API Pentesting
Create a list with the public and private endpoints to know which information should be confidential and try to access it in "unathorized" ways.
Search for API patterns inside the api and try to use it to discover more. If you find /api/albums/<album_id>/photos/<photo_id> you could try also things like /api/posts/<post_id>/comment/. Use some fuzzer to discover this new endpoints.
Something like the following example might get you access to another user’s photo album: /api/MyPictureList → /api/MyPictureList?user_id=<other_user_id>
You can try to fuzz parameters or use parameters you have seen in a different endpoints to try to access other information
For example, if you see something like: /api/albums?album_id=<album id>
You could replace the album_id parameter with something completely different and potentially get other data: /api/albums?account_id=<account id>
/api/account?id=<your account id> → /api/account?id=<your account id>&id=<admin's account id>
Try to use the following symbols as wildcards: *, %, _, .
/api/users/*
/api/users/%
/api/users/_
/api/users/.
You can try to use the HTTP methods: GET, POST, PUT, DELETE, PATCH, INVENTED to try check if the web server gives you unexpected information with them.
Try to play between the following content-types (bodifying acordinly the request body) to make the web server behave unexpectedly:
x-www-form-urlencoded --> user=test
application/xml --> <user>test</user>
application/json --> {"user": "test"}
If JSON data is working try so send unexpected data types like:
{"username": "John"}
{"username": true}
{"username": null}
{"username": 1}
{"username": [true]}
{"username": ["John", true]}
{"username": {"$neq": "lalala"}}
any other combination you may imagine
If you can send XML data, check for XXE injections.
If you send regular POST data, try to send arrays and dictionaries:
username[]=John
username[$neq]=lalala
/files/..%2f..%2f + victim ID + %2f + victim filename
Old versions may be still be in use and be more vulenrable than latest endpoints
/api/v1/login/api/v2/login/api/CharityEventFeb2020/user/pp/<ID>/api/CharityEventFeb2021/user/pp/<ID>
Read this document to learn how to search and exploit Owasp Top 10 API vulnerabilities: https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf
https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d
https://github.com/imperva/automatic-api-attack-tool: Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.
https://github.com/flipkart-incubator/Astra: Another tool for api testing
