
API

Theory

The API pentesting methodology begins with reconnaissance, where information is gathered about the API, including its endpoints, parameters, and authentication methods. Next, testers assess the authentication and authorization controls that are meant to enforce access control and attempt to bypass them. Input validation is then tested by sending crafted payloads to identify vulnerabilities such as injection attacks. Business logic testing follows, ensuring the API handles data and functions correctly without unintended consequences. Rate limiting and denial-of-service (DoS) protections are evaluated to confirm that excessive requests are rejected. Finally, a detailed report is created, documenting findings, vulnerabilities, and recommendations for remediation.

Practice

API types

  • SOAP/XML Web Services : SOAP (Simple Object Access Protocol) is an XML-based protocol for exchanging structured information in the implementation of web services.
  • REST APIs (JSON) : The defining features of a REST API are its statelessness, its use of standard HTTP methods (GET, POST, PUT, DELETE), and its resource-based structure, with responses typically formatted in JSON or XML.
  • GraphQL : A query language for APIs offering a complete and understandable description of the data in your API.

Endpoint discovery

Discover API endpoints with fuzzing.

FFUF: a fast web fuzzer written in Go.

```bash
ffuf -w /path/to/wordlist -u https://target/FUZZ
```

Wordlists for discovering API endpoints

chrislockard/api_wordlist

yassineaboukir/List of API endpoints & objects

HTTP method

Identify the HTTP methods accepted by the endpoints.

HTTPMethods: useful for finding HTTP verb tampering vulnerabilities and dangerous HTTP methods.

```bash
httpmethods -u http://www.example.com/
```

Parameter tampering

Experiment with adding or replacing parameters in requests to access unauthorized data or functionalities.

Example:

https://target.com/api/users/1 --> 401
https://target.com/api?users=1 --> 200
https://target.com/api/users?1 --> 200
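The three responses above usually mean the authorization check is tied to one URL shape while the handler accepts the same resource identifier in other places. The following added example (not code from the original page) reproduces that flaw in a small in-memory router and places it next to a hardened handler that resolves the target resource first and then authorizes against it, so every way of naming the user goes through the same check. All names, tokens and user records here are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory data; these are not real accounts or tokens.
USERS = {1: {"name": "alice"}, 2: {"name": "bob"}}
TOKENS = {"tok-alice": 1, "tok-bob": 2}  # bearer token -> user id it belongs to


@dataclass
class Request:
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    token: Optional[str] = None


def parse(url: str, token: Optional[str] = None) -> Request:
    parts = urlsplit(url)
    # keep_blank_values so a bare "?1" survives as the key "1"
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return Request(parts.path, query, token)


def resolve_user_id(req: Request) -> Optional[int]:
    """Lenient resolver that mimics the ambiguous routing shown above: the id may
    come from the path, from ?users=<id>, or from a bare numeric query key."""
    m = re.fullmatch(r"/api/users/(\d+)", req.path)
    if m:
        return int(m.group(1))
    if req.query.get("users", "").isdigit():
        return int(req.query["users"])
    for key in req.query:
        if key.isdigit():
            return int(key)
    return None


def vulnerable_handle(req: Request) -> int:
    # Flaw: authorization is a path-pattern check bolted on in front of the
    # handler, so requests that name the user any other way are never checked.
    if re.fullmatch(r"/api/users/\d+", req.path):
        if TOKENS.get(req.token) != int(req.path.rsplit("/", 1)[1]):
            return 401
    uid = resolve_user_id(req)
    return 200 if uid in USERS else 404


def hardened_handle(req: Request) -> int:
    # Fix: authenticate, resolve the target resource, then authorize against
    # that resource inside the handler, independent of how the URL was shaped.
    caller = TOKENS.get(req.token)
    if caller is None:
        return 401  # unauthenticated
    uid = resolve_user_id(req)
    if uid is None or uid not in USERS:
        return 404
    if uid != caller:
        return 403  # authenticated, but not the owner of this record
    return 200


def demo(handler, token: Optional[str] = None) -> Dict[str, int]:
    """Replays the three request shapes from the example above through a handler."""
    urls = (
        "https://target.com/api/users/1",
        "https://target.com/api?users=1",
        "https://target.com/api/users?1",
    )
    return {u: handler(parse(u, token)) for u in urls}


if __name__ == "__main__":
    print("vulnerable:", demo(vulnerable_handle))
    print("hardened:  ", demo(hardened_handle))
```

Running `demo(vulnerable_handle)` with no token reproduces the 401/200/200 pattern from the example; `demo(hardened_handle)` returns 401 for all three shapes, and a valid token for a different user gets 403 rather than the record.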

Version testing

Older API versions might be more susceptible to attacks. Always check for and test against multiple API versions.

Example:

https://target.com/api/v2/users/1 --> 401
https://target.com/api/v1/users/1 --> 200
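On the defending side, both the endpoint fuzzing from the discovery section and the old-version probing shown here leave a clear trace in the access log: a burst of 404s on distinct `/api/` paths from one client, and successful responses on a version that should no longer be served. The following added example (not code from the page or from any of the tools it lists) parses a constructed Common Log Format sample and applies both checks; the IP addresses, paths and the supported-version set are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample access log in Common Log Format; not real traffic.
SAMPLE_LOG = """
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /api/admin HTTP/1.1" 404 153
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /api/backup HTTP/1.1" 404 153
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /api/config HTTP/1.1" 404 153
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /api/debug HTTP/1.1" 404 153
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /api/test HTTP/1.1" 404 153
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /api/v2/users/1 HTTP/1.1" 401 0
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /api/v1/users/1 HTTP/1.1" 200 87
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /api/v2/users/1 HTTP/1.1" 200 87
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /api/v2/users/1 HTTP/1.1" 404 0
""".strip().splitlines()

# client, method, path and status from a CLF line; the rest is ignored
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
VERSION_RE = re.compile(r"^/api/(v\d+)/")


def parse_log(lines: List[str]) -> List[Dict[str, object]]:
    """Turns CLF lines into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        entries.append({
            "ip": ip,
            "method": method,
            "path": path.split("?", 1)[0],  # drop the query string
            "status": int(status),
        })
    return entries


def fuzzing_suspects(entries: List[Dict[str, object]], threshold: int = 5) -> List[str]:
    """Clients that received 404 on at least `threshold` distinct /api/ paths."""
    misses: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        if e["status"] == 404 and str(e["path"]).startswith("/api/"):
            misses[str(e["ip"])].add(str(e["path"]))
    return sorted(ip for ip, paths in misses.items() if len(paths) >= threshold)


def deprecated_version_hits(
    entries: List[Dict[str, object]], supported: Set[str] = frozenset({"v2"})
) -> List[Tuple[str, str]]:
    """2xx responses served from an API version outside the supported set."""
    hits = []
    for e in entries:
        m = VERSION_RE.match(str(e["path"]))
        if m and m.group(1) not in supported and 200 <= int(e["status"]) < 300:
            hits.append((str(e["ip"]), str(e["path"])))
    return hits


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("fuzzing suspects:", fuzzing_suspects(parsed))
    print("deprecated version hits:", deprecated_version_hits(parsed))
```

The version check is the more actionable of the two: a 2xx from `/api/v1/` means the old version is still routed and still answers, so the fix is to retire or gate it rather than to tune the alert.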

Resources

hacktricks