From d405732c50cc8941f1362d1eda63e135842898b8 Mon Sep 17 00:00:00 2001 From: CPol Date: Thu, 4 Mar 2021 11:50:43 +0000 Subject: [PATCH] GitBook: [master] one page modified --- pentesting/pentesting-web/api-pentesting.md | 28 +++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/pentesting/pentesting-web/api-pentesting.md b/pentesting/pentesting-web/api-pentesting.md index 4d8ebf04..1141648d 100644 --- a/pentesting/pentesting-web/api-pentesting.md +++ b/pentesting/pentesting-web/api-pentesting.md @@ -28,6 +28,15 @@ You could **replace** the **`album_id`** parameter with something completely dif /api/account?**id=<your account id>** → /api/account?**id=<your account id>&id=<admin's account id>** +### Wildcard parameter + +Try to use the following symbols as wildcards: **\***, **%**, **\_**, **.** + +* /api/users/\* +* /api/users/% +* /api/users/\_ +* /api/users/. + ### HTTP requet method change You can try to use the HTTP methods: **GET, POST, PUT, DELETE, PATCH, INVENTED** to try check if the web server gives you unexpected information with them. @@ -40,6 +49,25 @@ Try to play between the following content-types \(bodifying acordinly the reques * **application/xml** --> <user>test</user> * **application/json** --> {"user": "test"} +### Parameters types + +If **JSON** data is working try so send unexpected data types like: + +* {"username": "John"} +* {"username": true} +* {"username": 1} +* {"username": \[true\]} +* {"username": \["John", true\]} +* {"username": {"$neq": "lalala"}} +* any other combination you may imagine + +If you can send **XML** data, check for [XXE injections](../../pentesting-web/xxe-xee-xml-external-entity.md). + +If you send regular POST data, try to send arrays and dictionaries: + +* username\[\]=John +* username\[$neq\]=lalala + ### Play with routes `/files/..%2f..%2f + victim ID + %2f + victim filename`
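Review bot: in the "Wildcard parameter" hunk, `/api/users/%` sends a bare `%` that is not a valid percent-encoding on its own (a `%` must be followed by two hex digits), so many servers, WAFs and reverse proxies reject the request with a 400 before any routing or query logic ever sees it; add the encoded forms `%25` (for `%`) and `%2A` (for `*`) to the list so the reader also tries the variant that actually reaches the backend. The heading says "parameter" but all four bullets are path segments; either rename it to "Wildcard path segment" or add a query-string form such as `/api/users?id=*` so the heading matches the examples. The trailing context line `### HTTP requet method change` also carries a typo (`request`).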
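Review bot: in the "Parameters types" hunk, `$neq` in `{"username": {"$neq": "lalala"}}` and in `username[$neq]=lalala` is not a MongoDB query operator; the not-equal operator is `$ne`, so both payloads as written are either rejected as an unknown operator or silently ignored and the NoSQL-injection probe yields a false negative. Change both to `$ne`, and consider adding a `$gt` or `$regex` variant, which are the operators usually used to prove the injection. Also fix `try so send` to `try to send` and the heading `### Parameters types` to `### Parameter types`.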