SQLi via API
--
Hello there,
This is one of the recent things I learned for API injection.
In fact, SQLi is one of the most common API security vulnerabilities. Honestly, I wasn't giving APIs any attention in testing before. So here I am exploring and sharing this piece of knowledge.
1- Fuzzing
You might be lucky enough to find the parameter directly. In some scenarios, you need to fuzz to find a parameter that will reveal the API’s functionality.
Tool: ffuf
2- Send an HTTP request
Now, you need to examine the response you get with the parameter you found. You can do that using curl or directly in your web browser. Burp Suite is handy for this task, since it gives you full control over the request and response.
Brute force
It's quite useful to brute-force the API parameter with different values and see what hits. The following is a Python script that brute-forces the values from 1–10000.
Note: you can customize the script and change the range, datatype, and parameter name.
import requests, sys

def brute():
    try:
        url = sys.argv[1]          # target base URL, e.g. http://TARGET:PORT/
        value = range(10000)       # values range (range(10000) yields 0..9999)
        for val in value:
            r = requests.get(url + '/?id=' + str(val))
            if "position" in r.text:   # marker string that indicates a hit
                print("Number found!", val)
                print(r.text)
    except IndexError:
        print("Enter a VALID URL E.g.: http://TARGET:PORT/")

brute()
After running this script, you might get access to some juicy information and report that as "Information disclosure". However, we would like to escalate that and turn it into SQLi.
3- Exploit
Here is the favourite, yet challenging part. You can do that using any tool of your choice, but let's agree that sqlmap is the best soldier for such a mission.
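From the defender's side, what sqlmap finds in this kind of endpoint is almost always a query built by string formatting from the id parameter. The following is an added example, not code from the original post: it uses a constructed in-memory SQLite table (the employees table and its position column are assumptions, chosen to match the "position" marker the brute-force script looks for) and puts the vulnerable lookup beside a hardened one that validates id as a bounded positive integer and binds it as a query parameter.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the API's backing store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, position TEXT)")
    con.executemany("INSERT INTO employees VALUES (?, ?, ?)", [
        (1, "alice", "engineer"),
        (2, "bob", "manager"),
        (3, "carol", "analyst"),
    ])
    return con

def lookup_vulnerable(con, raw_id):
    """Builds the SQL by string formatting: whatever the client sends in ?id=
    becomes part of the statement, so a non-numeric value changes its logic."""
    query = f"SELECT id, name, position FROM employees WHERE id = {raw_id}"
    return con.execute(query).fetchall()

# Positive integer, at most 10 digits: the only shape an id is allowed to have.
ID_PATTERN = re.compile(r"[1-9][0-9]{0,9}")

def lookup_hardened(con, raw_id):
    """Rejects anything that is not a bounded positive integer, then binds the
    value as a parameter so it can never alter the query's structure."""
    if not ID_PATTERN.fullmatch(raw_id):
        raise ValueError("id must be a positive integer")
    query = "SELECT id, name, position FROM employees WHERE id = ?"
    return con.execute(query, (int(raw_id),)).fetchall()

if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, "2"))           # one row, as intended
    print(lookup_vulnerable(con, "0 OR 1=1"))    # every row: the injection
    print(lookup_hardened(con, "2"))             # one row
    try:
        lookup_hardened(con, "0 OR 1=1")         # constructed bad input
    except ValueError as err:
        print("rejected:", err)
```

The hardened version is also what makes the brute-force step less rewarding: an endpoint that only accepts well-formed ids still leaks rows by enumeration, so pair it with authorization checks on the requested record and with rate limiting on sequential id requests.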
That's all! I know that there are a lot of details regarding such a topic, but I did my best to illustrate it in the most abstract form. I'm still new to API security, so there's much to learn.
Thank you :) happy hacking!