├── Lesson 1
    ├── 1. Introduction.md
    └── 2. Notes detail Index.md
├── Lesson 2
    └── 1. Finding Hidden Endpoints.md
├── Lesson 3
    └── 1-Privilege Escalation Attack.md
├── Lesson 4
    └── sessions.md
├── Lesson 5
    ├── XML Attack.md
    └── test xml scripts.txt
├── README.md
├── _config.yml
├── cors-secret-method.png
├── csrf-testing-methodology.md
└── final-csrf-methodology.png


/Lesson 1/1. Introduction.md:
--------------------------------------------------------------------------------
 1 | # Introductory topics. 
 2 |     ## 1. HTTP Codes (brief).
 3 |     ## 2. Same Origin Policy.
 4 |     ## 3. Introduction to API.
 5 |     ## 4. API Testing TECHNIQUE
 6 |     ## 5. API Authentication methods. (Cookie vs Token).
 7 |     
 8 |     
 9 | ### 1. HTTP Response codes and its meaning
10 | 
11 | 
12 | | HTTP Codes              | Meaning                        |
13 | | ----------------------- |:------------------------------:|
14 | | 1xx  Inforamtion        | Protocol informatinal message  |
15 | | 2xx  Success            | Request was successfull        |
16 | | 3xx  Redirection        | Redirection                    |
17 | | 4xx  Client-Side Error  | Error at Client-side           |
18 | | 5xx  Server-Side Error  | Error at Server-side           |
19 | 
20 | ### 2. Same Origin Policy
21 | 
22 |     Security mechanism implemented in browsers.
23 |     One site allowed to read/modify data received from same site but not allowed to read content from another site.
24 |     Exceptions:
25 |     1.	Load scripts from other sites using <script> tag.
26 |     2.	Submit form for one site to another but cannot read data.
27 | 
28 | 
29 | ### 3. Introduction to API
30 | 
31 |     What is API? 
32 |     -> An setting between Client-App and Server-App to exchange data/message.
33 | 
34 |     Where are API used? 
35 |     -> Its used everywhere. E.g. Facebook uses API to fetch data and show on page.
36 | 
37 |     Why API is used?
38 |     -> 1. API separate backend logic and frontend logic. E.g. We can keep changing fronend of a App and still keep using same API to access backend API.
39 |      2. Reuse code. E.g Get users data via API endpoint.
40 |      3. Easy to fix bug. E.g. fix a bug in vulnerable function without changing frontend of App.
41 |      4. Expand services to third-party developers.
42 | 
43 | #### Good Read for API Fundamentals.
44 | > https://medium.com/@cagline/restful-web-services-ddafb8019f2e
45 | 
46 | ### 4. API Testing TECHNIQUE
47 |     Find target URI of the API
48 |     Find out how the API authenticates (Cookie Vs Token)
49 |     Find how resources are modeled.
50 |     
51 | ### 5. API Authentication methods (Cookie vs Token). 
52 | 
53 |     1. Cookie Based.
54 |         In this cookie has required information for authentication.
55 |     
56 |     2. Token Based.
57 |         In this, authentication variable other than cookie is used to identify.
58 |         E.g. Basic Auth, JWT, Access Token, etc..
59 | 


--------------------------------------------------------------------------------
/Lesson 1/2. Notes detail Index.md:
--------------------------------------------------------------------------------
 1 | # Api-Pentesting
 2 | 
 3 | Methodology
 4 | 
 5 | <pre><h3> 1. Find end-points including hidden end-points.</h3>
 6 |     1. Running web-app through proxy.
 7 |     2. Scanning for js files.
 8 |     3. Using different http methods (get, post, delete, put).
 9 |     4. Developer Docs.
10 |     5. Application.wadl
11 |     6. Options and HREF (in response search for href).
12 |     7. Way Back Machine.</pre>
13 | 
14 | <pre><h3> 2. Different attacks on endpoints.</h3>
15 |   <h4> 1. Privilege Escalation.</h4>
16 |       1. Role Based Testing.
17 |         Check number of roles.
18 |   <h4> 2. Privacy Based.</h4>
19 |     2. Privacy Based Testing.
20 |         Try to get info which is not accessible to current user.</pre>
21 |  
22 | <pre><h3> 3. Sessions.</h3>
23 |     1. 4 Tests for cookie/token.</pre>
24 |   
25 | <pre><h3> 4. XML Attacks Cookie/Token based.</h3>
26 |     1. Testing methodology for XXE.
27 |         1. Viewable and Unviewable XXE Testing methods.
28 |     2. Simple Way to confirm XXE.
29 |     3. How it is patched
30 |     4. How it can be bypassed
31 | </pre>
32 |     
33 | 


