Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 04:33:28 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/pentesting/pentesting-web/web-api-pentesting.md

113 lines
4.6 KiB
Markdown
Raw Normal View History

GitBook: [master] 4 pages modified
2021-06-08 18:47:44 +00:00
# Web API Pentesting
## Basic Information
Main:
* **Web Services \(SOAP/XML\)**
* The documentation uses WSDL format and is usually saved in the `?wsdl` path like `https://api.example.com/api/?wsdl`
* An example of this documentation can be found in [http://www.dneonline.com/calculator.asmx](http://www.dneonline.com/calculator.asmx) \(WSDL document in [http://www.dneonline.com/calculator.asmx?wsdl](http://www.dneonline.com/calculator.asmx?wsdl)\) and you can see an example request calling the `Add` method in [http://www.dneonline.com/calculator.asmx?op=Add](http://www.dneonline.com/calculator.asmx?op=Add)
* **REST APIs \(JSON\)**
* The standard documentation is the WADL file. Find an example here: [https://www.w3.org/Submission/wadl/](https://www.w3.org/Submission/wadl/). However, there are other more developer friendly API representation engines like [https://swagger.io/tools/swagger-ui/](https://swagger.io/tools/swagger-ui/) \(check the demo in the page\)
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
## Tricks
GitBook: [master] 6 pages and 3 assets modified
2021-03-04 11:40:50 +00:00
### Public and private endpoints
Create a list with the public and private endpoints to know which information should be confidential and try to access it in "unathorized" ways.
### Patterns
Search for API patterns inside the api and try to use it to discover more.
If you find _/api/albums/**<album\_id>**/photos/**<photo\_id>**_ ****you could try also things like _/api/**posts**/<post\_id>/**comment**/_. Use some fuzzer to discover this new endpoints.
### Add parameters
Something like the following example might get you access to another users photo album:
_/api/MyPictureList → /api/MyPictureList?**user\_id=<other\_user\_id>**_
### Replace parameters
You can try to **fuzz parameters** or **use** parameters **you have seen** in a different endpoints to try to access other information
For example, if you see something like: _/api/albums?**album\_id=<album id>**_
You could **replace** the **`album_id`** parameter with something completely different and potentially get other data: _/api/albums?**account\_id=<account id>**_
### Parameter pollution
/api/account?**id=<your account id>** → /api/account?**id=<your account id>&id=<admin's account id>**
GitBook: [master] one page modified
2021-03-04 11:50:43 +00:00
### Wildcard parameter
Try to use the following symbols as wildcards: **\***, **%**, **\_**, **.**
* /api/users/\*
* /api/users/%
* /api/users/\_
* /api/users/.
GitBook: [master] 6 pages and 3 assets modified
2021-03-04 11:40:50 +00:00
### HTTP requet method change
You can try to use the HTTP methods: **GET, POST, PUT, DELETE, PATCH, INVENTED** to try check if the web server gives you unexpected information with them.
### Request content-type
Try to play between the following content-types \(bodifying acordinly the request body\) to make the web server behave unexpectedly:
* **x-www-form-urlencoded** --> user=test
* **application/xml** --> <user>test</user>
* **application/json** --> {"user": "test"}
GitBook: [master] one page modified
2021-03-04 11:50:43 +00:00
### Parameters types
If **JSON** data is working try so send unexpected data types like:
* {"username": "John"}
* {"username": true}
GitBook: [master] one page modified
2021-03-05 12:03:56 +00:00
* {"username": null}
GitBook: [master] one page modified
2021-03-04 11:50:43 +00:00
* {"username": 1}
* {"username": \[true\]}
* {"username": \["John", true\]}
* {"username": {"$neq": "lalala"}}
* any other combination you may imagine
If you can send **XML** data, check for [XXE injections](../../pentesting-web/xxe-xee-xml-external-entity.md).
If you send regular POST data, try to send arrays and dictionaries:
* username\[\]=John
* username\[$neq\]=lalala
GitBook: [master] 6 pages and 3 assets modified
2021-03-04 11:40:50 +00:00
### Play with routes
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
`/files/..%2f..%2f + victim ID + %2f + victim filename`
GitBook: [master] 6 pages and 3 assets modified
2021-03-04 11:40:50 +00:00
### Check possible versions
Old versions may be still be in use and be more vulenrable than latest endpoints
* `/api/v1/login`
* `/api/v2/login`
* `/api/CharityEventFeb2020/user/pp/<ID>`
* `/api/CharityEventFeb2021/user/pp/<ID>`
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
## Owasp API Security Top 10
Read this document to learn how to **search** and **exploit** Owasp Top 10 API vulnerabilities: [https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf](https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf)
## API Security Checklist
{% embed url="https://github.com/shieldfy/API-Security-Checklist" %}
## List of possible API endpoints
[https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d](https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d)
## Tools
[https://github.com/imperva/automatic-api-attack-tool](https://github.com/imperva/automatic-api-attack-tool): Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.
[https://github.com/flipkart-incubator/Astra](https://github.com/flipkart-incubator/Astra): Another tool for api testing
Reference in a new issue Copy permalink