How exploitable sensitive information in API is able to destruct business in disruption era — Part2 — Build a crawler

M Maulana Abdullah
2 min read · Apr 9, 2023


Acting as a customer, the rival finds that the API parameter “name” is allowed to be empty, which turns the lookup into a LIKE ‘%%’ query in SQL that matches every row. This can be seen in the following comparison of the Content-Length of the API responses: with no value supplied, the response carries ~100 x more rows than with a specified value.

API findvendor with a filled “name” parameter
API findvendor with an empty “name” parameter shows far more results
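The empty-name behaviour described above, alongside the checks the endpoint should have applied, as an added Python example that is not code from the original post or from Redacted.com. The vendor table, the minimum search length of 3 characters, the result cap of 20 rows and the `response_length` stand-in for Content-Length are assumptions constructed for the demonstration.

```python
import json
import sqlite3

# Constructed sample data standing in for the vendor table behind the
# findvendor endpoint; names, locations and row count are made up.
VENDORS = [
    ("Andi Catering", "Jakarta"),
    ("Budi Photography", "Jakarta"),
    ("Citra Florist", "Jakarta"),
    ("Dewi Decor", "Bandung"),
    ("Eka Sound", "Bandung"),
    ("Fajar Cakes", "Surabaya"),
]

MIN_NAME_LEN = 3   # assumed policy: a search term must carry at least 3 characters
MAX_ROWS = 20      # assumed policy: never return more than one page of results


def make_db():
    """In-memory SQLite database loaded with the constructed vendor rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vendor (id INTEGER PRIMARY KEY, name TEXT, location TEXT)")
    conn.executemany("INSERT INTO vendor (name, location) VALUES (?, ?)", VENDORS)
    return conn


def find_vendor_vulnerable(conn, name, location):
    """Mirrors the behaviour the post describes: the parameter is bound safely
    (no SQL injection), but an empty name becomes LIKE '%%', which matches
    every vendor in the given location."""
    pattern = "%" + name + "%"
    return conn.execute(
        "SELECT name, location FROM vendor WHERE name LIKE ? AND location = ?",
        (pattern, location),
    ).fetchall()


def find_vendor_hardened(conn, name, location):
    """Same query with the checks the endpoint should have had: reject empty or
    short search terms, escape LIKE wildcards supplied by the client, and cap
    the result size so one call can never dump a whole location."""
    if not isinstance(name, str) or len(name.strip()) < MIN_NAME_LEN:
        raise ValueError("name must be at least %d characters" % MIN_NAME_LEN)
    # A client-supplied '%' or '_' would otherwise widen the search again.
    escaped = (name.strip()
               .replace("\\", "\\\\")
               .replace("%", "\\%")
               .replace("_", "\\_"))
    pattern = "%" + escaped + "%"
    return conn.execute(
        "SELECT name, location FROM vendor WHERE name LIKE ? ESCAPE '\\' "
        "AND location = ? LIMIT ?",
        (pattern, location, MAX_ROWS),
    ).fetchall()


def response_length(rows):
    """Rough stand-in for the Content-Length the post compares: the size of
    the JSON body the endpoint would return for these rows."""
    return len(json.dumps([{"name": n, "location": l} for n, l in rows]))


if __name__ == "__main__":
    db = make_db()
    # Filled name versus empty name: the empty one returns the whole location.
    print(response_length(find_vendor_vulnerable(db, "Andi", "Jakarta")))
    print(response_length(find_vendor_vulnerable(db, "", "Jakarta")))
    print(find_vendor_hardened(db, "Andi", "Jakarta"))
```

The parameter is bound in both versions, so this is not an injection bug; the defect is that the server never decides what a valid search term is. Rejecting short terms, escaping client-supplied wildcards and capping the page size are independent checks, and each one alone already removes the “one request returns everything” response.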

Build a crawler

So he decides to build a crawler application that picks up all the vendor information by requesting name=””&location={each location listed in the UI} and loads it into a local database.

Listed location from UI
Crawling topology

Now the competitor has enough information to start approaching the vendors, contacting each one through its social media account to invite it to join them.

Redacted.com should undertake the following to-do list so that its API cannot be crawled:

  1. Put a WAF (Web Application Firewall) in front of the API, with rules such as: more than 5 qps gets blocked temporarily
  2. Protect the endpoint with a CSRF token that must be properly validated (since this CSRF token can only be obtained through the previous referer link)
  3. Obfuscate the request parameters and values before sending them to the real API server
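A worked version of item 1, as an added Python example that is not from the original post: a sliding-window limiter that blocks a client temporarily once it sends more than 5 requests in one second, replayed over constructed access-log lines so the rule can be checked offline. The 60 second block length, the log line format and the client addresses are assumptions made for the demonstration.

```python
import time
from collections import defaultdict, deque

MAX_QPS = 5          # rule from the post: more than 5 requests per second
WINDOW = 1.0         # length of the sliding window, in seconds
BLOCK_SECONDS = 60   # assumed length of the temporary block


class RateLimiter:
    """Sliding-window limiter keyed by client (API key or source IP).
    Once a client exceeds MAX_QPS within WINDOW it is refused for BLOCK_SECONDS."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                 # injectable so replays are deterministic
        self.hits = defaultdict(deque)     # key -> timestamps of recent requests
        self.blocked_until = {}            # key -> time at which the block expires

    def allow(self, key):
        now = self.clock()
        until = self.blocked_until.get(key)
        if until is not None:
            if now < until:
                return False               # still inside the temporary block
            del self.blocked_until[key]    # block expired: start with a clean window
            self.hits[key].clear()
        q = self.hits[key]
        q.append(now)
        while q and now - q[0] >= WINDOW:  # drop hits that fell out of the window
            q.popleft()
        if len(q) > MAX_QPS:
            self.blocked_until[key] = now + BLOCK_SECONDS
            return False
        return True


class ReplayClock:
    """Clock driven by the timestamps in a log rather than wall time."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


# Constructed access-log lines: "<seconds> <client> <path>". Client 10.0.0.1
# fires seven requests within 0.6 s, retries during the block, then returns
# after the block has expired; client 10.0.0.2 stays well under the limit.
SAMPLE_LOG = [
    "0.0 10.0.0.1 /findvendor",
    "0.1 10.0.0.1 /findvendor",
    "0.2 10.0.0.2 /findvendor",
    "0.2 10.0.0.1 /findvendor",
    "0.3 10.0.0.1 /findvendor",
    "0.4 10.0.0.1 /findvendor",
    "0.4 10.0.0.2 /findvendor",
    "0.5 10.0.0.1 /findvendor",
    "0.6 10.0.0.1 /findvendor",
    "30.0 10.0.0.1 /findvendor",
    "61.0 10.0.0.1 /findvendor",
]


def replay(log_lines):
    """Feed log lines through the limiter; return (client, path, allowed) per line."""
    clock = ReplayClock()
    limiter = RateLimiter(clock=clock)
    decisions = []
    for line in log_lines:
        ts, client, path = line.split(" ", 2)
        clock.now = float(ts)
        decisions.append((client, path, limiter.allow(client)))
    return decisions


def decisions_for(decisions, client):
    """The sequence of allow/deny results recorded for one client."""
    return [ok for c, _, ok in decisions if c == client]


if __name__ == "__main__":
    for client, path, ok in replay(SAMPLE_LOG):
        print(client, path, "allowed" if ok else "BLOCKED")
```

Keying on the source address alone is the weakest choice, since a crawler can spread requests across addresses; keying on the API key or session that the endpoint already requires makes the rule far harder to sidestep, and logging every block decision gives the security team the signal that a scrape attempt is under way.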

Since they are still not satisfied (somehow the social media account data is not well maintained), collecting the vendors' mobile phone numbers is the next step.

to be continued…


M Maulana Abdullah

IT enthusiast. My articles are mostly about API development vulnerabilities. Letting business owners understand the issue is my priority.