--------------------------------------------------------------------------------
/Lesson 2/1. Finding Hidden Endpoints.md:
--------------------------------------------------------------------------------
 1 | # Various methods to find API Endpoints.
 2 | 
 3 | <pre>1. Running web-app through proxy.</pre>
 4 | <pre>2. Scanning for js files.</pre>
 5 | <pre>3. Using different http methods (get, post, delete, put).</pre>
 6 | <pre>4. Developer Docs.</pre>
 7 | <pre>5. Application.wadl</pre>
 8 | <pre>6. Options and HREF (in response search for href).</pre>
 9 | <pre>7. Way Back Machine.</pre>
10 | 
11 |  ### 1. Running Through proxy
12 |  <pre><b>Note: Browse web app to get more api endpoints.</b></pre>
13 | <pre> 1. Simple method is to check <b>Network</b> Tab in developer tools and filter XHR request.
14 |  2. In burp proxy, select history and check for requests whose response is in either <b>XML</b> or <b>JSON</b> in MIME type.
15 |  3. A Good link on this topic. 
16 |   <a>-https://support.portswigger.net/customer/portal/articles/2898121-using-burp-to-enumerate-a-rest-api</a>
17 |   <a>-https://support.portswigger.net/customer/portal/articles/2898216-using-burp-to-test-a-rest-api</a></pre>
18 |  Note all endpoints in excel sheet.</br>
19 |  E.g. 
20 |  
21 | 
22 | | Resource     | Method  | Endpoint                         | Params                   | Other Notes                     |
23 | |--------------|---------|----------------------------------|--------------------------|---------------------------------|
24 | | /reset       | GET     | https://api.bank.xyz/reset       | ?id=1253&pass=*****      | Token not used                  |
25 | |              |         | Keep it blank.                   | We might find additional | endpoints                       |
26 | | /login       | POST    | https://api.bank.xyz/login       | username=Test&Pass=***** | No CSRF Token                   |
27 | |              |         | Keep it blank.                   | We might find additional | endpoints                       |
28 | |              |         | Keep it blank.                   | We might find additional | endpoints                       |
29 | |              |         | Keep it blank.                   | We might find additional | endpoints                       |
30 | | /user        | POST    | https://api.bank.xyz/user        | id=1253                  | Returns token in response       |
31 | | /user/credit | PUT     | https://api.bank.xyz/user/credit | id=1253&credit=100000    | credits 10000                   |
32 | |              |         | Keep it blank.                   | We might find additional | endpoints                       |
33 | |              |         | Keep it blank.                   | We might find additional | endpoints                       |
34 |  
35 |  ### 2. Scanning js files
36 |  <pre>Find additional endpoints which got missed during scanning through proxy and add it to excel sheet.
37 |  JS files might have hidden endpoints which are not accessible to current role.</pre>
38 |  
39 |  <pre>Methodology:
40 |  1. Find all js files using burp.
41 |  2. Find keywords which are addressable resources, found while running through proxy.
42 |  3. Another method to find api in js files is to get js files,
43 |     then use js beautifier and search for HTTP methods in that files.
44 |     E.g. <b>GET</b> or <b>POST</b>.
45 |  4. Also search for <b>$http.</b> or <b>XMLHttpRequest</b> in js files. 
46 |     The XMLHttpRequest is just additonal task, but might give addtional end points.</pre>      
47 |  
48 |  ### 3. Using different http methods (get, post, delete, put)
49 |  <pre>It is important to know how many http methods are actually implemented and out of which how may
50 |  are documented. This might uncover vulnerability. It is a kind of low hanging fruit.</pre>
51 |  <pre>1. Fire options method on each endpoint, found earlier. It does'nt matter even if returns 404.
52 |    We might not have access to those endpoints but those endpoints exists.
53 | 2. Find all allowed request methods.
54 | 3. Find implemented request methods on endpoints.</pre>
55 | 
56 | <pre> First try <b>options</b> method, if it returns <b>allow: methods_allowed</b>, then note it down in our excel sheet.
57 |     Try with each seperate options such as <b>get</b> if nothing returned, 
58 |     server defintely returns error, sometime <b>method not implemented</b>
59 |       </pre>
60 |       
61 |  ### 4. Developer Docs
62 |   <pre>Documents for building third party apps by consuming first party web apps data.</pre>
63 |   <pre>Easy to find api endpoints which are accessible for thirdpaty, mostly this endpoints are also accessible by 
64 | our web applicaiton or by mobile application. Note down all endpoints from developer docs.</pre>
65 |  
66 |  
67 |  ### 5. Application.wadl
68 |  <pre>Java based web apps have this file application.wadl.
69 | This file is used by developers as reference. This will have all endpoints.</pre>
70 | <pre>It is accessible from root directory. <b>api.bank.xyz/application.wadl</b>
71 | </pre> 
72 |  ### 6. Options and HREF
73 |  <pre>In this step check for respons by firing OPTIONS and GET methods.</pre>
74 |  <pre>Fire OPTIONS method on endpoint, sometime it may return XML data which may have additional
75 | endpoints and also result for OPTIONS method.
76 | Search for HREF word in response, it may uncover additional endpoints.</pre>  
77 |  
78 |  ### 7. Way Back Machine
79 |  <pre>Use this step to uncover addtional endpoints which did'nt got covered in current document 
80 | but were implemented earlier.
81 | Here we check if some unused api still there and might be vulnerable.</pre>


