Hacking APIs - Revision history

Booda: /* Intercepting proxies */

2024-05-05T11:43:50Z

Intercepting proxies

← Older revision		Revision as of 11:43, 5 May 2024
Line 45:		Line 45:
	=== Intercepting proxies ===		=== Intercepting proxies ===
	These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web applications, mobile and APIs.		These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web applications, mobile and APIs.
	* https://www.~~postman~~.com (API focused)		* https://www.usebruno.com (API focused)
	* https://portswigger.net/burp (If a WAF is blocking Burpsuite then [https://stackoverflow.com/questions/70129432/how-to-bypass-cloudflare-protection-with-burp try editing your user-agent string])		* https://portswigger.net/burp (If a WAF is blocking Burpsuite then [https://stackoverflow.com/questions/70129432/how-to-bypass-cloudflare-protection-with-burp try editing your user-agent string])
	* https://www.zaproxy.org \| [https://www.zaproxy.org/blog/2020-08-28-introducing-the-graphql-add-on-for-zap GraphQL Add-on for ZAP] to exploit GraphQL Introspection.		* https://www.zaproxy.org \| [https://www.zaproxy.org/blog/2020-08-28-introducing-the-graphql-add-on-for-zap GraphQL Add-on for ZAP] to exploit GraphQL Introspection.

Booda: /* Tools */

2024-03-31T10:38:43Z

Tools

← Older revision		Revision as of 10:38, 31 March 2024
Line 41:		Line 41:
	* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection GraphQL Injection]		* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection GraphQL Injection]
	* GraphQL Introspection analyzer: https://github.com/gwen001/graphql-introspection-analyzer		* GraphQL Introspection analyzer: https://github.com/gwen001/graphql-introspection-analyzer
	* If you have found API keys perhaps in a JavaScript file but are not sure how to test their validity use keyhacks:https://github.com/streaak/keyhacks		* If you have found API keys perhaps in a JavaScript file but are not sure how to test their validity use keyhacks: https://github.com/streaak/keyhacks

	=== Intercepting proxies ===		=== Intercepting proxies ===

Booda: /* Tools */

2024-03-31T10:38:24Z

Tools

← Older revision		Revision as of 10:38, 31 March 2024
Line 41:		Line 41:
	* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection GraphQL Injection]		* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection GraphQL Injection]
	* GraphQL Introspection analyzer: https://github.com/gwen001/graphql-introspection-analyzer		* GraphQL Introspection analyzer: https://github.com/gwen001/graphql-introspection-analyzer
			* If you have found API keys perhaps in a JavaScript file but are not sure how to test their validity use keyhacks:https://github.com/streaak/keyhacks

	=== Intercepting proxies ===		=== Intercepting proxies ===

Booda: /* Prerequisite reading */

2023-09-30T22:31:50Z

Prerequisite reading

← Older revision		Revision as of 22:31, 30 September 2023
Line 9:		Line 9:
	== Prerequisite reading ==		== Prerequisite reading ==
	* OWASP API Security Top 10: https://owasp.org/www-project-api-security \| https://apisecurity.io/encyclopedia/content/owasp-api-security-top-10-cheat-sheet-a4.pdf		* OWASP API Security Top 10: https://owasp.org/www-project-api-security \| https://apisecurity.io/encyclopedia/content/owasp-api-security-top-10-cheat-sheet-a4.pdf
	* (Book) Hacking APIs: Breaking Web Application Programming Interfaces ~~(2022)~~		* (Book) Hacking APIs: Breaking Web Application Programming Interfaces
	* (Book) Black Hat GraphQL: Attacking Next Generation APIs ~~(2023)~~		* (Book) Black Hat GraphQL: Attacking Next Generation APIs
	* API Whitepapers and reports: https://salt.security/resources		* API Whitepapers and reports: https://salt.security/resources
	* (Book) Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities (Chapter 24 - API Hacking~~) (2021~~)		* (Book) Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities (Chapter 24 - API Hacking)
	* SCORCHED EARTH: [https://web.archive.org/web/20230713230449if_/https://cdn-153.anonfiles.com/a5Q8c02azf/b80f3b8b-1689290042/Scorched-Earth-Whitepaper.pdf HACKING BANKS AND CRYPTOCURRENCY EXCHANGES THROUGH THEIR APIS] ~~(2020)~~		* SCORCHED EARTH: [https://web.archive.org/web/20230713230449if_/https://cdn-153.anonfiles.com/a5Q8c02azf/b80f3b8b-1689290042/Scorched-Earth-Whitepaper.pdf HACKING BANKS AND CRYPTOCURRENCY EXCHANGES THROUGH THEIR APIS]
	* Exploiting GraphQL: https://blog.assetnote.io/2021/08/29/exploiting-graphql		* Exploiting GraphQL: https://blog.assetnote.io/2021/08/29/exploiting-graphql
	* HackTricks - GraphQL: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql		* HackTricks - GraphQL: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql

