├── Intro.md
├── LICENSE
├── Learning.md
└── README.md


/Intro.md:
--------------------------------------------------------------------------------
1 | 
2 | - [What is API](https://aws.amazon.com/what-is/api/)
3 | - [OWASP API Security Top 10](https://owasp.org/API-Security/editions/2023/en/0x00-header/)
4 | 
5 | 
6 | 
7 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2023 Aftab Sama
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/Learning.md:
--------------------------------------------------------------------------------
 1 | ## Tools
 2 | 
 3 | - https://github.com/ticarpi/jwt_tool
 4 | - https://github.com/assetnote/kiterunner
 5 | - https://github.com/s0md3v/Arjun
 6 | - https://github.com/danielmiessler/SecLists
 7 | - https://github.com/hAPI-hacker/Hacking-APIs
 8 | 
 9 | ## Your API Hacking Lab
10 | 
11 | ### APIsec.ai has hosted an API hacking lab that you can use to practice your skills.
12 | - crAPI can be found at http://crapi.apisec.ai/
13 | - vAPI can be found at http://vapi.apisec.ai/
14 | 
15 | ### set up your own lab
16 | - https://github.com/OWASP/crAPI
17 | - https://github.com/roottusk/vapi
18 | 
19 | 
20 | 
21 | ## Additional Resources
22 | 
23 | - [The Web Security Academy](https://portswigger.net/web-security): One of the best free online web security training courses on the Internet.
24 | - [APIsecurity.io](https://apisecurity.io/): A weekly newsletter that is a great resource for the latest and greatest API security news. 
25 | - [API Hacking Mind Map](https://dsopas.github.io/MindAPI/) by David Sopas.
26 | - Get involved in the Bug Bounty communities:
27 |   - [Synack](https://www.synack.com/)
28 |   - [BugCrowd](https://www.bugcrowd.com/bug-bounty-list/)
29 |   - [HackerOne](https://www.hackerone.com/)
30 |   - [Intigriti](https://www.intigriti.com/)
31 | - [Insider PhD Everything API Hacking](https://www.youtube.com/playlist?list=PLbyncTkpno5HqX1h2MnV6Qt4wvTb8Mpol): Katie Paxton-Fear's playlist of all those great API hacking hits.
32 | - [Awesome API Security](https://github.com/arainho/awesome-api-security): All the API security things.
33 | 
34 | ### Courses
35 | - https://university.apisec.ai/
36 | 
37 | 
38 | 
39 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # API-Penetration-Testing
  2 | 
  3 | 
  4 | ## Web API Indicators
  5 | 
  6 | lookout for obvious URL naming schemes:
  7 | 
  8 | - https://target-name.com/api/v1
  9 | - https://api.target-name.com/v1 
 10 | - https://target-name.com/docs
 11 | - https://dev.target-name.com/rest
 12 | 
 13 | Look for API indicators within directory names like:
 14 | 
 15 | /api, /api/v1, /v1, /v2, /v3, /rest, /swagger, /swagger.json, /doc, /docs, /graphql, /graphiql, /altair, /playground
 16 | 
 17 | Also, subdomains can also be indicators of web APIs:
 18 | - api.target-name.com
 19 | - uat.target-name.com
 20 | - dev.target-name.com
 21 | - developer.target-name.com
 22 | - test.target-name.com
 23 | 
 24 | TruffleHog is a great tool for automatically discovering exposed secrets.
 25 | - https://github.com/trufflesecurity/trufflehog
 26 | 
 27 | ## Active API Reconnaissance
 28 | 
 29 | - `nmap -sV --script=http-enum <target> -p 80,443,8000,8080`
 30 | - `amass enum -active -d target-name.com |grep api`
 31 | - The following example uses an API-specific wordlist to find the directories on an IP address:
 32 |   - ` gobuster dir -u target-name.com:8000 -w /home/hapihacker/api/wordlists/common_apis_160 `
 33 | - Kiterunner for discovering API endpoints and resources.
 34 |   - https://github.com/assetnote/kiterunner
 35 |   - ` kr scan HTTP://127.0.0.1 -w ~/api/wordlists/data/kiterunner/routes-large.kite `
 36 | 
 37 | ## Authentication Attacks
 38 | 
 39 | brute-force attacks:
 40 | - creating targeted password lists
 41 |   - https://github.com/sc0tfree/mentalist
 42 |   - https://github.com/Mebus/cupp
 43 | 
 44 | Password Spraying
 45 | - combining a long list of users with a short list of targeted passwords.
 46 | 
 47 | ## JWT Attacks
 48 | 
 49 | JWT.io is a free web JWT debugger
 50 | - https://jwt.io/
 51 | 
 52 | Automating JWT attacks with JWT_Tool
 53 | - https://github.com/ticarpi/jwt_tool/wiki
 54 | 
 55 | ## Exploiting API Authorization
 56 | 
 57 | - Find Resource IDs and Requests
 58 | 
 59 | #### Authorization Testing Strategy:
 60 |   1. Create a UserA account.
 61 |   2. Use the API and discover requests that involve resource IDs as UserA.
 62 |   3. Document requests that include resource IDs and should require authorization.
 63 |   4. Create a UserB account.
 64 |   5. Obtaining a valid UserB token and attempt to access UserA's resources.
 65 | 
 66 | - Try changing request method.
