API testing - pentestfunctions/Hacking-For-Beginners GitHub Wiki

Basic Information on Web Services and APIs

Main Topics

1. Web Services (SOAP/XML)

2. REST APIs (JSON)

  • Documentation: Standard documentation is the WADL file.

3. GraphQL

  • Labs:
    • VAmPI: A deliberately vulnerable Flask API that includes OWASP Top 10 vulnerabilities for APIs.

Tricks and Techniques

SOAP/XML

  • Vulnerabilities: Possible XXE, try using CDATA tags for payloads.
  • DTD Declarations: Often disallowed in user input.

Checking Access

  • Test different privilege levels on API endpoints.
  • CORS: Check the CORS configuration; an over-permissive policy (e.g. reflecting arbitrary origins with credentials allowed) lets other sites make authenticated cross-origin requests, which enables CSRF-style attacks.

Patterns and Endpoint Discovery

  • Look for API patterns and try discovering new endpoints.
  • Example: /api/albums/<album_id>/photos/<photo_id> → Try /api/posts/<post_id>/comment/
  • Fuzzing: Use tools to discover new endpoints.

Parameter Manipulation

  • Add or replace parameters in requests.
  • Example: /api/MyPictureList?user_id=<other_user_id>
  • Try parameter pollution (sending the same parameter more than once) and wildcard values.

HTTP Request Methods

  • Experiment with different methods: GET, POST, PUT, DELETE, PATCH.

Request Content-Type Variations

  • Play with x-www-form-urlencoded, application/xml, application/json.
  • Send unexpected data types in JSON.
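A server-side counterpart to the parameter-manipulation and unexpected-JSON-type checks above, added here as an example and not part of the original wiki: a strict request parser that rejects repeated query parameters, unknown parameters and fields, wildcard or non-numeric values, and JSON type confusion. QUERY_SCHEMA, BODY_SCHEMA and RequestRejected are assumed names; user_id is deliberately absent from the query schema so the /api/MyPictureList ownership check cannot be bypassed by substituting another user's id.

```python
import json
from urllib.parse import parse_qsl

# Hypothetical allow-lists for /api/MyPictureList (constructed for this example).
# user_id is deliberately absent: the handler must take it from the
# authenticated session, never from the request, to block ?user_id=<other>.
QUERY_SCHEMA = {"page": int, "limit": int}
BODY_SCHEMA = {"title": str, "tags": list, "public": bool}


class RequestRejected(ValueError):
    """Raised for any request that deviates from the schema."""


def parse_query(raw_query):
    """Parse a query string strictly: reject repeated keys (parameter
    pollution), unknown keys, and values that do not convert to the type."""
    result = {}
    for key, value in parse_qsl(raw_query, keep_blank_values=True):
        if key in result:
            raise RequestRejected(f"duplicate parameter: {key}")
        if key not in QUERY_SCHEMA:
            raise RequestRejected(f"unexpected parameter: {key}")
        try:
            result[key] = QUERY_SCHEMA[key](value)
        except ValueError:
            raise RequestRejected(f"bad value for {key}: {value!r}")
    return result


def parse_json_body(raw_body):
    """Parse a JSON object strictly: reject unknown fields and type
    confusion such as a list where a string is expected."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise RequestRejected(f"invalid JSON: {exc.msg}")
    if not isinstance(body, dict):
        raise RequestRejected("body must be a JSON object")
    for key, value in body.items():
        expected = BODY_SCHEMA.get(key)
        if expected is None:
            raise RequestRejected(f"unexpected field: {key}")
        # exact type check: bool is a subclass of int, so isinstance() would
        # accept true/false where an int is expected
        if type(value) is not expected:
            raise RequestRejected(f"bad type for {key}: {type(value).__name__}")
    return body
```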

Route Manipulation

  • Experiment with URL encoding and paths.

Version Checking

  • Test against different API versions for vulnerabilities.
  • Automated Approach: Use Burp's AutoRepeater with replacement rules.

🛡️ API Security Empire Cheat Sheet

  • Author: Momen Eldawakhly (Cyber Guy)
  • Contents: Mindmaps, tips, resources for API Security and Penetration Testing.
  • OWASP Top 10: OWASP API Security Top 10

🚪 Gates to API Security

🚪 First Gate: Recon

  • Tools: BurpSuite, FFUF, Arjun, Postman, SecLists, FuzzDB, SoapUI, GraphQL Voyager, Kiterunner, unfurl
  • Labs for Practice: vapi, Generic-University

🚪 Second Gate: Attacking

Tools for API Testing and Exploitation
