Hacking APIs

From Enlace Hacktivista

Revision as of 00:40, 7 August 2023 by Booda (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to navigation Jump to search

Labs

Web Service & API Attacks [Paid]
OWASP API Security Top 10 - 1 [Paid]
- OWASP API Security Top 10 - 2 [Paid]

Prerequisite reading

(Book) Hacking APIs: Breaking Web Application Programming Interfaces
(Book) Black Hat GraphQL: Attacking Next Generation APIs
SCORCHED EARTH: HACKING BANKS AND CRYPTOCURRENCY EXCHANGES THROUGH THEIR APIS
OWASP API Security Top 10: https://owasp.org/www-project-api-security | https://apisecurity.io/encyclopedia/content/owasp-api-security-top-10-cheat-sheet-a4.pdf
GraphQL Injection

Tools

https://github.com/arainho/awesome-api-security
KiteRunner, API content discovery. https://github.com/assetnote/kiterunner
https://github.com/microsoft/restler-fuzzer
https://github.com/dsopas/MindAPI
Decode JSON Web Tokens (Online): https://jwt.io
JWT - JSON Web Token

Wordlists

Kiterunner is a contexual content discovery tool built by Assetnote built for testing APIs. You can use the .kite files with the Kiterunner tool. Additionally, the swagger-wordlist.txt dataset can be used with traditional content discovery tools: https://wordlists.assetnote.io

Intercepting proxies

These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web, mobile and API applications.

https://portswigger.net/burp (If a WAF is blocking Burpsuite then try editing your user-agent string)
https://www.zaproxy.org
https://mitmproxy.org
https://www.postman.com (API focused)
https://github.com/projectdiscovery/proxify

Retrieved from "https://enlacehacktivista.org/index.php?title=Hacking_APIs&oldid=1410"