Web API Pentesting

Basic Information

Main:

Web Services (SOAP/XML)
- The documentation uses WSDL format and is usually saved in the ?wsdl path like https://api.example.com/api/?wsdl
- An example of this documentation can be found in http://www.dneonline.com/calculator.asmx (WSDL document in http://www.dneonline.com/calculator.asmx?wsdl) and you can see an example request calling the Add method in http://www.dneonline.com/calculator.asmx?op=Add
- For parsing these files and create example requests you and use the tool SOAPUI or the WSDLer Burp Suite Extension.
REST APIs (JSON)
- The standard documentation is the WADL file. Find an example here: https://www.w3.org/Submission/wadl/. However, there are other more developer friendly API representation engines like https://swagger.io/tools/swagger-ui/ (check the demo in the page)
- For parsing these files and create example requests you an use the tool Postman
****GraphQL****

Tricks

SOAP/XML

These kind of APIs may be vulnerable to XXE, but usually DTD Declarations are disallowed in the input from the user.

You could also try to use CDATA tags to insert payloads (as long as the XML is valid)

Check Access

Usually some API endpoints are gong to need more privileges that others. Always try to access the more privileged endpoints from less privileged (unauthorized) accounts to see if it's possible.

CORS

Always check the CORS configuration of the API, as if its allowing to end request with the credentials from the attacker domain, a lot of damage can be done via CSRF from authenticated victims.

Patterns

Search for API patterns inside the api and try to use it to discover more. If you find /api/albums/<album_id>/photos/<photo_id> **you could try also things like _/api/posts/<post_id>/comment**/_. Use some fuzzer to discover this new endpoints.

Add parameters

Something like the following example might get you access to another user’s photo album: /api/MyPictureList → /api/MyPictureList?user_id=<other_user_id>

Replace parameters

You can try to fuzz parameters or use parameters you have seen in a different endpoints to try to access other information

For example, if you see something like: /api/albums?album_id=<album id>

You could replace the album_id parameter with something completely different and potentially get other data: /api/albums?account_id=<account id>

Parameter pollution

/api/account?id=<your account id> → /api/account?id=<your account id>&id=<admin's account id>

Wildcard parameter

Try to use the following symbols as wildcards: *, %, _, .

/api/users/*
/api/users/%
/api/users/_
/api/users/.

HTTP request method change

You can try to use the HTTP methods: GET, POST, PUT, DELETE, PATCH, INVENTED to try check if the web server gives you unexpected information with them.

Request content-type

Try to play between the following content-types (bodifying acordinly the request body) to make the web server behave unexpectedly:

x-www-form-urlencoded --> user=test
application/xml --> <user>test</user>
application/json --> {"user": "test"}

Parameters types

If JSON data is working try so send unexpected data types like:

{"username": "John"}
{"username": true}
{"username": null}
{"username": 1}
{"username": [true]}
{"username": ["John", true]}
{"username": {"$neq": "lalala"}}
any other combination you may imagine

If you can send XML data, check for XXE injections.

If you send regular POST data, try to send arrays and dictionaries:

username[]=John
username[$neq]=lalala

Play with routes

/files/..%2f..%2f + victim ID + %2f + victim filename

Check possible versions

Old versions may be still be in use and be more vulnerable than latest endpoints

/api/v1/login
/api/v2/login
/api/CharityEventFeb2020/user/pp/<ID>
/api/CharityEventFeb2021/user/pp/<ID>

Owasp API Security Top 10

Read this document to learn how to search and exploit Owasp Top 10 API vulnerabilities: https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf

API Security Checklist

GitHub - shieldfy/API-Security-Checklist: Checklist of the most important security countermeasures when designing, testing, and releasing your APIGitHub

List of possible API endpoints

https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d

Tools

****https://github.com/imperva/automatic-api-attack-tool: Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.
https://github.com/microsoft/restler-fuzzer: RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services. For a given cloud service with an OpenAPI/Swagger specification, RESTler analyzes its entire specification, and then generates and executes tests that exercise the service through its REST API.
****https://github.com/flipkart-incubator/Astra: Another tool for api testing
****https://github.com/assetnote/kiterunner: Great tool to discover API endpoints

PreviousVMWare (ESX, VCenter...)NextWebDav

Last updated 2 years ago