GitBook: [master] one page modified

CPol 2021-03-04 11:50:43 +00:00 committed by gitbook-bot
parent 17b7f4d0da
commit d405732c50
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF

@ -28,6 +28,15 @@ You could **replace** the **`album_id`** parameter with something completely dif
/api/account?**id=<your account id>** → /api/account?**id=<your account id>&id=<admin's account id>**
### Wildcard parameter
Try to use the following symbols as wildcards: **\***, **%**, **\_**, **.**
* /api/users/\*
* /api/users/%
* /api/users/\_
* /api/users/.
### HTTP requet method change
You can try to use the HTTP methods: **GET, POST, PUT, DELETE, PATCH, INVENTED** to try check if the web server gives you unexpected information with them.
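Review bot: the "Wildcard parameter" section lists four paths under /api/users/ but never says what result the reader should treat as a finding, or why these four symbols were chosen. Add one sentence on the expected signal, for example a response that returns records other than the caller's own, and note that the backslashes in `\*` and `\_` are Markdown escapes and not part of the path. Separately, the heading "### HTTP requet method change" is misspelled ("request"), and "to try check if" should read "to check whether".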
@ -40,6 +49,25 @@ Try to play between the following content-types \(bodifying acordinly the reques
* **application/xml** --> <user>test</user>
* **application/json** --> {"user": "test"}
### Parameters types
If **JSON** data is working try so send unexpected data types like:
* {"username": "John"}
* {"username": true}
* {"username": 1}
* {"username": \[true\]}
* {"username": \["John", true\]}
* {"username": {"$neq": "lalala"}}
* any other combination you may imagine
If you can send **XML** data, check for [XXE injections](../../pentesting-web/xxe-xee-xml-external-entity.md).
If you send regular POST data, try to send arrays and dictionaries:
* username\[\]=John
* username\[$neq\]=lalala
### Play with routes
`/files/..%2f..%2f + victim ID + %2f + victim filename`
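Review bot: in the "Parameters types" list, `{"username": {"$neq": "lalala"}}` and `username[$neq]=lalala` use `$neq`, which is not a MongoDB query operator (the not-equal operator there is `$ne`). Name the backend these two entries are meant for and use its operator; as written they only exercise type handling. Also, the heading should read "Parameter types", "try so send" should be "try to send", and the bullet "any other combination you may imagine" is not actionable and can be dropped.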