Improper Asset Management
Search for older versions
api.target.com/v3
/api/v2/accounts
/api/v3/accounts
/v2/accounts
Accept: version=2.0
Accept api-version=3
/api/accounts?ver=2
POST /api/accounts
{
"ver":1.0,
"user":"hapihacker"
}
Search for non-production versions
api.test.target.com
api.uat.target.com
beta.api.com
/api/private
/api/partner
/api/test
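The version and host indicators listed above are also what a defender can watch for. The following is an added example (not code from the original page): it audits constructed API access-log entries and flags requests that name a retired version in the path, Accept header, query string or JSON body, or that hit a non-production hostname. The hostnames, policy values and log entries are all made up for the example.

```javascript
// Added example: audit API access-log entries for improper-asset-management
// signals (requests to retired versions and to non-production hosts).
// Policy values, hostnames and log entries are constructed, not real traffic.

const policy = {
  currentVersion: 3,                          // anything below this is retired
  productionHosts: new Set(["api.target.com"]),
};

// Pull every version indicator a request can carry: path segment,
// Accept header, query string and JSON body.
function extractVersions(entry) {
  const found = [];
  const pathMatch = /\/v(\d+(?:\.\d+)?)(?:\/|$)/.exec(entry.path);
  if (pathMatch) found.push({ source: "path", version: parseFloat(pathMatch[1]) });

  const accept = entry.headers && entry.headers["accept"];
  if (accept) {
    const m = /(?:api-)?version=(\d+(?:\.\d+)?)/i.exec(accept);
    if (m) found.push({ source: "accept", version: parseFloat(m[1]) });
  }

  const query = entry.path.split("?")[1];
  if (query) {
    const params = new URLSearchParams(query);
    if (params.has("ver")) found.push({ source: "query", version: parseFloat(params.get("ver")) });
  }

  if (entry.body && typeof entry.body.ver !== "undefined") {
    found.push({ source: "body", version: parseFloat(entry.body.ver) });
  }
  return found.filter(v => !Number.isNaN(v.version));
}

// One entry -> list of findings (empty when the request is clean).
function auditEntry(entry, pol = policy) {
  const findings = [];
  if (!pol.productionHosts.has(entry.host)) {
    findings.push({ type: "non-production-host", detail: entry.host });
  }
  for (const v of extractVersions(entry)) {
    if (v.version < pol.currentVersion) {
      findings.push({ type: "retired-version", detail: `${v.source}=${v.version}` });
    }
  }
  return findings;
}

// Whole log -> only the entries that produced findings, with their index.
function auditLog(entries, pol = policy) {
  return entries
    .map((e, i) => ({ index: i, findings: auditEntry(e, pol) }))
    .filter(r => r.findings.length > 0);
}

// Constructed sample entries mirroring the probes listed on the page.
const sampleLog = [
  { host: "api.target.com", method: "GET", path: "/api/v3/accounts", headers: {} },
  { host: "api.target.com", method: "GET", path: "/api/v2/accounts", headers: {} },
  { host: "api.target.com", method: "GET", path: "/api/accounts",
    headers: { accept: "application/json; version=2.0" } },
  { host: "api.target.com", method: "GET", path: "/api/accounts?ver=2", headers: {} },
  { host: "api.target.com", method: "POST", path: "/api/accounts", headers: {},
    body: { ver: 1.0, user: "hapihacker" } },
  { host: "api.uat.target.com", method: "GET", path: "/api/v3/accounts", headers: {} },
];

console.log(JSON.stringify(auditLog(sampleLog), null, 2));
```

Only the first entry (current version, production host) comes back clean; each of the other five produces exactly one finding, which is the shape you want when feeding this into an alert on an API gateway log.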
IDOR
GET v2/user/profile?clubname=123
GET v1.0/user/profile?clubname=321
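The two requests above illustrate the usual failure: the older version authenticates the caller but never checks that the requested object belongs to them. The following is an added example (constructed, not the page's or any project's code) showing a legacy handler with that defect next to a hardened one, and a router that refuses the retired version instead of serving it. Profile ids, owners and session values are made up.

```javascript
// Added example: IDOR in a legacy handler vs. an ownership-bound handler.
// The profile store, ids and sessions below are constructed for illustration.

const profiles = new Map([
  ["123", { clubname: "123", owner: "alice", email: "alice@example.invalid" }],
  ["321", { clubname: "321", owner: "bob",   email: "bob@example.invalid" }],
]);

// v1.0-style handler: checks that *someone* is logged in, then returns
// whatever object the query names. Any authenticated user can read any profile.
function legacyGetProfile(session, query) {
  if (!session || !session.user) return { status: 401 };
  const profile = profiles.get(String(query.clubname));
  return profile ? { status: 200, body: profile } : { status: 404 };
}

// Hardened handler: the object must belong to the caller. A 404 rather than
// a 403 is returned so the response does not confirm that the id exists.
function getProfile(session, query) {
  if (!session || !session.user) return { status: 401 };
  const profile = profiles.get(String(query.clubname));
  if (!profile || profile.owner !== session.user) return { status: 404 };
  return { status: 200, body: profile };
}

// Router: only the current version is served. A retired version is refused
// outright (410 Gone) so the unfixed legacy handler can no longer be reached.
function route(version, session, query) {
  if (version !== "v2") return { status: 410, body: { error: "version retired" } };
  return getProfile(session, query);
}

// Usage: alice asking for bob's profile through each path.
const alice = { user: "alice" };
console.log("legacy :", legacyGetProfile(alice, { clubname: "321" }).status); // 200 (IDOR)
console.log("v2     :", route("v2", alice, { clubname: "321" }).status);      // 404
console.log("v1.0   :", route("v1.0", alice, { clubname: "321" }).status);    // 410
```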
Postman
Postman Collection Runner
Open the collection options, choose Edit, and select the Tests tab. Add a test such as:
pm.test("Status code is 200", function () {
    pm.response.to.have.status(200);
});
Run an unauthenticated baseline scan of the collection with the Collection Runner. Make sure that "Save Responses"
Next, use "Find and Replace" to turn the collection's current versions into a variable. Type the current version into "Find", update "Where" to the targeted collection, and update "Replace With" to a variable.

Open Postman and navigate to the environmental variables (use the eye icon located at the top right of Postman as a shortcut). Add a variable named "ver" to your Postman environment and set the initial value to "v1".

Use the Collection Runner again and investigate the results.
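Investigating the results means comparing the two runs: an endpoint that the unauthenticated baseline refused but the rerun against an older version answered with 200 is the finding. The following is an added example (not code from the page or from Postman) that does that comparison on run results reduced to name/status pairs, with "{{ver}}" standing in for the environment variable created above. The run data is constructed.

```javascript
// Added example: triage two Collection Runner results. The baseline ran
// unauthenticated against the current version; the rerun used {{ver}} = "v1".
// Request names and statuses below are constructed.

const AUTH_REFUSED = new Set([401, 403]);

// Return the requests that were refused in the baseline but succeeded in the rerun.
function compareRuns(baseline, rerun) {
  const baselineStatus = new Map(baseline.map(r => [r.name, r.status]));
  const flagged = [];
  for (const r of rerun) {
    const before = baselineStatus.get(r.name);
    if (before === undefined) continue;         // request absent from baseline
    if (AUTH_REFUSED.has(before) && r.status === 200) {
      flagged.push({ name: r.name, baseline: before, rerun: r.status });
    }
  }
  return flagged;
}

// Constructed results of the two runs.
const baselineRun = [
  { name: "GET /{{ver}}/user/profile", status: 401 },
  { name: "GET /{{ver}}/accounts",     status: 401 },
  { name: "GET /{{ver}}/health",       status: 200 },
];
const v1Run = [
  { name: "GET /{{ver}}/user/profile", status: 200 },  // old version skips auth
  { name: "GET /{{ver}}/accounts",     status: 404 },  // not present in v1
  { name: "GET /{{ver}}/health",       status: 200 },  // public in both
];

console.log(compareRuns(baselineRun, v1Run));
```

The health endpoint is 200 in both runs and is not reported; only the profile request, refused on the current version but served by v1, is flagged. Fixing the comparison to the baseline keeps endpoints that are legitimately public out of the finding list.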
Interesting Books
Hacking APIs: Breaking Web Application Programming Interfaces - A crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.
Black Hat GraphQL: Attacking Next Generation APIs - This hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.
Support this Gitbook
I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.