How to Break APIs: A Hacker’s Perspective


As API reliance increases across the board, APIs are becoming high-value attack targets. Many of these endpoints are low-hanging fruit — due to rampant access control problems, hackers can easily specialize in hacking them and apply similar tactics from API to API.

Katie Paxton-Fear

At Austin API Summit 2024, Katie Paxton-Fear will share API hacking tips to encourage better defensive strategies.

According to Katie Paxton-Fear, API Security Educator at Traceable AI, many APIs are rushed into production, often at the expense of proper security forethought, so not all APIs adopt the principle of least privilege or take a zero-trust approach. In short, this sort of culture can leave many forgotten endpoints open to hacking.

Ahead of Austin API Summit 2024, we’re catching up with key speakers to discover what they’re passionate about and to get their perspective on the API economy in general. Katie Paxton-Fear is an API hacker and cyber security content creator. She started her hacking journey in 2019 and, since then, has discovered over 30 vulnerabilities in real organizations. She also maintains a YouTube channel all about cybersecurity and hacking.

I recently caught up with Katie to explore how to go from making APIs to breaking them, a theme of her upcoming session. Below, we’ll review some common API hacking techniques and briefly consider how API providers should respond. Check out Katie’s answers below, and be sure to attend Austin API Summit 2024 for deeper discussions on this topic and plenty of others!

Why are web APIs so attractive for hackers right now?

I think it’s two-fold. One, they are everywhere. And two, they’re often created with the assumption that only internal developers will see them, even if they are published externally. But if you think about it, it makes sense for a hacker to specialize in APIs because if you’re targeting an API, it’s one skillset — you don’t have to learn WAF bypasses, how mobile apps implement Firebase, or how to fire off a JavaScript XSS payload in any JavaScript framework.

What are the low-hanging fruits for hackers when they try to attack APIs?

Access control issues are by far the most common vulnerability I see. Usually, it’s because the API gets forgotten when development cycles push releasing code over securing that code. Typical scenarios include accessing another tenant’s data because you’re an admin in your own tenant, viewing data via the API that should be private to a specific user, or editing a resource as long as you know its identifier.
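Editor's added example (not part of the interview and not Katie's code): a minimal Python sketch of the three scenarios above, showing a handler that trusts the identifier next to one that checks tenant, ownership and action on every request. The `Caller` and `Invoice` types, the sample records and all function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Caller:
    user_id: str
    tenant_id: str
    role: str  # "admin" or "member"; the role is only meaningful inside tenant_id

@dataclass
class Invoice:
    id: int
    tenant_id: str
    owner_id: str
    private: bool
    amount: int

# Constructed sample records standing in for a database table.
INVOICES = {
    1: Invoice(1, "acme", "alice", True, 100),
    2: Invoice(2, "acme", "alice", False, 40),
    3: Invoice(3, "globex", "bob", False, 250),
}

class Forbidden(Exception):
    pass

def get_invoice_vulnerable(caller: Caller, invoice_id: int) -> Invoice:
    # Flawed on purpose: authentication only, so knowing the id is enough.
    return INVOICES[invoice_id]

def authorize(caller: Caller, inv: Invoice, action: str) -> bool:
    # Tenant boundary first: an admin elsewhere is a stranger here.
    if inv.tenant_id != caller.tenant_id:
        return False
    if caller.role == "admin":
        return True
    if action == "read":
        return inv.owner_id == caller.user_id or not inv.private
    if action == "edit":
        return inv.owner_id == caller.user_id
    return False  # unknown actions are denied by default

def _load(caller: Caller, invoice_id: int, action: str) -> Invoice:
    inv = INVOICES.get(invoice_id)
    # Same error for "missing" and "not yours", so ids cannot be enumerated.
    if inv is None or not authorize(caller, inv, action):
        raise Forbidden(f"{action} denied")
    return inv

def get_invoice(caller: Caller, invoice_id: int) -> Invoice:
    return _load(caller, invoice_id, "read")

def update_amount(caller: Caller, invoice_id: int, amount: int) -> Invoice:
    inv = _load(caller, invoice_id, "edit")
    inv.amount = amount
    return inv
```
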

How do you think like a bad guy? What sort of strategies should API owners consider when testing out their APIs?

I honestly don’t actually think like a bad guy. For context, I used to work as a developer writing an internal CRM with a Laravel backend. If I were building that API, how would I build it incorrectly, what mistakes would I make, or what trade-offs would I consider to get code out the door? Some of the best strategies API owners can take are prioritizing security as much as new features, encouraging more eyes in the API review process, and testing for the OWASP API top 10 when in doubt.

Who should have the onus of API security responsibility? The developer team, security team, DevSecOps, developer user, end consumer, or others?

It would be great to say, ‘Okay, you make the API, you secure it,’ or ‘You are the security team, you’re responsible for security.’ However, that attitude leads to security being a ‘not my circus, not my monkeys’ scenario. Security is everyone’s responsibility, and that means we all win and lose together.

What are some examples of high-worth endpoints to focus on securing?

You’ll have to come to the session 😉. But anything that deals with money or accounts is always high on my list!

Why are you looking forward to the Austin API Summit? (Assuming you are 😉)

I’m looking forward to getting out of the security bubble and understanding some of the real-world challenges that API owners, developers, and operations are facing, including challenges outside of security, specifically.

What do you hope attendees will take away from your session?

I would love everyone from my session to go home and hack an API. I taught my mum to hack, and she’s scared of the start menu when it pops up after she hits the Windows key. If she can do it, anyone can!