testing-mobile-api-authentication


Testing Mobile API Authentication


When to Use


Use this skill when:
  • Assessing mobile app backend API authentication during penetration tests
  • Testing JWT token implementation for common vulnerabilities (none algorithm, weak signing)
  • Evaluating OAuth 2.0 / OIDC flows in mobile applications for redirect, PKCE, and scope issues
  • Testing for broken object-level authorization (BOLA/IDOR) in API endpoints
Do not use this skill against production APIs without explicit authorization and rate-limiting awareness.

Prerequisites


  • Burp Suite or mitmproxy configured as mobile device proxy
  • SSL pinning bypassed on target application (if implemented)
  • Valid test account credentials for the target application
  • Postman or curl for API request crafting
  • jwt.io or PyJWT for JWT analysis and manipulation

Workflow

工作流程

Step 1: Map Authentication Endpoints


Intercept mobile app traffic to identify authentication-related endpoints:

```text
POST /api/v1/auth/login           - Initial authentication
POST /api/v1/auth/register        - Account registration
POST /api/v1/auth/refresh         - Token refresh
POST /api/v1/auth/logout          - Session termination
POST /api/v1/auth/forgot-password - Password reset
POST /api/v1/auth/verify-otp      - OTP verification
GET  /api/v1/auth/me              - Authenticated user profile
```

Step 2: Analyze Token Format and Security


JWT Analysis:

```bash
# Decode JWT without verification (payload segment only). JWT segments use the
# base64url alphabet without padding, so map '-' and '_' back to '+' and '/' before
# base64 -d; the padding complaint on stderr is silenced.
echo "eyJhbGciOiJIUzI1NiIs..." | cut -d. -f2 | tr '_-' '/+' | base64 -d 2>/dev/null

# Check for common JWT vulnerabilities:
# 1. None algorithm attack
#    Change header to: {"alg":"none","typ":"JWT"}
#    Remove signature: header.payload.
# 2. Algorithm confusion (RS256 to HS256)
#    If server uses RS256, try HS256 with public key as secret
# 3. Weak signing key
#    Use hashcat or jwt-cracker to brute-force HMAC secret
hashcat -m 16500 jwt.txt wordlist.txt
# 4. Expiration bypass
#    Modify "exp" claim to future timestamp
```

**Opaque Token Analysis:**
  • Test token length and entropy
  • Check if tokens are sequential/predictable
  • Test token reuse after logout
  • Verify token invalidation on password change

Step 3: Test Authentication Bypass


```bash
# Test missing authentication
# Test with empty/null token
curl -X GET https://api.target.com/api/v1/users/profile \
  -H "Authorization: Bearer "
curl -X GET https://api.target.com/api/v1/users/profile \
  -H "Authorization: Bearer null"

# Test with expired token (should fail)
curl -X GET https://api.target.com/api/v1/users/profile \
  -H "Authorization: Bearer <expired_token>"

# Test token from different user
curl -X GET https://api.target.com/api/v1/users/123/profile \
  -H "Authorization: Bearer <user_456_token>"
```

Step 4: Test IDOR / Broken Object-Level Authorization


```bash
# Change user ID in request path
curl -X GET https://api.target.com/api/v1/users/123/orders \
  -H "Authorization: Bearer <user_456_token>"

# Change object ID in request body
curl -X PUT https://api.target.com/api/v1/orders/789 \
  -H "Authorization: Bearer <user_456_token>" \
  -H "Content-Type: application/json" \
  -d '{"status": "cancelled"}'

# Test horizontal privilege escalation
# Access admin endpoints with regular user token
curl -X GET https://api.target.com/api/v1/admin/users \
  -H "Authorization: Bearer <regular_user_token>"
```
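Steps 3 and 4 are the same comparison repeated: a request that succeeds for the owner is replayed with a second account's token, and a success on the replay is a finding (this is what the Autorize extension automates). The block below is an added example, not code from the original skill or from Autorize: a small in-memory stand-in for the target API that can be built with or without the object-ownership check, and a replay harness that runs the Step 3/4 requests through it. The paths are the ones used above; the tokens, order owners and the `make_api`/`find_authz_failures` names are constructed for the example.

```python
from typing import Callable, Dict, List, Tuple

# Constructed fixtures standing in for the target: who owns which order, and which bearer token maps to whom.
ORDER_OWNER: Dict[str, str] = {"789": "123", "790": "456"}
TOKEN_USER: Dict[str, str] = {"tok-user-123": "123", "tok-user-456": "456", "tok-admin": "admin"}

Send = Callable[[str, str, str], int]  # send(method, path, bearer_token) -> HTTP status


def make_api(enforce_ownership: bool) -> Send:
    """Minimal stand-in for the API under test. With enforce_ownership=False the handlers only
    check that *a* valid token was sent, which is the BOLA bug; with True they also check that
    the object belongs to the caller and that /admin requires the admin role."""
    def send(method: str, path: str, token: str) -> int:
        caller = TOKEN_USER.get(token)
        if caller is None:
            return 401  # authentication works either way; authorization is what is being tested
        parts = path.strip("/").split("/")
        if parts[:3] == ["api", "v1", "users"] and len(parts) >= 4:
            required = parts[3]                     # /api/v1/users/{id}/...: the id in the path
        elif parts[:3] == ["api", "v1", "orders"] and len(parts) == 4:
            required = ORDER_OWNER.get(parts[3])    # /api/v1/orders/{id}: look the owner up server-side
            if required is None:
                return 404
        elif parts[:3] == ["api", "v1", "admin"]:
            required = "admin"
        else:
            return 404
        if enforce_ownership and caller != required:
            return 403
        return 200
    return send


def find_authz_failures(send: Send, requests: List[Tuple[str, str, str]], other_token: str) -> List[str]:
    """Autorize-style check: for each (method, path, owner_token) that succeeds as the owner,
    replay it with a different user's token and report the ones that still succeed."""
    findings = []
    for method, path, owner_token in requests:
        baseline = send(method, path, owner_token)
        if not 200 <= baseline < 300:
            continue  # the owner cannot reach it either: a broken endpoint, not an authorization signal
        replay = send(method, path, other_token)
        if 200 <= replay < 300:
            findings.append(f"{method} {path}: {replay} with another user's token (owner got {baseline})")
    return findings


# The Step 3/4 requests: three object-level (horizontal) cases and one admin (vertical) case.
REQUESTS = [
    ("GET", "/api/v1/users/123/profile", "tok-user-123"),
    ("GET", "/api/v1/users/123/orders", "tok-user-123"),
    ("PUT", "/api/v1/orders/789", "tok-user-123"),
    ("GET", "/api/v1/admin/users", "tok-admin"),
]


def run() -> Dict[str, int]:
    """Number of findings against the vulnerable and the hardened stand-in."""
    return {
        "vulnerable": len(find_authz_failures(make_api(False), REQUESTS, "tok-user-456")),
        "hardened": len(find_authz_failures(make_api(True), REQUESTS, "tok-user-456")),
    }


if __name__ == "__main__":
    for line in find_authz_failures(make_api(False), REQUESTS, "tok-user-456"):
        print(line)
    print(run())
```

The baseline request matters: without it, a 404 or 403 that the owner also gets would be mistaken for a pass, and a 200 that the owner does not get would be missed as a replay artifact.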

Step 5: Test Session Management


```bash
# Test concurrent sessions
# Login from multiple devices simultaneously - should both remain valid?

# Test session invalidation after logout
TOKEN=$(curl -s -X POST https://api.target.com/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"test@test.com","password":"pass"}' | jq -r '.token')

# Logout
curl -X POST https://api.target.com/api/v1/auth/logout \
  -H "Authorization: Bearer $TOKEN"

# Try using the same token (should fail)
curl -X GET https://api.target.com/api/v1/users/me \
  -H "Authorization: Bearer $TOKEN"

# Test session invalidation after password change
# Token obtained before password change should be invalidated
```
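The Opaque Token Analysis list in Step 2 and the Step 5 checks describe the behaviour a server-side session store has to deliver: unpredictable tokens, concurrent sessions that do not interfere with each other, logout that revokes the token on the server, and a password change that invalidates every session issued before it. The following is an added example, not code from the original skill: a minimal store with those properties and a routine that runs the Step 5 sequence against it. The `SessionStore` class, the timestamps and the account name are constructed for the example.

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    """Opaque-token session store that passes the Step 2 opaque-token checks and the Step 5 sequence."""

    def __init__(self, max_age: float = 3600.0) -> None:
        self.max_age = max_age
        self._sessions: Dict[str, Dict] = {}        # token -> {"user", "issued"}
        self._pw_changed_at: Dict[str, float] = {}  # user -> time of the last password change

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not sequential, not guessable
        self._sessions[token] = {"user": user, "issued": now}
        return token

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)  # server-side revocation; deleting it on the device is not enough

    def change_password(self, user: str, now: float) -> None:
        # Recorded once; resolve() compares against it, so every earlier session dies without a scan.
        self._pw_changed_at[user] = now

    def resolve(self, token: str, now: float) -> Optional[str]:
        """Return the user for a live token, or None if unknown, revoked, expired or pre-password-change."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session["issued"] > self.max_age:
            self._sessions.pop(token, None)
            return None
        if session["issued"] <= self._pw_changed_at.get(session["user"], float("-inf")):
            self._sessions.pop(token, None)
            return None
        return session["user"]


def run_step5_checks() -> Dict[str, bool]:
    """Step 5 as a sequence: two devices log in, one logs out, the password changes, a fresh login follows."""
    store = SessionStore()
    t = 1_700_000_000.0  # constructed clock
    phone = store.login("test@test.com", t)
    tablet = store.login("test@test.com", t + 1)  # concurrent session from a second device
    results = {
        "concurrent_both_valid": store.resolve(phone, t + 2) == "test@test.com"
        and store.resolve(tablet, t + 2) == "test@test.com",
        "tokens_unique_and_long": phone != tablet and len(phone) >= 43,
    }
    store.logout(phone)
    results["logout_revokes_only_that_token"] = (
        store.resolve(phone, t + 3) is None and store.resolve(tablet, t + 3) == "test@test.com"
    )
    store.change_password("test@test.com", t + 10)
    results["password_change_kills_old_session"] = store.resolve(tablet, t + 11) is None
    fresh = store.login("test@test.com", t + 12)
    results["new_login_after_change_valid"] = store.resolve(fresh, t + 13) == "test@test.com"
    results["absolute_lifetime_enforced"] = store.resolve(fresh, t + 12 + 3601) is None
    return results


if __name__ == "__main__":
    for check, ok in run_step5_checks().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

An API whose tokens keep resolving after `logout` or `change_password` fails the corresponding Step 5 check; the same sequence run with real curl calls is the test, and the store shows which server-side state has to exist for it to pass.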

Step 6: Test OAuth 2.0 / OIDC Mobile Flows


  • Test for authorization code interception: check whether PKCE (Proof Key for Code Exchange) is enforced, and test with a missing code_verifier parameter.
  • Test redirect URI manipulation: try custom scheme hijacking (myapp://callback), and test with a modified redirect_uri parameter.
  • Test scope escalation: request higher privileges than granted.
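The PKCE and redirect_uri checks in Step 6 are easiest to read against an authorization server that enforces them. The following is an added example, not code from the original skill or from any OAuth library: the client-side S256 challenge derivation per RFC 7636, and an `AuthorizationServer` stand-in that requires S256 PKCE, matches redirect_uri exactly against the registration, requires and checks code_verifier at the token endpoint, and treats codes as single-use. The client id, the registered `myapp://callback` redirect (from the page) and the class and function names are constructed for the example; scope escalation is not modelled.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Client side (RFC 7636): random code_verifier, code_challenge = BASE64URL(SHA256(verifier))."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("utf-8")).digest())
    return verifier, challenge


class AuthorizationServer:
    """Authorization-server side with the checks Step 6 probes for."""

    # Constructed registration: the mobile client's custom-scheme redirect, matched as an exact string.
    REGISTERED_REDIRECTS: Dict[str, str] = {"mobile-client": "myapp://callback"}

    def __init__(self) -> None:
        self._codes: Dict[str, Dict] = {}

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: Optional[str],
                  method: str = "S256") -> Optional[str]:
        if self.REGISTERED_REDIRECTS.get(client_id) != redirect_uri:
            return None  # modified redirect_uri or foreign scheme: no code is issued at all
        if method != "S256" or not code_challenge:
            return None  # PKCE is mandatory for public (mobile) clients; 'plain' and missing are refused
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "challenge": code_challenge}
        return code

    def token(self, client_id: str, code: str, redirect_uri: str, code_verifier: Optional[str]) -> Optional[str]:
        entry = self._codes.pop(code, None)  # pop: a code redeems once, so a copied code is dead after the app uses it
        if entry is None or entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return None
        if not code_verifier:
            return None  # the "missing code_verifier" test must end here
        expected = b64url(hashlib.sha256(code_verifier.encode("utf-8")).digest())
        if not hmac.compare_digest(expected.encode("ascii"), entry["challenge"].encode("utf-8")):
            return None  # a code obtained by interception cannot be redeemed without the original verifier
        return "access-" + secrets.token_urlsafe(16)


def run_pkce_checks() -> Dict[str, bool]:
    """The Step 6 probes against the stand-in; every entry should be True for a correct server."""
    srv = AuthorizationServer()
    verifier, challenge = make_pkce_pair()
    cid, uri = "mobile-client", "myapp://callback"
    results = {}
    code = srv.authorize(cid, uri, challenge)
    results["legit_exchange"] = srv.token(cid, code, uri, verifier) is not None
    results["code_single_use"] = srv.token(cid, code, uri, verifier) is None
    code = srv.authorize(cid, uri, challenge)
    results["missing_verifier_rejected"] = srv.token(cid, code, uri, None) is None
    code = srv.authorize(cid, uri, challenge)
    results["wrong_verifier_rejected"] = srv.token(cid, code, uri, make_pkce_pair()[0]) is None
    results["pkce_missing_refused"] = srv.authorize(cid, uri, None) is None
    results["plain_method_refused"] = srv.authorize(cid, uri, verifier, method="plain") is None
    results["redirect_uri_tampering_refused"] = (
        srv.authorize(cid, "myapp://callback/../evil", challenge) is None
        and srv.authorize(cid, "evil://callback", challenge) is None
    )
    return results


if __name__ == "__main__":
    for check, ok in run_pkce_checks().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

On a real target the same probes are sent with curl or Burp: a token endpoint that answers a request without code_verifier, or an authorization endpoint that redirects to an unregistered redirect_uri, is the finding. Note that exact-match checking is what removes the substring and prefix tricks; PKCE alone does not protect against a redirect to an unregistered scheme.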

Key Concepts


| Term | Definition |
| --- | --- |
| BOLA/IDOR | Broken Object Level Authorization - accessing resources by changing identifiers without server-side authorization checks |
| JWT | JSON Web Token - self-contained authentication token with header, payload, and signature components |
| PKCE | Proof Key for Code Exchange - OAuth 2.0 extension preventing authorization code interception in mobile apps |
| Token Refresh | Mechanism for obtaining new access tokens using long-lived refresh tokens without re-authentication |
| Session Fixation | Attack where adversary sets a known session ID before victim authenticates, then hijacks the session |

Tools & Systems


  • Burp Suite: HTTP proxy for intercepting and modifying authentication requests
  • jwt_tool: Python tool for testing JWT vulnerabilities (none algorithm, key confusion, claim manipulation)
  • Postman: API testing client for crafting authentication requests
  • hashcat: Password/JWT secret cracking tool for testing HMAC signing key strength
  • Autorize: Burp Suite extension for automated authorization testing

Common Pitfalls


  • Rate limiting masks issues: the API may rate-limit test requests. Use delays between requests and test from the tester's authorized perspective first.
  • Token in URL: some mobile APIs pass tokens in URL query parameters, exposing them in server logs and browser history. Flag this as a finding even if authorization works correctly.
  • Refresh token rotation: some APIs rotate refresh tokens on each use. If your test invalidates the refresh token, you may lock out your test account.
  • Mobile-specific OAuth: mobile apps use custom URI schemes for OAuth redirects, which can be intercepted by malicious apps registered for the same scheme.