The Research

This section presents the tools and architecture of the API attack lab I used in this research.

The Attack Lab

Mobile APIs

I used a different technology stack for each stage of testing. During the SAST stage, I used Mobile Security Framework (MobSF) for the FHIR APIs that have a mobile app as the client. MobSF automates the reverse engineering of the APK file pulled from the Android device. Once MobSF had reversed the app back to its source code, I used different grep strings to find hardcoded API secrets in the code, such as API keys, tokens, and hardcoded passwords. Reviewing the source code also helped me understand what the clients were sending to the API endpoints.
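The "grep for hardcoded secrets" step above, written out as a small scanner over a decompiled source tree. This is an added example, not the author's tooling or MobSF's: the regexes, the `Finding` type and the two sample Java files are constructed for illustration, and the report masks each value so the findings themselves do not leak the secret.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Regexes standing in for the grep strings used against the MobSF-decompiled
# source; they are this example's own patterns, not the author's exact ones.
SECRET_PATTERNS = {
    "api_key": re.compile(r'(?i)\b(?:api[_-]?key|x-api-key)\b\s*[:=]\s*["\']([A-Za-z0-9_\-]{16,})["\']'),
    "bearer_token": re.compile(r'\bBearer\s+([A-Za-z0-9_\-.=]{20,})'),
    "password": re.compile(r'(?i)\b(?:password|passwd|pwd)\b\s*[:=]\s*["\']([^"\']{4,})["\']'),
    "creds_in_url": re.compile(r'https?://([^/\s:@]+:[^@\s]+)@'),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    preview: str  # masked value, so the report itself does not leak the secret

def mask(value: str) -> str:
    """Keep just enough of the value to triage it, never the whole secret."""
    return value[:4] + "*" * max(0, len(value) - 4)

def scan_sources(sources: Dict[str, str]) -> List[Finding]:
    """Scan {path: file_text} and return every hardcoded-secret hit in path/line order."""
    findings = []
    for path in sorted(sources):
        for lineno, text in enumerate(sources[path].splitlines(), start=1):
            for kind, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append(Finding(path, lineno, kind, mask(match.group(1))))
    return findings

# Constructed stand-in for two decompiled Java files from a FHIR client app.
SAMPLE_SOURCES = {
    "com/example/fhirclient/ApiConfig.java": (
        'public final class ApiConfig {\n'
        '    static final String API_KEY = "sk_live_CONSTRUCTED0123456789abcd";\n'
        '    static final String BASE_URL = "https://fhir.example.invalid/r4/";\n'
        '}\n'
    ),
    "com/example/fhirclient/AuthHelper.java": (
        'String header = "Bearer eyJCONSTRUCTEDHEADER.eyJCONSTRUCTEDPAYLOAD.sig";\n'
        'String password = "admin123";\n'
        'Log.d("auth", "password field shown");   // the word alone must not trigger\n'
    ),
}

if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f.path}:{f.line} [{f.kind}] {f.preview}")
```

Requiring an assignment operator and a quoted value after the keyword is what keeps the `Log.d` line out of the results; a bare `grep -i password` would have flagged it.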

Web APIs

For the API endpoints that leverage a web client, I used Burp Suite's proxy with its built-in Chromium web browser, which automatically sent the traffic between the web app and the backend API endpoints to the Proxy tab within Burp Suite. Once the packets were captured in the Proxy tab, I sent the individual requests whose header or payload values I wanted to mutate to Repeater within Burp Suite. This allowed me to perform a WITM attack against the API endpoints without having to leave Burp Suite.

Tactics, Techniques, and Procedures (TTPs)

The TTPs I followed for each type of target are broken down further in this section to explain the steps in my kill chain for each of the target apps and what the results were.