MindAPI

Reconnaissance

- Identify architecture
  - Architecture / Documentation
  - REST APIs
    - RESTful: Swagger
    - OData: /$metadata
  - GraphQL
  - SOAP: transferred data in XML format
  - XML-RPC: transferred data in a simpler XML format
  - JSON-RPC: transferred data similar to XML-RPC but in JSON format, e.g. {"users":[{"firstName":"David"}]}
  - Accept request header
  - gRPC-Protobuf: identify gRPC via the Content-Type request header and the Access-Control-Expose-Headers response header

- Check for documentation
  - Automatic / Manual
  - Traffic analysis
    - REST: Burp CE, ZAP, mitmproxy
    - OData: Burp CE, ZAP, mitmproxy
    - GraphQL: Burp CE, ZAP
    - SOAP: Burp CE
    - XML-RPC: Burp CE, mitmproxy
    - JSON-RPC: Burp CE, mitmproxy
    - gRPC-Protobuf: mitmproxy, Wireshark, protoc (echo HEX_STREAM | xxd -r -p | protoc --decode_raw)
  - Wayback Machine: waybackurls, gau
  - Path manipulation: /api/v1, /api/v2, /api/v3
  - WADL: /application.wadl, /application.wadl?detail=true, /api/application.wadl
  - WSDL: ?wsdl or ?singleWsdl (tools: wsdl-wizard, SoapUI, Wsdler)
  - GraphQL
  - Google dork: site:target.tld intitle:api | developer

- Search for APIs
  - Google dorks
    - site:target.tld inurl:api
    - intitle:"index of" "api.yaml" site:target.tld
    - WADL: inurl:/application.wadl, user filetype:wadl, ext:wadl
    - WSDL: user filetype:wsdl, ext:wsdl
    - OData: inurl:/%24metadata
    - Secrets: intitle:"index of" intext:"apikey.txt" site:target.tld; allintext:"API_SECRET*" ext:env | ext:yml site:target.tld
  - Github
    - WADL, WSDL, GraphQL, Swagger, Endpoints, API directories, Other
    - Secrets: truffleHog, shhgit

- Enumerate endpoints / methods
  - Tools
    - ffuf: ffuf -w wordlists/WORDLIST -u
    - Amass: amass enum -active -d TARGET.TLD -config /root/amass/config.ini
    - nuclei: nuclei -target TARGET.TLD -t exposures/apis/
    - Jaeles: jaeles scan -s /jaeles-signatures/sensitive/swagger-ui-probing.yaml -u TARGET.TLD
    - Arjun: arjun -u
    - ParamSpider: python3 paramspider.py --domain TARGET.TLD
    - param-miner
    - TnT-Fuzzer: tntfuzzer --url --iterations 100 --log_all
    - Kiterunner: kr scan TARGET.TLD -w routes.kite -A=apiroutes-210228:20000 -x 10 --ignore-length=34
  - Supported content types
    - Play with the request URL: the requested resource extension (e.g. replacing .json by .xml) and the query string (e.g. replacing ?json by ?xml, or ?format=json by ?format=xml)
    - Play with the Content-Type request header and payload: without a Content-Type, submit either json, xml, ...; then change the Content-Type and the payload accordingly

Testing

- Broken Object Level Authorization
  - Endpoint receives an ID? Understand the pattern
    - Sequential: next value, previous value
    - Encoded
    - Other
  - Tamper
    - Change the data type: is it a number? change it to a string; is it a string? change it to a number
    - Change the method: GET to POST
    - Duplicate: ?id=1&id=2
    - Add as an array: ?id[]=1&id[]=2
    - Wildcard: GET /users/id -> GET /users/*
  - Check the response
  - Cross-deployment IDs
    - Identify other deployments (hosts) of your target API
    - Enumerate resource IDs (often non-numerical/sequential ones)
    - Test those IDs on your target API host
  - Tools
    - REST APIs: Astra, apidor, AuthMatrix, Autorize, Auth Analyzer, Susanoo
    - GraphQL: InQL

- Broken Authentication
  - Types of authentication: Basic Auth, API Keys, JWT, OAuth
  - Test
    - Login: brute force attacks
    - Forgot password
    - Forgot username
    - Changing password
    - Registration
    - Sensitive data in the URL: passwords, tokens
    - Authenticity of tokens
    - Strength
  - Password storage type: plain text, weak encryption, weak hash algorithm
  - API Keys: predictable, weak hash algorithm
  - JWT
    - Test JWT secret brute-forcing: jwt_tool, jwt_cracker, jwtcat, apicheck
    - Abusing JWT public keys without knowing the public key: rsa_sig2n, jwt.io
    - Test if the algorithm can be changed: jwtcat, apicheck, JSON Web Token Attacker
    - Test token expiration time (TTL, RTTL)
    - Test if sensitive data is in the JWT: jwt.io
    - Check for injection in the "kid" element
    - Check for time-constant verification of the HMAC
    - Check that keys and secrets are different between environments
  - OAuth
    - Common issues
      - Test redirect_uri: open redirects (?redirect_uri=), XSS (?redirect_uri=), fuzz (?redirect_uri=)
      - Test the existence of response_type=token
    - Missing state parameter? CSRF: generate a valid authorization_code and don't use it; send the crafted CSRF page to TARGET
    - Testing state: predictable state parameter? is the state parameter being verified?
    - If you revoke access, is the code also revoked?

- Excessive Data Exposure
  - Check if the API returns full data objects from the database with sensitive data: apicheck
  - Compare client data with the API response to check if filtering is done on the client side: Burp CE, ZAP, mitmproxy
  - Sniff the traffic to check for sensitive data returned by the API

- Lack of Resources & Rate Limiting
  - Execution timeouts: Regexploit
  - Max allocable memory
  - Number of file descriptors
  - Number of processes
  - Request payload size (e.g. uploads)
  - Number of requests per client/resource
  - Number of records per page to return in a single request response
  - Test brute-force attacks: racepwn, Race The Web
  - Tools: Astra, API Fuzzer

- Broken Function Level Authorization
  - Can a regular user access administrative endpoints? (MindAPI recon can help you here)
  - Does testing different HTTP methods (GET, POST, PUT, DELETE, PATCH) allow level escalation?
  - Enumerate/brute-force endpoints to find unauthorized requests (MindAPI recon can help you here)

- Mass Assignment
  - Enumerate object properties
    - API documentation (Reconnaissance)
    - Inspect available API clients' network traffic: desktop, mobile, web (watch out for include-like parameters, e.g. ?include=user.addresses,user.cards)
    - Exercise data retrieval endpoints
    - Uncover hidden properties: guessing based on API context; reverse engineering available API clients; fuzzing (one additional property at a time, possible combinations of properties, all enumerated properties at once)
    - GraphQL: ShapeShifter (demo)
  - Craft request payloads
    - Include augmented objects
    - Vary property data types/values: Number, String, Array, Object; state values, e.g. to-do -> in-progress -> done (keep in mind possible state transitions)
    - Test different operation types: Create, Update

- Security Misconfiguration
  - The latest security patches are missing, or the systems are out of date
  - Can you use other HTTP verbs?
  - Test if Transport Layer Security (TLS) is missing: testssl
  - Test for security headers: API Fuzzer
  - Is CORS well configured? Astra, API Fuzzer
  - Force an error to see if any sensitive information is exposed
  - GraphQL: introspection query and/or GraphiQL is enabled; the GraphQL server provides field name hints; query batching is enabled without limit; unlimited depth and/or amount (Astra, API Fuzzer)

- Injection
  - REST APIs
    - Test if user input is validated, filtered, or sanitized by the API: TnT-Fuzzer, APIFuzzer, Susanoo, Astra, API Fuzzer
    - Test if client data is used in, or concatenated into, DB queries, OS commands, etc.: APIFuzzer, Susanoo
    - Check if incoming data from external systems is validated, filtered, or sanitized by the API
  - GraphQL: GraphQLmap

- Improper Assets Management
  - Check for the API documentation (MindAPI recon can help you here)
  - Hosts inventory is missing or outdated
  - Integrated services inventory, either first- or third-party, is missing or outdated
  - Old or previous API versions are running unpatched
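The JWT items listed under Broken Authentication (pinned algorithm, handling of the "kid" element, time-constant HMAC comparison, expiration) seen from the defender's side, as an added example that is not part of MindAPI: a minimal HS256 verifier that would pass those tests. The key ring, kid values and secrets are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Server-side key ring, kid -> secret. Constructed demo values, not real keys.
KEYS = {"k1": b"constructed-demo-secret-k1", "k2": b"constructed-demo-secret-k2"}
PINNED_ALG = "HS256"  # the server fixes the algorithm; the token header never chooses it

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(kid, claims, alg=PINNED_ALG):
    """Mint a token for testing; alg is overridable only so tests can build bad tokens."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(KEYS[kid], signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token, now=None):
    """Return the claims if the token is valid, else None. Each check maps to a MindAPI JWT item."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    # "Test if algorithm could be changed": alg=none, RS256 or anything but the pinned alg is rejected
    if not isinstance(header, dict) or header.get("alg") != PINNED_ALG:
        return None
    # 'Check for injection in "kid"': kid is only a dictionary key, never a file path or query
    key = KEYS.get(header.get("kid"))
    if key is None:
        return None
    # "Check for time constant verification for HMAC": compare_digest, not ==
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    # "Test token expiration time": exp is mandatory and must still be in the future
    now = time.time() if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or exp <= now:
        return None
    return claims
```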