API Pentesting
Mindmap
{{Recon}}
V1
V2
API Version Discovery
V3
Import the API environment,
documentation and collections
etc
Product / open source
Link BurpSuite proxy with Postman
API Implementation Discovery
Custom API Implementation
Activate the API environment
Discovering authentication systems,
server's headers and requests
parameters body
RESTful [Most common]
Postman
These two steps should handle every
function in the recon method together
API Type Discovery
SOAP [Very rare]
GraphQL [Newcomer]
OTP
login
Identifying authentication's
endpoints.
WADL for RESTful API
Local
etc
Analyzing JS code, like the JSON in
the Tests tab
etc
API Documentations
GET
SoapUI
POST
HTTP Methods Discovery
Link BurpSuite proxy with Postman
PATCH
PUT
Intercept and monitor every
request / response
DELETE
Run the content discovery on the API
seeking for additional endpoints,
actions and objects
Analyze request & response headers
and parameters
Any public documentation for API like the open source
APIs
Public
Importing WADL / WSDL file initially
or using the Application's URL
Analyze endpoint behaviors using
the endpoint explorer
WSDL for SOAP API
WADL
Endpoints gathering through local
docs
Reconnaissance
BurpSuite
Manipulate the request headers and
monitor the server's actions to the
manipulations
WSDL
etc
the endpoints which requires authentication and other publicly
accessible.
Weaponizing
Cookie based (non-standard)
Authentication / Authorization
methods
Run the JavaScript scans to analyze
JavaScript files in order to
understand the API infrastructure
Authentication &
Authorization
Header based (standard)
JWT (JSON Web Token)
Endpoints
Encrypted value
Objects
Fuzzing points
Arbitrary value to save the user's state
Identification handlers
Methods / Actions
Encoded Serialized value
Link it with Burp in order to extend
your sitemap range
Fuzzing
FFUF
Encrypted Serialized value
Hashed user value
BurpSuite Intruder
Link it with Burp in order to extend your
endpoints parameter range
(Vary from target to another)
Tools
Comparing docs
Arjun
API Fuzzing
SecLists
Actions AKA Methods
Objects
FuzzDB
Using wayback machine
Mapping the API's request & response
body and headers.
Behavior mapping
Wordlists
Identify the job of every API method
[It's vary from API to another]
Using the API docs
Source Code Reviewing
Compare the local & public API documentations seeking for hidden functions, methods
or endpoints.
Endpoints
Analyze the arjun output to check for
the possible vulnerable parameter
e.g: JavaScript
e.g: hashed username, user ID
Swagger API
Generating Custom Wordlist
API Visualization tools / interfaces
discovery
Organization's github repository if
exists
Custom Implementations
etc
The source code of API product
- if it was open source -
e.g: /api/{{products}}/122/edit
Enumerate resources
RESTful API enumeration
Enumerate objects
e.g: enumerate object identifiers: /
api/users/{{1}}/edit
In this phase you should concentrate
more in the response headers, response
length and application's behaviors
Could be found in PayloadAllTheThings
Introspection query enumerating
Enumeration
GraphQL API enumeration
Our aim of making this is to retrieve
every query that can be run in the
database and it's parameters
GraphQL Voyager
Visual representation tools
Kiterunner
Tools
unfurl
API scanner for endpoints and content
discovery.
Extracting paths from URL lists, this will
help in generating custom wordlists
phase.
It will show us the visual representation
of GraphQL which made use able to
analyze the GraphQL in a deep and
accurate way
parameter's value
URL object
PDFs
some web apps put the
user's attachments names
like their IDs in the application
e.g: 12.pdf
Docs
Downloadable resources
User identifiers
Invoices
etc
National IDs
Personal docs
Some web apps requires uploading
personal docs to register on them, and the
user should have access to his docs, and
these docs some times also named with it'
s owner ID.
Passports
etc
Checking every function having
Transaction objects / Identifiers
as a value in parameters
as an object in the URL
Usernames
certificates
Downloadable resources
In addition to the types mentioned in the
User identifiers section, in usernames also
these docs might have usernames as a
names for the files. e,g: cyberguy_10.csv
licenses
medical documents
etc {{based on application's logic}}
Some times the user's username being
hashed and used as a value for
authorization, you can exploit this by
guessing the application's usernames and
hash them
Hashed sessions / cookies
Serialized sessions / cookies
Authenticators of the application
Authorization headers / cookies
Check for:
Encoded sessions / cookies
Some cookies are encrypted with
symmetric encryption, so if you were able
to achieve the private key by some way
you will be able to decrypt the cookie and
change it's value
Encrypted cookies
Some developers defines the user's
state when accessing a resource based on
server's responses, for example.