Booda: /* Prerequisite reading */

2023-09-30T22:31:18Z

Prerequisite reading

← Older revision		Revision as of 22:31, 30 September 2023
Line 11:		Line 11:
	* (Book) Hacking APIs: Breaking Web Application Programming Interfaces (2022)		* (Book) Hacking APIs: Breaking Web Application Programming Interfaces (2022)
	* (Book) Black Hat GraphQL: Attacking Next Generation APIs (2023)		* (Book) Black Hat GraphQL: Attacking Next Generation APIs (2023)
			* API Whitepapers and reports: https://salt.security/resources
	* (Book) Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities (Chapter 24 - API Hacking) (2021)		* (Book) Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities (Chapter 24 - API Hacking) (2021)
	* SCORCHED EARTH: [https://web.archive.org/web/20230713230449if_/https://cdn-153.anonfiles.com/a5Q8c02azf/b80f3b8b-1689290042/Scorched-Earth-Whitepaper.pdf HACKING BANKS AND CRYPTOCURRENCY EXCHANGES THROUGH THEIR APIS] (2020)		* SCORCHED EARTH: [https://web.archive.org/web/20230713230449if_/https://cdn-153.anonfiles.com/a5Q8c02azf/b80f3b8b-1689290042/Scorched-Earth-Whitepaper.pdf HACKING BANKS AND CRYPTOCURRENCY EXCHANGES THROUGH THEIR APIS] (2020)

Booda: /* Tools */

2023-09-25T00:03:08Z

Tools

← Older revision		Revision as of 00:03, 25 September 2023
Line 39:		Line 39:
	* graphw00f is GraphQL Server Engine Fingerprinting utility: https://github.com/dolevf/graphw00f		* graphw00f is GraphQL Server Engine Fingerprinting utility: https://github.com/dolevf/graphw00f
	* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection GraphQL Injection]		* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection GraphQL Injection]
			* GraphQL Introspection analyzer: https://github.com/gwen001/graphql-introspection-analyzer

	=== Intercepting proxies ===		=== Intercepting proxies ===

Booda: /* Exploitation */

2023-09-21T13:57:27Z

Exploitation

← Older revision		Revision as of 13:57, 21 September 2023
Line 66:		Line 66:

	== Exploitation ==		== Exploitation ==
	Although API specific exploitation may require scripting or custom payloads to mass scrape data or exploit vulnerabilities it's still worth knowing common payloads and exploit tools for web applications: https://enlacehacktivista.org/index.php?title=Exploitation		Although API specific exploitation may require scripting or custom payloads to mass scrape data or exploit logic based vulnerabilities it's still worth knowing common payloads and exploit tools for web applications: https://enlacehacktivista.org/index.php?title=Exploitation

Booda at 13:56, 21 September 2023

2023-09-21T13:56:50Z

← Older revision		Revision as of 13:56, 21 September 2023
Line 3:		Line 3:
	Currently there is a severe lack of security testing against APIs (mobile APIs especially) from the white hats, not a lot of efforts in testing and protecting APIs and typically organizations "protect" their APIs using WAFs which are ineffective at defending APIs as they are designed to protect web applications and not logic-based exploits.		Currently there is a severe lack of security testing against APIs (mobile APIs especially) from the white hats, not a lot of efforts in testing and protecting APIs and typically organizations "protect" their APIs using WAFs which are ineffective at defending APIs as they are designed to protect web applications and not logic-based exploits.

	The top 3 most commonly used web APIs used today (2023) are: Rest, GraphQL and SOAP. Common API data transfer formats are: ~~Json~~, ~~Xml~~ and ~~Yaml~~. It's an easier attack vector (for now). Learn how to hack web APIs to facilitate your targeted attacks!		The top 3 most commonly used web APIs used today (2023) are: Rest, GraphQL and SOAP. Common API data transfer formats are: JSON, XML and YAML. It's an easier attack vector (for now). Learn how to hack web APIs to facilitate your targeted attacks!

