hacktricks/network-services-pentesting/pentesting-web/web-api-pentesting.md

98 lines
7.6 KiB
Markdown
Raw Normal View History

2022-05-16 08:29:00 +00:00
# Web API Pentesting
2022-04-28 16:01:33 +00:00
2024-07-19 09:08:05 +00:00
{% hint style="success" %}
2024-11-05 18:01:43 +00:00
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-19 09:08:05 +00:00
<details>
2022-04-28 16:01:33 +00:00
2024-07-19 09:08:05 +00:00
<summary>Support HackTricks</summary>
2023-12-31 01:24:39 +00:00
2024-07-19 09:08:05 +00:00
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
2024-07-19 09:08:05 +00:00
{% endhint %}
2022-04-28 16:01:33 +00:00
2024-05-05 17:56:05 +00:00
<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
2022-06-06 22:28:05 +00:00
2024-05-05 17:56:05 +00:00
Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=web-api-pentesting) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
2023-01-01 16:19:07 +00:00
Get Access Today:
2022-06-06 22:28:05 +00:00
2024-04-25 13:58:01 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=web-api-pentesting" %}
2022-06-06 22:28:05 +00:00
2024-02-08 21:36:15 +00:00
## API Pentesting Methodology Summary
2021-06-08 18:47:44 +00:00
2024-02-08 21:36:15 +00:00
Pentesting APIs involves a structured approach to uncovering vulnerabilities. This guide encapsulates a comprehensive methodology, emphasizing practical techniques and tools.
2024-02-08 21:36:15 +00:00
### **Understanding API Types**
2022-12-21 10:38:32 +00:00
* **SOAP/XML Web Services**: Utilize the WSDL format for documentation, typically found at `?wsdl` paths. Tools like **SOAPUI** and **WSDLer** (Burp Suite Extension) are instrumental for parsing and generating requests. Example documentation is accessible at [DNE Online](http://www.dneonline.com/calculator.asmx).
* **REST APIs (JSON)**: Documentation often comes in WADL files, yet tools like [Swagger UI](https://swagger.io/tools/swagger-ui/) provide a more user-friendly interface for interaction. **Postman** is a valuable tool for creating and managing example requests.
* **GraphQL**: A query language for APIs offering a complete and understandable description of the data in your API.
2024-02-08 21:36:15 +00:00
### **Practice Labs**
* [**VAmPI**](https://github.com/erev0s/VAmPI): A deliberately vulnerable API for hands-on practice, covering the OWASP top 10 API vulnerabilities.
2024-02-08 21:36:15 +00:00
### **Effective Tricks for API Pentesting**
* **SOAP/XML Vulnerabilities**: Explore XXE vulnerabilities, although DTD declarations are often restricted. CDATA tags may allow payload insertion if the XML remains valid.
* **Privilege Escalation**: Test endpoints with varying privilege levels to identify unauthorized access possibilities.
* **CORS Misconfigurations**: Investigate CORS settings for potential exploitability through CSRF attacks from authenticated sessions.
* **Endpoint Discovery**: Leverage API patterns to discover hidden endpoints. Tools like fuzzers can automate this process.
* **Parameter Tampering**: Experiment with adding or replacing parameters in requests to access unauthorized data or functionalities.
* **HTTP Method Testing**: Vary request methods (GET, POST, PUT, DELETE, PATCH) to uncover unexpected behaviors or information disclosures.
* **Content-Type Manipulation**: Switch between different content types (x-www-form-urlencoded, application/xml, application/json) to test for parsing issues or vulnerabilities.
* **Advanced Parameter Techniques**: Test with unexpected data types in JSON payloads or play with XML data for XXE injections. Also, try parameter pollution and wildcard characters for broader testing.
* **Version Testing**: Older API versions might be more susceptible to attacks. Always check for and test against multiple API versions.
2024-02-08 21:36:15 +00:00
### **Tools and Resources for API Pentesting**
2024-04-16 03:52:03 +00:00
* [**kiterunner**](https://github.com/assetnote/kiterunner): Excellent for discovering API endpoints. Use it to scan and brute force paths and parameters against target APIs.
2024-02-08 21:36:15 +00:00
```bash
kr scan https://domain.com/api/ -w routes-large.kite -x 20
kr scan https://domain.com/api/ -A=apiroutes-220828 -x 20
kr brute https://domain.com/api/ -A=raft-large-words -x 20 -d=0
kr brute https://domain.com/api/ -w /tmp/lang-english.txt -x 20 -d=0
```
2024-11-05 18:01:43 +00:00
* [**https://github.com/BishopFox/sj**](https://github.com/BishopFox/sj): sj is a command line tool designed to assist with auditing of **exposed Swagger/OpenAPI definition files** by checking the associated API endpoints for weak authentication. It also provides command templates for manual vulnerability testing.
* Additional tools like **automatic-api-attack-tool**, **Astra**, and **restler-fuzzer** offer tailored functionalities for API security testing, ranging from attack simulation to fuzzing and vulnerability scanning.
2024-04-16 03:52:03 +00:00
* [**Cherrybomb**](https://github.com/blst-security/cherrybomb): It's an API security tool that audit your API based on an OAS file(the tool written in rust).
2024-02-08 21:36:15 +00:00
### **Learning and Practice Resources**
2022-09-30 10:27:15 +00:00
* **OWASP API Security Top 10**: Essential reading for understanding common API vulnerabilities ([OWASP Top 10](https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf)).
* **API Security Checklist**: A comprehensive checklist for securing APIs ([GitHub link](https://github.com/shieldfy/API-Security-Checklist)).
* **Logger++ Filters**: For hunting API vulnerabilities, Logger++ offers useful filters ([GitHub link](https://github.com/bnematzadeh/LoggerPlusPlus-API-Filters)).
* **API Endpoints List**: A curated list of potential API endpoints for testing purposes ([GitHub gist](https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d)).
2022-09-05 10:17:20 +00:00
2024-02-08 21:36:15 +00:00
## References
2022-09-05 10:17:20 +00:00
* [https://github.com/Cyber-Guy1/API-SecurityEmpire](https://github.com/Cyber-Guy1/API-SecurityEmpire)
2022-04-28 16:01:33 +00:00
2024-05-05 17:56:05 +00:00
<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
2022-06-06 22:28:05 +00:00
2024-05-05 17:56:05 +00:00
Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=web-api-pentesting) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
2023-01-01 16:19:07 +00:00
Get Access Today:
2022-06-06 22:28:05 +00:00
2024-04-25 13:58:01 +00:00
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=web-api-pentesting" %}
2022-06-06 22:28:05 +00:00
2024-07-19 09:08:05 +00:00
{% hint style="success" %}
2024-11-05 18:01:43 +00:00
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-19 09:08:05 +00:00
<details>
2022-04-28 16:01:33 +00:00
2024-07-19 09:08:05 +00:00
<summary>Support HackTricks</summary>
2023-12-31 01:24:39 +00:00
2024-07-19 09:08:05 +00:00
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
2024-07-19 09:08:05 +00:00
{% endhint %}