{
"authorized":true,
"uID": 122
}
resource accessing behaviours
Manipulation
Manipulate the privilege or user's state from the
server's responses
OTP stored in some endpoint
Leaks
Generated by the API using some method
Pre-authentication
OTP
Changing the values from true to false
or it's logical representatives. e.g: {"OTP": 1} and
number 1 here refers to true.
Manipulation
Some applications decided the identity of
the user through the server's responses,
we can manipulate the JSON response for
example and the dynamic generated
content will be loaded for the injected
email.
2FA Process to access
specific user content
Remote authorization
Broken object-level access
Application's responses
Dynamic application responses
OTP Endpoints
While accessing particular sensitive / critical
resource in an application, some application
requires remote authorization to proceed.
Some panels requires
remote authorization from
mobile apps for example, thus
we can manipulate the response
to bypass into the user's content.
e.g:
{
"authorization_done":true,
"resource_id": 120
}
etc
Login Endpoints
email
CVV / PIN
username
Lack of resources and rate limiting
Internal resource spoofing
Referer manipulation
Manipulation
Authenticated
id
identifier's manipulate
National Security Number
Bypasses
Phone number
IP Range spoofing
confidential / personal info
Passport Number
etc
etc
Numeric identifiers
e.g:
/api/v1/admin/delete?resource_id=
/api/v1/admin/update?resource_id=
/api/v1/admin/post?resource_id=
API Methods
Pre-generation attacks
Spoofable Identifiers
e.g: /api/v1/users/getToken/12
e.g: /api/v1/users/getToken/13
Gradually identifiers
1. e.g: /api/v1/users/getToken/username12
2. e.g /api/v1/users/getToken/username13
Alphanumeric identifiers
Some applications the behaviors of
deleting, adding or updating info's is
normal, so these considered as
vulnerabilities based on your application
logic.
DELETE
Changing value in back-end will be used to
generate QR Code later to retrieve data.
e.g:
{
"username":"someUser",
"user_id":12,
"action":"getToken"
}
Administrative functions
PATCH
QR Code Attacks
HTTP Verbs
PUT
etc [based on your case]
etc
Dynamic attacks
Real-time applications
Response based
Anonymous user access to functions requires
authenticated users
Improper authorizations
Anonymous user access to functions retrieves
authenticated users data
Changing value in back-end will be used to
generate QR Code later to perform action.
e.g:
{
"username":"someUser",
"user_id":12,
"action":"loginAuthorize"
}
etc
etc
etc
Broken function level authorization
When accessing some endpoints under
the 'admin' endpoint, some times can
retrieve sensitive info
e.g:
/api/v1/users/info?uID=1
/api/v1/admin/users/info?uID=1
Captcha reuse
Weak captcha
Verbs & Endpoints manipulations
Here some applications blocks the
integers identifiers except the current
userID, but if you put something like: 'all'
can retrieve the whole application's users
info's
Captcha Attacks
e.g:
/api/v1/users/?id=myID
/api/v1/users/all
Exploiting ordinary functions trying to
access internal resources via LFD for
example
e.g:
/api/v1/Ajax/resource?url=/end/point
/api/v1/Ajax/resource?url=../..//etc/passwd
Turning the normal resource grabber into
SSRF vulnerable machine made you able
to perform SSRF attacks and it's contexts
e.g:
/api/v1/Ajax/resource?url=/end/point
/api/v1/Ajax/resource?url=http://127.0.0.1
Captcha implementation
without using
Unauthorized access to
captcha generation endpoint
Insufficient cooldown timing
could be used to
autofill captcha
allows brute-forcing attacks
Leaked in public compromised databases
Exploit endpoints for possible internal access
Credentials stuffing
OSINT based credentials on the target
e.g:
/api/v1/Ajax/PUT?url=/user/profile/pic
/api/v1/Ajax/PUT?url=http://127.0.0.1/shell.ext
Execute functions into internal resources
admin:admin
etc
Api Pentesting
Mindmap
{{Attacking}}
env
test
example
Weak credentials
Weak authentication security
design
administrator:administrator
High Privilege defaults
root:toor
etc
Default credentials
guest:guest
publicly accessible productions
test:test
branches
Low / custom privilege defaults
old releases
user:user
Use of non-production resources which in most
cases not protected to attack the production
resources
etc
Improper assets management
etc
Sending data in GET Request / URLs
heapdump
dump
e.g: springboot
Default endpoints which automatically enables
with some frameworks
Weak encryption mechanism
Insecure transmission of
sensitive data
etc
Weak encryption keys
Sending data in plain text
Price manipulation
Amount manipulation
Business attack
Manipulate server's responses to bypass the
authentication mechanism in the dynamic
applications.
