I regularly get asked how someone new to API hacking should start. It happens enough that I have a shortcut snippet in my email client. 

The question also drove me to write my article on How to get started as an API hacker last year.

But recently, someone from the API Hacker Inner Circle pushed back and asked to be more mindful that some people don’t even know which target to start with. 

You know what? They’re right.

So today, let’s tackle that problem head-on. Here are my five tips for picking your first target as an API hacker.

Tip #1: Pick a target you know

When starting your API hacking journey, choosing a familiar target can significantly streamline your learning and boost your chances for success.

Working with APIs from apps you use regularly gives you inherent insights into their functionality and potential weak spots. This familiarity saves time and lets you more accurately predict potential vulnerabilities based on your understanding of how the app works.

As you begin, choose to work on APIs from domains where you have expertise. It can help you spot nuances and subtleties that others may miss, giving you a competitive edge. 

Tip #2: Pick a target you can install

Choose a target whose software can be installed and managed in a controlled environment. This might be done locally, through Docker containers, or on a cloud instance. This approach allows you to interact with the API in a sandboxed setting, where you can freely test, manipulate, and observe its behavior without affecting real-world data or operations.

You can even modify and/or debug code to better understand how the API truly works.

Deploying an API yourself enables you to experiment with different types of attacks, such as those involving unusual data inputs or rate limiting. And you can do so in a safe and legal manner. 

Another benefit of controlling the installation is that it gives you direct access to the API artifacts. This will allow you to trace API exploitability more easily through code review and taint analysis. It will also allow you to see how things are installed and configured to abuse during your engagement. 

Managing your own instance makes it easier to replicate issues without having to involve the vendor. This enhances your ability to discover and report meaningful vulnerabilities while also respecting privacy and legal boundaries.

Tip #3: Pick a target with API documentation

A pivotal third tip for those new to API hacking is selecting an API with comprehensive and up-to-date documentation. Well-documented APIs offer essential insights into functionalities, parameters, and error handling, crucial for understanding normal API operations.

This knowledge helps identify vulnerabilities and streamlines testing by reducing guesswork in understanding API endpoints and responses.

Additionally, thorough documentation often includes examples and guidelines that can help you craft more effective test cases. This aligns your efforts with the API’s intended use, maximizing your chances of finding more impactful security flaws.

There is one other benefit of picking a target with up-to-date API documentation. You can use tools like oasdiff to monitor for changes continuously. Tools like this help inform where and when you should conduct vulnerability research in areas that are new and have less exposure to security testing. This saves time and money, letting you prioritize key areas before other researchers.

Tip #4: Pick a target with a modern JavaScript frontend

Choosing an API that is integrated with a modern JavaScript frontend can be highly advantageous for API hackers. Modern JavaScript frameworks like React, Angular, and Vue.js often expose backend details through extensive use of API endpoints, routes, and parameters in client-side code.

This visibility allows you to discern how the front end communicates with the back end, providing clues about the underlying API structure and potential entry points for testing. By analyzing the JavaScript code, you can uncover undocumented endpoints, understand data handling practices, and identify security misconfiguration.

This approach enhances your ability to identify and exploit vulnerabilities effectively, making it a critical strategy in your bug bounty methodology.

Tip #5: Pick a target with a mobile and/or thick client

For my fifth tip, consider targeting APIs that are utilized by mobile or thick client applications, as they can offer unique opportunities for discovering vulnerabilities. 

Mobile apps and desktop clients frequently use APIs directly to communicate with back-end services, and these apps can often be reverse-engineered to reveal a plethora of information about the API’s functionality. 

Tools such as apkleaks, which scans APK files for potential sensitive data leakage, and Frida, a dynamic instrumentation toolkit, are invaluable in this process. They allow you to intercept and manipulate calls to the API, uncover undocumented endpoints, and observe data flows in real time.

I’ve actually demonstrated some of that before in my article on Discovering API secrets & endpoints using APKLeaks. 

This kind of in-depth analysis is especially beneficial because mobile and thick clients often implement additional API features not visible in web interfaces. This provides a broader surface for security testing and potentially uncovers critical vulnerabilities that are otherwise overlooked.

Bonus Tip: Pick a target with active development

A bonus tip for selecting your API hacking target is to focus on APIs that are under active development. APIs that undergo frequent updates and iterations tend to exhibit greater fragility, making them more susceptible to security vulnerabilities. 

Active development often leads to changes in endpoints, modifications in data handling, and updates in security protocols—each of which can introduce new weaknesses before they are thoroughly tested or understood. 

It also means that they haven’t been as thoroughly tested by other security researchers. This gives you more opportunity to be the first to report issues and less likely to be a dupe. Older legacy versions of the API may become more brittle as app logic evolves and possibly expose unintended behavior. Many classes of vulnerability in the OWASP API Security Top 10 come from this. 

Engaging with such APIs helps you identify emerging issues early and collaborate with developers, fostering a mutually beneficial relationship that enhances API security and leads to safer products.

Actively engaging with evolving systems offers significant opportunities in API bug bounty hunting.

Other resources

Other hackers offer a wealth of knowledge on picking bug bounty targets. They discuss practical aspects like scope breadth and depth and program health metrics such as response times and payout averages.

You should consider these points of view as well. I have a few additional resources for you to check out in regards to this:

• Katie (@InsiderPhD) has a great video on picking a target. In it, she demonstrates program discovery on popular bug bounty platforms and shares valuable recommendations.
• Ben (@NahamSec) also has a decent video on YouTube. He helps to reduce confusion about the different bug bounty platforms and the programs available. He even shares some of his personal preferences. 
• Ryan (@PhD_Security) has an introductory video explaining how he picks his targets. Although he focuses more on the HackerOne platform, you can still get a decent idea of how he does it.

Conclusion

Venturing into the world of bug bounty hunting through API hacking can be both challenging and rewarding. However, it can be much easier when you are equipped with the right strategic insights into selecting your targets. 

Starting with APIs that are used in the apps you are familiar with allows for a smoother entry into security testing, while opting for APIs you can install gives you a controlled environment to explore vulnerabilities. 

Documentation plays a crucial role by shedding light on API functionality, which is essential for effective testing. Meanwhile, using API clients like modern JavaScript frontends, mobile apps, and thick desktop clients can expose additional layers of the API architecture that are ripe for investigation. 

Finally, targeting APIs under active development can present unique opportunities to catch new vulnerabilities as they emerge. By following these guidelines, you can enhance your skills, uncover significant security issues, and contribute to the success of your first engagements.

I hope these tips help. Good luck.

One last thing…

Have you joined The API Hacker Inner Circle yet? It’s my FREE weekly newsletter where I share articles like this, along with pro tips, industry insights, and community news that I don’t tend to share publicly. If you haven’t, subscribe at https://apihacker.blog.

The post 5 Tips for API Hackers on Picking Your First Target appeared first on Dana Epp's Blog.

*** This is a Security Bloggers Network syndicated blog from Dana Epp's Blog authored by Dana Epp. Read the original post at: https://danaepp.com/5-tips-for-api-hackers-on-picking-your-first-target