	See [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon Scanning and Recon], [https://enlacehacktivista.org/index.php?title=Search_Engines_Resources Search Engines], [https://enlacehacktivista.org/index.php?title=Initial_Access_Tactics,_techniques_and_procedures Initial Access Tactics, techniques and procedures] and a [https://youtu.be/FqnSAa2KmBI hackers methodology] and [https://youtu.be/p4JgIu1mceI recon] as prerequisite's to hacking APIs.		See [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon Scanning and Recon], [https://enlacehacktivista.org/index.php?title=Search_Engines_Resources Search Engines], [https://enlacehacktivista.org/index.php?title=Initial_Access_Tactics,_techniques_and_procedures Initial Access Tactics, techniques and procedures] and a [https://youtu.be/FqnSAa2KmBI hackers methodology] and [https://youtu.be/p4JgIu1mceI recon] as prerequisite's to hacking APIs.

Booda at 13:56, 21 September 2023

2023-09-21T13:56:26Z

← Older revision		Revision as of 13:56, 21 September 2023
Line 3:		Line 3:
	Currently there is a severe lack of security testing against APIs (mobile APIs especially) from the white hats, not a lot of efforts in testing and protecting APIs and typically organizations "protect" their APIs using WAFs which are ineffective at defending APIs as they are designed to protect web applications and not logic-based exploits.		Currently there is a severe lack of security testing against APIs (mobile APIs especially) from the white hats, not a lot of efforts in testing and protecting APIs and typically organizations "protect" their APIs using WAFs which are ineffective at defending APIs as they are designed to protect web applications and not logic-based exploits.

	The top 3 most commonly used web APIs used today (2023) are: Rest, GraphQL and SOAP. Common API formats are: Json, Xml and Yaml ~~for data transfer~~. It's an easier attack vector (for now). Learn how to hack web APIs to facilitate your targeted attacks!		The top 3 most commonly used web APIs used today (2023) are: Rest, GraphQL and SOAP. Common API data transfer formats are: Json, Xml and Yaml. It's an easier attack vector (for now). Learn how to hack web APIs to facilitate your targeted attacks!

	See [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon Scanning and Recon], [https://enlacehacktivista.org/index.php?title=Search_Engines_Resources Search Engines], [https://enlacehacktivista.org/index.php?title=Initial_Access_Tactics,_techniques_and_procedures Initial Access Tactics, techniques and procedures] and a [https://youtu.be/FqnSAa2KmBI hackers methodology] and [https://youtu.be/p4JgIu1mceI recon] as prerequisite's to hacking APIs.		See [https://enlacehacktivista.org/index.php?title=Scanning_and_Recon Scanning and Recon], [https://enlacehacktivista.org/index.php?title=Search_Engines_Resources Search Engines], [https://enlacehacktivista.org/index.php?title=Initial_Access_Tactics,_techniques_and_procedures Initial Access Tactics, techniques and procedures] and a [https://youtu.be/FqnSAa2KmBI hackers methodology] and [https://youtu.be/p4JgIu1mceI recon] as prerequisite's to hacking APIs.

Booda: /* Prerequisite reading */

2023-09-10T15:15:08Z

Prerequisite reading

← Older revision		Revision as of 15:15, 10 September 2023
Line 13:		Line 13:
	* (Book) Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities (Chapter 24 - API Hacking) (2021)		* (Book) Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities (Chapter 24 - API Hacking) (2021)
	* SCORCHED EARTH: [https://web.archive.org/web/20230713230449if_/https://cdn-153.anonfiles.com/a5Q8c02azf/b80f3b8b-1689290042/Scorched-Earth-Whitepaper.pdf HACKING BANKS AND CRYPTOCURRENCY EXCHANGES THROUGH THEIR APIS] (2020)		* SCORCHED EARTH: [https://web.archive.org/web/20230713230449if_/https://cdn-153.anonfiles.com/a5Q8c02azf/b80f3b8b-1689290042/Scorched-Earth-Whitepaper.pdf HACKING BANKS AND CRYPTOCURRENCY EXCHANGES THROUGH THEIR APIS] (2020)
			* Exploiting GraphQL: https://blog.assetnote.io/2021/08/29/exploiting-graphql
			* HackTricks - GraphQL: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql

	== Testing environments ==		== Testing environments ==