Web API Pentesting
Pentesting APIs involves a structured approach to uncovering vulnerabilities. This guide encapsulates a comprehensive methodology, emphasizing practical techniques and tools.
SOAP/XML Web Services: Utilize the WSDL format for documentation, typically found at ?wsdl paths. Tools like SOAPUI and WSDLer (Burp Suite Extension) are instrumental for parsing and generating requests. Example documentation is accessible at DNE Online.
REST APIs (JSON): Documentation often comes in WADL files, yet tools like Swagger UI provide a more user-friendly interface for interaction. Postman is a valuable tool for creating and managing example requests.
GraphQL: A query language for APIs offering a complete and understandable description of the data in your API.
VAmPI: A deliberately vulnerable API for hands-on practice, covering the OWASP top 10 API vulnerabilities.
SOAP/XML Vulnerabilities: Explore XXE vulnerabilities, although DTD declarations are often restricted. CDATA tags may allow payload insertion if the XML remains valid.
Privilege Escalation: Test endpoints with varying privilege levels to identify unauthorized access possibilities.
CORS Misconfigurations: Investigate CORS settings for potential exploitability through CSRF attacks from authenticated sessions.
Endpoint Discovery: Leverage API patterns to discover hidden endpoints. Tools like fuzzers can automate this process.
Parameter Tampering: Experiment with adding or replacing parameters in requests to access unauthorized data or functionalities.
HTTP Method Testing: Vary request methods (GET, POST, PUT, DELETE, PATCH) to uncover unexpected behaviors or information disclosures.
Content-Type Manipulation: Switch between different content types (x-www-form-urlencoded, application/xml, application/json) to test for parsing issues or vulnerabilities.
Advanced Parameter Techniques: Test with unexpected data types in JSON payloads or play with XML data for XXE injections. Also, try parameter pollution and wildcard characters for broader testing.
Version Testing: Older API versions might be more susceptible to attacks. Always check for and test against multiple API versions.
kiterunner: Excellent for discovering API endpoints. Use it to scan and brute force paths and parameters against target APIs.
Additional tools like automatic-api-attack-tool, Astra, and restler-fuzzer offer tailored functionalities for API security testing, ranging from attack simulation to fuzzing and vulnerability scanning.
Cherrybomb: An API security tool that audits your API based on an OAS file (the tool is written in Rust).
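As an added example (not code from this page, from Cherrybomb or from any other tool named here), the following Python audit reads an OpenAPI 3 document and flags the conditions the tricks above target: operations with authentication switched off (privilege escalation), parameters without a schema (parameter tampering), operations accepting several request content types (content-type manipulation) and more than one API version exposed (version testing). The sample spec, the check names and the version regex are constructed for illustration.

```python
import re

# Constructed sample OpenAPI 3 document (not a real API): two versions, one
# operation with auth disabled, one untyped path parameter, one multi-type body.
SAMPLE_SPEC = {
    "security": [{"bearerAuth": []}],          # default: every operation needs a token
    "paths": {
        "/v1/users/{id}": {
            "get": {"parameters": [{"name": "id", "in": "path", "required": True}]},
        },
        "/v2/users/{id}": {
            "get": {"parameters": [{"name": "id", "in": "path", "required": True,
                                    "schema": {"type": "integer"}}]},
            "delete": {"security": []},        # overrides the global requirement
        },
        "/v2/orders": {
            "post": {"requestBody": {"content": {
                "application/json": {}, "application/xml": {},
                "application/x-www-form-urlencoded": {}}}},
        },
    },
}

HTTP_METHODS = {"get", "post", "put", "delete", "patch", "options", "head"}
VERSION_RE = re.compile(r"/v\d+(?=/|$)")       # hypothetical: /v1, /v2, ... path segments

def audit(spec):
    findings = []                              # list of (check, location) tuples
    global_sec = spec.get("security", [])
    versions = set()
    for path, item in spec.get("paths", {}).items():
        if match := VERSION_RE.search(path):
            versions.add(match.group())
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            # An operation-level "security: []" switches authentication off.
            if not op.get("security", global_sec):
                findings.append(("unauthenticated-operation", where))
            # A parameter without a schema is accepted as any type: tampering target.
            for param in item.get("parameters", []) + op.get("parameters", []):
                if "schema" not in param:
                    findings.append(("untyped-parameter", f"{where} {param['name']}"))
            if len(op.get("requestBody", {}).get("content", {})) > 1:  # several parsers
                findings.append(("multiple-content-types", where))
    if len(versions) > 1:
        findings.append(("multiple-versions", ", ".join(sorted(versions))))
    return findings
```

Each finding is a place to test by hand and a place to fix in the spec, since the same document usually drives the server's validation and routing.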
OWASP API Security Top 10: Essential reading for understanding common API vulnerabilities (OWASP Top 10).
API Security Checklist: A comprehensive checklist for securing APIs (GitHub link).
Logger++ Filters: For hunting API vulnerabilities, Logger++ offers useful filters (GitHub link).
API Endpoints List: A curated list of potential API endpoints for testing purposes (GitHub gist).