Exploiting Websites

Today I’m going to discuss small-scale applications, their vulnerabilities and how they can be secured.

Often the websites or web apps that come out well developed in specific aspects such as performance, UI and responsiveness turn out to be vulnerable in many other ways.

For example, I came across one of the translators here. It seemed like a 2-tier application consisting of a frontend and a backend, where clicking the submit button makes the frontend send a request to the backend.

So far things seemed quite normal, right? But when I started tracking the API, it turned out to be fully open, with no security implemented on it whatsoever. Since it was only a translator, it might seem like there is little a person could do even if the API is open.

APIs can be leveraged in many ways. Let's say the underlying service is a paid service and the API is just a wrapper around it; then by repeatedly calling the same API I can increase the consumption charges for the individual or the company, incurring losses.

If it serves any business value, then by using DDoS or similar attacks I can make it unavailable for the actual users, which might delay operations and cause disruptions leading to monetary losses.

It is advisable to use authentication on the backend, along with CORS and Origin header checks so that requests are accepted only from specific origins. Additionally, install a security solution that monitors the application to detect anomalies and send alerts.
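The following is an added example, not code from the original post or from the translator site it describes. It shows how the three controls above look in a minimal backend: an API key check (constant-time comparison), an Origin allow-list that is echoed back as the CORS header, and a log line on every rejection for a monitoring tool to pick up. It also goes one step beyond the post by adding a per-client rate limit, which is the direct mitigation for the "repeatedly calling the same API" cost attack. The key value, the origin `https://translator.example`, the `/translate` path and the `X-API-Key` header name are all constructed placeholders, and the server uses only the Python standard library.

```python
import hmac
import json
import time
from collections import defaultdict, deque
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values for this example. A real deployment would load
# keys from a secret store and the origin list from configuration.
API_KEYS = {"demo-frontend": "k_example_not_a_real_key"}
ALLOWED_ORIGINS = {"https://translator.example"}


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        hits = self._hits[key]
        # Drop timestamps that have fallen out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


DEFAULT_LIMITER = SlidingWindowLimiter(limit=5, window=60)


def lookup_client(api_key):
    """Return the client id for a valid key, comparing in constant time."""
    presented = (api_key or "").encode()
    for client_id, secret in API_KEYS.items():
        if hmac.compare_digest(secret.encode(), presented):
            return client_id
    return None


def check_request(headers, limiter=DEFAULT_LIMITER, now=None):
    """Decide whether a request may reach the translation backend.

    `headers` is any mapping with .get(); returns (http_status, reason).
    """
    now = time.monotonic() if now is None else now
    origin = headers.get("Origin")
    # Browsers send Origin on cross-site requests, so rejecting foreign
    # origins stops other sites from using the API from their pages. A
    # non-browser client can omit or forge it, which is why the API key
    # check below is the control that actually matters.
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "origin not allowed"
    client = lookup_client(headers.get("X-API-Key"))
    if client is None:
        return 401, "missing or invalid API key"
    if not limiter.allow(client, now):
        return 429, "rate limit exceeded"
    return 200, "ok"


class TranslateHandler(BaseHTTPRequestHandler):
    """Hypothetical /translate endpoint guarded by check_request()."""

    def do_POST(self):
        status, reason = check_request(self.headers)
        if status != 200:
            # Rejections are the signal a monitoring tool should alert on.
            self.log_message("rejected %s from %s: %s", self.path,
                             self.client_address[0], reason)
        body = json.dumps({"status": reason}).encode()
        self.send_response(status)
        origin = self.headers.get("Origin")
        if origin in ALLOWED_ORIGINS:
            # Echo only an allow-listed origin back, never "*".
            self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Vary", "Origin")
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), TranslateHandler).serve_forever()
```

Run it and POST to `http://127.0.0.1:8080/translate` with and without the `X-API-Key` header to see the 401, 403 and 429 paths. Note the design choice in `check_request`: the Origin check and CORS header only protect against the API being called from other websites in a victim's browser; a script can send any Origin it likes, so the API key (or a proper session) is what closes the "fully open API" problem the post describes, and the rate limit is what caps the cost exposure even for a legitimate key that leaks.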

Please let me know in the comments if you need a detailed guide of how to extract APIs.
You can reach out to me through email - puniyaniharnoor@gmail.com and LinkedIn

Written by Harnoor Puniyani, Cloud & DevOps Engineer