--------------------------------------------------------------------------------
/Lesson 3/1-Privilege Escalation Attack.md:
--------------------------------------------------------------------------------
 1 | ### Privilege Escalation.
 2 | <pre>1. Horizontal vs Vertical Privelege Escalation.
 3 | 2. Visible vs Invisible role based privilege escalation.</pre>
 4 | 
 5 | ### <b>Privilege Escalation Testing Methods.</b>
 6 | <pre>1. Role based Testing Methodology.
 7 | 2. Privacy based Testing Methodology.
 8 | </pre>
 9 | 
10 | ### Role based Testing Methodology 
11 | <pre>1. Find all API endpoints.
12 | 2. Identify roles.
13 | 3. Try Privilege Escalation.</pre>
14 | 
15 | <pre>Privilege Escalation can be 
16 | 1. User to User.
17 | 2. Admin to Admin.
18 | 3. User to Admin.</pre>
19 | 
20 | <pre>In same excel sheet answer a question, how many roles are there.
21 | E.g. facebook has pages, pages have role such as administrator, editor, moderator, etc.
22 | So excel sheet will have.</pre>
23 | 
24 | |How many roles?|Multiple roles and tasks| 
25 | |---------------|-------------|
26 | |Administrator  |Admin of page. Page can have multiple admins.|
27 | |Editor         |Can edit or create posts.|
28 | 
29 | Now completely focus on privilege escalation.
30 | 
31 | ### Privacy based Testing Methodology
32 | 
33 | <pre>1. Find all API endpoints.
34 | 2. Identify privacy settings.
35 | 3. Try Privilege Escalation.</pre>
36 | 
37 | <pre><b>Note:</b> Privilege Escalation means accessing data which is not in our scope.
38 | In same excel sheet answer a question, what are privacy settings.
39 | A user to user privilege escalation is also as high as user to admin.
40 | E.g. In a room booking app, unpublished rooms are only accessible by admin and other 
41 | users can just view published rooms. So excalating privilege to access a unpublished room is a bug.</pre>


