How your API might be exposing everything about your server, its host, and its users
Today I want to talk about a very serious security concern that is still very often present in today's digital landscape: API vulnerabilities.
I remember my first real, full pentest. Not just finding some vulns and telling the guy "X, Y and Z vulnerabilities are present, here are the payloads to see for yourself", but a full pentest with a report including recommendations, steps to reproduce, impact, etc.
Now, why did I mention it? Because since the very beginning I have noticed that APIs are often left vulnerable. Either by default, by fuzzing, or by triggering errors, an attacker can retrieve a lot of sensitive information: from the host's OS to the number of users and, in some cases, even their full "dossier", everything the server knows about those people.
As mentioned, the common ways I have come across vulnerabilities in APIs are:
1. The API itself exposes everything.
2. Fuzz the API and you will find sweet spots.
3. Find functionality where you can trigger errors, and the error message will show you sensitive info.
Let's start with the third one. This usually happens when the framework's DEBUG mode is left set to True in production, so an unhandled exception returns a full diagnostic page (stack trace, local variables, configuration) instead of a generic error. And man, it can include some REALLY sensitive data. Here is an example:
- I was testing a web app and found its API subdomain. I found a place where I could input values, gave it a giant value, and the server responded with an error. Among all the sensitive info disclosed there was a link to a different URL (I won't mention where it led), and there you had some keys with which you could get info on the registered people: their full legal names, vehicles, some sensitive numbers, etc. The server exposed not only them but also info about other organizations, vehicles, etc.
This demonstrates how important it is to make sure that your API is ALWAYS configured properly and securely: debug mode off in production, a generic error body for unhandled exceptions, and the details (stack trace, request data, configuration) written only to server-side logs.
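To make the failure mode concrete, here is an added example (my code, not something from the post or from any application it describes) of the same endpoint served two ways: a DEBUG-style handler that returns the stack trace, every frame's local variables and the application settings, and a hardened handler that returns a generic message plus a correlation id and keeps the details in the server log. The `/vehicles/{id}` lookup, the settings values and the internal URL with an embedded key are constructed for this demonstration.

```python
from __future__ import annotations

import json
import logging
import traceback
import uuid

# Constructed settings for this example. A framework debug page typically dumps
# the application configuration next to the stack trace, which is how an
# internal URL (and the key embedded in it) ends up inside an error response.
SETTINGS = {
    "DATABASE_URL": "postgres://app:s3cr3t-db-pass@db.internal:5432/app",
    "REPORTS_EXPORT_URL": "https://reports.internal/export?apikey=CONSTRUCTED-KEY",
}

MAX_INPUT_LEN = 64
log = logging.getLogger("api")


def parse_vehicle_id(value: str) -> int:
    """Hypothetical input validation: an oversized value raises an exception."""
    if len(value) > MAX_INPUT_LEN:
        raise ValueError(f"input too long: {len(value)} chars")
    return int(value)


def debug_error_response(exc: BaseException) -> tuple[int, dict]:
    """What DEBUG=True hands back: traceback, each frame's locals, and settings."""
    tb = traceback.TracebackException.from_exception(exc, capture_locals=True)
    return 500, {
        "error": repr(exc),
        "traceback": "".join(tb.format()),  # the locals include the request value
        "settings": SETTINGS,
    }


def production_error_response(exc: BaseException) -> tuple[int, dict]:
    """Hardened handler: details go to the server log, the client gets an id."""
    error_id = uuid.uuid4().hex
    details = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("error_id=%s %s", error_id, details)
    return 500, {"error": "Internal server error", "error_id": error_id}


def handle_lookup(value: str, debug: bool) -> tuple[int, dict]:
    """Hypothetical /vehicles/{id} handler, switched by the DEBUG flag."""
    try:
        return 200, {"vehicle_id": parse_vehicle_id(value)}
    except Exception as exc:  # the unhandled-exception path the debug page renders
        return debug_error_response(exc) if debug else production_error_response(exc)


def leaks_secrets(body: dict) -> bool:
    """True if any configured secret appears anywhere in the response body."""
    text = json.dumps(body)
    return any(secret in text for secret in SETTINGS.values())


if __name__ == "__main__":
    giant = "A" * 5000  # the "giant value" from the story
    for debug in (True, False):
        status, body = handle_lookup(giant, debug=debug)
        print(f"DEBUG={debug}: HTTP {status}, leaks secrets: {leaks_secrets(body)}")
```

The `leaks_secrets` check is the test worth keeping in a CI suite: send an oversized or malformed value at every endpoint with the production configuration and assert that no configured secret, hostname or stack frame appears in the body.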
Now, to number 2. Imagine you fuzz an API and find a Swagger (OpenAPI) document. You see some functionality and an Authorize button, but the issue is, you have NO JWT TOKEN! Then you explore the server a bit more and... boom! There are some test credentials for some super user right there in the "/login" entry. You test them, the server answers HTTP 200, and you now have a valid JWT token. You use it and see that you are a superadmin who can reset other users' passwords, block them, create new superusers, etc. See?!? Sometimes those Swagger pages are even indexed by Google! In other cases, fuzzing the server turns up directories that simply expose every user present on the server, or leak host info (e.g. memory, OS, etc.).
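As an added example (not from the post, and not any project's code), here is the triage I would run on a Swagger/OpenAPI document found this way: list the operations that require no authentication, the operations worth trying once you hold any token, and any request-body examples that carry credentials. The OpenAPI document embedded below, including its `/login` example credentials and the `/actuator/env` path, is constructed for this illustration; the field names it uses (`paths`, `security`, `requestBody`, `example`) are standard OpenAPI 3.

```python
from __future__ import annotations

import json
import re
from typing import Iterator

# Constructed OpenAPI 3 document standing in for a Swagger page found by fuzzing.
SPEC_JSON = r'''
{
  "openapi": "3.0.0",
  "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}}},
  "security": [{"bearerAuth": []}],
  "paths": {
    "/login": {
      "post": {
        "security": [],
        "requestBody": {"content": {"application/json": {"example": {"username": "test_superadmin", "password": "Test1234!"}}}}
      }
    },
    "/users": {"get": {"summary": "List all users"}},
    "/users/{id}/reset-password": {"post": {"summary": "Reset any user's password"}},
    "/admin/users": {"post": {"summary": "Create superuser"}},
    "/actuator/env": {"get": {"security": [], "summary": "Environment and host info"}}
  }
}
'''

HTTP_METHODS = {"get", "post", "put", "patch", "delete"}
PRIVILEGED_WORDS = re.compile(r"admin|superuser|reset|block|password", re.IGNORECASE)
CRED_KEYS = {"username", "user", "password", "pass", "token", "secret", "apikey", "api_key"}


def load_spec(text: str) -> dict:
    return json.loads(text)


def operations(spec: dict) -> Iterator[tuple[str, str, dict]]:
    """Yield (path, METHOD, operation object) for every operation in the spec."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                yield path, method.upper(), op


def unauthenticated_operations(spec: dict) -> list[str]:
    """Operations whose effective 'security' is empty (a per-op [] overrides the global list)."""
    global_sec = spec.get("security", [])
    return [f"{method} {path}" for path, method, op in operations(spec)
            if not op.get("security", global_sec)]


def privileged_operations(spec: dict) -> list[str]:
    """Operations worth trying with any token you obtain: admin/reset/superuser wording."""
    return [f"{method} {path}" for path, method, op in operations(spec)
            if PRIVILEGED_WORDS.search(path + " " + op.get("summary", ""))]


def example_credentials(spec: dict) -> list[tuple[str, dict]]:
    """Request-body examples that contain credential-looking keys (e.g. on /login)."""
    hits = []
    for path, method, op in operations(spec):
        content = op.get("requestBody", {}).get("content", {})
        for media in content.values():
            examples = [media["example"]] if "example" in media else []
            examples += [e.get("value") for e in media.get("examples", {}).values()]
            for ex in examples:
                if isinstance(ex, dict) and CRED_KEYS & {k.lower() for k in ex}:
                    hits.append((f"{method} {path}", ex))
    return hits


if __name__ == "__main__":
    spec = load_spec(SPEC_JSON)
    print("No auth required:", unauthenticated_operations(spec))
    print("Privileged:", privileged_operations(spec))
    print("Credentials in examples:", example_credentials(spec))
```

Against a real target, replace `SPEC_JSON` with the fetched `swagger.json` or `openapi.json`. Example credentials in a published spec are a finding on their own, before you even try them, and an unauthenticated `/actuator/env`-style path is the "host info" leak the paragraph describes.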
Now, for number 1. What I meant by this is that, at least in some cases, even when there is no proper authentication the server does not expose everything right away; it just says "404 Not Found". But I have come across cases where the API tells you right away that there is, e.g., 'api/v2/' and the like, and when you go in there, the server keeps telling you where to go next, instead of returning a plain 404!
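Added example, not the author's code: a small crawler that follows only the paths a "chatty" API discloses in its own responses, run against a constructed in-memory server that lists its routes on unknown paths, and then against a hardened version of the same server that answers unknown paths with a bare 404 and demands authentication on real endpoints. The route names, record counts and host details are invented for the demonstration.

```python
from __future__ import annotations

import re
from collections import deque
from typing import Callable

# Constructed fake API. The chatty server answers bare or unknown paths with a
# body that names the routes beneath them, so one request maps the whole tree.
CHATTY_ROUTES = {
    "/api": {"error": "not found", "available": ["/api/v1", "/api/v2"]},
    "/api/v1": {"deprecated": True, "see": "/api/v2"},
    "/api/v2": {"endpoints": ["/api/v2/users", "/api/v2/vehicles", "/api/v2/internal/status"]},
    "/api/v2/users": {"count": 1532, "next": "/api/v2/users?page=2"},
    "/api/v2/vehicles": {"count": 4021},
    "/api/v2/internal/status": {"os": "Linux 5.15", "mem_free_mb": 812},
}
REAL_ENDPOINTS = {"/api/v2/users", "/api/v2/vehicles", "/api/v2/internal/status"}

PATH_RE = re.compile(r"/[A-Za-z0-9_./?=&-]*")
Fetch = Callable[[str], tuple[int, dict]]


def chatty_fetch(path: str) -> tuple[int, dict]:
    """Unknown paths still get a hint pointing at the API root."""
    body = CHATTY_ROUTES.get(path)
    return (200, body) if body is not None else (404, {"error": "not found", "hint": "/api"})


def hardened_fetch(path: str) -> tuple[int, dict]:
    """Unknown paths get a bare 404; real endpoints require auth; nothing lists routes."""
    if path.split("?")[0] not in REAL_ENDPOINTS:
        return 404, {"error": "not found"}
    return 401, {"error": "unauthorized"}  # no token in this example


def paths_in(body) -> set[str]:
    """Pull anything that looks like an absolute API path out of a JSON body."""
    found: set[str] = set()
    if isinstance(body, dict):
        for v in body.values():
            found |= paths_in(v)
    elif isinstance(body, list):
        for v in body:
            found |= paths_in(v)
    elif isinstance(body, str) and PATH_RE.fullmatch(body):
        found.add(body.split("?")[0])  # drop query strings so pages collapse to one route
    return found


def crawl_hints(fetch: Fetch, start: str, limit: int = 100) -> dict[str, int]:
    """Breadth-first walk that follows only paths the server itself disclosed.

    Returns {path: status_code} for every path reached.
    """
    seen: dict[str, int] = {}
    queue = deque([start])
    while queue and len(seen) < limit:
        path = queue.popleft()
        if path in seen:
            continue
        status, body = fetch(path)
        seen[path] = status
        queue.extend(hint for hint in paths_in(body) if hint not in seen)
    return seen


if __name__ == "__main__":
    print("chatty:  ", crawl_hints(chatty_fetch, "/api"))
    print("hardened:", crawl_hints(hardened_fetch, "/api"))
```

With the chatty server a single request to `/api` is enough to map every route, including the internal status endpoint with host details; with the hardened one the crawler learns nothing beyond the status code of the path it was given. The fix lives in the server's error handler: unknown paths return a generic 404 with no navigation hints, and unauthenticated requests to real endpoints return 401 without a body that describes the resource.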
