Unleash Your Skills: Mastering REST API Fuzzing Like a Pro

Dive into REST API Fuzzing

As tech advances, apps are shifting to platform-independent structures. To make this happen, services that all platforms can chat with are created. These services are what we call “Web Services” today. Web services are set up as APIs (Application Programming Interface), and each service has its own set of tasks and dependencies. To hook up to these APIs, clients—apps that talk to services—can use SOAP or REST API.

Getting to Know REST API Services

When you’re poking around apps that use “REST API” services, it’s super important to get how these services work. Even if there’s internal paperwork for REST API services in a company, getting your hands on that info during a penetration test is tough. So, when you’re testing REST API services, you’ve got to do some special fuzzing to find endpoints or parameters that the app client isn’t asking for.

Naming REST API Endpoints

The endpoints of REST API services are like the “path” part of a URL. A client needs to know this “path” or endpoint info to get to a web service. Web services do their thing based on these endpoints. There aren’t any official rules for naming endpoints; it’s mostly up to the dev team’s naming habits. Check out these examples of different naming styles for an endpoint doing the same job:

• /getProduct/{id}
• /product/{id}
• /product/get/{id}
• /product/retrieve/{id}

Just remember, in RESTful services, the same endpoint is used for “CRUD” operations of an object. Here are some examples of RESTful service naming:

• GET /product/{id}
• POST /product
• PUT /product/{id}
• DELETE /product/{id}

Finding REST API Endpoints

When you’re testing REST API services, you need to find and test endpoints that aren’t visible in the app but are there for different services. Take an e-commerce site, for example. It’s normal for the e-commerce site’s client to have services that users can see and ask for. There might be a service on the client to get a product’s image info, but it’s not likely for the client to have an endpoint to update that image info. So, the penetration testing pro should look for an endpoint that can update the product’s image based on the endpoint that gets the product’s image.

When you’re on the hunt for endpoints, you should really dig into the dev team’s naming habits. If the dev team uses the “getProduct/{id}” endpoint to grab product info, they probably use endpoints with names like “updateProduct/{id}” to update product info. Or, a service using the “product/{id}” endpoint might use the “product/{id}/update” endpoint. Besides these, the service might do stuff according to the HTTP method to update product info. A request sent to the same endpoint with the PUT or POST method can update product info.

REST API Status Codes

HTTP status codes in the response are a big deal when you’re finding REST API endpoints. Here are some HTTP status codes:

• 200 OK
• 400 Bad Request
• 401 Unauthorized
• 403 Forbidden
• 404 Not Found
• 500 Internal Server Error

Even though the status codes above have certain meanings, devs can use these status codes for other stuff. For example, the server might send back a “200” response instead of the “404” response it should give for an undefined endpoint in the app. When you’re finding stuff, you should look at the response and figure out what responses the server gives under what conditions. Use this info when you’re fuzzing.

Finding REST API Parameters

After you figure out the endpoints, looking at the parameters used by those endpoints is a big part of penetration testing. For example, parameters like “isAdmin” or “admin” can be sent to an endpoint that registers a user, letting the added user be registered with high-level rights. When you’re finding parameters, you should look at all the parameters used all over the app.

Here’s a request and response for an endpoint that lists user info:

Request: GET /user/{id}

Response: {
  “id”: 1,
  “name”: “John Doe”,
  “email”: “john.doe@example.com”,
  “role”: “guest”
}

In the request sent from the client to the server, there’s no “role” value. The web service fills the “role” value with the default value “guest”. If the “role” value is sent in the request, this default thing on the server can be skipped, and you can get a user with high-level rights.

Not every web service shows all the user’s features to the client like in the example above. In these cases, you should use the stuff you figured out during endpoint discovery. By looking at the dev team’s naming habits, you can mess with hidden parameters.