API Testing

What is an API? An API is server-side code or a program that allows one software program or application to communicate with another. Usually the API code, written in one language, emits data in a specific format such as JSON or XML, and that data is consumed by another program or application.

Discovering API Endpoints

  • Burp will automatically find APIs, or we can crawl using Burp.

  • Sometimes API endpoints are placed on separate subdomains, e.g. https://api-dev.example.com

  • Try finding the API documentation via Google dorks or other techniques.

  • Common API documentation endpoints: /api, /swagger/index.html, /openapi.json

  • If you identify an API resource, e.g. /api/swagger/v1/users/123, make sure to also investigate /api/swagger/v1, /api/swagger and /api.

  • Also read JavaScript files for valid API endpoints.

  • JS Link Finder can be a good tool to find API endpoints.

Testing API endpoints

  • Identify the supported HTTP methods such as GET, POST, PUT, DELETE and OPTIONS, because a single API endpoint, e.g. /api/tasks, may be used to GET the list of tasks, POST a task and DELETE a task.

  • Identify the content type.

  • JavaScript files may reference APIs that the application itself never calls; check whether those endpoints are still reachable.

  • We can fuzz for additional functions: for example, having identified PUT /api/user/update, we can fuzz for other functions such as delete, add, etc.

  • Maybe there exists a mass assignment vulnerability, where we identify a parameter in one API response and supply the same parameter in another request. For example, the response from the API endpoint /api/checkout was

    {"chosen_discount":{"percentage":0},"chosen_products":[{"product_id":"1","name":"Lightweight \"l33t\" Leather Jacket","quantity":1,"item_price":133700}]}

    and during checkout the /api/purchase request carried

    {"chosen_products":[{"product_id":"1","quantity":1}]}

    so what if we add item_price with a value of 0 to that request?
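As an added illustration (not part of the original notes), a Python sketch of the purchase handler behind the example above: the mass-assignment-prone version binds every client-supplied field onto the order line, while the hardened version allowlists product_id and quantity, prices each line from a server-side catalog and flags unexpected fields for logging. The catalog, the request bodies and the function names are constructed assumptions.

```python
import json

# Constructed server-side catalog (assumption): product id -> unit price in cents.
CATALOG = {"1": {"name": 'Lightweight "l33t" Leather Jacket', "price": 133700}}

# Only these fields may be bound from a client-supplied purchase item.
ALLOWED_ITEM_FIELDS = {"product_id", "quantity"}

# Constructed /api/purchase bodies: one clean, one carrying a client-chosen item_price.
CLEAN_BODY = json.dumps({"chosen_products": [{"product_id": "1", "quantity": 1}]})
TAMPERED_BODY = json.dumps({"chosen_products": [{"product_id": "1", "quantity": 1, "item_price": 0}]})


def unexpected_fields(body: str) -> list:
    """Return client-supplied item fields outside the allowlist (worth logging/alerting on)."""
    order = json.loads(body)
    extra = set()
    for item in order.get("chosen_products", []):
        extra |= set(item) - ALLOWED_ITEM_FIELDS
    return sorted(extra)


def purchase_vulnerable(body: str) -> int:
    """Mass-assignment-prone handler: every client field is bound onto the order line,
    so a client-supplied item_price silently replaces the catalog price."""
    order = json.loads(body)
    total = 0
    for item in order["chosen_products"]:
        line = {"quantity": 1, "item_price": CATALOG[item["product_id"]]["price"]}
        line.update(item)  # unsafe: client values overwrite server values
        total += line["item_price"] * line["quantity"]
    return total


def purchase_hardened(body: str) -> int:
    """Allowlisted handler: reads only product_id and quantity from the client,
    prices every line from the catalog, and rejects requests carrying extra fields."""
    extra = unexpected_fields(body)
    if extra:
        raise ValueError(f"unexpected fields in purchase item: {extra}")
    order = json.loads(body)
    total = 0
    for item in order["chosen_products"]:
        product = CATALOG.get(item["product_id"])
        quantity = int(item["quantity"])
        if product is None or quantity < 1:
            raise ValueError("invalid product or quantity")
        total += product["price"] * quantity  # price is never taken from the client
    return total
```

Running both handlers over TAMPERED_BODY shows the vulnerable total collapsing to 0 while the hardened one refuses the request; the unexpected_fields output is what a detection rule would key on.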
