Blackbox API Discovery

Discovery via Verb Tampering

When we have an API, for example:

http://apiurl:8080

We can use a directory brute-forcer such as gobuster (with a dirbuster-style wordlist) in order to discover hidden API endpoints:

# -s lists the status codes to report; recent gobuster versions refuse to run
# with both -s and the default 404 blacklist set, so clear the blacklist with -b ""
gobuster dir -u http://apigateway:8000 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -b "" -s "200,204,301,302,307,401,403,405,500"

Files / Folder enumeration payloads: https://bernas.gitbook.io/oscp-everything/web/information-gathering#file-enumeration

403 vs 401

403 Forbidden -> The server understood the request but refuses it; the resource should not be accessible even when credentials are supplied

401 Unauthorized -> Authentication is required; the resource should become available after providing the right credentials

You should examine endpoints by passing them to Burp Suite in order to check how we can successfully send the request (bypassing or providing credentials).
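From the other side of the gateway, a wordlist scan like the one above leaves a very recognisable trace: one client requesting many distinct paths in a short window and getting back mostly 401, 403, 404 or 405. The following detection script is an added example for these notes, not code from the original page or from any tool it mentions. It parses a few constructed Common Log Format lines (the IPs, paths and timestamps are made up) and flags clients whose requests match that pattern; the window size and thresholds are assumptions to tune per environment.

```python
"""Flag clients that look like they are brute-forcing API paths.

Added example: parses constructed Common Log Format lines and reports any
client that, within a short window, requests many distinct paths that mostly
come back as 401/403/404/405.  Thresholds and sample data are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: host ident authuser [date] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Responses a scanner produces in bulk: not found, method not allowed, and the
# two "exists, but not for you / not without credentials" answers discussed above.
PROBE_STATUSES = {401, 403, 404, 405}


def parse_line(line):
    """Return {ip, ts (datetime), method, path, status} or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def find_enumerators(lines, window=timedelta(seconds=60),
                     min_paths=10, min_probe_ratio=0.8):
    """Return {ip: {"paths": n, "probe_ratio": r}} for clients whose requests
    within some `window` cover at least `min_paths` distinct paths and whose
    responses are at least `min_probe_ratio` 401/403/404/405.  For a flagged
    client the widest matching window (most distinct paths) is reported."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Advance `start` so that recs[start:end+1] spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            paths = {r["path"] for r in chunk}
            if len(paths) < min_paths:
                continue
            probes = sum(1 for r in chunk if r["status"] in PROBE_STATUSES)
            ratio = probes / len(chunk)
            if ratio >= min_probe_ratio and len(paths) > hits.get(ip, {}).get("paths", 0):
                hits[ip] = {"paths": len(paths), "probe_ratio": round(ratio, 2)}
    return hits


def _clf(ip, sec, path, status):
    """Build one constructed CLF line (sample data only), e.g.
    10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 403 153"""
    return f'{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 153'


# Constructed sample log: 10.0.0.5 is walking a wordlist against the gateway,
# 10.0.0.9 is an ordinary client using two real endpoints (one expired token).
SAMPLE_LOG = [
    _clf("10.0.0.5", 36, "/admin", 403),
    _clf("10.0.0.9", 37, "/api/v1/users", 200),
    _clf("10.0.0.5", 37, "/api", 401),
    _clf("10.0.0.5", 38, "/api/v1", 401),
    _clf("10.0.0.5", 39, "/backup", 404),
    _clf("10.0.0.9", 40, "/api/v1/orders", 200),
    _clf("10.0.0.5", 40, "/config", 404),
    _clf("10.0.0.5", 41, "/console", 404),
    _clf("10.0.0.5", 42, "/debug", 405),
    _clf("10.0.0.5", 43, "/health", 200),
    _clf("10.0.0.5", 44, "/internal", 403),
    _clf("10.0.0.9", 45, "/api/v1/users", 401),
    _clf("10.0.0.5", 45, "/login", 200),
    _clf("10.0.0.5", 46, "/manage", 404),
    _clf("10.0.0.5", 47, "/metrics", 401),
]


def detect_sample():
    """Run the detector over the constructed sample log."""
    return find_enumerators(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, info in detect_sample().items():
        print(f"{ip}: {info['paths']} distinct paths, "
              f"{info['probe_ratio']:.0%} probe-like responses")
```

Only the scanning client is reported; the legitimate client never reaches ten distinct paths, and its single 401 is not enough to matter. In a real deployment the same logic would run over the gateway's access log stream, and 401/403 from the scanner are worth keeping in the alert since they tell you which hidden paths actually exist.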