--------------------------------------------------------------------------------
/Lesson 4/sessions.md:
--------------------------------------------------------------------------------
1 | ### Sessions
2 | <pre>User identification is done based on session token or access token.</pre>
3 | 
4 | ### Methodology to check session security.
5 | <pre>
6 | Check if session-token/access-token <b><span style="color:#FF0000";>expires on logout.</span></b>
7 | Check if session-token/access-token <b><span style="color:#FF0000";>expires on password reset/change.</span></b>
8 | Check if session-token/access-token <b><span style="color:#FF0000";>expires on user removal.</span></b>
9 | Check if session-token/access-token <b><span style="color:#FF0000";>expires on changing roles.</span></b></pre>


--------------------------------------------------------------------------------
/Lesson 5/XML Attack.md:
--------------------------------------------------------------------------------
 1 | <h1> XXE Pentesting Methodology</h1>  
 2 | 
 3 | <p><pre><h2>1. XXE XML Entity Injection</h3>
 4 | <h4>1. Testing Viewable Injection</h4> 
 5 |       1. Search for api end points and change Content-Type to 
 6 |       <b>application/xml</b> 
 7 |         or 
 8 |       <b>text/xml</b> 
 9 |       and see if it is accepting xml.
10 |       2. check if we can use internal entities.
11 |       3. Check if we can use external entities using system keyword.
12 |       4. inject into viewable parameter.
13 |    
14 |    
15 | <h4>2. Testing Unviewable Injection</h4> 
16 |       1. Search for api end points and change Content-Type to 
17 |       <b>application/xml</b> 
18 |         or 
19 |       <b>text/xml</b> 
20 |       and see if it is accepting xml.
21 |       2. check if we can use internal entities.
22 |       3. Check if we can use external entities using system keyword.
23 |       4. send data to our out band server.</pre></p> 
24 |     
25 | <pre><h2>2. Simple Way to confirm XXE.</h3>  
26 |     Use pingb.in to check if we can receive external ping.</pre>
27 |     
28 | 
29 | <pre><h2>3. How it is patched</h3>
30 | 1. Block DTD
31 | 2. Block SYSTEM
32 | 3. Block specific URI's like file:/// http:// etc.
33 | </pre>
34 | 
35 | <pre><h2>4. How it can be bypassed</h3>
36 | 1. Use FTP to perform OOB data extraction
37 | 2. Use php:// to get RCE or exploit XXE
38 | 3. Use gopher or other URI handlers.
39 | </pre>
40 | 
41 | <pre><h2>5. Learn more indepth about xxe by labs on web-security by portswigger xxe exercise.</h3></pre>  
42 | 


--------------------------------------------------------------------------------
/Lesson 5/test xml scripts.txt:
--------------------------------------------------------------------------------
 1 | Internal XXE Test
 2 | <?xml version="1.0" encoding="UTF-8"?>
 3 | <stockCheck>
 4 |   <productId>&xxe;</productId>
 5 | </stockCheck>
 6 | 
 7 | External XXE Test
 8 | <?xml version="1.0" encoding="UTF-8"?>
 9 | <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
10 | <stockCheck><productId>&xxe;</productId></stockCheck>
11 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # API Pentesting Notes.
 2 | 
 3 | ### Notes on following topics.
 4 | <pre>
 5 | ├── Lesson-1
 6 | |  ├── 1-<a href="https://github.com/omkar-ukirde/api-pentesting/blob/master/week 1/1. Introduction.md">Introduction</a>       
 7 | |  └── 2-<a href="https://github.com/omkar-ukirde/api-pentesting/blob/master/week 1/2. Notes detail Index.md">Notes detail Index</a> (Needs more editing at end)
 8 | |   
 9 | ├── Lesson-2
10 | |  └── 1-<a href="https://github.com/omkar-ukirde/api-pentesting/blob/master/week 2/1. Finding Hidden Endpoints.md">Finding Hidden endpoints</a>
11 | |
12 | ├── Lesson-3
13 | |  └── 1-<a href="https://github.com/omkar-ukirde/api-pentesting/blob/master/week 3/1-Privilege Escalation Attack.md">Privilege Escalation Attack</a>       
14 | |      ├── 1-Role Based Testing
15 | |      └── 2-Privacy Based Testing
16 | |
17 | ├── Lesson-4
18 | |  └── 1-<a href="https://github.com/omkar-ukirde/api-pentesting/blob/master/week 4/sessions.md">Session Misconfiguration</a>       
19 | |      └── 1-4 Test Cases
20 | |
21 | ├── Lesson-5
22 | |  ├── 1-<a href="https://github.com/omkar-ukirde/api-pentesting/blob/master/week 5/XML Attack.md">XML Attacks cookie/token based</a>       
23 | |  └── 2-<a href="https://github.com/omkar-ukirde/api-pentesting/blob/master/week%205/test%20xml%20scripts.txt">Internal External XML Test Scripts</a>
24 | |
25 | ├── Lesson-6
26 | |  ├── 1-<a href="https://github.com/omkar-ukirde/api-pentesting/blob/master/csrf-testing-methodology.md">CSRF Testing</a>  
27 | |
28 | ├── Lesson-7 Online LABS
29 | |  ├── 1- http://demo.testfire.net/swagger/index.html
30 | |  └── 2- http://rest.vulnweb.com/
31 | 
32 | Links for further learning:
33 | 
34 | Part 1
35 | https://medium.datadriveninvestor.com/api-security-testing-part-1-b0fc38228b93
36 | 
37 | Part 2
38 | https://saumyaprakashrana-51250.medium.com/api-security-testing-part-2-67ae9fb9c12
39 | 
40 | Playground for learning
41 | https://www.akto.io/test/access-control-bypass-by-changing-request-method-to-head
42 |   
43 | </pre>
44 | 
45 | 