Response manipulation
Currency manipulation
etc
Weak API keys
Deletion of resources
Manipulating resources
Broken User Authentication
Privilege escalation
e.g: {"is_admin":true}
In some applications this allows the user
to change it's password without
restrictions / versification
Mass Assignment
Improper API rotating
Executing high privilege functions with low
privilege access token.
Insecure implementation of
authentication logic
email verification
Bypass restrections
e.g: {"default_pass":true}
Use of leaked API Keys
Privilege attack
etc
e.g: {"verified":true}
API Keys attacks
default password enable
Access token attacks
Improper access token validations
Access other user's content / data with the
attacker's access token.
etc
etc
Weak secret
SQL Injection
NoSQL Injection
Lack of JWT verification (any token will be
accepted)
Token based attacks
LDAP Injection
JWT attacks
Injection
Weak algorithm
e.g: [none] algorithm
OS Command Injection
Signature bypass
XML Injection
etc.
etc
Timing attacks
CORS misconfiguration
e.g: ASP.NET stack trace
e.g: S3 Buckets
Attacking various authentication systems
Stack Traces
Outdated systems
e.g: kid injection + SQL Injection
Security misconfiguration
Profiling systems
non-expiring JWTs, access tokens and sessions
The authentication systems vary from
application to another, so there is no standard
method to break them, it based on your creative
ability :)
e.g: /api/clients/show?id=13
Exposed storage or server management panels
Information retrieval systems
e.g: /api/orders/show?order_id=202
etc
Here the (BOLA) will be a part of the
attack to make the application's return
sensitive info [which isn't required but the
application retrieve it]
Comments endpoint
Excessive Data Exposure
Messages endpoint
Communicative systems
Notifications endpoint
etc
Logging endpoints
etc
some applications returns more than the
required data, thus the attacker can
access sensitive info's like CVV, location,
National Security Numbers ...etc.
With the applications generates QR Codes
for authentication / authorization actions,
we can exploit these misconfigs before
generation to decode the QR Code after
generation then, take other users access_
tokens for example.
If you was able to control mutations
then you might be able to modify /
control data in server-side
Organization's github
API documentation in the application
API's documentation
Open source project with public documentation
Local documentation
etc
/graphql
Extract mutations according to the type in
introspection system
/graphiql
Common endpoints
Schema analysis
/graph
/explorer
Some times it being
left in the wild, so an attacker can get
benefit from them, it makes the query
implementation easier
GraphQL Playground
Common GraphQL IDEs
Application's behavior analysis
GraphiQL
etc
API Pentesting
Mindmap
{{GraphQL Attacking}}
Endpoint discovery
Modifying item's price
etc
Both of them can be found at SecLists
GraphQl wordlist
etc
Enumerating the whole schema then hunting
the mutations
Modifying item
PII data
Adding item
Financial data
Data retrieval
Item deletion
etc
Getting started with queries
Enumeration
Getting started with mutations
Basic enumeration
Enumerate schema fields, types and names
Deep enumeration
Enumerate the whole database schema
Query syntax
Mutations exploit
Queries exploit
etc
Brute force more than single credentials
through one query due to the nested queries
Deleting resource
etc
Query parameters / Arguments
Business logic attacks
Sessions / Cookies Retrievals
If the targets stores sessions / cookies in the
application's database, attacker can retrieve
them and inject through request to gain access
in user's account
etc
nodes
Analyzing schema
Multiple brute forcing
Modifying resource
Profiling systems
Arguments structure
Number of arguments
Possible mutations functions
Restrictions bypasses
Logging systems
Business systems
etc
e.g: Adding items to purchased section, then
confirm the orders and finally exploited without
executing the checkout function
Adding / Removing items from other users
accounts
Authentication attacks
Adding files / attachments
Both of them got payloads in
payloadAllTheThings
Bypassing checkouts
Internal data
Users managements
edges
Mutations
etc
Exploit mutations for:
Data types
Modifying item's currency
e.g: items cart
etc
e.g: Account locking bypassing if the
application for example got a mutation called:
unlock() and it takes argument for the id,
simply the attacker can unlock it's account like
this: unlock(id: 1) after that the attacker will be
able to login again