REST API

Attack REST API

RESTful APIs are stateless, so when a consumer authenticates to these APIs, no session is created between the client and server. Instead, the API consumer must prove their identity within every request sent to the API provider’s web server.

Swagger UI

https://openapi.security/openapi.security

JSON Injection

Swagger Jacker

GitHub - BishopFox/sj: A tool for auditing endpoints defined in exposed (Swagger/OpenAPI) definition files.GitHub

CherryBomb

GitHub - blst-security/cherrybomb: Stop half-done APIs! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by auditing your API specifications, validating them and running API security tests.GitHub

cherrybomb --file swagger.json --profile passive

https://www.youtube.com/watch?v=pfrmItMLTLgwww.youtube.com

Astra

Automated Security Testing For REST API's

GitHub - flipkart-incubator/Astra: Automated Security Testing For REST API'sGitHub

Automatic API Attack Tool

GitHub - imperva/automatic-api-attack-tool: Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.GitHub

URL Encoding

GET /api/%61dmin/users

Fullwidth or Homoglyph Characters

POST /api/users
Content-Type: application/json

{
  "ｕｓｅｒｎａｍｅ": "admin"
}

Mixing Encodings in Payloads

POST /api/login
Content-Type: application/json

{
  "us\u0065rname": "admin",
  "password": "letmein"
}

POST /api/users
Content-Type: application/json

{
  "username": "ad\u006din"
}

Content-Type Confusion and Polyglot Payloads

POST /api/profile
Content-Type: application/xml

{"username":"admin"}

Header and Parameter Encoding Tricks

GET /api/products?category=%252e%252e%252fadmin

Resources

Hacking APIs: Attacking REST APIs Through Serialization Format ManipulationMedium

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

Hacking APIs: Breaking Web Application Programming Interfaces A crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.
Black Hat GraphQL: Attacking Next Generation APIs This hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

PreviousSwagger UI NextImproper Asset Management

Last updated 6 months ago

hashtagSwagger Jacker

hashtagCherryBomb

hashtagAstra

hashtagAutomatic API Attack Tool

hashtagURL Encoding

hashtagFullwidth or Homoglyph Characters

hashtagMixing Encodings in Payloads

hashtagContent-Type Confusion and Polyglot Payloads

hashtagHeader and Parameter Encoding Tricks

hashtagResources

hashtagInteresting Books

hashtagSupport this Gitbook