hacktricks/pentesting/pentesting-web/web-api-pentesting.md

170 lines
8.3 KiB
Markdown
Raw Normal View History

2022-04-28 18:01:33 +02:00
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
2021-06-08 20:47:44 +02:00
# Web API Pentesting
## Basic Information
Main:
* **Web Services (SOAP/XML)**
* The documentation uses **WSDL** format and is usually saved in the `?wsdl` path like `https://api.example.com/api/?wsdl`
* An example of this documentation can be found in [http://www.dneonline.com/calculator.asmx](http://www.dneonline.com/calculator.asmx) (WSDL document in [http://www.dneonline.com/calculator.asmx?wsdl](http://www.dneonline.com/calculator.asmx?wsdl)) and you can see an example request calling the `Add` method in [http://www.dneonline.com/calculator.asmx?op=Add](http://www.dneonline.com/calculator.asmx?op=Add)
* For parsing these files and create example requests you and use the tool **SOAPUI** or the **WSDLer** Burp Suite Extension.
2022-04-06 00:24:52 +02:00
* **REST APIs (JSON)**
* The standard documentation is the WADL file. Find an example here: [https://www.w3.org/Submission/wadl/](https://www.w3.org/Submission/wadl/). However, there are other more developer friendly API representation engines like [https://swagger.io/tools/swagger-ui/](https://swagger.io/tools/swagger-ui/) (check the demo in the page)
* For parsing these files and create example requests you an use the tool **Postman**
2022-04-06 00:24:52 +02:00
* [**GraphQL**](graphql.md)
## Tricks
### SOAP/XML
These kind of APIs may be [**vulnerable to XXE**](../../pentesting-web/xxe-xee-xml-external-entity.md), but usually **DTD Declarations** are **disallowed** in the input from the user.
You could also try to use CDATA tags to insert payloads (as long as the XML is valid)
![](<../../.gitbook/assets/image (534).png>)
### Check Access
Usually some API endpoints are gong to need more privileges that others. Always try to access the more privileged endpoints from less privileged (unauthorized) accounts to see if it's possible.
### CORS
Always check the [**CORS**](../../pentesting-web/cors-bypass.md) configuration of the API, as if its allowing to end request with the credentials from the attacker domain, a lot of damage can be done via [**CSRF**](../../pentesting-web/csrf-cross-site-request-forgery.md) from authenticated victims.
### Patterns
Search for API patterns inside the api and try to use it to discover more.\
2021-11-30 17:46:07 +01:00
If you find _/api/albums/**\<album\_id>**/photos/**\<photo\_id>**_** ** you could try also things like _/api/**posts**/\<post\_id>/**comment**/_. Use some fuzzer to discover this new endpoints.
### Add parameters
Something like the following example might get you access to another users photo album:\
2021-11-30 17:46:07 +01:00
_/api/MyPictureList → /api/MyPictureList?**user\_id=\<other\_user\_id>**_
### Replace parameters
2021-11-30 17:46:07 +01:00
You can try to **fuzz parameters** or **use** parameters **you have seen** in a different endpoints to try to access other information
2021-11-30 17:46:07 +01:00
For example, if you see something like: _/api/albums?**album\_id=\<album id>**_
2021-11-30 17:46:07 +01:00
You could **replace** the **`album_id`** parameter with something completely different and potentially get other data: _/api/albums?**account\_id=\<account id>**_
### Parameter pollution
2022-04-06 00:24:52 +02:00
/api/account?**id=\<your account id>** → /api/account?**id=\<your account id>\&id=\<admin's account id>**
2021-03-04 12:50:43 +01:00
### Wildcard parameter
2021-11-30 17:46:07 +01:00
Try to use the following symbols as wildcards: **\***, **%**, **\_**, **.**
2021-03-04 12:50:43 +01:00
2022-04-06 00:24:52 +02:00
* /api/users/\*
2021-03-04 12:50:43 +01:00
* /api/users/%
* /api/users/\_
* /api/users/.
2021-09-02 11:03:27 +02:00
### HTTP request method change
You can try to use the HTTP methods: **GET, POST, PUT, DELETE, PATCH, INVENTED** to try check if the web server gives you unexpected information with them.
### Request content-type
Try to play between the following content-types (bodifying acordinly the request body) to make the web server behave unexpectedly:
2021-11-30 17:46:07 +01:00
* **x-www-form-urlencoded** --> user=test
* **application/xml** --> \<user>test\</user>
* **application/json** --> {"user": "test"}
2021-03-04 12:50:43 +01:00
### Parameters types
2021-11-30 17:46:07 +01:00
If **JSON** data is working try so send unexpected data types like:
2021-03-04 12:50:43 +01:00
* {"username": "John"}
* {"username": true}
2021-03-05 13:03:56 +01:00
* {"username": null}
2021-03-04 12:50:43 +01:00
* {"username": 1}
* {"username": \[true]}
* {"username": \["John", true]}
2021-03-04 12:50:43 +01:00
* {"username": {"$neq": "lalala"}}
* any other combination you may imagine
2021-11-30 17:46:07 +01:00
If you can send **XML** data, check for [XXE injections](../../pentesting-web/xxe-xee-xml-external-entity.md).
2021-03-04 12:50:43 +01:00
If you send regular POST data, try to send arrays and dictionaries:
* username\[]=John
* username\[$neq]=lalala
2021-03-04 12:50:43 +01:00
### Play with routes
`/files/..%2f..%2f + victim ID + %2f + victim filename`
### Check possible versions
2021-09-14 12:56:33 +02:00
Old versions may be still be in use and be more vulnerable than latest endpoints
* `/api/v1/login`
* `/api/v2/login`\
2022-04-06 00:24:52 +02:00
* `/api/CharityEventFeb2020/user/pp/<ID>`
* `/api/CharityEventFeb2021/user/pp/<ID>`
## Owasp API Security Top 10
2021-11-30 17:46:07 +01:00
Read this document to learn how to **search** and **exploit** Owasp Top 10 API vulnerabilities: [https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf](https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf)
## API Security Checklist
{% embed url="https://github.com/shieldfy/API-Security-Checklist" %}
## List of possible API endpoints
[https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d](https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d)
## Tools
2022-04-06 00:24:52 +02:00
* [**https://github.com/imperva/automatic-api-attack-tool**](https://github.com/imperva/automatic-api-attack-tool): Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.
2021-09-02 11:03:27 +02:00
* [**https://github.com/microsoft/restler-fuzzer**](https://github.com/microsoft/restler-fuzzer): RESTler is the _first stateful REST API fuzzing tool_ for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services. For a given cloud service with an OpenAPI/Swagger specification, RESTler analyzes its entire specification, and then generates and executes tests that exercise the service through its REST API.
2022-04-06 00:24:52 +02:00
* [**https://github.com/flipkart-incubator/Astra**](https://github.com/flipkart-incubator/Astra): Another tool for api testing
* [**https://github.com/assetnote/kiterunner**](https://github.com/assetnote/kiterunner): Great tool to **discover API endpoints**
2022-04-28 18:01:33 +02:00
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>