Create a file api.php:

<?php
// Deliberately insecure endpoint for the lab: there is no authentication check,
// no rate limit, and the id parameter is used as-is.
$users = [
    ["id" => 1, "username" => "alice", "email" => "[email protected]"],
    ["id" => 2, "username" => "bob", "email" => "[email protected]"]
];

if (isset($_GET['id'])) {
    $id = $_GET['id'];   // untrusted query-string value, not validated
    foreach ($users as $user) {
        // Loose (==) comparison: any caller who can guess an id gets the record back.
        if ($user['id'] == $id) {
            echo json_encode($user);
            exit();
        }
    }
    echo json_encode(["error" => "User not found."]);
} else {
    echo json_encode(["error" => "No ID specified."]);
}
?>

Running the API

  • Start the Apache server.
  • Place api.php in the web server’s root directory (htdocs for XAMPP).
  • Access the API via http://localhost/api.php?id=1.

Exploitation Steps

Step 1: Accessing Sensitive Data Without Authentication

Open Postman or use curl to make a request:

curl http://localhost/api.php?id=1

Expected Result:

The API returns user data without any authentication check.

{
    "id": 1,
    "username": "alice",
    "email": "[email protected]"
}

Step 2: Intercepting Unencrypted API Traffic

  1. Use Wireshark or Burp Suite to monitor network traffic.
  2. Capture a request to http://localhost/api.php?id=1.

Expected Result:

  • Sensitive data is transmitted in plaintext, visible in the network capture.

Step 3: Brute-Forcing API Endpoints

Use a script to enumerate user IDs:

for i in {1..5}; do curl http://localhost/api.php?id=$i; echo; done

Expected Result:

  • The attacker can enumerate all users without restriction.

Solution and Prevention

Problem Analysis

  • The API is accessible without authentication, uses unencrypted HTTP communication, and places no limit on how many IDs a single client may request, so every record can be read and intercepted.

Fixing the Vulnerability

Implement API Key Authentication

Modify api.php to require an API key. The key is read with a default so a request without the parameter does not trigger an "undefined index" notice (which would corrupt the JSON response), and it is compared with hash_equals() rather than !== so the comparison takes constant time:

<?php
// Shared secret for the lab. In a real deployment load it from configuration
// outside the web root instead of hard-coding it in the script.
$apiKey = "secureAPIkey123";

header('Content-Type: application/json');

// Accept only a string value; a missing or malformed parameter becomes ''.
$providedKey = is_string($_GET['key'] ?? null) ? $_GET['key'] : '';

// Constant-time comparison of the presented key against the expected one.
if (!hash_equals($apiKey, $providedKey)) {
    header('HTTP/1.1 401 Unauthorized');
    echo json_encode(["error" => "Unauthorized access."]);
    exit();
}

$users = [
    ["id" => 1, "username" => "alice", "email" => "[email protected]"],
    ["id" => 2, "username" => "bob", "email" => "[email protected]"]
];

if (isset($_GET['id'])) {
    $id = $_GET['id'];
    foreach ($users as $user) {
        if ($user['id'] == $id) {
            echo json_encode($user);
            exit();
        }
    }
    echo json_encode(["error" => "User not found."]);
} else {
    echo json_encode(["error" => "No ID specified."]);
}
?>

Use HTTPS for Secure Communication

Install a TLS certificate and add the following to the site's .htaccess (or the virtual host configuration) with mod_rewrite enabled, so that plain HTTP requests are redirected to HTTPS:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

A redirect only takes effect after the first plaintext request, query string included, has already left the client, so a caller that starts with http:// still exposes its parameters once. Sending a Strict-Transport-Security header over HTTPS makes browsers go straight to HTTPS on later visits.

Rate Limiting and Throttling

Prevent brute-force enumeration by limiting how many requests a client may make per time window:

Implement middleware or server configurations (e.g., ModSecurity, NGINX rate limiting).

Use OAuth 2.0 for Secure API Authentication

Implement token-based authentication for stronger security than a single shared key.

Input Validation and Sanitization

Validate input parameters (for example, require id to be a positive integer) to prevent injection attacks.
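As an added example that is not part of the lab, the following hardened api.php combines the measures above in one script: an API key checked in constant time, per-client rate limiting, and integer validation of id. Assumed here: the key is sent in an X-API-Key header rather than the query string, the rate-limit counter is kept in a file in the system temp directory, and the example.com addresses are constructed sample data.

```php
<?php
// Added example, not the lab's own code: hardened api.php combining the fixes above.
// Assumptions: the key arrives in an X-API-Key header and rate-limit state lives in a temp file.
const API_KEY     = 'secureAPIkey123';  // lab value; load from config outside the web root in practice
const RATE_LIMIT  = 10;                 // requests per window, per client IP
const RATE_WINDOW = 60;                 // window length in seconds
header('Content-Type: application/json');
header('Strict-Transport-Security: max-age=31536000');  // browsers honour it only over HTTPS

function fail(int $status, string $msg): void {
    http_response_code($status);
    echo json_encode(['error' => $msg]);
    exit();
}

// Fixed-window counter per client address; flock() keeps concurrent requests from racing.
function rateLimited(string $client, int $now): bool {
    $fh = fopen(sys_get_temp_dir() . '/api_rate_' . md5($client) . '.json', 'c+');
    flock($fh, LOCK_EX);
    $state = json_decode(stream_get_contents($fh), true) ?: ['start' => $now, 'count' => 0];
    if ($now - $state['start'] >= RATE_WINDOW) {
        $state = ['start' => $now, 'count' => 0];  // window expired: start a new one
    }
    $state['count']++;
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $state['count'] > RATE_LIMIT;
}

if (rateLimited($_SERVER['REMOTE_ADDR'] ?? 'unknown', time())) {
    header('Retry-After: ' . RATE_WINDOW);
    fail(429, 'Too many requests.');
}
// Key in a header keeps it out of access logs and shell history; hash_equals() is constant-time.
if (!hash_equals(API_KEY, $_SERVER['HTTP_X_API_KEY'] ?? '')) {
    fail(401, 'Unauthorized access.');
}
// filter_input() gives null when id is absent and false when it is not a positive integer.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null)  fail(400, 'No ID specified.');
if ($id === false) fail(400, 'Invalid ID.');
$users = [  // constructed sample data, keyed by id
    1 => ['id' => 1, 'username' => 'alice', 'email' => 'alice@example.com'],
    2 => ['id' => 2, 'username' => 'bob',   'email' => 'bob@example.com'],
];
if (!isset($users[$id])) fail(404, 'User not found.');
echo json_encode($users[$id]);
```

Call it with curl -H "X-API-Key: secureAPIkey123" "https://localhost/api.php?id=1"; the eleventh request from one address within a minute is answered with 429 and a Retry-After header.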


Testing After Fix

Attempt to access the API without the API key:

curl http://localhost/api.php?id=1

Expected Result:

The API responds with HTTP 401 and the body:

{
    "error": "Unauthorized access."
}

Attempt to access using HTTPS (the URL is quoted so the shell does not treat & as a background operator; if the lab uses a self-signed certificate, point curl at it with --cacert so verification still succeeds):

curl "https://localhost/api.php?id=1&key=secureAPIkey123"

Expected Result:

The request succeeds over HTTPS, and sensitive data is encrypted in transit.

Conclusion

In this lab, you exploited Insecure API Usage and Insecure Communication by accessing sensitive data without authentication and intercepting unencrypted traffic. You also learned how to mitigate these risks using API authentication, enforcing HTTPS, implementing rate limiting, and securing communication channels.
