├── .github ├── FUNDING.yml └── workflows │ └── gh-pages.yml ├── .gitignore ├── .gitmodules ├── LICENSE ├── MindAPI.md ├── README.md ├── Resized_Company_Logo_Here_115x115.png ├── Sponsorship.md ├── docs ├── .nojekyll ├── config.toml ├── content │ ├── _index.md │ ├── about.md │ ├── play │ │ └── _index.md │ └── references.md ├── layouts │ ├── index.html │ ├── partials │ │ └── header.html │ └── section │ │ └── play.html └── static │ ├── css │ └── custom.css │ ├── js │ └── mindmap.js │ └── mindapi.png ├── logo MindAPI_git.jpg ├── mindapi_cover.png └── mindapi_play.gif /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | ko_fi: mindapi 2 | -------------------------------------------------------------------------------- /.github/workflows/gh-pages.yml: -------------------------------------------------------------------------------- 1 | name: github pages 2 | 3 | on: 4 | push: 5 | branches: 6 | - main # Set a branch to deploy 7 | 8 | jobs: 9 | deploy: 10 | runs-on: ubuntu-latest 11 | permissions: 12 | contents: write # least privilege: the deploy step only needs to push the gh-pages branch; every other GITHUB_TOKEN scope stays off 13 | steps: 14 | - uses: actions/checkout@v2 # mutable tag; pin third-party actions to a full commit SHA so a moved/hijacked tag cannot change what runs here 15 | with: 16 | submodules: true # Fetch Hugo themes (true OR recursive) 17 | fetch-depth: 0 # Fetch all history for .GitInfo and .Lastmod 18 | 19 | - name: Setup Hugo 20 | uses: peaceiris/actions-hugo@v2 21 | with: 22 | hugo-version: 'latest' # unpinned build tool: each run pulls whatever is newest, so builds are not reproducible; pin an explicit version 23 | # extended: true 24 | 25 | - name: Build 26 | run: cd docs; hugo --minify 27 | 28 | - name: Deploy 29 | uses: peaceiris/actions-gh-pages@v3 30 | with: 31 | github_token: ${{ secrets.GITHUB_TOKEN }} 32 | publish_dir: ./docs/public 33 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | docs/public 2 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "docs/src/themes/minimal"] 2 | path = 
docs/themes/minimal 3 | url = https://github.com/calintat/minimal/ 4 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Creative Commons Legal Code 2 | 3 | CC0 1.0 Universal 4 | 5 | CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE 6 | LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN 7 | ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS 8 | INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES 9 | REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS 10 | PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM 11 | THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED 12 | HEREUNDER. 13 | 14 | Statement of Purpose 15 | 16 | The laws of most jurisdictions throughout the world automatically confer 17 | exclusive Copyright and Related Rights (defined below) upon the creator 18 | and subsequent owner(s) (each and all, an "owner") of an original work of 19 | authorship and/or a database (each, a "Work"). 20 | 21 | Certain owners wish to permanently relinquish those rights to a Work for 22 | the purpose of contributing to a commons of creative, cultural and 23 | scientific works ("Commons") that the public can reliably and without fear 24 | of later claims of infringement build upon, modify, incorporate in other 25 | works, reuse and redistribute as freely as possible in any form whatsoever 26 | and for any purposes, including without limitation commercial purposes. 27 | These owners may contribute to the Commons to promote the ideal of a free 28 | culture and the further production of creative, cultural and scientific 29 | works, or to gain reputation or greater distribution for their Work in 30 | part through the use and efforts of others. 
31 | 32 | For these and/or other purposes and motivations, and without any 33 | expectation of additional consideration or compensation, the person 34 | associating CC0 with a Work (the "Affirmer"), to the extent that he or she 35 | is an owner of Copyright and Related Rights in the Work, voluntarily 36 | elects to apply CC0 to the Work and publicly distribute the Work under its 37 | terms, with knowledge of his or her Copyright and Related Rights in the 38 | Work and the meaning and intended legal effect of CC0 on those rights. 39 | 40 | 1. Copyright and Related Rights. A Work made available under CC0 may be 41 | protected by copyright and related or neighboring rights ("Copyright and 42 | Related Rights"). Copyright and Related Rights include, but are not 43 | limited to, the following: 44 | 45 | i. the right to reproduce, adapt, distribute, perform, display, 46 | communicate, and translate a Work; 47 | ii. moral rights retained by the original author(s) and/or performer(s); 48 | iii. publicity and privacy rights pertaining to a person's image or 49 | likeness depicted in a Work; 50 | iv. rights protecting against unfair competition in regards to a Work, 51 | subject to the limitations in paragraph 4(a), below; 52 | v. rights protecting the extraction, dissemination, use and reuse of data 53 | in a Work; 54 | vi. database rights (such as those arising under Directive 96/9/EC of the 55 | European Parliament and of the Council of 11 March 1996 on the legal 56 | protection of databases, and under any national implementation 57 | thereof, including any amended or successor version of such 58 | directive); and 59 | vii. other similar, equivalent or corresponding rights throughout the 60 | world based on applicable law or treaty, and any national 61 | implementations thereof. 62 | 63 | 2. Waiver. 
To the greatest extent permitted by, but not in contravention 64 | of, applicable law, Affirmer hereby overtly, fully, permanently, 65 | irrevocably and unconditionally waives, abandons, and surrenders all of 66 | Affirmer's Copyright and Related Rights and associated claims and causes 67 | of action, whether now known or unknown (including existing as well as 68 | future claims and causes of action), in the Work (i) in all territories 69 | worldwide, (ii) for the maximum duration provided by applicable law or 70 | treaty (including future time extensions), (iii) in any current or future 71 | medium and for any number of copies, and (iv) for any purpose whatsoever, 72 | including without limitation commercial, advertising or promotional 73 | purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each 74 | member of the public at large and to the detriment of Affirmer's heirs and 75 | successors, fully intending that such Waiver shall not be subject to 76 | revocation, rescission, cancellation, termination, or any other legal or 77 | equitable action to disrupt the quiet enjoyment of the Work by the public 78 | as contemplated by Affirmer's express Statement of Purpose. 79 | 80 | 3. Public License Fallback. Should any part of the Waiver for any reason 81 | be judged legally invalid or ineffective under applicable law, then the 82 | Waiver shall be preserved to the maximum extent permitted taking into 83 | account Affirmer's express Statement of Purpose. 
In addition, to the 84 | extent the Waiver is so judged Affirmer hereby grants to each affected 85 | person a royalty-free, non transferable, non sublicensable, non exclusive, 86 | irrevocable and unconditional license to exercise Affirmer's Copyright and 87 | Related Rights in the Work (i) in all territories worldwide, (ii) for the 88 | maximum duration provided by applicable law or treaty (including future 89 | time extensions), (iii) in any current or future medium and for any number 90 | of copies, and (iv) for any purpose whatsoever, including without 91 | limitation commercial, advertising or promotional purposes (the 92 | "License"). The License shall be deemed effective as of the date CC0 was 93 | applied by Affirmer to the Work. Should any part of the License for any 94 | reason be judged legally invalid or ineffective under applicable law, such 95 | partial invalidity or ineffectiveness shall not invalidate the remainder 96 | of the License, and in such case Affirmer hereby affirms that he or she 97 | will not (i) exercise any of his or her remaining Copyright and Related 98 | Rights in the Work or (ii) assert any associated claims and causes of 99 | action with respect to the Work, in either case contrary to Affirmer's 100 | express Statement of Purpose. 101 | 102 | 4. Limitations and Disclaimers. 103 | 104 | a. No trademark or patent rights held by Affirmer are waived, abandoned, 105 | surrendered, licensed or otherwise affected by this document. 106 | b. Affirmer offers the Work as-is and makes no representations or 107 | warranties of any kind concerning the Work, express, implied, 108 | statutory or otherwise, including without limitation warranties of 109 | title, merchantability, fitness for a particular purpose, non 110 | infringement, or the absence of latent or other defects, accuracy, or 111 | the present or absence of errors, whether or not discoverable, all to 112 | the greatest extent permissible under applicable law. 113 | c. 
Affirmer disclaims responsibility for clearing rights of other persons 114 | that may apply to the Work or any use thereof, including without 115 | limitation any person's Copyright and Related Rights in the Work. 116 | Further, Affirmer disclaims responsibility for obtaining any necessary 117 | consents, permissions or other rights required for any use of the 118 | Work. 119 | d. Affirmer understands and acknowledges that Creative Commons is not a 120 | party to this document and has no duty or obligation with respect to 121 | this CC0 or use of the Work. 122 | -------------------------------------------------------------------------------- /MindAPI.md: -------------------------------------------------------------------------------- 1 | # MindAPI 2 | 3 | ## Reconnaissance 4 | 5 | ### Identify architecture 6 | 7 | #### Architecture 8 | - REST APIs 9 | - RESTful 10 | - URL structure 11 | - Often use resource-oriented URLs such as: `/api/v1/product/1234` 12 | - Response structure 13 | - Often in JSON or XML format 14 | - Consistent and hierarchical structure 15 | - OData 16 | - A metadata document is usually provided at `/odata/$metadata` 17 | - Specific query options present on the URL: `/odata/Products?$filter=Price&$orderby=desc` 18 | - Response often includes annotations `@odata.context` or `@odata.metadata` 19 | - Typically format is JSON 20 | - Usually the response `Content-Type` includes the string `odata`: `application/json;odata.metadata=full` 21 | - 22 | - GraphQL 23 | - Response structure 24 | - If there an issue with the query, an `errors` object is included in the response 25 | - Errors like `Cannot query field` or `Field not found` is usually indicative of a GraphQL API 26 | - If the response is successful the response will often contain a `data` field which includes the actual query results 27 | - Specific fields 28 | - Response may include `__typename` which is used to identify the type of an object 29 | - SOAP 30 | - Transfered data in XML format 31 
| - XML-RPC 32 | - Transfered data in simpler XML format `David` 33 | - JSON-RPC 34 | - Transfered data similar to XML-RPC but in JSON format `{"users":[{"firstName":"David"}]` 35 | - gRPC-Protobuf 36 | - Identify `grpc` 37 | - Accept request header 38 | - request header 39 | - Access-control-expose-headers in the response header 40 | - gRPC messages are encoded using Protobuf, which is binary 41 | - Webhooks 42 | - Event-driven APIs that send information or perform a specific function in response to a trigger (e.g. time of the day, clicking a button, receiving a form submission) 43 | - Identify 44 | - Search for `webhooks` or `event subscriptions` on the documentation 45 | - Find a reference on how to register a callback URL 46 | - Is there a list of events types that can trigger a webhook? 47 | 48 | #### Documentation 49 | - 50 | - 51 | - 52 | - 53 | - 54 | - 55 | - 56 | - 57 | 58 | ### Check for documentation 59 | 60 | #### Automatic 61 | 62 | ##### Swagger 63 | - 64 | - `/openapi.json` 65 | 66 | ##### OData 67 | - `/$metadata` 68 | 69 | ##### WADL 70 | - `/application.wadl` 71 | - `/application.wadl?detail=true` 72 | - `/api/application.wadl` 73 | 74 | ##### WSDL 75 | - ?wsdl or ?singleWsdl 76 | - [wsdl-wizard](https://github.com/portswigger/wsdl-wizard) 77 | - [SoapUI](https://www.soapui.org/) 78 | - [Wsdler](https://github.com/NetSPI/Wsdler) 79 | - `/_vti_bin/lists.asmx?WSDL` 80 | 81 | ##### GraphQL 82 | - 83 | - 84 | 85 | #### Manual 86 | - site:target.tld intitle:api | developer 87 | 88 | ### Search for APIs 89 | 90 | #### Traffic Analysis 91 | - REST 92 | - [Burp CE](https://portswigger.net/burp/communitydownload) 93 | - [ZAP](https://www.zaproxy.org/) 94 | - [mitmproxy](https://mitmproxy.org/) 95 | - OData 96 | - [Burp CE](https://portswigger.net/burp/communitydownload) 97 | - [ZAP](https://www.zaproxy.org/) 98 | - [mitmproxy](https://mitmproxy.org/) 99 | - GraphQL 100 | - [Burp CE](https://portswigger.net/burp/communitydownload) 101 | - 
[ZAP](https://www.zaproxy.org/) 102 | - SOAP 103 | - [Burp CE](https://portswigger.net/burp/communitydownload) 104 | - XML-RPC 105 | - [Burp CE](https://portswigger.net/burp/communitydownload) 106 | - [mitmproxy](https://mitmproxy.org/) 107 | - JSON-RPC 108 | - [Burp CE](https://portswigger.net/burp/communitydownload) 109 | - [mitmproxy](https://mitmproxy.org/) 110 | - gRPC-Protobuf 111 | - [mitmproxy](https://mitmproxy.org/) 112 | - [Wireshark](https://www.wireshark.org/) 113 | - `echo HEX_STREAM | xxd -r -p | protoc --decode_raw` 114 | - [protoc](https://google.github.io/proto-lens/installing-protoc.html) 115 | - [Wireshark Protobuf Dissector](https://github.com/128technology/protobuf_dissector) 116 | - [gRPC UI](https://github.com/fullstorydev/grpcui) 117 | - [ZAP - gRPC Support](https://www.zaproxy.org/docs/desktop/addons/grpc-support/) 118 | 119 | #### Android apps 120 | - [apkleaks](https://github.com/dwisiswant0/apkleaks) 121 | - [APKEnum](https://github.com/shivsahni/APKEnum) 122 | - [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) 123 | 124 | #### Wayback Machine 125 | - 126 | - [waybackurls](https://github.com/tomnomnom/waybackurls) 127 | - [gau](https://github.com/lc/gau) 128 | - [waymore](https://github.com/xnl-h4ck3r/waymore) 129 | 130 | #### Path Manipulation 131 | - /api/v1/ 132 | - /api/v2/ 133 | - /api/v3/ 134 | - /api/ 135 | - /api/private 136 | - /api/partner 137 | - /api/test 138 | - api.target.com/v1 139 | - api.target.com/v2 140 | - api.target.com/v3 141 | 142 | #### Key/Token identification/Testing 143 | 144 | - [Api-Guesser](https://api-guesser.netlify.app/) 145 | - [Keyhacks](https://github.com/streaak/keyhacks) 146 | - [all-about-apikey](https://github.com/daffainfo/all-about-apikey) 147 | 148 | #### Dorks 149 | 150 | ##### Google 151 | - `site:target.tld inurl:api` 152 | - `intitle:"index of" "api.yaml" site:target.tld` 153 | - REST 154 | - `site:target.tld inurl:api | site:*/rest | site:*/v1 | site:*/v2 | site:*/v3` 155 
| - GraphQL 156 | - `site:target.tld inurl:graphql` 157 | - WADL 158 | - `inurl:/application.wadl` 159 | - `user filetype:wadl` 160 | - `ext:wadl` 161 | - WSDL 162 | - `user filetype:wsdl` 163 | - `ext:wsdl` 164 | - Odata 165 | - `inurl:/%24metadata` 166 | - Webhooks 167 | - `inurl:docs webhook` 168 | 169 | ##### Github 170 | - 171 | - WADL 172 | - 173 | - WSDL 174 | - 175 | 176 | #### Secrets 177 | - `intitle:"index of" intext:"apikey.txt" site:target.tld` 178 | - `allintext:"API_SECRET*" ext:env | ext:yml site:target.tld` 179 | - [truffleHog](https://github.com/dxa4481/truffleHog) 180 | - [shhgit](https://github.com/eth0izzle/shhgit) 181 | - [PostLeaks](https://github.com/cosad3s/postleaks?tab=readme-ov-file) 182 | - [Porch Pirate](https://github.com/MandConsultingGroup/porch-pirate) 183 | - [js-snitch](https://github.com/vavkamil/js-snitch) 184 | 185 | #### API Directories 186 | 187 | - [API list](https://apilist.fun/) 188 | - [API Harmony](https://apiharmony-open.mybluemix.net/public) 189 | - [ProgrammableWeb](https://www.programmableweb.com/) 190 | - [RapidAPI Hub](https://rapidapi.com/hub) 191 | - [APIs.io](http://apis.io/) 192 | - [SwaggerHub](https://app.swaggerhub.com/search) 193 | - [APIs.guru](https://apis.guru/) 194 | - [Postman Public API Network](https://www.postman.com/explore/apis) 195 | - [Any API](https://any-api.com/) 196 | - [SmartAPI Registry](https://smart-api.info/registry) 197 | - [API Stack](https://www.apistack.io/) 198 | - [Public APIs](https://public-apis.xyz/) 199 | 200 | ### Enumerate endpoints / methods 201 | 202 | #### Endpoints 203 | 204 | ##### GraphQL 205 | - 206 | 207 | ##### Swagger 208 | - 209 | 210 | ##### Other 211 | - 212 | - 213 | - 214 | 215 | ##### WADL 216 | - 217 | 218 | #### Tools 219 | 220 | ##### ffuf 221 | - `ffuf -w wordlists/WORDLIST -u https://TARGET.TLD/FUZZ` 222 | - 223 | 224 | ##### Amass 225 | - `amass enum -active -d TARGET.TLD -config /root/amass/config.ini` 226 | - 227 | 228 | ##### nuclei 229 | - `nuclei 
-target TARGET.TLD -t exposures/apis/` 230 | - 231 | 232 | ##### Jaeles 233 | - `jaeles scan -s /jaeles-signatures/sensitive/swagger-ui-probing.yaml -u TARGET.TLD` 234 | - 235 | 236 | ##### Arjun 237 | - `arjun -u https://api.TARGET.TLD/endpoint` 238 | - 239 | 240 | ##### ParamSpider 241 | - `python3 paramspider.py --domain TARGET.TLD` 242 | - 243 | 244 | ##### param-miner 245 | - 246 | 247 | ##### TnT-Fuzzer 248 | - `tntfuzzer --url https://TARGET.TLD/v2/swagger.json --iterations 100 --log_all` 249 | - 250 | 251 | ##### Kiterunner 252 | - `kr scan TARGET.TLD -w routes.kite -A=apiroutes-210228:20000 -x 10 --ignore-length=34` 253 | - 254 | 255 | ##### graphw00f 256 | - `python3 main.py -f -d -t http://localhost:5000` 257 | - 258 | 259 | ##### clairvoyance 260 | - `python3 -m clairvoyance -vv -o schema.json -w wordlist.txt https://api-example/graphql` 261 | - 262 | 263 | ##### json2paths 264 | - `j2p -p http://example.com/+burp.xml` 265 | - 266 | 267 | ##### feroxbuster 268 | - 269 | 270 | ##### wfuzz 271 | - `wfuzz -z file,/usr/share/wordlists/api_list.txt https://targetname.com/FUZZ` 272 | - 273 | 274 | ##### ReconAIzer 275 | - 276 | 277 | ##### JS Miner 278 | - [Detecting API endpoints and source code with JS Miner](https://danaepp.com/detecting-api-endpoints-and-source-code-with-js-miner) 279 | - 280 | 281 | ##### GoBuster 282 | - `gobuster vhost -k --append-domain -u TARGET.TLD -w wordlist.txt` 283 | - 284 | 285 | ##### katana 286 | - `cat subdomains_list.httpx | katana -mdc 'contains(endpoint, "api")' -o katana_api_output` 287 | - 288 | 289 | ##### Sasori 290 | - `sasori start -c config.json -o sasori_output.txt` 291 | - 292 | 293 | ### Supported Content Types 294 | 295 | - Play with request URL 296 | - Requested resource extension e.g. replacing `.json` by `.xml` 297 | - Query string e.g. replacing `?json` by `?xml` or `?format=json` by `?format=xml` 298 | - Play with `` request header and payload 299 | - Without ``, submit either `json`, `xml`, ... 
300 | - Changing `Content-Type` and payload accordingly 301 | 302 | ### Data visualization 303 | - [JSON Crack](https://jsoncrack.com/editor) 304 | 305 | ## Testing 306 | 307 | ### Broken Object Level Authorization 308 | 309 | #### Endpoint receives an ID? 310 | 311 | ##### Understand the pattern 312 | - Sequential 313 | - Encoded 314 | - UUID (aka GUID) 315 | - Composite IDs 316 | - Hashed 317 | - Randomly Generated Strings 318 | - Temporal 319 | 320 | ##### Tamper 321 | 322 | ###### Change 323 | - Next/Previous value 324 | - Compute/Predict (e.g. UUIDv1) 325 | - Data Type 326 | - Is it a number? Change it to a string 327 | - Is it a string? Change it to a number 328 | - Method 329 | - GET to POST 330 | - GET to PUT 331 | - GET to PATCH 332 | - Base64 encoded? 333 | - Decoded it, modify it, encode it again 334 | 335 | ###### Duplicate 336 | - ?id=1&id=2 337 | 338 | ###### Add as an array 339 | - ?id[]=1&id[]=2 340 | 341 | ###### Wildcard 342 | - GET /users/id -> GET /users/* 343 | 344 | ###### Cross-deployments IDs 345 | - Identify other deployments (hosts) of your target API 346 | - Enumerate resources IDs (often non- numerical/sequential ones) 347 | - Test those IDs on your target API host 348 | 349 | #### Check the response 350 | 351 | #### Tools 352 | - REST APIs 353 | - [Astra](https://github.com/flipkart-incubator/Astra) 354 | - [apidor](https://github.com/bncrypted/apidor) 355 | - [AuthMatrix](https://github.com/SecurityInnovation/AuthMatrix) 356 | - [Autorize](https://github.com/PortSwigger/autorize) 357 | - [Auth Analyzer](https://github.com/portswigger/auth-analyzer) 358 | - [Susanoo](https://github.com/ant4g0nist/Susanoo) 359 | - [OFFAT](https://github.com/OWASP/OFFAT/) 360 | - [sj](https://github.com/BishopFox/sj) 361 | - GraphQL 362 | - [InQL](https://github.com/doyensec/inql) 363 | - [graphql-path-enum](https://gitlab.com/dee-see/graphql-path-enum) 364 | - [AutoGraphQL](https://graphql-dashboard.herokuapp.com/) 365 | - gRPC-protobuf 366 | - 
[ProtoFuzz](https://github.com/trailofbits/protofuzz) 366 | - UUIDs 367 | - [guid_reaper.py](https://gist.github.com/DanaEpp/8c6803e542f094da5c4079622f9b4d18) ([read more](https://danaepp.com/attacking-predictable-guids-when-hacking-apis)) 368 | 369 | ### Broken Authentication 370 | 371 | #### Test 372 | 373 | ##### URL sensitive data 374 | - Passwords 375 | - Tokens 376 | 377 | ##### Brute force attacks 378 | - Login 379 | - Forgot Password 380 | - Forgot Username 381 | 382 | ##### Authenticity of tokens 383 | 384 | ##### Password 385 | 386 | ###### Strength 387 | - Changing Password 388 | - Registration 389 | 390 | ###### Type 391 | - Plain text 392 | - Weak encryption (passwords should be hashed with a slow KDF, not encrypted) 393 | - Weak hash algorithm 394 | 395 | ###### API Keys 396 | - Predictable 397 | - Weak hash algorithm 398 | 399 | #### Types of Authentication 400 | 401 | ##### JWT 402 | 403 | ###### Multiple JWT test cases 404 | 405 | - jwt_tool 406 | - `python3 jwt_tool.py -t https://api.example.com/api/working_endpoint -rh "Content-Type: application/json" -rh "Authorization: Bearer [JWT]" -M at` 407 | - 408 | 409 | ###### Test JWT secret brute-forcing 410 | - jwt_tool 411 | - `python3 jwt_tool.py -C -d ` 412 | - 413 | - jwt_cracker 414 | - `jwt-cracker ` 415 | - 416 | - jwtcat 417 | - `python jwcat.py brute-force ` 418 | - `python jwcat.py wordlist -w ` 419 | - 420 | - [JWT Heartbreaker](https://github.com/wallarm/jwt-heartbreaker) 421 | - gojwtcrack 422 | - `cat rockyou.txt | ./gojwtcrack -t mytoken.txt` 423 | - 424 | 425 | ###### Abusing JWT Public Keys Without knowing the Public Key 426 | - [rsa_sig2n](https://github.com/silentsignal/rsa_sign2n) 427 | 428 | ###### Test if the algorithm can be changed 429 | - Change algorithm to None (also try case variants such as `none`, `None`, `NONE`) 430 | - jwt_tool 431 | - `python3 jwt_tool.py -X a` 432 | - 433 | - jwtcat 434 | - `python jwcat.py vulnerable ` 435 | - 436 | - Change algorithm from RS256 to HS256 (algorithm confusion: the server's RSA public key is used as the HMAC secret) 437 | - jwt_tool 438 | - `python3 jwt_tool.py -S hs256 -k public.pem` 439 | - 440 | - jwtcat 441 | - `python 
jwcat.py vulnerable ` 442 | - 443 | - [jwt.io](https://jwt.io/#debugger-io) 444 | - [JSON Web Token Attacker](https://portswigger.net/bappstore/82d6c60490b540369d6d5d01822bdf61) 445 | 446 | ###### Test if signature is being validated 447 | - jwt_tool 448 | - `python3 jwt_tool.py -I -pc -pv ` 449 | - 450 | - jwtXploiter 451 | - `jwtxpl -a hs256 -p : --unverified` 452 | - 453 | 454 | ###### Test token expiration time (TTL, RTTL) 455 | 456 | ###### Test if sensitive data is in the JWT 457 | - [jwt.io](https://jwt.io/#debugger-io) 458 | 459 | ###### Check for Injection in "kid" element (if the server loads the key from the path in `kid`, pointing it at a predictable file such as `/dev/null` makes it verify with an empty/known key, which is why the forged token is signed with an empty secret) 460 | - jwt_tool 461 | - `python3 jwt_tool.py -I -hc kid -hv "../../dev/null" -S hs256 -p ""` 462 | - 463 | - jwtXploiter 464 | - `jwtxpl -a hs256 -p : --inject-kid "../../dev/null"` 465 | - 466 | 467 | ###### Check for constant-time verification of HMAC signatures (a byte-by-byte early-exit compare leaks timing that can help an attacker forge a valid signature) 468 | 469 | ###### Check that signing keys and secrets differ between environments (a token minted with a dev/staging key must not verify in production) 470 | 471 | ##### OAuth 472 | - Test redirect_uri 473 | - Open redirects 474 | - Common issues 475 | - `?redirect_uri=https://attacker.com` 476 | - `?redirect_uri=https://ATTACKER.TARGET.TLD` 477 | - `?redirect_uri=https://ALLOWED_HOST.com/callback?redirectUrl=https://attacker.com` 478 | - `?redirect_uri=https://TARGET.TLD.attacker.com` 479 | - `?redirect_uri=https://TARGET.TLD%252eattacker.com` 480 | - `?redirect_uri=https://TARGET.TLD//attacker.com/` 481 | - Fuzz 482 | - `?redirect_uri=https://TARGET.TLD§FUZZ§` 483 | - `?redirect_uri=https://§FUZZ§TARGET.TLD` 484 | - [URL validation bypass cheat sheet](https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet) 485 | - XSS 486 | - Test the existence of response_type=token (implicit flow: the access token is returned in the URL fragment, so an XSS or open redirect on the redirect_uri host leaks it) 487 | - Testing state 488 | - Missing state parameter? 489 | - CSRF 490 | - Generate a valid `authorization_code` and don't use it 491 | - Send the crafted CSRF page to TARGET 492 | - Predictable state parameter? 493 | - Is state parameter being verified? 494 | - If you revoke access, is the authorization code also revoked? 
496 | - Credential leakage 497 | - Check the Referer header 498 | - Check the browser history 499 | 500 | ##### Basic Auth 501 | 502 | ### Excessive Data Exposure 503 | 504 | #### Check if the API returns full data objects from database with sensitive data 505 | - [apicheck](https://github.com/BBVA/apicheck) 506 | - [OFFAT](https://github.com/OWASP/OFFAT/) 507 | 508 | #### Compare client data with the API response to check if the filtering is done by client side 509 | 510 | #### Sniff the traffic to check for sensitive data returned by the API 511 | - [Burp CE](https://portswigger.net/burp/communitydownload) 512 | - [ZAP](https://www.zaproxy.org/) 513 | - [mitmproxy](https://mitmproxy.org/) 514 | - [Wireshark](https://www.wireshark.org/) 515 | 516 | ### Lack of Resources & Rate Limiting 517 | 518 | #### Execution timeouts 519 | - [Regexploit](https://github.com/doyensec/regexploit) 520 | 521 | #### Test brute-force attacks 522 | 523 | #### Max allocable memory 524 | 525 | #### Number of file descriptors 526 | 527 | #### Number of processes 528 | - [racepwn](https://github.com/racepwn/racepwn) 529 | - [Race The Web](https://github.com/TheHackerDev/race-the-web) 530 | 531 | #### Request payload size (e.g. uploads) 532 | 533 | #### Number of requests per client/resource 534 | - [Astra](https://github.com/flipkart-incubator/Astra) 535 | - [API Fuzzer](https://github.com/Fuzzapi/API-fuzzer) 536 | 537 | #### Number of records per page to return in a single request response 538 | - [API Fuzzer](https://github.com/Fuzzapi/API-fuzzer) 539 | 540 | ### Broken Function Level Authorization 541 | - Can a regular user access administrative endpoints? (MindAPI recon can help you here) 542 | - Testing different HTTP methods (GET, POST, PUT, DELETE, PATCH) will allow level escalation? 
543 | - [OFFAT](https://github.com/OWASP/OFFAT/) 544 | - Enumerate/Bruteforce endpoints for getting unauthorized requests (MindAPI recon can help you here) 545 | 546 | ### Mass Assignment 547 | 548 | #### Enumerate object properties 549 | 550 | - API documentation (Reconnaissance) 551 | - Inspect available API clients' network traffic 552 | - Desktop 553 | - Mobile 554 | - Web 555 | - Exercise data retrieval endpoints 556 | - watch-out for `?include=user.addresses,user.cards`-like parameters 557 | - Uncover hidden properties 558 | - Guessing, based on API context 559 | - Reverse engineering available API clients 560 | - Fuzzing 561 | - GraphQL 562 | - [ShapeShifter](https://github.com/szski/shapeshifter) ([demo](https://www.youtube.com/watch?v=NPDp7GHmMa0&t=2580)) 563 | 564 | #### Craft request payloads 565 | 566 | - Include augmented objects 567 | - One additional property at a time 568 | - Possible combinations of properties 569 | - All enumerated properties at once 570 | - Vary properties data types/values 571 | - Number, String, Array, Object 572 | - State values: `to-do` -> `in-progress` -> `done` (keep in mind possible state transitions) 573 | - Test different operation types 574 | - Create 575 | - Update 576 | 577 | ### Security Misconfiguration 578 | 579 | #### The latest security patches are missing, or the systems are out of date. 580 | 581 | #### Can you use other HTTP verbs? 582 | 583 | #### Test if Transport Layer Security (TLS) is missing 584 | - [testssl](https://testssl.sh/) 585 | 586 | #### Test for security headers 587 | - [API Fuzzer](https://github.com/Fuzzapi/API-fuzzer) 588 | - [OWASP ZAP](https://www.zaproxy.org/) 589 | 590 | #### CORS is well configured? 
591 | - [Astra](https://github.com/flipkart-incubator/Astra) 592 | - [API Fuzzer](https://github.com/Fuzzapi/API-fuzzer) 593 | - Test Same Origin Policy (SOP): modify the value of the `Origin` request header to an arbitrary or seemingly untrusted origin (also try `null` and a subdomain of the target) and check whether the response reflects it in `Access-Control-Allow-Origin`, especially together with `Access-Control-Allow-Credentials: true` 594 | 595 | #### Force an error to see if any sensitive information is exposed 596 | 597 | #### GraphQL 598 | 599 | - [Introspection Query and/or GraphiQL is enabled](https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html#introspection-graphiql) 600 | - [BatchQL](https://github.com/assetnote/batchql) 601 | - [graphql-cop](https://github.com/dolevf/graphql-cop) 602 | - GraphQL server provides field name hints (suggestions in error messages such as `Did you mean ...?` leak the schema even when introspection is disabled) 603 | - [graphql-cop](https://github.com/dolevf/graphql-cop) 604 | - [Query batching is enabled without limit](https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html#batching-attacks) 605 | - [BatchQL](https://github.com/assetnote/batchql) 606 | - [graphql-cop](https://github.com/dolevf/graphql-cop) 607 | - [Unlimited Depth and/or Amount](https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html#query-limiting-depth-amount) 608 | 609 | ### Injection 610 | 611 | #### Test if user input is validated, filtered, or sanitized by the API 612 | - REST APIs 613 | - [Astra](https://github.com/flipkart-incubator/Astra) 614 | - [API Fuzzer](https://github.com/Fuzzapi/API-fuzzer) 615 | - [TnT-Fuzzer](https://github.com/Teebytes/TnT-Fuzzer) 616 | - [APIFuzzer](https://github.com/KissPeter/APIFuzzer) 617 | - [Susanoo](https://github.com/ant4g0nist/Susanoo) 618 | - [REcollapse](https://github.com/0xacb/recollapse) 619 | - [OFFAT](https://github.com/OWASP/OFFAT/) 620 | - GraphQL 621 | - [GraphQLmap](https://github.com/swisskyrepo/GraphQLmap) 622 | - [graphql-cop](https://github.com/dolevf/graphql-cop) 623 | - [REcollapse](https://github.com/0xacb/recollapse) 624 | - [CrackQL](https://github.com/nicholasaleks/CrackQL) 625 
| - gRPC-protobuf 626 | - [ProtoFuzz](https://github.com/trailofbits/protofuzz) 627 | 628 | #### Test if client data is used or concat into DB queries, OS commands, etc 629 | - REST APIs 630 | - [Astra](https://github.com/flipkart-incubator/Astra) 631 | - [API Fuzzer](https://github.com/Fuzzapi/API-fuzzer) 632 | - [TnT-Fuzzer](https://github.com/Teebytes/TnT-Fuzzer) 633 | - [APIFuzzer](https://github.com/KissPeter/APIFuzzer) 634 | - [Susanoo](https://github.com/ant4g0nist/Susanoo) 635 | - [OFFAT](https://github.com/OWASP/OFFAT/) 636 | - GraphQL 637 | - [GraphQLmap](https://github.com/swisskyrepo/GraphQLmap) 638 | - gRPC-protobuf 639 | - [ProtoFuzz](https://github.com/trailofbits/protofuzz) 640 | 641 | #### Check if incoming data from external systems is validated, filtered, or sanitized by the API 642 | 643 | ### Improper Assets Management 644 | - Check for the API documentation (MindAPI recon can help you here) 645 | - REST APIs 646 | - `oasdiff diff openapi-test1.yaml openapi-test5.yaml -f text` 647 | - 648 | - 649 | - [Detecting new API endpoints with oasdiff](https://danaepp.com/detecting-new-api-endpoints-with-oasdiff) 650 | - Hosts inventory is missing or outdated. 651 | - Integrated services inventory, either first- or third-party, is missing or outdated. 652 | - Old or previous API versions are running unpatched. 653 | - The aspects of the API (e.g. name, purpose, owner, description, authentication, endpoints, versioning, redirects, errors, parameters, rate-limiting, request and response formats, etc) are missing or outdated. 654 | - If the API documentation is exposed to the internet, implement an access control mechanism (e.g. login portal) to ensure that only authorized users access the OpenAPI specification or even to the documentation as a whole. 655 | - If your API shares data with a third-party or you are consuming a third-party API, make sure to include it in the inventory. 
656 | 657 | ### API Testing tools 658 | - [Postman](https://www.postman.com/downloads/) 659 | - [Bruno](https://www.usebruno.com/downloads) 660 | - [Insomnia](https://insomnia.rest/products/insomnia) 661 | - [HTTPie](https://httpie.io) 662 | - [Hoppscotch](https://hoppscotch.io/) 663 | - [BurpSuite](https://portswigger.net/burp/communitydownload) 664 | - [API Tester](https://apitester.org/) 665 | - [Scalar](https://scalar.com/) 666 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | [![Forks][forks-shield]][forks-url] 2 | [![Stargazers][stars-shield]][stars-url] 3 | [![Issues][issues-shield]][issues-url] 4 | 5 | 6 |
7 |

8 | 9 | Logo 10 | 11 |
12 | 13 |
14 |

15 | Bringing order to API hacking chaos! 16 |
17 | View Online 18 | · 19 | Report Bug 20 | · 21 | Request Feature 22 | · 23 | Sponsorship 24 |

25 |

26 | 27 |
28 | Table of Contents 29 |
    30 |
  1. 31 | About The Project 32 | 35 |
  2. 36 |
  3. Roadmap
  4. 37 |
  5. Contributing
  6. 38 |
  7. Sponsorship
  8. 39 |
  9. License
  10. 40 |
  11. Contact
  12. 41 |
  13. Acknowledgements
  14. 42 |
43 |
44 | 45 | ## About The Project 46 | 47 | [![Product Name Screen Shot][product-screenshot]](https://dsopas.github.io/MindAPI/) 48 | 49 | I'm a huge fan of mindmaps! 🌟 They're my go-to for keeping my thoughts organized whether I'm deep in security research or bouncing ideas around with my colleagues. Inspired by this, I wanted to share the love with the community, so I created MindAPI. 50 | 51 | In today's world, APIs are the backbone of pretty much every modern app out there. So, I thought, why not make something that not only aids the security community in assessing APIs but also keeps my own work neat and tidy? It's the best of both worlds! 52 | 53 | MindAPI is divided into two sections: 54 | 55 | - Reconnaissance 56 | - Testing (Covers most of [OWASP API Security Top 10](https://owasp.org/www-project-api-security/) and other security resources) 57 | 58 | On both of them you have guidelines, links to open-source tools and documentation that help you on the way. 59 | 60 | ### Built With 61 | 62 | The project was built with the help of: 63 | * [Hugo](https://gohugo.io/) 64 | * [Markmap](https://markmap.js.org/) 65 | 66 | ## Roadmap 67 | 68 | See the [open issues](https://github.com/dsopas/MindAPI/issues) for a list of proposed features (and known issues). 69 | 70 | ## Contributing 71 | 72 | Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are **greatly appreciated**. 73 | 74 | 1. Fork the Project 75 | 2. Commit your Changes (File: **MindAPI.md**) 76 | 3. Push to the Branch 77 | 4. Open a Pull Request 78 | 79 | BUT you can also update the [References](https://dsopas.github.io/MindAPI/references/) page on the site project. 80 | 81 | 1. Fork the Project 82 | 2. Commit your Changes (File: **/docs/content/references.md**) 83 | 3. Push to the Branch 84 | 4. Open a Pull Request 85 | 86 | ## Sponsorship 87 | 88 | 🚀 Join the MindAPI Revolution! 
🚀 Dreaming of a world where technology and education collide in the most spectacular way? So are we! 🌈 We’re on a quest to make API security accessible to all, and you can play a pivotal role. Support the MindAPI Scholarship and let’s empower the next generation of tech pioneers together! 💡🎓 [Become a Sponsor](Sponsorship.md) and be a beacon of innovation and education. Let’s create something amazing! 89 | 90 | ## License 91 | 92 | Distributed under the CC0-1.0 License. See `LICENSE` for more information. 93 | 94 | ## Contact 95 | 96 | David Sopas - [@dsopas](https://twitter.com/dsopas) - [DavidSopas.com/Contact](https://www.davidsopas.com/contacts/) 97 | 98 | Project Link: [https://dsopas.github.io/MindAPI/](https://dsopas.github.io/MindAPI/) 99 | 100 | ## Acknowledgements 101 | * Paulo Silva [@pauloasilva_com](https://twitter.com/pauloasilva_com) 102 | 103 | [forks-shield]: https://img.shields.io/github/forks/dsopas/MindAPI?style=for-the-badge 104 | [forks-url]: https://github.com/dsopas/MindAPI/network/members 105 | [stars-shield]: https://img.shields.io/github/stars/dsopas/MindAPI?style=for-the-badge 106 | [stars-url]: https://github.com/dsopas/MindAPI/stargazers 107 | [issues-shield]: https://img.shields.io/github/issues/dsopas/MindAPI?style=for-the-badge 108 | [issues-url]: https://github.com/dsopas/MindAPI/issues 109 | [product-screenshot]: mindapi_play.gif 110 | -------------------------------------------------------------------------------- /Resized_Company_Logo_Here_115x115.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dsopas/MindAPI/90338c3e4f00e76917763bb5fe07a8fd7c276c2d/Resized_Company_Logo_Here_115x115.png -------------------------------------------------------------------------------- /Sponsorship.md: -------------------------------------------------------------------------------- 1 | 🌟 **Become a Sponsor for MindAPI!** 🌟 2 | 3 | Hey there, amazing community! 
4 | 5 | We're on a mission to make the world of API security more accessible, educational, and fun with our open-source project, **MindAPI**. But we've got an even bigger dream: We want to empower aspiring tech wizards by launching the **MindAPI Scholarship**. 🎓 6 | 7 | Here's where the magic happens, and **you** can be a part of it: 8 | 9 | ### **Sponsorship Opportunities** 10 | We're inviting kind-hearted organizations to support our mission by becoming a sponsor. Not only will your contribution fuel the innovative minds of tomorrow, but it'll also give your brand some love on our platform. Here's what you get: 11 | 12 | - **Your Logo on MindAPI**: Shine on our repo's main page for a whole trimester. 13 | - **Shoutouts Galore**: We'll tip our hats to you in every tweet and LinkedIn post during the sponsorship period. 14 | - **Exclusive Club**: We're keeping it cozy and exclusive with a maximum of 3 sponsors per trimester. 15 | 16 | ### **The Nitty-Gritty** 17 | - **Target Sponsorship**: $1000 18 | - **Duration**: Your logo and mentions for 3 sweet months. 19 | 20 | ### **Where Your Generosity Goes** 21 | Every penny of your sponsorship will go directly into the **MindAPI Scholarship Fund**, which supports budding tech enthusiasts to attend cutting-edge events and enroll in top-notch API security workshops/courses. 22 | 23 | ### **Why Sponsor?** 24 | Apart from the warm fuzzies of supporting education and innovation, you'll be directly contributing to the growth and diversity of the API security field. Plus, your brand gets to be front and center in a community dedicated to tech excellence. 25 | 26 | ### **Ready to Make a Difference?** 27 | If you're as excited as we are about fostering the next generation of tech talent, let's chat! Reach out to us at [email](mailto:david@noti.bet) to start the conversation. 28 | 29 | Thank you for considering support for MindAPI and the bright futures of tomorrow's tech leaders. Together, we can make a world of difference! 
💫 30 | -------------------------------------------------------------------------------- /docs/.nojekyll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dsopas/MindAPI/90338c3e4f00e76917763bb5fe07a8fd7c276c2d/docs/.nojekyll -------------------------------------------------------------------------------- /docs/config.toml: -------------------------------------------------------------------------------- 1 | baseURL = "https://dsopas.github.io/MindAPI/" 2 | languageCode = "en-us" 3 | title = "MindAPI" 4 | theme = "minimal" 5 | googleAnalytics = "" 6 | 7 | [params] 8 | author = "David Sopas" 9 | description = "Bringing order to API hacking chaos" 10 | githubUsername = "dsopas" 11 | accent = "red" 12 | showBorder = true 13 | backgroundColor = "white" 14 | font = "Blinker" # should match the name on Google Fonts! 15 | highlight = true 16 | highlightStyle = "default" 17 | highlightLanguages = ["go", "haskell", "kotlin", "scala", "swift"] 18 | css = [ "css/custom.css" ] 19 | js = [ 20 | "https://cdn.jsdelivr.net/npm/d3@6", 21 | "https://cdn.jsdelivr.net/npm/markmap-lib@0.11.6", 22 | "https://cdn.jsdelivr.net/npm/markmap-view@0.2.6", 23 | "js/mindmap.js" 24 | ] 25 | 26 | [[menu.main]] 27 | url = "/" 28 | name = "Home" 29 | weight = 1 30 | 31 | [[menu.main]] 32 | url = "/about/" 33 | name = "About" 34 | weight = 2 35 | 36 | [[menu.main]] 37 | url = "/references/" 38 | name = "References" 39 | weight = 3 40 | 41 | [[menu.main]] 42 | url = "/play/" 43 | name = "Play" 44 | weight = 4 45 | 46 | [[menu.main]] 47 | url = "#download" 48 | identifier = "download" 49 | name = "Download" 50 | weight = 5 51 | 52 | [[menu.main]] 53 | parent = "download" 54 | identifier = "interactive" 55 | url = "#download-interactive" 56 | name = "Interactive HTML" 57 | 58 | # Social icons to be shown on the right-hand side of the navigation bar. 59 | # The "name" field should match the name of the icon in Font Awesome. 
60 | # The list of available icons can be found at http://fontawesome.io/icons. 61 | 62 | [[menu.icon]] 63 | url = "mailto:davidsopas@gmail.com" 64 | name = "fas fa-envelope" 65 | weight = 1 66 | 67 | [[menu.icon]] 68 | url = "https://github.com/dsopas/MindAPI" 69 | name = "fab fa-github" 70 | weight = 2 71 | 72 | [[menu.icon]] 73 | url = "https://twitter.com/dsopas/" 74 | name = "fab fa-twitter" 75 | weight = 3 76 | -------------------------------------------------------------------------------- /docs/content/_index.md: -------------------------------------------------------------------------------- 1 | ![MindAPI mindmap](https://raw.githubusercontent.com/dsopas/MindAPI/main/logo%20MindAPI_git.jpg) 2 | -------------------------------------------------------------------------------- /docs/content/about.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "About MindAPI Project" 3 | description: "" 4 | draft: false 5 | --- 6 | 7 | I love mindmaps. They help keep my methodology when doing security research or 8 | brainstorming with my colleagues. With that in mind I decided to spread some love 9 | in the community by creating **MindAPI**. 10 | 11 | Nowadays APIs are part of all modern applications. Creating something that could 12 | help the security community to assess an API and at the same time help me by 13 | keeping my work organized is a win-win. 14 | 15 | MindAPI is a mindmap which combines years of experience in testing API security. 16 | It's divided into two sections: 17 | 18 | - Reconnaissance 19 | - Testing (Follows OWASP API Security Top 10 guidelines and other security 20 | guides) 21 | 22 | On both of them you have guidelines, links to open-source tools and 23 | documentation that help you on the way. 24 | 25 | It's **free**, **open-source** and 26 | [open to contributions](https://github.com/dsopas/MindAPI/pulls) from the 27 | infosec community. 
28 | 29 | Hit [Play](https://dsopas.github.io/MindAPI/play/) and Enjoy! 30 | 31 | *David Sopas* - [@dsopas](https://twitter.com/dsopas) 32 | -------------------------------------------------------------------------------- /docs/content/play/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Play with it live 3 | --- -------------------------------------------------------------------------------- /docs/content/references.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: "References" 3 | description: "" 4 | draft: false 5 | --- 6 | Here you can find a variety of resources to help you out on the API security path. 7 | 8 | ## Talks / Educational Videos / Recorded Webinars 9 | - [OWASP API Security Top 10 by Erez Yalon & Inon Shkedy](https://www.youtube.com/watch?v=Jmyl6GoTaao) 10 | - [Meetups at Checkmarx: An Introduction to API Security](https://www.youtube.com/watch?v=0ei3CdD7Ebk) 11 | - [Meetups at Checkmarx: API Security Concerns (Part II)](https://www.youtube.com/watch?v=wY6q583JWLc) 12 | - [Don’t Worry, Be API: Addressing AppSec’s Newest Challenge](https://www.youtube.com/watch?v=NStTnATSysY) 13 | - [Common API security pitfalls by Philippe De Ryck](https://www.youtube.com/watch?v=YQzU8xEBiPg) 14 | - [API (in)Security TOP 10: Guided tour](https://www.youtube.com/watch?v=_WdDq9miqyo) 15 | - [Top 10 API Bugs (and Where to Find Them)](https://www.youtube.com/watch?v=aQGbYfalRTA) 16 | - [How To Do Recon: API Enumeration](https://www.youtube.com/watch?v=fvcKwUS4PTE) 17 | - [Hunting for bugs in GraphQL APIs (Demo)](https://www.youtube.com/watch?v=viWzbPuGqpo) 18 | - [Finding Your Next Bug: GraphQL](https://www.youtube.com/watch?v=jyjGneKJynk) 19 | - [REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure](https://www.youtube.com/watch?v=NPDp7GHmMa0) 20 | - [Hidden in Plain Site: Disclosing Information via Your 
APIs](https://www.youtube.com/watch?v=jBi3a-dXsM8) 21 | - [Bad API, hAPI Hackers!](https://www.youtube.com/watch?v=UT7-ZVawdzA) 22 | - [API Security 101](https://www.youtube.com/watch?v=ijalD2NkRFg) 23 | - [JWT Parkour](https://www.youtube.com/watch?v=zWVRHK3ykfo) 24 | - [Finding Your First Bug: Finding Bugs Using APIs](https://www.youtube.com/watch?v=yCUQBc2rY9Y) 25 | - [Live API Hacking Demo](https://www.youtube.com/watch?v=cWSu2Ja65Z4) 26 | - [OAuth, JWT, HMAC, oh my! API security for your enterprise](https://www.youtube.com/watch?v=NtAnyDJhkkg) 27 | - [API Recon with Kiterunner](https://www.youtube.com/watch?v=hNs8fpWfcyU) 28 | - [Offensive GraphQL API Exploitation](https://www.youtube.com/watch?v=eKj8F9bOOvk) 29 | - [Traversing My Way in the Internal Network](https://www.youtube.com/watch?v=f5IEe5r9to8) 30 | - [API Hacking With ChatGPT!](https://www.youtube.com/watch?v=BTlUEWHRldk) 31 | - [Web Apps: APIs’ Nightmare](https://www.youtube.com/watch?v=1PjKr4ZZ6Ww) 32 | - [The Secret Life of APIs: Latest Attack Data Shows What Your APIs Are Doing](https://www.youtube.com/watch?v=ccmQXJcc1co) 33 | - [I’m an API Hacker and Here’s How I Hack Everything from the Military to AI](https://www.youtube.com/watch?v=9kSBsyLqFgY) 34 | - [The Arazzo Specification: A Tapestry for API Workflows.](https://www.youtube.com/watch?v=EQaGHjMIcD8) 35 | - [OWASP API Security Project - Paulo Silva & Erez Yalon](https://www.youtube.com/watch?v=hn4mgTu5izg) 36 | - [2024 Guide: Hacking APIs](https://www.youtube.com/watch?v=k5HZI6CfHw4) 37 | 38 | ## Must read 39 | - [OWASP API Security Project](https://owasp.org/www-project-api-security/) 40 | - [GraphQL Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html) 41 | - [API Security Checklist](https://github.com/shieldfy/API-Security-Checklist) 42 | - [API Security Encyclopedia](https://apisecurity.io/encyclopedia/content/api-security-encyclopedia.htm) 43 | - [31 days of API Security 
Tips](https://github.com/inonshk/31-days-of-API-Security-Tips) 44 | - [REST-ler: Automatic Intelligent REST API Fuzzing](https://www.microsoft.com/en-us/research/uploads/prod/2018/04/restler.pdf) 45 | - [How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards](https://www.bugcrowd.com/blog/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/) 46 | - [Hacking JSON Web Tokens (JWTs)](https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a) 47 | - [Methods to Bypass Rate Limit](https://huzaifa-tahir.medium.com/methods-to-bypass-rate-limit-5185e6c67ecd) 48 | - [Regex For Finding Popular Keys](https://github.com/odomojuli/RegExAPI) 49 | - [Leveraging Exposed WADL XML in Burp Suite](https://www.nopsec.com/leveraging-exposed-wadl-xml-in-burp-suite/) 50 | - [How Unsecure gRPC Implementations Can Compromise APIs](https://www.trendmicro.com/en_us/research/20/h/how-unsecure-grpc-implementations-can-compromise-apis.html) 51 | - [Pentesting gRPC / Protobuf : Decoding First steps](https://blog.davidvassallo.me/2018/10/17/pentesting-grpc-protobuf-decoding-first-steps/) 52 | - [OAuth 2.0 authentication vulnerabilities](https://portswigger.net/web-security/oauth) 53 | - [Finding Broken Access Controls](https://threat.tevora.com/finding-broken-access-controls/) 54 | - [Contextual Content Discovery: You've forgotten about the API endpoints](https://blog.assetnote.io/2021/04/05/contextual-content-discovery/) 55 | - [JWT Security Cheatsheet](https://assets.pentesterlab.com/jwt_security_cheatsheet/jwt_security_cheatsheet.pdf) 56 | - [How to exploit GraphQL endpoint: introspection, query, mutations & tools](https://blog.yeswehack.com/yeswerhackers/how-exploit-graphql-endpoint-bug-bounty/) 57 | - [OAuth 2.0 Threat Model Pentesting Checklist](https://www.binarybrotherhood.io/oauth2_threat_model.html) 58 | - [API Security 101: Broken User 
Authentication](https://blog.shiftleft.io/api-security-101-broken-user-authentication-1df2ef3420d8) 59 | - [IDOR Techniques Mindmap](https://www.xmind.net/m/CSKSWZ/) 60 | - [Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion](https://www.tenchisecurity.com/blog/thefaultinourstars) 61 | - [SAML is insecure by design](https://joonas.fi/2021/08/saml-is-insecure-by-design/) 62 | - [How to Hack APIs in 2021](https://labs.detectify.com/2021/08/10/how-to-hack-apis-in-2021/) 63 | - [Exploiting GraphQL](https://blog.assetnote.io/2021/08/29/exploiting-graphql/) 64 | - [The complete GraphQL Security Guide: Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready](https://wundergraph.com/blog/the_complete_graphql_security_guide_fixing_the_13_most_common_graphql_vulnerabilities_to_make_your_api_production_ready) 65 | - [Exposed Payment Integration API Keys Imperil Millions of Users’ Transaction Details and PII](https://bevigil.com/blog/exposed-payment-integration-api-keys-imperil-millions-of-users-transaction-details-and-pii/) 66 | - [Move Over Verbose Error Messages, GraphQL APIs are Here ](https://checkmarx.com/blog/move-over-verbose-error-messages-graphql-apis-are-here/) 67 | - [What’s Old Becomes New Again: CSRF Attacks on GraphQL APIs](https://checkmarx.com/blog/whats-old-becomes-new-again-csrf-attacks-on-graphql-apis/) 68 | - [Exploiting GraphQL Query Depth](https://checkmarx.com/blog/exploiting-graphql-query-depth/) 69 | - [Alias and Directive Overloading in GraphQL](https://checkmarx.com/blog/alias-and-directive-overloading-in-graphql/) 70 | - [Didn’t Notice Your Rate Limiting: GraphQL Batching Attack](https://checkmarx.com/blog/didnt-notice-your-rate-limiting-graphql-batching-attack/) 71 | - [Best Practices When Deploying Webhooks in Production](https://hookdeck.com/webhooks/guides/best-practices-deploy-webhooks-production) 72 | - [The Arazzo Specification](https://spec.openapis.org/arazzo/latest.html) 73 | 
74 | ## Practice 75 | - [Damn Vulnerable GraphQL Application](https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application) 76 | - [Websheep](https://github.com/marmicode/websheep) 77 | - [Pixi](https://github.com/DevSlop/Pixi) 78 | - [API Security in Action](https://github.com/NeilMadden/apisecurityinaction) 79 | - [vAPI](https://github.com/roottusk/vapi) 80 | - [vulnerable OAuth 2.0 applications](https://github.com/koenbuyens/Vulnerable-OAuth-2.0-Applications) 81 | - [Vulnerable JWT lab](https://github.com/h-a-c/jwt-lab) 82 | - [Vulnerable GraphQL API](https://github.com/CarveSystems/vulnerable-graphql-api) 83 | - [KONTRAs OWASP Top 10 for API](https://application.security/free/owasp-top-10-API) 84 | - [Vulnerable API with Laravel App](https://github.com/InsiderPhD/Generic-University) 85 | - [c{api}tal](https://github.com/Checkmarx/capital) 86 | - [ParaBank](https://github.com/parasoft/parabank) 87 | - [VAmPI](https://github.com/erev0s/VAmPI/) 88 | - [Damn Vulnerable Restaurant](https://github.com/theowni/Damn-Vulnerable-Restaurant-API-Game) 89 | - [Vulnerable REST API - OWASP 2023](https://github.com/bnematzadeh/vulnerable-rest-api) 90 | 91 | ## Writeups 92 | - [Facebook Group Members Disclosure](https://spongebhav.medium.com/facebook-group-members-disclosure-e53eb83df39e) 93 | - [How we could have listened to anyone's call recordings](https://www.pingsafe.ai/blog/how-we-could-have-listened-to-anyones-call-recordings) 94 | - [How I Might Have Hacked Any Microsoft Account](https://thezerohack.com/how-i-might-have-hacked-any-microsoft-account) 95 | - [How we could have tracked anyone's live location using Truecaller's "Guardians" app](https://www.pingsafe.ai/blog/hacking-truecallers-guardian-application-to-track-you) 96 | - [Enumerate internal cached URLs which lead to data exposure](https://ysamm.com/?p=629) 97 | - [All That We Let In: Hacking mHealth Apps and 
APIs](https://alissaknight.medium.com/all-that-we-let-in-hacking-mhealth-apps-and-apis-part-2-1a55b928ce67) 98 | - [Tour de Peloton: Exposed user data](https://www.pentestpartners.com/security-blog/tour-de-peloton-exposed-user-data/) 99 | - [Smart car chargers. Plug-n-play for hackers?](https://www.pentestpartners.com/security-blog/smart-car-chargers-plug-n-play-for-hackers/) 100 | - [XSS Vulnerability Patched in SEOPress Affects 100,000 sites](https://www.wordfence.com/blog/2021/08/xss-vulnerability-patched-in-seopress-affects-100000-sites/) 101 | - [Two account takeover bugs worth $4300](https://blog.usamav.dev/two-account-takeover-bugs-worth-4300-dollar-bounty) 102 | - [Vulnerability in Bumble dating app reveals any user's exact location](https://robertheaton.com/bumble-vulnerability/) 103 | - [This is how I was able to see Private, Archived Posts/Stories of users on Instagram without following them](https://infosecwriteups.com/this-is-how-i-was-able-to-see-private-archived-posts-stories-of-users-on-instagram-without-de70ca39165c) 104 | - [Free BrewDog beer with a side order of shareholder PII?](https://www.pentestpartners.com/security-blog/free-brewdog-beer-with-a-side-order-of-shareholder-pii/) 105 | - [Unauthenticated XSS Vulnerability Patched in HTML Email Template Designer Plugin](https://www.wordfence.com/blog/2022/01/unauthenticated-xss-vulnerability-patched-in-html-email-template-designer-plugin/) 106 | - [DPD package sniffing](https://www.pentestpartners.com/security-blog/dpd-package-sniffing/) 107 | - [IDOR vulnerability on invoice and weak password reset leads to account take over](https://medium.com/@damaidec/idor-vulnerability-on-invoice-and-weak-password-reset-leads-to-account-take-over-603b42143a8c) 108 | - [F5 BIG-IP and iControl REST Vulnerabilities and Exposures](https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/) 109 | - [How Spoutible’s Leaky API 
Spurted out a Deluge of Personal Data](https://www.troyhunt.com/how-spoutibles-leaky-api-spurted-out-a-deluge-of-personal-data/) 110 | - [Forging signed commits on GitHub](https://iter.ca/post/gh-sig-pwn/) 111 | - [crAPI walkthrough using AI](https://zerodayhacker.com/crapi-walkthrough-using-ai/) 112 | - [ParaBank walkthrough](https://zerodayhacker.com/parabank-walkthrough/) 113 | - [c{api}tal walkthrough](https://zerodayhacker.com/capital-walkthrough/) 114 | - [vAPI walkthrough](https://zerodayhacker.com/vapi-walkthrough/) 115 | - [DVGA walkthrough](https://zerodayhacker.com/dvga-walkthrough/) 116 | - [VAmPI walkthrough](https://zerodayhacker.com/vampi-walkthrough/) 117 | - [Zenly Fixes User Data Exposure and Account Takeover Risks](https://checkmarx.com/blog/zenly-fixes-user-data-exposure-and-account-takeover-risks/) 118 | ### BOLA / IDOR 119 | - [Cracking Encrypted Credit Card Numbers Exposed By API](https://infosecwriteups.com/cracking-encrypted-credit-card-numbers-exposed-by-api-977c6f7b996f) 120 | - [What is BOLA? 
3-digit bounty from Topcoder](https://infosecwriteups.com/what-is-bola-3-digit-bounty-from-topcoder-a25e7fae0d64) 121 | - [Attacking predictable GUIDs when hacking APIs](https://danaepp.com/attacking-predictable-guids-when-hacking-apis) 122 | ### OAuth 123 | - [Chained Bugs to Leak Victim's Uber's FB Oauth Token](https://hackerone.com/reports/131202) 124 | - [Slack OAuth2 "redirect_uri" Bypass ](https://hackerone.com/reports/2575) 125 | - [Steal OAuth Tokens](https://hackerone.com/reports/131202) 126 | - [OAuth redirect_uri bypass using IDN homograph attack resulting in user's access token leakage](https://hackerone.com/reports/861940) 127 | - [Stealing Users OAUTH Tokens via redirect_uri ](https://hackerone.com/reports/405100) 128 | - [Stealing Users OAuth Tokens through redirect_uri parameter](https://hackerone.com/reports/665651) 129 | ### JWT 130 | - [Predictable JWT secret](https://hackerone.com/reports/896649) 131 | ### Rate Limit 132 | - [OTP brute-force via rate limit bypass](https://bilalabdulmuqeet.medium.com/brute-forcing-otp-via-bypassing-rate-limit-c5ee6b25c2a8) 133 | ### SSRF 134 | - [Server-side Request Forgery on FinTech Platform Enabled Administrative Account Takeover](https://salt.security/blog/api-threat-research-server-side-request-forgery-on-fintech-platform-enabled-administrative-account-takeover) 135 | 136 | ## Testing 137 | - [Tavern API Testing](https://tavern.readthedocs.io/en/latest/) 138 | - [REST-Attacker](https://github.com/RUB-NDS/REST-Attacker) 139 | 140 | -------------------------------------------------------------------------------- /docs/layouts/index.html: -------------------------------------------------------------------------------- 1 | {{ partial "header" . }} 2 | 3 |
4 |
5 | {{ with .Site.Params.profilePic }} {{ end }} 6 |
7 |

{{ markdownify .Site.Params.Description }}

8 | {{ with .Content }}
{{ . }}
{{ end }} 9 |
10 |
11 | 12 | {{ partial "footer" . }} 13 | -------------------------------------------------------------------------------- /docs/layouts/partials/header.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | {{ partial "head-open" . }} 5 | 6 | 7 | {{ .Title }} 8 | {{ if .Site.Params.favicon }} 9 | 10 | {{ end }} 11 | {{ partial "css" . }} {{ partial "js" . }} {{ hugo.Generator }} 12 | {{ with .OutputFormats.Get "RSS" }} 13 | 14 | 15 | {{ end }} 16 | 17 | {{ if .Site.Params.MathJax | default true }} 18 | 19 | {{ end }} 20 | 21 | {{ partial "head-close" . }} 22 | 23 | 24 | 25 | {{ partial "body-open" . }} 26 | 67 | -------------------------------------------------------------------------------- /docs/layouts/section/play.html: -------------------------------------------------------------------------------- 1 | {{ partial "header" . }} 2 | 3 |
4 | 5 | 6 |
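7 | 8 | {{ partial "footer" . }} 9 | -------------------------------------------------------------------------------- /docs/static/css/custom.css: -------------------------------------------------------------------------------- 1 | body { 2 | text-align: left; 3 | } 4 | footer { 5 | text-align: center; 6 | } 7 | #mindmap { 8 | width: 100%; 9 | height: 100%; 10 | } 11 | #markmap { 12 | max-width: 100% !important; 13 | width:100% 14 | } 15 | main div.intro { 16 | text-align: center; 17 | } 18 | .homepage-content { 19 | position: relative; 20 | top: -210px; 21 | z-index: -1; 22 | } 23 | -------------------------------------------------------------------------------- /docs/static/js/mindmap.js: --------------------------------------------------------------------------------
((win, doc) => {
  // Source of the mindmap content. Whatever this URL returns is transformed by
  // markmap and rendered into the page (render) or written into a downloadable
  // HTML file (downloadInteractiveHTML), so the repository's main branch is the
  // trust boundary for everything shown here.
  const mdURL = 'https://raw.githubusercontent.com/dsopas/MindAPI/main/MindAPI.md';

  /**
   * Fetch the MindAPI markdown text.
   * @returns {Promise<string>} the raw markdown
   * @throws {Error} when the response status is not 2xx — fetch() only rejects
   *   on network failure, so a 404/500 body would otherwise be rendered as if
   *   it were the mindmap.
   */
  async function getMarkdown() {
    const res = await fetch(mdURL);
    if (!res.ok) {
      throw new Error(`Fetching ${mdURL} failed with HTTP ${res.status}`);
    }
    return res.text();
  }

  /**
   * Fetch the markdown and run it through the markmap transformer.
   * Shared by render() and downloadInteractiveHTML(), which previously each
   * duplicated this sequence.
   * @returns {Promise<{transformer: object, root: object, features: object}>}
   *   the transformer instance (needed later for getUsedAssets) together with
   *   the output of transform()
   */
  async function transformMarkdown() {
    const transformer = new win.markmap.Transformer();
    const md = await getMarkdown();
    const { root, features } = transformer.transform(md);
    return { transformer, root, features };
  }

  /**
   * Render the mindmap.
   * @param {string} el - target handed straight to Markmap.create. The original
   *   also looked the id up with getElementById but never used the result, so
   *   the string is what markmap actually receives.
   * @returns {Promise<void>}
   */
  async function render(el) {
    const { root } = await transformMarkdown();
    win.markmap.Markmap.create(el, null, root);
  }

  /**
   * Build a self-contained interactive HTML version of the mindmap and trigger
   * a browser download of it as "mindapi.html".
   * @returns {Promise<void>}
   */
  async function downloadInteractiveHTML() {
    const { transformer, root, features } = await transformMarkdown();
    const assets = transformer.getUsedAssets(features);
    const html = win.markmap.fillTemplate(root, assets);

    // Declared with `const`: the original assigned `a` without declaring it,
    // leaking an implicit global (a ReferenceError under strict mode).
    const link = doc.createElement('a');
    // The media type parameter must be `charset=utf-8`; a bare `utf8` token is
    // not a valid parameter, so non-ASCII characters in the markdown would fall
    // back to the default charset in the downloaded file.
    link.setAttribute('href', `data:text/html;charset=utf-8,${encodeURIComponent(html)}`);
    link.setAttribute('download', 'mindapi.html');
    link.click();
  }

  doc.addEventListener('DOMContentLoaded', () => {
    // Set up the download handler. The element is presumably the "Interactive
    // HTML" menu entry (config.toml points it at #download-interactive); guard
    // against its absence instead of throwing on a page that lacks it.
    const trigger = doc.getElementById('download-interactive');
    if (trigger === null) {
      return;
    }
    trigger.addEventListener('click', () => {
      // Surface failures (network, non-2xx response, missing markmap globals)
      // instead of leaving a rejected promise floating.
      downloadInteractiveHTML().catch((err) => {
        console.error('MindAPI: interactive download failed', err);
      });
    });
  });

  win.mindapi = { render };
})(window, document);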
-------------------------------------------------------------------------------- /docs/static/mindapi.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dsopas/MindAPI/90338c3e4f00e76917763bb5fe07a8fd7c276c2d/docs/static/mindapi.png -------------------------------------------------------------------------------- /logo MindAPI_git.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dsopas/MindAPI/90338c3e4f00e76917763bb5fe07a8fd7c276c2d/logo MindAPI_git.jpg -------------------------------------------------------------------------------- /mindapi_cover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dsopas/MindAPI/90338c3e4f00e76917763bb5fe07a8fd7c276c2d/mindapi_cover.png -------------------------------------------------------------------------------- /mindapi_play.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dsopas/MindAPI/90338c3e4f00e76917763bb5fe07a8fd7c276c2d/mindapi_play.gif --------------------------------------------------------------------------------