Web API Pentesting
[AD REMOVED]
API Pentesting Methodology Summary
Pentesting APIs involves a structured approach to uncovering vulnerabilities. This guide encapsulates a comprehensive methodology, emphasizing practical techniques and tools.
Understanding API Types
- SOAP/XML Web Services: Utilize the WSDL format for documentation, typically found at
?wsdl
paths. Tools like SOAPUI and WSDLer (Burp Suite Extension) are instrumental for parsing and generating requests. Example documentation is accessible at DNE Online. - REST APIs (JSON): Documentation often comes in WADL files, yet tools like Swagger UI provide a more user-friendly interface for interaction. Postman is a valuable tool for creating and managing example requests.
- GraphQL: A query language for APIs offering a complete and understandable description of the data in your API.
Practice Labs
- VAmPI: A deliberately vulnerable API for hands-on practice, covering the OWASP top 10 API vulnerabilities.
Effective Tricks for API Pentesting
- SOAP/XML Vulnerabilities: Explore XXE vulnerabilities, although DTD declarations are often restricted. CDATA tags may allow payload insertion if the XML remains valid.
- Privilege Escalation: Test endpoints with varying privilege levels to identify unauthorized access possibilities.
- CORS Misconfigurations: Investigate CORS settings for potential exploitability through CSRF attacks from authenticated sessions.
- Endpoint Discovery: Leverage API patterns to discover hidden endpoints. Tools like fuzzers can automate this process.
- Parameter Tampering: Experiment with adding or replacing parameters in requests to access unauthorized data or functionalities.
- HTTP Method Testing: Vary request methods (GET, POST, PUT, DELETE, PATCH) to uncover unexpected behaviors or information disclosures.
- Content-Type Manipulation: Switch between different content types (x-www-form-urlencoded, application/xml, application/json) to test for parsing issues or vulnerabilities.
- Advanced Parameter Techniques: Test with unexpected data types in JSON payloads or play with XML data for XXE injections. Also, try parameter pollution and wildcard characters for broader testing.
- Version Testing: Older API versions might be more susceptible to attacks. Always check for and test against multiple API versions.
Tools and Resources for API Pentesting
- kiterunner: Excellent for discovering API endpoints. Use it to scan and brute force paths and parameters against target APIs.
kr scan https://domain.com/api/ -w routes-large.kite -x 20
kr scan https://domain.com/api/ -A=apiroutes-220828 -x 20
kr brute https://domain.com/api/ -A=raft-large-words -x 20 -d=0
kr brute https://domain.com/api/ -w /tmp/lang-english.txt -x 20 -d=0
- https://github.com/BishopFox/sj: sj is a command line tool designed to assist with auditing of exposed Swagger/OpenAPI definition files by checking the associated API endpoints for weak authentication. It also provides command templates for manual vulnerability testing.
- Additional tools like automatic-api-attack-tool, Astra, and restler-fuzzer offer tailored functionalities for API security testing, ranging from attack simulation to fuzzing and vulnerability scanning.
- Cherrybomb: It's an API security tool that audit your API based on an OAS file(the tool written in rust).
Learning and Practice Resources
- OWASP API Security Top 10: Essential reading for understanding common API vulnerabilities (OWASP Top 10).
- API Security Checklist: A comprehensive checklist for securing APIs (GitHub link).
- Logger++ Filters: For hunting API vulnerabilities, Logger++ offers useful filters (GitHub link).
- API Endpoints List: A curated list of potential API endpoints for testing purposes (GitHub gist).
References
[AD REMOVED]