Launching HTB CWEE: Certified Web Exploitation Expert Learn More

API Attacks

Web APIs serve as crucial connectors across diverse entities in the modern digital landscape. However, their extensive functionality also exposes them to a range of potential attacks. This module introduces API Attacks, with a specific focus on the OWASP API Security Top 10 - 2023.


Created by Pedant

Medium Offensive


Web Application Programming Interfaces (APIs) are ubiquitous, enabling seamless data exchange between diverse systems and applications on the Internet. However, they can be susceptible to various vulnerabilities. This module delves into the critical realm of API security, exploring common vulnerabilities and attack vectors. With a primary focus on the OWASP API Security Top 10 - 2023, we'll examine the most prevalent risks facing APIs by attacking a RESTful API of an E-Commerce Marketplace.

In detail, this module will cover the following:

  • API1:2023 Broken Object Level Authorization
  • API2:2023 Broken Authentication
  • API3:2023 Broken Object Property Level Authorization
  • API4:2023 Unrestricted Resource Consumption
  • API5:2023 Broken Function Level Authorization
  • API6:2023 Unrestricted Access to Sensitive Business Flows
  • API7:2023 Server Side Request Forgery
  • API8:2023 Security Misconfiguration
  • API9:2023 Improper Inventory Management
  • API10:2023 Unsafe Consumption of APIs

This module is broken into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.

You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts presented in each section. You can do this in the PwnBox provided in the interactive sections or your virtual machine.

A firm grasp of the following modules can be considered a prerequisite for the successful completion of this module:

  • Web Requests
  • Introduction to Web Applications
  • Attacking Web Applications with Ffuf
  • SQL Injection Fundamentals
  • Broken Authentication

Introduction to API Attacks

Application Programming Interfaces (APIs) are foundational to modern software development, with web APIs being the most prevalent form. They enable seamless communication and data exchange across diverse systems over the internet, serving as crucial bridges that facilitate integration and collaboration among different software applications.

At their essence, APIs consist of defined rules and protocols that dictate how disparate systems interact. They specify data formatting requirements, delineate access methods for resources, and define expected response structures. APIs are broadly categorized as either public, accessible to external parties, or private, restricted to specific organizations or groups of systems.

API Building Styles

Web APIs can be built using various architectural styles, including REST, SOAP, GraphQL, and gRPC, each with its own strengths and use cases:

  • Representational State Transfer (REST) is the most popular API style. It uses a client-server model where clients make requests to resources on a server using standard HTTP methods (GET, POST, PUT, DELETE). RESTful APIs are stateless, meaning each request contains all necessary information for the server to process it, and responses are typically serialized as JSON or XML.
  • Simple Object Access Protocol (SOAP) uses XML for message exchange between systems. SOAP APIs are highly standardized and offer comprehensive features for security, transactions, and error handling, but they are generally more complex to implement and use than RESTful APIs.
  • GraphQL is an alternative style that provides a more flexible and efficient way to fetch and update data. Instead of returning a fixed set of fields for each resource, GraphQL allows clients to specify exactly what data they need, reducing over-fetching and under-fetching of data. GraphQL APIs use a single endpoint and a strongly-typed query language to retrieve data.
  • gRPC is a newer style that uses Protocol Buffers for message serialization, providing a high-performance, efficient way to communicate between systems. gRPC APIs can be developed in a variety of programming languages and are particularly useful for microservices and distributed systems.

In this module, our focus will be on attacks against a RESTful web API. However, the vulnerabilities demonstrated may also exist in APIs built using other architectural styles.

API Attacks

Due to their versatility and ubiquitousness, APIs are a double-edged sword. Regardless that they are a critical component of modern software architecture, they also present a broad attack surface. The very nature of APIs, facilitating data exchange and communication between diverse systems, introduces vulnerabilities, such as Exposure of Sensitive Data, Authentication and Authorization Issues, Insufficient Rate Limiting, Improper Error Handling, and various other security misconfigurations.

OWASP Top 10 API Security Risks

To categorize and standardize the security vulnerabilities and misconfigurations that APIs can face, OWASP has curated the OWASP API Security Top 10, a comprehensive list of the most critical security risks specifically related to APIs:

Risk Description
API1:2023 - Broken Object Level Authorization The API allows authenticated users to access data they are not authorized to view.
API2:2023 - Broken Authentication The authentication mechanisms of the API can be bypassed or circumvented, allowing unauthorized access.
API3:2023 - Broken Object Property Level Authorization The API reveals sensitive data to authorized users that they should not access or permits them to manipulate sensitive properties.
API4:2023 - Unrestricted Resource Consumption The API does not limit the amount of resources users can consume.
API5:2023 - Broken Function Level Authorization The API allows unauthorized users to perform authorized operations.
API6:2023 - Unrestricted Access to Sensitive Business Flows The API exposes sensitive business flows, leading to potential financial losses and other damages.
API7:2023 - Server Side Request Forgery The API does not validate requests adequately, allowing attackers to send malicious requests and interact with internal resources.
API8:2023 - Security Misconfiguration The API suffers from security misconfigurations, including vulnerabilities that lead to Injection Attacks.
API9:2023 - Improper Inventory Management The API does not properly and securely manage version inventory.
API10:2023 - Unsafe Consumption of APIs The API consumes another API unsafely, leading to potential security risks.

This module will focus on exploiting all these security risks and understanding how to prevent them.

Sign Up / Log In to Unlock the Module

Please Sign Up or Log In to unlock the module and access the rest of the sections.