hacktricks/pentesting/pentesting-web/api-pentesting.md

# API Pentesting

## Tricks

### Public and private endpoints

Create a list with the public and private endpoints to know which information should be confidential and try to access it in "unathorized" ways.

### Patterns

Search for API patterns inside the api and try to use it to discover more.  
If you find  _/api/albums/**<album\_id>**/photos/**<photo\_id>**_ ****you could try also things like  _/api/**posts**/<post\_id>/**comment**/_. Use some fuzzer to discover this new endpoints.

### Add parameters

Something like the following example might get you access to another user’s photo album:  
_/api/MyPictureList → /api/MyPictureList?**user\_id=<other\_user\_id>**_

### Replace parameters

You can try to **fuzz parameters** or **use** parameters **you have seen** in a different endpoints to try to access other information

For example, if you see something like: _/api/albums?**album\_id=<album id>**_

You could **replace** the **`album_id`** parameter with something completely different and potentially get other data: _/api/albums?**account\_id=<account id>**_

### Parameter pollution

 /api/account?**id=<your account id>** →  /api/account?**id=<your account id>&id=<admin's account id>**

### Wildcard parameter

Try to use the following symbols as wildcards: **\***, **%**, **\_**, **.**

*  /api/users/\*
* /api/users/%
* /api/users/\_
* /api/users/.

### HTTP requet method change

You can try to use the HTTP methods: **GET, POST, PUT, DELETE, PATCH, INVENTED** to try check if the web server gives you unexpected information with them.

### Request content-type

Try to play between the following content-types \(bodifying acordinly the request body\) to make the web server behave unexpectedly:

* **x-www-form-urlencoded** --> user=test
* **application/xml** -->  <user>test</user>
* **application/json** -->  {"user": "test"}

### Parameters types

If **JSON** data is working try so send unexpected data types like:

* {"username": "John"}
* {"username": true}
* {"username": null}
* {"username": 1}
* {"username": \[true\]}
* {"username": \["John", true\]}
* {"username": {"$neq": "lalala"}}
* any other combination you may imagine

If you can send **XML** data, check for [XXE injections](../../pentesting-web/xxe-xee-xml-external-entity.md).

If you send regular POST data, try to send arrays and dictionaries:

* username\[\]=John
* username\[$neq\]=lalala

### Play with routes

`/files/..%2f..%2f + victim ID + %2f + victim filename`

### Check possible versions

Old versions may be still be in use and be more vulenrable than latest endpoints

* `/api/v1/login`
* `/api/v2/login` 
*  `/api/CharityEventFeb2020/user/pp/<ID>`
*  `/api/CharityEventFeb2021/user/pp/<ID>`

## Owasp API Security Top 10

Read this document to learn how to **search** and **exploit** Owasp Top 10 API vulnerabilities: [https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf](https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf)

## API Security Checklist

{% embed url="https://github.com/shieldfy/API-Security-Checklist" %}

## List of possible API endpoints

[https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d](https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d)

## Tools

[https://github.com/imperva/automatic-api-attack-tool](https://github.com/imperva/automatic-api-attack-tool): Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.

[https://github.com/flipkart-incubator/Astra](https://github.com/flipkart-incubator/Astra): Another tool for api testing