Hacking APIs: Difference between revisions
Revision as of 17:08, 7 August 2023
Labs
- Web Service & API Attacks [Paid]
- OWASP API Security Top 10 - 1 [Paid]
Prerequisite reading
- (Book) Hacking APIs: Breaking Web Application Programming Interfaces
- (Book) Black Hat GraphQL: Attacking Next Generation APIs
- SCORCHED EARTH: HACKING BANKS AND CRYPTOCURRENCY EXCHANGES THROUGH THEIR APIS
- OWASP API Security Top 10: https://owasp.org/www-project-api-security | https://apisecurity.io/encyclopedia/content/owasp-api-security-top-10-cheat-sheet-a4.pdf
- GraphQL Injection
Tools
- https://github.com/arainho/awesome-api-security
- https://github.com/dsopas/MindAPI
- Decode JSON Web Tokens (Online): https://jwt.io
- JWT - JSON Web Token
Fuzzing
- KiteRunner (API content discovery): https://github.com/assetnote/kiterunner
Wordlists
- Web API specific wordlists - See Fuzzing:
- https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-large.json.tar.gz
- https://wordlists-cdn.assetnote.io/data/kiterunner/routes-large.kite.tar.gz
- https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-small.json.tar.gz
- https://wordlists-cdn.assetnote.io/data/kiterunner/routes-small.kite.tar.gz
- https://wordlists-cdn.assetnote.io/rawdata/kiterunner/swagger-files.tar
- https://wordlists-cdn.assetnote.io/data/kiterunner/swagger-wordlist.txt
Intercepting proxies
These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web, mobile and API applications.