--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
1 | theme: jekyll-theme-hacker


--------------------------------------------------------------------------------
/cors-secret-method.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/omkar-ukirde/api-pentesting/6e2db25bc3fd4deaef5845c253c11a3dfafc9b59/cors-secret-method.png


--------------------------------------------------------------------------------
/csrf-testing-methodology.md:
--------------------------------------------------------------------------------
 1 | # Total 4 number of tests can be done on csrf
 2 | 
 3 | 1. Simple CSRF
 4 | 2. Anti CSRF token bypass
 5 | 3. CSRF Content-Type:text/plain
 6 | 4. CSRF FLASH
 7 | 
 8 | # 1. Simple CSRF Testing Methodology
 9 | 
10 | 1. Check if the given api endpoint is cookie based endpoint. </br>
11 | &nbsp;&nbsp;&nbsp;It must be cookie based. </br>
12 | 
13 | 2. Check if</br> 
14 | ****origin**** and ****referrer**** </br>
15 | header are not validated by server by deleting and resending the request. </br>
16 | > Origin: http://fl4tswa8w0y12jpm-apillab1.labs.peritustrainingschool.com </br>
17 | > Referer: http://fl4tswa8w0y12jpm-apillab1.labs.peritustrainingschool.com/Csrf1 </br> </br>
18 | 
19 | &nbsp;&nbsp;&nbsp;They must not be validated by server.</br>
20 | 
21 | 3. If server is not validating... :smiley:  </br>
22 | 
23 | 4. **Exploit it.** </br>
24 | 
25 | > Note: you can generate poc from burp.
26 | 
27 | # 2. Testing when Anti CSRF Tockens are enabled.
28 | 
29 | > Note: Please check all tests by changing request methods also. </br>
30 | 1. First, check by passing blank parameter value. Check if server accepts. (Use burp and remove token value) </br>
31 | > Token : Blank_Value </br>
32 | 
33 | 2. Second, Remove parameter and anti-CSRF token completely. </br>
34 | 
35 | 3. Add similar length token. (Change few values in token).</br>
36 | 
37 | 4. Add another user’s valid anti-CSRF token. </br>
38 | 
39 | # 3. CSRF Content-Type:text/plain
40 | 
41 | 1. Check if no anti-csrf tokens are used. If anti-csrf token is present try anti-csrf token bypass test.
42 | 2. Set `content-type=text/plain` and verify if the server is processing the request.
43 | 3. Exploitable.
44 | 


--------------------------------------------------------------------------------
/final-csrf-methodology.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/omkar-ukirde/api-pentesting/6e2db25bc3fd4deaef5845c253c11a3dfafc9b59/final-csrf-methodology.png


--------------------------------------------------------------------------------