“Keyed In” Compromising an entire organization through their API


Today I'll walk you through how I compromised an entire organization through their API. But before we get started, let me give you a brief introduction to the organization and what they do.

The organization provides digital marketing and lead generation services to enterprise-level clients, and it has an API that developers can integrate into their programs to use those services.

For the sake of this writeup I will refer to the organization as “example.com”.

So, starting off with recon, I gathered subdomains through different tools such as crt.sh, subfinder, assetfinder, Sublist3r and ShodanX. After running all the tools I collected the results into a single file and removed duplicates. While looking through the subdomain list I noticed a subdomain named “Developers.example.com”, and since APIs are something that really interest me, I immediately jumped right into it.

While looking around the API documentation I was specifically looking for some kind of information that I could leverage further in my testing, but I couldn’t find anything. However, I noticed that the documentation was made and published using “Postman”, and there was an option to open and run the documentation in Postman.

I opened the documentation in Postman and started looking for info there as well and to my surprise I struck GOLD.

Since the API used a bearer token for authorization, I checked the authorization tab in one of the requests and found an API key that had been left there in plain text by the developer.
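The leak above is something the publishing side can catch before a collection goes public. The following scanner, added here as an example (it is not code from the writeup or from the organization), walks a Postman v2.1 collection export and flags any auth parameter, Authorization header or collection variable whose value is a literal credential rather than a {{variable}} reference; the sample collection embedded in it is constructed, and the v2.1 layout assumed is that auth parameters sit in a list under the key named by the auth "type".

```python
import json
import re

# Constructed sample of a Postman v2.1 collection (not the organisation's real
# export): a literal bearer token left in one request's Authorization tab, plus
# a collection variable exported with its value. {{api_key}} references are fine.
SAMPLE_COLLECTION = json.dumps({
    "info": {"name": "example.com API"},
    "auth": {"type": "bearer", "bearer": [{"key": "token", "value": "{{api_key}}"}]},
    "variable": [{"key": "api_key", "value": "sk_live_EXAMPLE_DO_NOT_USE"}],
    "item": [
        {"name": "Accounts", "item": [{
            "name": "Get Account Details",
            "request": {"method": "GET", "url": "https://api-example.com/api/users/accounts",
                        "auth": {"type": "bearer", "bearer": [
                            {"key": "token", "value": "sk_live_EXAMPLE_DO_NOT_USE"}]}}}]},
        {"name": "Leads",
         "request": {"method": "GET", "url": "https://api-example.com/api/leads",
                     "header": [{"key": "Authorization", "value": "Bearer {{api_key}}"}]}}]})

# Only an empty value or a {{variable}} reference is acceptable in an export.
PLACEHOLDER = re.compile(r"^\s*(Bearer\s+)?\{\{[^}]+\}\}\s*$")

def is_literal_secret(value):
    return bool(value) and PLACEHOLDER.match(value) is None

def _auth_findings(auth, path):
    params = auth.get(auth.get("type", ""), []) or []
    return [(path, f"auth.{auth['type']}.{p.get('key')}")
            for p in params if is_literal_secret(str(p.get("value", "")))]

def scan_collection(text):
    # Returns (location, field) pairs for every hardcoded credential found.
    col = json.loads(text)
    findings = _auth_findings(col.get("auth", {}), "<collection>")
    for var in col.get("variable", []):
        if is_literal_secret(str(var.get("value", ""))):
            findings.append(("<collection>", f"variable.{var.get('key')}"))
    def walk(items, prefix):
        for it in items:
            path = f"{prefix}/{it.get('name', '?')}"
            if "item" in it:                       # folder: recurse into it
                walk(it["item"], path)
                continue
            req = it.get("request") or {}
            findings.extend(_auth_findings(req.get("auth", {}), path))
            for h in req.get("header", []):
                if h.get("key", "").lower() == "authorization" and is_literal_secret(h.get("value", "")):
                    findings.append((path, "header.Authorization"))
    walk(col.get("item", []), "")
    return findings
```

Running it in CI against the exported collection and failing the publish step on any finding is the cheap control; the filled-in collection variable is the case teams tend to miss because the requests themselves look parameterised.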

Now, just getting the API key meant that I could use the services for free, but I wanted to escalate and increase the potential impact. So I started looking for other endpoints or API documentation that had requests to fetch sensitive data.

I immediately got to search engine dorking, and sure enough I found a “Zombie API” that had some very interesting endpoints. If you don’t know what zombie APIs are, here’s a definition:

These are APIs that are no longer being used for anything (or at least, not for any legitimate purpose). They’re still out there, and they still provide a point of access to some part of your system, but no one is maintaining or updating them anymore — and in all likelihood, no one even remembers that they exist.

source: https://blog.barracuda.com/2023/09/19/zombie-apis

Inside the API there was a request to “Get Account Details”, and the endpoint was something like:

https://api-example.com/api/users/accounts

I pasted the API key into this request and sent it. In the response I got all the data of the account, and it was the main account of the organization.

With that I also got details of all the apps that were connected to the account. They had connected Twilio as well, and in the response I also got the Twilio ACCOUNT_SID and AUTH_TOKEN. So I pulled up Twilio’s API documentation and found a request to fetch account details.

curl -X GET "https://api.twilio.com/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.json" \
-u $TWILIO_ACCOUNT_SID:$TWILIO_AUTH_TOKEN

I replaced the Account_SID and Auth_Token, sent the request, and got all of the info related to the account in the response:

{
  "auth_token": "auth_token",
  "date_created": "Thu, 30 Jul 2015 20:00:00 +0000",
  "date_updated": "Thu, 30 Jul 2015 20:00:00 +0000",
  "friendly_name": "friendly_name",
  "owner_account_sid": "ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
  "sid": "ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
  "status": "active",
  "subresource_uris": {
    "available_phone_numbers": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/AvailablePhoneNumbers.json",
    "calls": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/Calls.json",
    "conferences": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/Conferences.json",
    "incoming_phone_numbers": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/IncomingPhoneNumbers.json",
    "notifications": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/Notifications.json",
    "outgoing_caller_ids": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/OutgoingCallerIds.json",
    "recordings": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/Recordings.json",
    "transcriptions": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/Transcriptions.json",
    "addresses": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/Addresses.json",
    "signing_keys": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/SigningKeys.json",
    "connect_apps": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/ConnectApps.json",
    "sip": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/SIP.json",
    "authorized_connect_apps": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/AuthorizedConnectApps.json",
    "usage": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/Usage.json",
    "keys": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/Keys.json",
    "applications": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/Applications.json",
    "short_codes": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/SMS/ShortCodes.json",
    "queues": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/Queues.json",
    "messages": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/Messages.json",
    "balance": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/Balance.json"
  },
  "type": "Full",
  "uri": "/2010-04-01/Accounts/ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.json"
}

Besides that, there were also endpoints that let me create sub-accounts, create other API keys, delete accounts, create users, and perform some other actions on their internal services as well.

I reported the vulnerability; it was marked as “High” and the report was resolved.