 67 | 
 68 | ## Improper Assets Management
 69 | > Testing for Improper Assets Management is all about discovering unsupported and non-production versions of an API
 70 | 
 71 | - Non-production versions of an API include any version of the API that was not meant for end-user consumption. Non-production versions could include:
 72 |   - api.test.target.com
 73 |   - api.uat.target.com
 74 |   - beta.api.com
 75 |   - /api/private
 76 |   - /api/partner
 77 |   - /api/test
 78 | - Make sure to check out the path, parameters, and headers for any versioning information.
 79 | 
 80 | ## Mass Assignment Attacks
 81 | > Mass Assignment vulnerabilities are present when an attacker is able to overwrite object properties that they should not be able to.
 82 | 
 83 | One of the ways that you can discover mass assignment vulnerabilities by finding interesting parameters in API documentation and then adding those parameters to requests. Look for parameters involved in user account properties, critical functions, and administrative actions.
 84 | 
 85 | Testing Account Registration for Mass Assignment
 86 | - Try adding other key-values to the JSON POST body, such as:
 87 | ```
 88 | "isadmin": true,
 89 | "isadmin":"true",
 90 | "admin": 1,
 91 | "admin": true, 
 92 | ```
 93 | 
 94 | - Fuzzing for Mass Assignment with Param Miner
 95 |   - Right-click on a request that you would like to mine for parameters. Select Extensions > Param Miner > Guess params > Guess JSON parameter. 
 96 | 
 97 | ####  free tools to see request made to url:
 98 | 
 99 | - http://webhook.site/
100 | - http://pingb.in/
101 | - https://requestbin.com/
102 | - https://canarytokens.org/
103 | 
104 | ##  Injection Attacks
105 | 
106 | if the API is expecting a certain type of input (number, string, boolean value) send:
107 | - A very large number
108 | - A very large string
109 | - A negative number
110 | - A string (instead of a number or boolean value)
111 | - Random characters
112 | - Boolean values
113 | - Meta characters
114 | 
115 | #### SQL Injection Metacharacters
116 | 
117 | - SQL metacharacters that can cause some issues:
118 | ```SQL
119 | '
120 | ''
121 | ;%00
122 | --
123 | -- -
124 | ""
125 | ;
126 | ' OR '1
127 | ' OR 1 -- -
128 | " OR "" = "
129 | " OR 1 = 1 -- -
130 | ' OR '' = '
131 | OR 1=1
132 | ```
133 | 
134 | #### NoSQL Injection
135 | 
136 | The following are common NoSQL metacharacters you could send in an API request to manipulate the database:
137 | ```json
138 | $gt 
139 | {"$gt":""}
140 | {"$gt":-1}
141 | $ne
142 | {"$ne":""}
143 | {"$ne":-1}
144 |  $nin
145 | {"$nin":1}
146 | {"$nin":[1]}
147 | {"$where":  "sleep(1000)"}
148 | ```
149 | 
150 | $gt is a MongoDB NoSQL query operator that selects documents that are greater than the provided value. 
151 | 
152 | The $ne query operator selects documents where the value is not equal to the provided value. 
153 | 
154 | The $nin operator is the “not in” operator, used to select documents where the field value is not within the specified array. 
155 | 
156 | #### OS Injection
157 | 
158 | Characters such as the following all act as command separators, which enable a program to pair multiple commands together on a single line.
159 | 
160 | ```Shell
161 | |
162 | ||
163 | &
164 | &&
165 | '
166 | "
167 | ;
168 | '"
169 | ```
170 | 
171 | #### Injection Targets
172 | 
173 | requests that include user input.examples:
174 | - PUT videos by id
175 | - GET videos by id
176 | - POST change-email
177 | - POST verify-email-token
178 | - POST login
179 | - GET location
180 | - POST check-otp
181 | - POST posts
182 | - POST validate-coupon
183 | - POST orders
184 | 
185 | #### WAF Evasion
186 | 
187 | String terminators can be placed in different parts of the request, like the path or POST body, to attempt to bypass any restrictions in place.
188 | 
189 | Here is a list of potential string terminators you can use:
190 | ```
191 | %00
192 | 0x00
193 | //
194 | ;
195 | %
196 | !
197 | ?
198 | []
199 | %5B%5D
200 | %09
201 | %0a
202 | %0b
203 | %0c
204 | %0e
205 | ```
206 | 
207 | - **Case Switching**:
208 |   - Sometimes API security controls are pretty easy to beat. If a security control is built around the literal spelling and case of the components within a request, then case switching can be an effective technique to bypass the controls.
209 | - Encoding Payloads
210 | 
211 | Awesome-WAF GitHub repo
212 | 
213 | https://github.com/0xInfection/Awesome-WAF#known-bypasses
214 | 
215 | 
216 | 
217 | 
218 | 
219 | 
220 | 
221 | 
222 | <br>
223 | 
224 | ---
225 | <!-- GitAds-Verify: P9VOXRFWU1X3DLBYNTQKCYBLJES1OUWV -->
226 | ## GitAds Sponsored
227 | [![Sponsored by GitAds](https://gitads.dev/v1/ad-serve?source=aftab700/api-penetration-testing@github)](https://gitads.dev/v1/ad-track?source=aftab700/api-penetration-testing@github)
228 | 
229 | 


--------------------------------------------------------------------------------