Information Gathering

Endpoint Enumeration

Download SecLists with:

git clone https://github.com/danielmiessler/SecLists.git

You can find interesting wordlists in these directories:

~/SecLists/Discovery/Web-Content/api/

/usr/share/wordlists/dirb/

API paths are often followed by a version number, resulting in a pattern such as:

/api_name/v1

That means the wordlist entries belong in the api_name position, which the Gobuster placeholder marks:

{GOBUSTER}/v1

You can enumerate the API endpoints using Gobuster:

Prepare the pattern file so Gobuster knows where to substitute each wordlist entry ({GOBUSTER} is replaced by every word, one request per pattern line):

{GOBUSTER}/v1
{GOBUSTER}/v2

Run Gobuster (-p is the --pattern option):

gobuster dir -u http://<IP>:<PORT> -w <WORDLIST_PATH> -p <PATTERN_FILE_PATH>

Do not stop when you discover endpoints.

Brute-force every path you have found until nothing new turns up. Combine the information you gather and try harder.
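Seen from the defender's side, the versioned-path brute force above leaves a distinctive trace in web-server access logs: one client requesting many distinct /<name>/vN paths, most of them answered with 404. The Python below is an added example, not part of this cheat sheet: it parses combined-format log lines and flags clients showing that pattern. The log lines, addresses, user agents and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined access-log format (not from a real system):
# one client brute-forcing /<name>/vN paths, one normal client.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /users/v1 HTTP/1.1" 404 153 "-" "gobuster/3.6"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /admin/v1 HTTP/1.1" 404 153 "-" "gobuster/3.6"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /login/v1 HTTP/1.1" 200 512 "-" "gobuster/3.6"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /orders/v2 HTTP/1.1" 404 153 "-" "gobuster/3.6"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /products/v1 HTTP/1.1" 404 153 "-" "gobuster/3.6"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /accounts/v1 HTTP/1.1" 404 153 "-" "gobuster/3.6"
192.168.1.20 - - [01/Jan/2024:10:00:03 +0000] "GET /login/v1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.20 - - [01/Jan/2024:10:00:04 +0000] "POST /orders/v1 HTTP/1.1" 201 88 "-" "Mozilla/5.0"
"""

# Combined log format: client, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# The /api_name/vN shape that a pattern file like the one above makes a scanner request.
VERSIONED_PATH_RE = re.compile(r'^/[^/?]+/v\d+(?:[/?]|$)')


def parse_line(line):
    """Parse one access-log line into its fields; None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_enumeration(log_text, min_not_found=5):
    """Flag clients that collected at least `min_not_found` 404s on versioned API
    paths, the trace a wordlist-driven scan leaves. Returns {ip: stats}."""
    stats = defaultdict(lambda: {"not_found": 0, "paths": set(), "hits": set(), "user_agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not VERSIONED_PATH_RE.match(rec["path"]):
            continue
        s = stats[rec["ip"]]
        s["paths"].add(rec["path"])
        s["user_agents"].add(rec["ua"])
        if rec["status"] == "404":
            s["not_found"] += 1
        elif rec["status"].startswith("2"):
            s["hits"].add(rec["path"])  # endpoints the scan confirmed exist
    return {ip: s for ip, s in stats.items() if s["not_found"] >= min_not_found}


if __name__ == "__main__":
    for ip, s in detect_enumeration(SAMPLE_LOG).items():
        print(ip, s["not_found"], "x 404 over", len(s["paths"]), "paths; confirmed:", sorted(s["hits"]))
```

The "hits" set is the useful part for response: it lists the real endpoints the scanner confirmed, so you know which ones to review first.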

Exploitation Tips

You can just use curl, or send the request through an intercepting proxy with:

curl <IP>:<PORT>/<ENDPOINT> --proxy <PROTOCOL>://<IP>:<PORT>

  • Log in to the API with credentials found elsewhere

  • Create a new user with the admin flag set to true (Broken Object Property Level Authorization)

  • Guess required body parameters

  • Combine information gained from different endpoints

Authorization Types

The different types of authorization request headers are explained here:

https://compile7.org/decompile/authorization-request-headers-explained/
