hacktricks/pentesting/pentesting-web/api-pentesting.md
2021-03-05 12:03:56 +00:00

102 lines
3.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# API Pentesting
## Tricks
### Public and private endpoints
Create a list with the public and private endpoints to know which information should be confidential and try to access it in "unathorized" ways.
### Patterns
Search for API patterns inside the api and try to use it to discover more.
If you find _/api/albums/**<album\_id>**/photos/**<photo\_id>**_ ****you could try also things like _/api/**posts**/<post\_id>/**comment**/_. Use some fuzzer to discover this new endpoints.
### Add parameters
Something like the following example might get you access to another users photo album:
_/api/MyPictureList → /api/MyPictureList?**user\_id=<other\_user\_id>**_
### Replace parameters
You can try to **fuzz parameters** or **use** parameters **you have seen** in a different endpoints to try to access other information
For example, if you see something like: _/api/albums?**album\_id=<album id>**_
You could **replace** the **`album_id`** parameter with something completely different and potentially get other data: _/api/albums?**account\_id=<account id>**_
### Parameter pollution
/api/account?**id=<your account id>** → /api/account?**id=<your account id>&id=<admin's account id>**
### Wildcard parameter
Try to use the following symbols as wildcards: **\***, **%**, **\_**, **.**
* /api/users/\*
* /api/users/%
* /api/users/\_
* /api/users/.
### HTTP requet method change
You can try to use the HTTP methods: **GET, POST, PUT, DELETE, PATCH, INVENTED** to try check if the web server gives you unexpected information with them.
### Request content-type
Try to play between the following content-types \(bodifying acordinly the request body\) to make the web server behave unexpectedly:
* **x-www-form-urlencoded** --> user=test
* **application/xml** --> <user>test</user>
* **application/json** --> {"user": "test"}
### Parameters types
If **JSON** data is working try so send unexpected data types like:
* {"username": "John"}
* {"username": true}
* {"username": null}
* {"username": 1}
* {"username": \[true\]}
* {"username": \["John", true\]}
* {"username": {"$neq": "lalala"}}
* any other combination you may imagine
If you can send **XML** data, check for [XXE injections](../../pentesting-web/xxe-xee-xml-external-entity.md).
If you send regular POST data, try to send arrays and dictionaries:
* username\[\]=John
* username\[$neq\]=lalala
### Play with routes
`/files/..%2f..%2f + victim ID + %2f + victim filename`
### Check possible versions
Old versions may be still be in use and be more vulenrable than latest endpoints
* `/api/v1/login`
* `/api/v2/login`
* `/api/CharityEventFeb2020/user/pp/<ID>`
* `/api/CharityEventFeb2021/user/pp/<ID>`
## Owasp API Security Top 10
Read this document to learn how to **search** and **exploit** Owasp Top 10 API vulnerabilities: [https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf](https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf)
## API Security Checklist
{% embed url="https://github.com/shieldfy/API-Security-Checklist" %}
## List of possible API endpoints
[https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d](https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d)
## Tools
[https://github.com/imperva/automatic-api-attack-tool](https://github.com/imperva/automatic-api-attack-tool): Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.
[https://github.com/flipkart-incubator/Astra](https://github.com/flipkart-incubator/Astra): Another tool for api testing