You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: latest/4-Web_Application_Security_Testing/12-API_Testing/01-API_Reconnaissance.md
+15-3Lines changed: 15 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -89,7 +89,7 @@ Even if you have the API documentation browsing the application is a good idea.
89
89
90
90
Browsing the application with an intercepting proxy such as ZAP or Burp Suite records endpoints for later inspection. In addition, using their built-in spidering functionality, intercepting proxies can help generate a comprehensive list of endpoints. From the spidered URLs look for links with obvious API URL naming schemes. These include:
91
91
92
-
-`https://example.com/api/v1` (or v2 etc)
92
+
-`https://example.com/api/v1` (or v2 etc)
93
93
-`https://example.com/graphql`
94
94
95
95
Or subdomains the the applications may consume or depend upon:
@@ -100,6 +100,18 @@ It is important that the pentester attempts to exercise as much functionality in
100
100
101
101
Once completed, the endpoint information obtained from browsing and spidering of the application can help the pentester compose API documentation of the target using other tools such as Postman.
102
102
103
+
### Analyze Intercepted Requests
104
+
105
+
When auditing REST APIs, use an interception proxy to collect full HTTP requests. REST services utilize more than just URL parameters, so capturing the complete request body and headers is critical.
106
+
107
+
Analyze the collected requests to identify non-standard or hidden parameters:
108
+
109
+
- Identify HTTP headers that influence application behavior or resource selection.
110
+
- Determine if a URL segment has a repeating pattern across multiple URLs. Patterns containing dates, numbers, or identifier values may indicate a URL-embedded parameter. For example, in the URL `https://api.example.com/user/2026-10-03/profile`, the date segment may represent a parameter value.
111
+
- Identify structured parameter values formatted in JSON, XML, or other custom structures.
112
+
- Examine the final element of a URL. If it lacks a file extension, it may be a parameter.
113
+
- Look for highly varying URL segments. If a single segment changes frequently across hundreds of requests, it is more likely to represent a parameter value than a static path component.
114
+
103
115
### Google Dorking
104
116
105
117
Using passive reconnaissance techniques such as Google Dorking with directives such as `site` and `inurl` allows us to tailor a search for common API keywords that the Google indexer may have found. Review [Conduct Search Engine Discovery Reconnaissance for Information Leakage](../01-Information_Gathering/01-Conduct_Search_Engine_Discovery_Reconnaissance_for_Information_Leakage.md) for additional information.
@@ -132,7 +144,7 @@ An excellent source of API and other information is the HTML and JavaScript that
132
144
133
145
There are a variety of tools that we can use to help us extract sensitive information from JavaScript transmitted to the browser. These tools are typically based on one of two approaches: Regular Expressions or Abstract Syntax Trees (AST). Then there are generalized tools that help us organize or manage JS files for investigation by AST and Regular Expression tools.
134
146
135
-
Regex is more straightforward by searching JS or HTML content for known patterns. However, this approach can miss content not explicitly identified in the Regular Expression. Given the structure of some JS this approach can miss a lot. ASTs on the other hand are tree-like structures that represent the syntax of source code. Each node in the tree corresponds to a part of the code. For JavaScript, an AST breaks the code into basic components, allowing tools and compilers to understand and modify the code easily.
147
+
Regular expression is more straightforward by searching JS or HTML content for known patterns. However, this approach can miss content not explicitly identified in the Regular Expression. Given the structure of some JS this approach can miss a lot. ASTs on the other hand are tree-like structures that represent the syntax of source code. Each node in the tree corresponds to a part of the code. For JavaScript, an AST breaks the code into basic components, allowing tools and compilers to understand and modify the code easily.
All three of FFUF, DirBuster, and GoBuster are designed to discover hidden paths and files on web servers through brute-forcing techniques. All three use customizable wordlists to generate requests to the target web server, attempting to identify valid directories and files. All three support multi-threaded or highly efficient processing to speed up the brute-forcing process.
182
194
183
-
Some common wordlist files for APIs include: [SecLists](https://github.com/danielmiessler/SecLists) in the Discovery/Web-Content/api section, [GraphQL Wordlist](https://github.com/Escape-Technologies/graphql-wordlist), and [Assetnote](https://wordlists.assetnote.io/).
195
+
Some common wordlist files for APIs include: [SecLists](https://github.com/danielmiessler/SecLists) in the Discovery/Web-Content/API section, [GraphQL Wordlist](https://github.com/Escape-Technologies/graphql-wordlist), and [Assetnote](https://wordlists.assetnote.io/).
Copy file name to clipboardExpand all lines: latest/4-Web_Application_Security_Testing/12-API_Testing/03-Testing_for_Excessive_Data_Exposure.md
+4Lines changed: 4 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -108,6 +108,10 @@ Example: An order endpoint returning an embedded customer object, a payment obje
108
108
109
109
Each nested object should be reviewed for fields that exceed what the consuming client needs.
110
110
111
+
### Test for Mass Assignment
112
+
113
+
For endpoints that accept a JSON or XML body, test for mass assignment vulnerabilities by adding extra fields to the request body beyond those displayed in the application interface. Fields such as role identifiers, privilege flags, or account status attributes are high-value targets.
114
+
111
115
### Check for Sensitive Data in GraphQL Responses
112
116
113
117
GraphQL APIs present a specific form of this issue. While GraphQL allows clients to select which fields they want, the schema may expose sensitive fields that the default UI queries do not request but that an attacker can add to a custom query.
### Test Function-Level Access with Different HTTP Methods
56
56
57
-
Test various **HTTP methods** for BFLA vulnerabilities:
57
+
Test various **HTTP methods** for BFLA vulnerabilities. Test each identified resource with alternative HTTP methods. Issue requests using methods other than those documented (such as `PUT`, `DELETE`, or `PATCH`) against endpoints that normally accept only `GET` or `POST`. Record any difference in response behavior or authorization outcome.
58
58
59
-
-**GET**: Attempt to access information available only to high-privilege users (e.g., administrators).
59
+
-**GET**: Attempt to access information available only to high-privilege users, such as administrators.
60
60
- Example: `GET /api/admin/getAllUsers`
61
-
-**POST/PUT/PATCH**: Attempt to modify or create sensitive resources (e.g., changing user roles, creating or deleting system-critical data).
61
+
-**POST/PUT/PATCH**: Attempt to modify or create sensitive resources, such as changing user rolesor system-critical data.
0 commit comments