Exercise 42: Sensitive Data Exposure in API Requests

May 16, 2025

Objective

Learn how sensitive data can be exposed through insecure API requests and how attackers can intercept this data. Understand how to mitigate this risk by securing API communications with HTTPS, token-based authentication (OAuth), and encrypting sensitive data.


Scenario

You are assessing a web application that communicates sensitive information (e.g., passwords and credit card details) through API requests over an insecure HTTP connection. Due to the absence of encryption and secure authentication, attackers can intercept and exploit this data.


Lab Setup

Prerequisites:

  • Basic knowledge of APIs, HTTP requests, and web security.
  • XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
  • Tools like Burp Suite or Wireshark for traffic interception.

Step 1: Create the Vulnerable API

  1. PHP Script for Insecure API Endpoint
    • Create a file payment_api.php. This endpoint is deliberately insecure: no transport encryption, no authentication and no input validation.

        <?php
        header("Content-Type: application/json");

        if ($_SERVER['REQUEST_METHOD'] === 'POST') {
            // Card data is taken straight from the request body with no validation.
            $card_number = $_POST['card_number'] ?? '';
            $cvv         = $_POST['cvv'] ?? '';
            $amount      = $_POST['amount'] ?? '';

            $response = [
                'status'  => 'success',
                // "$$amount" prints a literal "$" followed by the value of $amount.
                'message' => "Payment of $$amount processed for card ending in " . substr($card_number, -4)
            ];
            echo json_encode($response);
        }
        ?>
  2. Running the Application
    • Start the Apache server.
    • Place payment_api.php in the web server’s root directory (htdocs for XAMPP).
    • Use curl to simulate API requests: curl -X POST http://localhost/payment_api.php -d "card_number=4111111111111111&cvv=123&amount=100"
    • Expected Result: { "status": "success", "message": "Payment of $100 processed for card ending in 1111" }

Exploitation Steps

Step 1: Intercepting Sensitive Data

  1. Open Wireshark or Burp Suite.
  2. Capture network traffic while sending the API request.
  3. Expected Result:
    • Sensitive data such as the credit card number and CVV is visible in plaintext.

Step 2: Exploiting Exposed API Endpoints

  1. Use Burp Suite to modify the intercepted request.
  2. Change the amount or card number in transit.
  3. Expected Result:
    • The server processes the modified request without verification.

Solution and Prevention

Problem Analysis

  • The API transmits sensitive data over HTTP without encryption or authentication.

Fixing the Vulnerability

  1. Enforce HTTPS for Secure Communication
    • Configure the server to use SSL/TLS and redirect plaintext requests. With mod_rewrite enabled, add the following to the site's .htaccess (or the virtual host configuration):

        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

      A redirect only protects later requests: a POST body that was already sent over HTTP has crossed the network in plaintext before the 301 arrives, so clients must be pointed at the https:// URL directly.
  2. Implement Token-Based Authentication (OAuth)
    • Replace basic authentication with secure tokens. The check below requires a bearer token on every request; the literal 'secure_token_123' stands in for a token issued by your OAuth server and must not be hardcoded in production code:

        $headers = apache_request_headers();
        $auth = $headers['Authorization'] ?? '';
        // hash_equals() compares in constant time and the ?? default avoids a notice when the header is absent.
        if (!hash_equals('Bearer secure_token_123', $auth)) {
            http_response_code(401);
            echo json_encode(["error" => "Unauthorized"]);
            exit();
        }
  3. Encrypt Sensitive Data Before Transmission
    • Encrypt data using AES-256 before sending. AES-256-CBC needs a 32-byte key and a 16-byte IV; the two-character 'iv' and the short 'encryption_key' literals in the one-line version make openssl_encrypt() emit a warning and pad them, so derive both properly and send the IV alongside the ciphertext:

        // Key must be 32 bytes and come from a secrets store, never a literal in source.
        // CARD_ENC_KEY_HEX is a placeholder variable name (64 hex characters -> 32 bytes).
        $key = hex2bin(getenv('CARD_ENC_KEY_HEX'));
        // Fresh random 16-byte IV for every message; the IV is not secret.
        $iv  = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));
        $encrypted_card = openssl_encrypt($card_number, 'aes-256-cbc', $key, 0, $iv);
        // Transmit the IV together with the ciphertext so the receiver can decrypt.
        $payload = base64_encode($iv) . ':' . $encrypted_card;
  4. Input Validation and Rate Limiting
    • Validate inputs and limit request frequency to prevent abuse.
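As an added example (not code from the original lab), here is a hardened payment_api.php that combines fixes 1, 2 and 4 in one file: it refuses plaintext HTTP, checks the bearer token against an API_TOKEN environment variable (an assumed name) with a constant-time compare, validates the card number (Luhn), CVV and amount on the server so a request modified in transit is rejected rather than processed, and never echoes the full card number or the CVV. The luhn_valid() helper, the amount format and the use of apache_request_headers() (the lab's Apache setup) are assumptions for illustration.

```php
<?php
// Added example, not from the original lab. API_TOKEN is an assumed env var name.
header("Content-Type: application/json");

function fail(int $code, string $msg): void {
    http_response_code($code);
    echo json_encode(["error" => $msg]);
    exit();
}

// Luhn check: rejects mistyped or tampered card numbers before any processing.
function luhn_valid(string $pan): bool {
    if (!preg_match('/^\d{12,19}$/', $pan)) return false;
    $sum = 0; $double = false;
    for ($i = strlen($pan) - 1; $i >= 0; $i--) {
        $d = (int)$pan[$i];
        if ($double && ($d *= 2) > 9) $d -= 9;
        $sum += $d; $double = !$double;
    }
    return $sum % 10 === 0;
}

// 1. Refuse plaintext HTTP outright instead of relying only on the redirect.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') fail(403, "HTTPS required");

// 2. Bearer token loaded from the environment and compared in constant time.
$expected = getenv('API_TOKEN') ?: '';
$auth = apache_request_headers()['Authorization'] ?? '';
if ($expected === '' || !hash_equals("Bearer $expected", $auth)) fail(401, "Unauthorized");

if ($_SERVER['REQUEST_METHOD'] !== 'POST') fail(405, "Method not allowed");

// 3. Server-side validation: a request modified in transit is rejected, not processed.
$card   = $_POST['card_number'] ?? '';
$cvv    = $_POST['cvv'] ?? '';
$amount = $_POST['amount'] ?? '';
if (!luhn_valid($card))               fail(400, "Invalid card number");
if (!preg_match('/^\d{3,4}$/', $cvv)) fail(400, "Invalid CVV");
if (!preg_match('/^\d{1,5}(\.\d{1,2})?$/', $amount) || (float)$amount <= 0) fail(400, "Invalid amount");

// 4. Respond with only the last four digits; the CVV is never echoed or logged.
echo json_encode([
    'status'  => 'success',
    'message' => sprintf('Payment of $%.2f processed for card ending in %s', (float)$amount, substr($card, -4)),
]);
```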

Testing After Fix

  1. Resend the payment request over HTTP.
  2. Expected Result:
    • The server redirects to HTTPS, and sensitive data is encrypted.
  3. Attempt to access the API without an authentication token.
  4. Expected Result:
    • The server responds with a 401 Unauthorized error.

Conclusion

In this lab, you exploited Sensitive Data Exposure by intercepting insecure API requests containing sensitive information. You also learned how to mitigate this risk using HTTPS, token-based authentication (OAuth), and encryption of sensitive data.
