MindAPI.md

File metadata and controls

407 lines (305 loc) · 11.8 KB

MindAPI

Reconnaissance

Identify architecture

Architecture

  • REST API
  • GraphQL
  • SOAP
  • XML-RPC
  • JSON-RPC
  • gRPC-Protobuf
    • Identify gRPC
      • Accept request header
      • Content-Type request header
      • Access-Control-Expose-Headers response header

Documentation

Check for documentation

Automatic

  • Swagger
  • WADL
    • /application.wadl
    • /application.wadl?detail=true
    • /api/application.wadl
  • WSDL
  • GraphQL

Manual

  • site:target.tld intitle:api | developer

Search for APIs

Traffic Analysis

Wayback Machine

Path Manipulation

  • /api/v1
  • /api/v2
  • /api/v3

Dorks

  • Google
    • site:target.tld inurl:api
    • intitle:"index of" "api.yaml" site:target.tld
    • intitle:"index of" intext:"apikey.txt" site:target.tld
    • allintext:"API_SECRET*" ext:env | ext:yml site:target.tld
  • GitHub

API Directories

Enumerate endpoints / methods

Endpoints

  • GraphQL
  • Swagger
  • WADL
  • Other

Tools

  • ffuf
  • Amass
  • nuclei
  • Jaeles
  • Arjun
  • ParamSpider
  • param-miner
  • TnT-Fuzzer

Supported Content Types

  • Play with request URL
    • Requested resource extension, e.g. replacing .json with .xml
    • Query string, e.g. replacing ?json with ?xml or ?format=json with ?format=xml
  • Play with the Content-Type request header and the payload
    • Without a Content-Type header, submit JSON, XML, ...
    • Change the Content-Type and the payload accordingly

Testing

Broken Object Level Authorization

Endpoint receives an ID?

  • Understand the pattern
    • Sequential
    • Encoded
    • Other
  • Tamper
    • Change
      • Next value
      • Previous value
      • Data type
        • Is it a number? Change it to a string
        • Is it a string? Change it to a number
      • Method -> GET to POST
    • Duplicate
      • ?id=1&id=2
    • Add as an array
      • ?id[]=1&id[]=2
    • Wildcard
      • GET /users/id -> GET /users/*
    • Cross-deployment IDs
      • Identify other deployments (hosts) of your target API
      • Enumerate resource IDs (often non-numerical/non-sequential ones)
      • Test those IDs on your target API host

Check the response

Tools

Broken Authentication

Test

  • Sensitive data in the URL
    • Passwords
    • Tokens
  • Brute force attacks
    • Login
    • Forgot Password
    • Forgot Username
  • Authenticity of tokens
  • Password
    • Strength
      • Changing password
      • Registration
    • Type
      • Plain text
      • Weak encryption
      • Weak hash algorithm
  • API keys
    • Predictable
    • Weak hash algorithm

Types of Authentication

  • JWT
    • Test JWT secret brute-forcing
    • Abusing JWT public keys without knowing the public key
    • Test if the algorithm can be changed
    • Test token expiration time (TTL, RTTL)
    • Test if sensitive data is in the JWT
    • Check for injection in the "kid" element
    • Check for constant-time verification of the HMAC
    • Check that keys and secrets are different between environments (ENV)
  • OAuth
    • Test redirect_uri
      • Open redirects
        • Common issues
          • ?redirect_uri=https://attacker.com
          • ?redirect_uri=https://ATTACKER.TARGET.TLD
          • ?redirect_uri=https://ALLOWED_HOST.com/callback?redirectUrl=https://attacker.com
          • ?redirect_uri=https://TARGET.TLD.attacker.com
          • ?redirect_uri=https://TARGET.TLD%252eattacker.com
          • ?redirect_uri=https://TARGET.TLD//attacker.com/
        • Fuzz
          • ?redirect_uri=https://TARGET.TLD§FUZZ§
          • ?redirect_uri=https://§FUZZ§TARGET.TLD
      • XSS
    • Test the existence of response_type=token
    • Testing state
      • Missing state parameter?
        • CSRF
          • Generate a valid authorization_code and don't use it
            • Send the crafted CSRF page to TARGET
      • Predictable state parameter?
      • Is the state parameter being verified?
    • If you revoke access, is the code also revoked?
  • Basic Auth
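The JWT checks above, seen from the defender's side: a verifier, added here as an example and not part of MindAPI, that pins the algorithm (so alg=none or an algorithm swap is rejected), treats "kid" as a table lookup rather than a path or query, compares the HMAC in constant time and requires a future exp. The secret, the kid name and the claims are constructed values.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values; a real service loads the secret per environment and never shares it.
SECRET = b"constructed-demo-secret-do-not-reuse"
ALLOWED_ALGS = {"HS256"}             # pinned server-side; "none" and algorithm swaps are rejected
KNOWN_KIDS = {"demo-key-1": SECRET}  # kid is only a lookup key in this table

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    # Mints a token; used here only to build inputs for verify_jwt.
    signing_input = ".".join(_b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload))
    return signing_input + "." + _b64url_encode(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def verify_jwt(token: str, now=None) -> dict:
    # Returns the payload if every check passes, otherwise raises ValueError.
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # 1. The token's alg is matched against an allow-list; it never selects the algorithm.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    # 2. kid is a dictionary lookup, never a file path, URL or query fragment.
    key = KNOWN_KIDS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    # 3. Recompute the HMAC over the exact bytes received and compare in constant time.
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    # 4. exp is mandatory and must still be in the future (short TTL).
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or missing exp")
    return payload

def verdict(token: str, now=None) -> str:
    # "ok" or the rejection reason, a shape that is easy to log and alert on.
    try:
        verify_jwt(token, now)
        return "ok"
    except ValueError as exc:
        return str(exc)
```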

Excessive Data Exposure

Check if the API returns full data objects from the database, including sensitive data

Compare the data shown by the client with the API response to check whether filtering is done on the client side

Sniff the traffic to check for sensitive data returned by the API

Lack of Resources & Rate Limiting

Execution timeouts

Test brute-force attacks

Maximum allocatable memory

Number of file descriptors

Number of processes

Request payload size (e.g. uploads)

Number of requests per client/resource

Number of records per page to return in a single request response

Broken Function Level Authorization

  • Can a regular user access administrative endpoints? (MindAPI recon can help you here)
  • Does using different HTTP methods (GET, POST, PUT, DELETE, PATCH) allow privilege escalation?
  • Enumerate/brute-force endpoints to find ones that accept unauthorized requests (MindAPI recon can help you here)

Mass Assignment

Enumerate object properties

  • API documentation (Reconnaissance)
  • Inspect available API clients' network traffic
    • Desktop
    • Mobile
    • Web
  • Exercise data retrieval endpoints
    • Watch out for parameters like ?include=user.addresses,user.cards
  • Uncover hidden properties
    • Guessing, based on API context
    • Reverse engineering available API clients
    • Fuzzing

Craft request payloads

  • Include augmented objects
    • One additional property at a time
    • Possible combinations of properties
    • All enumerated properties at once
  • Vary properties data types/values
    • Number, String, Array, Object
    • State values: to-do -> in-progress -> done (keep in mind possible state transitions)
  • Test different operation types
    • Create
    • Update

Security Misconfiguration

The latest security patches are missing, or the systems are out of date.

Can you use other HTTP verbs?

Test if Transport Layer Security (TLS) is missing

Test for security headers

Is CORS properly configured?

Force an error to see if any sensitive information is exposed

GraphQL

Injection

Test if user input is validated, filtered, or sanitized by the API

Test if client data is used in or concatenated into DB queries, OS commands, etc.

Check if incoming data from external systems is validated, filtered, or sanitized by the API

Improper Assets Management

  • Check for the API documentation (MindAPI recon can help you here)
  • Hosts inventory is missing or outdated.
  • Integrated services inventory, either first- or third-party, is missing or outdated.
  • Old or previous API versions are running unpatched.