Blackbox API Discovery

Discovery via Verb Tampering

When we have an API, for example:

http://apiurl:8080

We can use gobuster (dirbuster works the same way) in order to discover hidden API paths; the `-s` list keeps every status code that proves a path exists, including 401, 403 and 405:

gobuster dir -u http://apiurl:8080 -w ~/pentest/tools/SecLists/Discovery/Web-Content/raft-medium-directories.txt -b "" -s "200,204,301,302,307,401,403,405,500"

Files / Folder enumeration payloads: https://bernas.gitbook.io/oscp-everything/web/information-gathering#file-enumeration

The next step is to enumerate endpoints with a Python script written by ourselves, because directory brute-forcers only send GET (and sometimes HEAD).

The Python script has to send at least both GET and POST requests to every candidate path (adding PUT, PATCH, DELETE and OPTIONS is what actually catches verb-tampering cases). Whenever you receive a status code other than 404 you have discovered an endpoint we can possibly use: a 403 or 405 still tells you the path exists, so note it and retry it with other methods rather than discarding it.

403 vs 401

403 -> Forbidden: the server understood the request but refuses to authorize it for the current identity, so the endpoint should not be accessible even with credentials (check other verbs, headers and path variants)

401 -> Unauthorized: authentication is required, so the endpoint should become available after providing the right credentials

You should examine the discovered endpoints by passing them to Burp Suite in order to check how the request can be sent successfully (bypassing or providing credentials).
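The enumeration script described above, as an added example that is not the page's own code: it probes every candidate path with several HTTP verbs, keeps every answer that is not a 404 and labels 401/403/405 according to the distinction just made. The transport is injected as a callable, so the same logic runs offline against a constructed fake API (FAKE_API below, invented for the demonstration) and live against a target URL using only the standard library. The candidate paths are an assumed snippet, not a real wordlist.

```python
#!/usr/bin/env python3
"""Verb-tampering endpoint enumerator (added example, not the page's script).

Probes every candidate path with several HTTP methods and reports each
(method, path) whose status is not 404. The transport is a callable so the
logic can run offline against the constructed FAKE_API below.
"""
import http.client
import sys
from urllib.parse import urlsplit

METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "HEAD")

# Assumed wordlist snippet; in practice load a SecLists api-endpoints list.
CANDIDATE_PATHS = ["/api/users", "/api/admin", "/api/health", "/api/login", "/api/nothing"]


def classify(status):
    """Map a status code to what it tells us about the path, or None for 404."""
    if status is None or status == 404:
        return None                  # nothing there (or the request failed)
    if status == 401:
        return "auth-required"       # exists, retry with credentials
    if status == 403:
        return "forbidden"           # exists, try other verbs / bypasses
    if status == 405:
        return "exists-wrong-verb"   # exists, only the method is wrong
    return "open"                    # 2xx/3xx/5xx: reachable as-is


def http_sender(base_url, timeout=5):
    """Build a sender that issues real requests with the standard library only."""
    parts = urlsplit(base_url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection

    def send(method, path):
        conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
        try:
            # A minimal JSON body on body-carrying verbs avoids a 400 that
            # would hide the endpoint's real behaviour.
            body = "{}" if method in ("POST", "PUT", "PATCH") else None
            headers = {"Content-Type": "application/json"} if body else {}
            conn.request(method, path, body=body, headers=headers)
            return conn.getresponse().status
        except OSError:
            return None              # connection error: treat as no answer
        finally:
            conn.close()

    return send


# Constructed fake API for offline demonstration and tests; not a real target.
FAKE_API = {
    ("GET", "/api/users"): 401, ("POST", "/api/users"): 401,
    ("GET", "/api/admin"): 403,
    ("GET", "/api/health"): 200, ("OPTIONS", "/api/health"): 204,
    ("GET", "/api/login"): 405, ("POST", "/api/login"): 200,
}


def fake_sender(method, path):
    """Answer like FAKE_API would; HEAD mirrors GET as a real server does."""
    if method == "HEAD":
        method = "GET"
    return FAKE_API.get((method, path), 404)


def enumerate_endpoints(send, paths, methods=METHODS):
    """Return [(method, path, status, label)] for every non-404 answer."""
    findings = []
    for path in paths:
        for method in methods:
            status = send(method, path)
            label = classify(status)
            if label is not None:
                findings.append((method, path, status, label))
    return findings


def by_path(findings):
    """Group findings as {path: {method: status}} for a quick overview."""
    table = {}
    for method, path, status, _ in findings:
        table.setdefault(path, {})[method] = status
    return table


if __name__ == "__main__":
    # python3 verbfuzz.py http://apiurl:8080   -> live probe of the target
    # python3 verbfuzz.py                       -> offline run against FAKE_API
    send = http_sender(sys.argv[1]) if len(sys.argv) > 1 else fake_sender
    for path, verbs in by_path(enumerate_endpoints(send, CANDIDATE_PATHS)).items():
        print(path, " ".join(f"{m}={s}" for m, s in sorted(verbs.items())))
```

Paths reported as `auth-required` go straight to Burp with credentials; `forbidden` and `exists-wrong-verb` paths are the ones to retry with the remaining verbs, `X-HTTP-Method-Override`-style headers and path variants, since the server has already confirmed they exist.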
