API Target Authentication

Mayhem for API supports a number of ways to authenticate to the target API. Giving the fuzzer a way to authenticate to the target API will enable it to exercise more endpoints and maximize coverage.

Basic Authentication

Basic access authentication is a simple technique for enforcing access control to web resources, and it is supported by most web servers. You can specify basic authentication credentials when you fuzz your target with mapi run, using either a command line option or an environment variable.

CLI Option:

mapi run --basic-auth "username:password" <api-name> <duration> ./openapi.json

Environment:

export MAPI_BASIC_AUTH="username:password"
mapi run <api-name> <duration> ./openapi.json

Note that basic authentication does not protect the username and password by itself. They are simply encoded with base64 in transit, but not encrypted or hashed. Basic authentication should be used in conjunction with HTTPS to protect the credentials, or on a trusted network.

Bearer Tokens

Bearer authentication (also called token authentication) is an HTTP authentication scheme that uses security tokens called bearer tokens. The client must send this token in the Authorization header when making requests to protected resources:

mapi run --header-auth 'Authorization: bearer <token>' <api-name> <duration> ./openapi.json

This method can also be used for any header-based authentication, for instance:

mapi run --header-auth 'X-Custom: auth <token>' <api-name> <duration> ./openapi.json

You can also use an environment variable to pass your token:

export MAPI_HEADER_AUTH="Authorization:Bearer <token>"
mapi run <api-name> <duration> ./openapi.json

Note that the authorization header does not protect the token by itself. It is not encrypted or hashed before sending it to the server. As with basic authentication, this authentication method should be used in conjunction with HTTPS to protect the credentials, or on a trusted network.

Note that if you would like to specify additional headers that do not include credentials, we recommend using -H instead of --header-auth. Mayhem for API treats --header-auth differently when looking for authentication bypasses.

Cookie Authentication

Cookie authentication uses HTTP cookies to authenticate client requests and maintain session information. Cookies are generally returned by the server after a successful login, and sent back by the client in subsequent requests. You can specify cookies when you fuzz your target with mapi run, using either a command line option or an environment variable.

CLI Option:

mapi run --cookie-auth "PHPSESSID=abe67cd" <api-name> <duration> ./openapi.json

Environment:

export MAPI_COOKIE_AUTH="PHPSESSID=abe67cd"
mapi run <api-name> <duration> ./openapi.json

Note that cookies are not encrypted or hashed before being sent to the server. As with basic and header authentication, this authentication method should be used in conjunction with HTTPS to protect the credentials, or on a trusted network.

More to come!

We are planning on adding more authentication methods soon, and we'd love to hear from you about what you'd like to see.

Logout blacklisting

If the credentials you passed to the fuzzer can be invalidated through a logout endpoint (the fuzzer would otherwise call it like any other route and lose its session), consider blacklisting that endpoint with the --ignore-endpoint flag in mapi run, something like this:

mapi run [...] --ignore-endpoint "/api/logout"

For more details on this and other mechanisms for choosing which endpoints to fuzz, see Selective Route Testing.
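The following script ties the Bearer Tokens and Logout blacklisting sections together. It is an added example, not part of the Mayhem for API tooling: it logs in to the target once, hands the session token to mapi through MAPI_HEADER_AUTH, and blacklists the logout route. It assumes a hypothetical form-encoded POST /api/login that returns {"access_token":"..."} and that TARGET_URL, API_USER and API_PASS are set in the environment.

```shell
#!/bin/sh
# Added example (not Mayhem for API's own code): log in to the target once,
# pass the resulting token to mapi via MAPI_HEADER_AUTH, and blacklist the
# logout route so the fuzzer cannot invalidate its own session mid-run.
# Assumptions: a hypothetical POST /api/login (form-encoded) that returns
# {"access_token":"..."}, and TARGET_URL / API_USER / API_PASS in the environment.
set -eu

nl=$(printf '\nx'); nl=${nl%x}      # literal newline, for the header check below
cr=$(printf '\r')

# Build the value mapi expects in MAPI_HEADER_AUTH ("Authorization:Bearer <token>").
# Reject tokens containing CR or LF: a value with line breaks would be sent as
# extra header lines rather than as the token.
bearer_header() {
  case "$1" in
    *"$nl"*|*"$cr"*) echo "refusing token containing a line break" >&2; return 1 ;;
  esac
  printf 'Authorization:Bearer %s' "$1"
}

# Pull "access_token" out of a JSON login response without depending on jq.
# Prints nothing when the key is absent (for example, on a failed login).
extract_token() {
  printf '%s' "$1" |
    sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Usage: ./fuzz_with_login.sh run <api-name> <duration> ./openapi.json
login_and_run() {
  body=$(curl -fsS -X POST "${TARGET_URL:?}/api/login" \
           --data-urlencode "username=${API_USER:?}" \
           --data-urlencode "password=${API_PASS:?}")
  token=$(extract_token "$body")
  [ -n "$token" ] || { echo "login response carried no access_token" >&2; return 1; }
  # The environment variable keeps the token out of the process list, where a
  # --header-auth argument would be visible to other local users via ps.
  MAPI_HEADER_AUTH=$(bearer_header "$token"); export MAPI_HEADER_AUTH
  # The fuzzer only ever sees the session token, never the username and password.
  mapi run "$@" --ignore-endpoint "/api/logout"
}

case "${1:-}" in
  run) shift; login_and_run "$@" ;;
esac
```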

CSRF Tokens

Note that Mayhem for API does not currently handle CSRF tokens. These are extremely common as a defence against CSRF attacks when cookie authentication is used, but are often disabled when API tokens are used. If this is something you'd like us to support better, shoot us an email at mayhem4api@forallsecure.com.