API SEC

1. API Reconnaissance

Passive Reconnaissance

  • Google Dorks

  • GitHub Dorks

  • Shodan Dorks

  • Archive.org

Active Reconnaissance

  • Gobuster

  • Amass

2. Endpoint Analysis

3. Scanning APIs

  • OWASP ZAP

    • Import OpenAPI definition

    • Automated scanner - Manual Explore

4. API Authentication Attacks

5. Exploiting API Authorization

Broken Object Level Authorization (BOLA)

  • Search for IDs in URL and body parameters

Broken Function Level Authorization (BFLA)

  • Change IDs in CRUD requests

6. Improper Assets Management

  • Check for old versions of the API: they may still contain old vulnerabilities

7. Mass Assignment

  • Overwrite object properties

  • Add parameters to the user registration process to escalate privilege
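Added example (not part of the original notes): a registration handler that binds the whole request body onto the user record, beside an allowlist-based version that rejects the extra privileged property. The field names, defaults and the `MassAssignmentError` class are assumptions made for the example.

```python
import json

# Fields a self-service registration request may set (constructed allowlist).
REGISTRATION_FIELDS = {"username", "email", "password"}

# Server-controlled defaults: never taken from client input.
SERVER_DEFAULTS = {"role": "user", "is_admin": False, "credits": 0}


class MassAssignmentError(ValueError):
    """Raised when a request carries fields the endpoint does not accept."""


def register_vulnerable(payload: dict) -> dict:
    """Mass-assignment pattern: every client field is copied onto the record."""
    user = dict(SERVER_DEFAULTS)
    user.update(payload)  # 'is_admin' / 'role' from the request overwrite defaults
    return user


def register_hardened(payload: dict) -> dict:
    """Allowlist binding: copy only known fields, reject anything else."""
    unexpected = set(payload) - REGISTRATION_FIELDS
    if unexpected:
        # Rejecting instead of silently dropping makes the probe visible in logs.
        raise MassAssignmentError(f"unexpected fields: {sorted(unexpected)}")
    user = dict(SERVER_DEFAULTS)
    user.update({k: payload[k] for k in REGISTRATION_FIELDS if k in payload})
    return user


def hardened_accepts(payload: dict) -> bool:
    """True if the hardened handler accepts the body, False if it rejects it."""
    try:
        register_hardened(payload)
        return True
    except MassAssignmentError:
        return False


# Constructed request body: a normal signup with one extra privileged property.
SAMPLE_REQUEST = json.loads(
    '{"username": "alice", "email": "alice@example.com", '
    '"password": "pw", "is_admin": true}'
)

if __name__ == "__main__":
    print("vulnerable:", register_vulnerable(SAMPLE_REQUEST))
    print("hardened accepts:", hardened_accepts(SAMPLE_REQUEST))
```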
