How to Discover API Subdomains? | API Hacking | #
In this article, we will delve into the world of API subdomains, exploring their purpose, methods to discover them, and performing API subdomain enumeration.
What are API Subdomains? #
API subdomains refer to the subdomains of a website or web application that are specifically dedicated to hosting APIs (Application Programming Interfaces). These subdomains are used to provide access to various functionalities and data through standardized interfaces, allowing developers to interact with the system programmatically.
A Simple Example #
Imagine you have a web application with lots of different services or features, like a shopping website with product listings, user profiles, and reviews. Now, you want to create a special way for other computer programs (like mobile apps or other websites) to talk to these different parts of your website.
API subdomains are like having separate doors to enter different parts of your application. Instead of going through the main entrance, you have separate doors for each part of your site. For example:
-
If you want to look at products, you use the “ products.example.com” door.
-
If you want to see user profiles, you use the “ profiles.example.com” door.
-
If you want to read reviews, you use the “ reviews.example.com” door.
Each door (subdomain) leads to a different part of your website, and computer programs can use these doors to talk to the specific part they need. It’s a way to keep things organized and make sure each part of your application gets the right information and requests.
So, API subdomains help organize and separate the different functions of your website’s programming interface, making it easier for other programs to use and interact with those functions.
Common Use Cases for API Subdomains #
API subdomains can be used in various ways to organize, manage, and differentiate the functionality of an API. Here are some different ways API subdomains are commonly used:
- Versioning: Subdomains are used to specify different versions of the API. For example:
-
v1.api.example.com
for version 1 of the API. -
v2.api.example.com
for version 2 of the API. This allows developers to use the version of the API that suits their needs and maintain backward compatibility when making changes.
Finding these versions can be useful for hackers. For example, if the developer decided to use the new v2(version 2) of the API due to a vulnerability present in v1(version 1), and the application is using v2, but version 1 is still accessible, then the attacker can use version 1 of the API to perform malicious actions.
For instance, if v1 of the API lacks proper access controls and allows any user to view any user’s details simply by changing the user ID, but this issue has been fixed in v2, the attacker can exploit the vulnerability in version 1 to compromise the application. This vulnerability is called Broken Object Level Authorization Using Old API.
2. Service Segmentation: Subdomains can represent different services or microservices within an API ecosystem. For instance:
-
products.api.example.com
for product-related endpoints. -
users.api.example.com
for user-related endpoints. -
payments.api.example.com
for payment processing endpoints. This helps in organizing code, managing access, and scaling individual services independently.
3. Access Control: Subdomains can be used to control access to specific parts of the API based on user roles or permissions. For example:
-
admin.api.example.com
for administrative functions restricted to administrators. -
public.api.example.com
for publicly accessible endpoints. This enhances security and ensures that only authorized users can access certain areas.
If an attacker find an API that is restricted to admins but has poor access controls or have default passwords, then it can be exploited by them.
-
Insufficient Authentication: If the authentication mechanism used by the API subdomain is weak or improperly implemented, attackers may attempt to bypass it using techniques like brute force attacks, password spraying, or session fixation.
-
Inadequate Authorization Checks: Even if an attacker doesn’t have valid credentials, they might try to manipulate the authorization checks. This could involve tampering with tokens, cookies, or session data to elevate their privileges.
-
Privilege Escalation: Attackers may attempt to exploit vulnerabilities that allow them to escalate their privileges within the application. For example, if the API subdomain uses role-based access control (RBAC), they might attempt to manipulate their role to gain access to admin functions.
4. Load Balancing: Subdomains can be used to distribute API traffic across multiple servers or data centers. For example:
-
api1.example.com
for one server. -
api2.example.com
for another server. Load balancers direct incoming requests to the appropriate subdomain based on factors like server health and traffic load.
5. Content Delivery: Subdomains can be used to serve different types of content or media. For instance:
-
images.api.example.com
for serving images. -
videos.api.example.com
for serving videos. This optimizes content delivery and improves performance.
5. Testing and Development: Subdomains can be employed for testing and development purposes. For example:
-
test.api.example.com
for testing new features. -
dev.api.example.com
for development and debugging. This allows developers to work on new functionality without affecting the production environment.
