Pentesting and Red Teaming Notes
  • 🖥️Pentesting and Red Teaming Cheatsheet
  • Web Application Pentesting(BlackBox)
    • SQL Injection
    • Blind SQL Injection
    • Path Traversal
    • Attacking Authentication
    • Race Conditions
    • Business Logic Vulnerabilities
    • Command Injections
    • Information disclosure
    • Access Controls
    • File upload Attacks
    • XXE
    • Server Side Request Forgery
    • Api Testing
    • noSQL
    • DOM based vulnerabilities
    • Cross Site scripting
  • Infrastructure Pentesting
    • Windows Privilege Escalation
    • Attacking Active Directory
    • File Transfers and Download
    • Pivoting(Tunneling and Port Forwarding)
    • Linux Privilege Escalation
    • Stealing NTLM hashes
    • Tricks and Tips
  • Active Directory Pentesting
    • powershell theory
    • Methodology
    • domain enumeration
    • File Transfer
    • PowerShell ADModule
    • Local Privilege Escalation
    • PowerView Commands
    • ACLs Descriptions
    • ACLs Abuse
    • ACL
    • Trusts
    • User Hunting
    • group policy
    • Mimikatz
    • BloodHound
    • LateralMovement
    • Kerberoasting
    • defense bypasses
    • Set-SPN
    • ASREProasting
    • Unconstrained Delegation
    • Constrained Delegation
    • Resource Based Constrained Delegation
    • AD CS
    • Persistance
    • Priv Esc Trusts Inside Forest
    • MSSQL Servers
    • Priv Esc Trusts Across Forest
    • Tips And Tricks
    • Service Tickets and Abuses
  • Reconnaissance
    • Web Application Reconnaissance
    • External Reconnaissance
Powered by GitBook
On this page
  • Discovering Api Endpoints
  • Testing api endpoints
  1. Web Application Pentesting(BlackBox)

Api Testing

What is an api? An api is server side code or program that allows one softwar, program or application to communicate with another software, program or application. Usually the api code written in one language spits data in a specific format like json or xml and this data is used by another program or application.

Discovering Api Endpoints

  • Burp will automatically find apis or we can crawl using burp.

  • Sometimes api endpoints can be placed on separate subdomains eg: https://api-dev.example.com

  • Try finding the api documentation via google dorks or some other techniques.

  • Common api documentation endpoints /api, /swagger/index.html, /openapi.json

  • IF you identify api resource eg: /api/swagger/v1/users/123 make sure to investigate /api/swagger/v1, /api/swagger, /api

  • Also read javascript files for valid api endpoints.

  • JS Link Finder can be a good tool to find api endpoints.

Testing api endpoints

  • Identify supported HTTP Methods like GET, POST, PUT, DELETE, OPTIONS because a single api endpoint eg: /api/tasks can be used to GET list of tasks, POST tasks and DELETE tasks.

  • Identify the content type

  • Maybe in javascript files you will find apis that are never used by the application and we may be able to use them?

  • We can fuzz for additional functons for example we have identified PUT /api/user/update now we can fuzz for other functions such as delete, add, etc.

  • Maybe there exists mass assignment vulnerability where we identify one parameter in an api request and use same parameter in another request? For example in the following api endpoint /api/checkout the response was 

{"chosen_discount":{"percentage":0},"chosen_products":[{"product_id":"1","name":"Lightweight \"l33t\" Leather Jacket","quantity":1,"item_price":133700}]} so what what if during the checkout /api/purchase in the response {"chosen_products":[{"product_id":"1","quantity":1}]}

  • we add item_price to 000

PreviousServer Side Request ForgeryNextnoSQL

Last updated 10 months ago