Hacking APIs: Difference between revisions

Labs

• HackTheBox (HTB) Academy: Web Service & API Attacks [Paid]
• TryHackMe (THM): OWASP API Security Top 10 - 1 [Paid]
  • TryHackMe (THM): OWASP API Security Top 10 - 2 [Paid]

Prerequisite reading

• (Book) Hacking APIs: Breaking Web Application Programming Interfaces
• (Book) Black Hat GraphQL: Attacking Next Generation APIs
• SCORCHED EARTH: HACKING BANKS AND CRYPTOCURRENCY EXCHANGES THROUGH THEIR APIS
• OWASP API Security Top 10: https://owasp.org/www-project-api-security | https://apisecurity.io/encyclopedia/content/owasp-api-security-top-10-cheat-sheet-a4.pdf
• GraphQL Injection

Tools

• A collection of API Security tools and resources: https://github.com/arainho/awesome-api-security
• Organize your API security assessment by using MindAPI - Bringing order to API hacking chaos!: https://github.com/dsopas/MindAPI | MindAPI
• Decode JSON Web Tokens (Online): https://jwt.io
• JWT - JSON Web Token

Fuzzing

• KiteRunner, web API content discovery. https://github.com/assetnote/kiterunner

Wordlists

• Web API specific wordlists - See Fuzzing:

1. https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-large.json.tar.gz
2. https://wordlists-cdn.assetnote.io/data/kiterunner/routes-large.kite.tar.gz
3. https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-small.json.tar.gz
4. https://wordlists-cdn.assetnote.io/data/kiterunner/routes-small.kite.tar.gz
5. https://wordlists-cdn.assetnote.io/rawdata/kiterunner/swagger-files.tar
6. https://wordlists-cdn.assetnote.io/data/kiterunner/swagger-wordlist.txt

• https://wordlists.assetnote.io

Intercepting proxies

These let you view, edit, and replay requests, and are extremely useful for finding vulnerabilities in web, mobile and API applications.

• https://portswigger.net/burp (If a WAF is blocking Burpsuite then try editing your user-agent string)
• https://www.zaproxy.org
• https://mitmproxy.org
• https://www.postman.com (API focused)
• https://github.com/projectdiscovery/proxify