Hacking APIs: Difference between revisions

Labs

• Web Service & API Attacks [Paid]
• OWASP API Security Top 10 - 1 [Paid]
  • OWASP API Security Top 10 - 2 [Paid]

Prerequisite reading

• (Book) Hacking APIs: Breaking Web Application Programming Interfaces
• (Book) Black Hat GraphQL: Attacking Next Generation APIs
• SCORCHED EARTH: HACKING BANKS AND CRYPTOCURRENCY EXCHANGES THROUGH THEIR APIS
• OWASP API Security Top 10: https://owasp.org/www-project-api-security | https://apisecurity.io/encyclopedia/content/owasp-api-security-top-10-cheat-sheet-a4.pdf
• GraphQL Injection

Tools

• https://github.com/arainho/awesome-api-security
• KiteRunner, API content discovery. https://github.com/assetnote/kiterunner
• https://github.com/microsoft/restler-fuzzer
• https://github.com/dsopas/MindAPI
• Decode JSON Web Tokens (Online): https://jwt.io
• JWT - JSON Web Token

Wordlists

• Kiterunner is a contexual content discovery tool built by Assetnote built for testing APIs. You can use the .kite files with the Kiterunner tool. Additionally, the swagger-wordlist.txt dataset can be used with traditional content discovery tools: https://wordlists.assetnote.io

Intercepting proxies

These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web, mobile and API applications.

• https://portswigger.net/burp (If a WAF is blocking Burpsuite then try editing your user-agent string)
• https://www.zaproxy.org
• https://mitmproxy.org
• https://www.postman.com (API focused)
• https://github.com/projectdiscovery/proxify