6. External Integrations: Subdomains can be used to create separate endpoints for third-party integrations or partner services. For instance:
-
partners.api.example.com
for partner-specific API endpoints. -
external.api.example.com
for integrating with external services. This keeps integrations isolated and manageable.
The choice of how to use API subdomains depends on the specific needs of the API, its architecture, and the organization’s requirements for organization, security, and scalability.
Why enumerate API Subdomains? #
API subdomain enumeration can potentially expose the subdomains associated with an API, which can be exploited by attackers. Here are some vulnerabilities that can arise:
-
Information Disclosure: The enumeration process may reveal sensitive information about the API infrastructure, such as subdomains, endpoints, or versioning details. This information can be leveraged by attackers to understand the system’s architecture and identify potential vulnerabilities or attack vectors.
-
Attack Surface Discovery: By identifying API subdomains, attackers can gain insight into the various entry points and functionalities offered by the API. This helps them in mapping the attack surface and planning targeted attacks against specific API endpoints or functionalities.
-
Brute-Force Attacks: Once the subdomains are enumerated, attackers can attempt to brute-force or guess API endpoint URLs and access restricted resources or perform unauthorized actions. This can lead to data breaches, unauthorized data manipulation, or even complete system compromise.
-
API Misconfiguration: Enumeration can also reveal misconfigured API subdomains that may have excessive permissions, weak authentication mechanisms, or inadequate rate limiting. Attackers can exploit these misconfigurations to gain unauthorized access, perform privilege escalation, or launch denial-of-service attacks.
To mitigate these vulnerabilities, it is crucial to implement proper security measures such as strong access controls, secure authentication mechanisms, input validation, and monitoring/logging of API activities.
How to perform API subdomain enumeration? #
Performing API subdomain enumeration typically involves using a combination of manual and automated techniques. Here are some common steps to perform API subdomain enumeration:
-
Passive Reconnaissance: Start by gathering information about the target website or web application. Use tools like search engines, OSINT (Open-Source Intelligence) platforms, and public databases to find any publicly available subdomains associated with the API.
-
DNS Enumeration: Use DNS (Domain Name System) enumeration techniques to discover subdomains. Tools like sublist3r, amass, or dnsrecon can be helpful in this process. These tools leverage various techniques such as brute-forcing, reverse DNS lookups, zone transfers, and search engines to identify subdomains.
-
Certificate Transparency Logs: Search through Certificate Transparency logs, which provide a public record of all issued SSL/TLS certificates. Tools like crt.sh or certspotter can help in identifying subdomains associated with issued certificates.
-
Web Crawler: Use a web crawler or a tool like gobuster to crawl the main website and identify potential API subdomains. Look for links or references to subdomains that are specifically designated for hosting APIs.
-
Brute-Force: If there are indications of a pattern in subdomain naming conventions, you can perform brute-forcing using tools like ffuf or wfuzz to guess and identify additional subdomains.
In this blog, we will explore how to perform API subdomain enumeration using amass, both actively and passively.
API Subdomain Enumeration Using Amass #
Tool: Amass
Command:
amass enum -d twitter.com | grep api
This command will enumerate subdomains for twitter.com and filter the subdomains that contain the term “api”.
You can also perform passive subdomain enumeration by using -passive
in the amass command like this
amass enum -passive -d twitter.com | grep api
When using the “passive” command in Amass, it leverages various publicly available sources, such as search engines, OSINT platforms, and public databases, to gather information about subdomains associated with the target domain. This information is obtained passively, meaning it does not involve actively sending requests or performing scans directly to the target domain.
You can filter the live subdomains by using httpx like so:
amass enum -active -brute -w /usr/share/seclists/Discovery/DNS/Subdomain-wordlist.txt -d twitter.com | httpx -mc 200
Brute forcing Subdomains #
Command:
amass enum -active -brute -w /usr/share/seclists/Discovery/DNS/Subdomain-wordlist.txt -d twitter.com
The above command will brute-force subdomains.
The -active
command in Amass refers to an active reconnaissance method used for subdomain enumeration. When using this command, Amass actively sends DNS queries to discover subdomains associated with the target domain.
Conclusion #
API subdomain enumeration can help bug bounty hunters identify subdomains that may have been abandoned or are no longer in use. These abandoned subdomains can be potential targets for subdomain takeover attacks, which can lead to full control or unauthorized access to the affected systems.
If you would like to watch a video on it, check this out!
Thank you for reading.