Source: DeviantArt (Streamweb)

All That We Let In: Hacking mHealth Apps and APIs (Part 2)

Alissa Knight
11 min readDec 1, 2020

Introduction

Have you noticed recently that the number of API breaches seem to be rising, not ebbing? You’re not alone. As a matter of fact, the number of API breaches have been going up exponentially and it’s only getting worse as we move into 2021.

In part 1 of our series, I introduced my mHealth app and API vulnerability research and unveiled the trailer for this research.

In this part, I walk you through configuring your tools and performing the techniques I use in targeting and exploiting mHealth apps and APIs in my research campaign and unveil some of the findings from my research.

Many of the vulnerabilities found and exploited during the network interdiction stage of the research are classified as Broken Object Level Authorization (BOLA) vulnerabilities, once referred to as Insecure Direct Object Reference (IDOR) vulnerabilities. I’ll explain further below, but in summary, this is exploitation of vulnerabilities found in authentication and authorization of established sessions between the…

--

--

Alissa Knight
Alissa Knight

Written by Alissa Knight

Hacker | Cybersecurity Content Creator | Influencer | Published Author