Hacking APIs: Difference between revisions
Line 22 (previous revision) compared with line 22 (this revision). Unchanged lines are shown once; the only changed line is the Burp entry.

== Intercepting proxies ==
These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web, mobile and API applications.

Previous revision:
* https://portswigger.net/burp

This revision:
* https://portswigger.net/burp (If a WAF is blocking Burpsuite then [https://stackoverflow.com/questions/70129432/how-to-bypass-cloudflare-protection-with-burp try editing your user-agent string])

Unchanged in both revisions:
* https://www.zaproxy.org
* https://mitmproxy.org
* https://www.postman.com [https://enlacehacktivista.org/index.php?title=Learn_to_hack#API_Hacking (API focused)]
* https://github.com/projectdiscovery/proxify
Revision as of 19:57, 3 August 2023
Labs
- Web Service & API Attacks [Paid]
- OWASP API Security Top 10 - 1 [Paid]
Prerequisite reading
- (Book) Hacking APIs: Breaking Web Application Programming Interfaces
- (Book) Black Hat GraphQL: Attacking Next Generation APIs
- SCORCHED EARTH: HACKING BANKS AND CRYPTOCURRENCY EXCHANGES THROUGH THEIR APIS
- OWASP API Security Top 10: https://owasp.org/www-project-api-security (cheat sheet: https://apisecurity.io/encyclopedia/content/owasp-api-security-top-10-cheat-sheet-a4.pdf)
- GraphQL Injection
Tools
- https://github.com/arainho/awesome-api-security
- KiteRunner (API content discovery): https://github.com/assetnote/kiterunner
- https://github.com/microsoft/restler-fuzzer
- https://github.com/dsopas/MindAPI
- Decode JSON Web Tokens (Online): https://jwt.io
- JWT - JSON Web Token
Intercepting proxies
These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web, mobile and API applications.