ZAP Scanner & other scanning methods

Scan API

Import the API definition, then right-click on the root node and choose to run an active scan.

Authenticated scan

Use the Manual Explore option.

Set the URL to your target, make sure the HUD is enabled, and choose "Launch Browser".

Visit all pages and perform all actions, then launch the active scan: "attack mode on".

Scan API using nuclei and Burp

  1. Obtain the OpenAPI documentation of your target - either the API provides this on its documentation website, or you can search for it on SwaggerHub, or you can use an "API reverse engineering" tool like Burp2API or Postman Interceptor. I suggest using OpenAPI version 3 because Nuclei will look for the "servers" tag within the documentation, and version 2 doesn't have it

  2. Set up Burp listening interfaces - if we want to proxy traffic from the Nuclei Docker container through the Burp instance that runs on our host OS, we have to make sure that Burp listens on all interfaces as shown below

  3. Pull the Nuclei Docker image and run the container - for this I use Docker Desktop on Windows and run the command within its terminal. The host.docker.internal in the -proxy option is how we tell Docker to use the host as a proxy. If you use Windows/Linux you won't have to change it

    docker run --rm -v "C:\path\to\openapi.json:/openapi.json" projectdiscovery/nuclei -l /openapi.json -im openapi -V "Authorization=123" -skip-format-validation -proxy http://host.docker.internal:8080
  4. Update the API servers - open the OpenAPI documentation and search for the servers tag -> make sure to set the domain where the API is hosted:

    "servers":[{"url":"https://api.example.com"},{"url":"https://api.us-east-2.test.example.cloud"},{"url":"http://localhost:8000"}]
  5. Update the volume path (-v "C:\path\to\openapi.json:/openapi.json") to match the place where you saved the OpenAPI documentation on the host OS

  6. Update the variable values - add/remove the variables (-V "Authorization=123") based on your OpenAPI requirements. Additionally you can add the -skip-format-validation flag. Nuclei will throw an error if it can't find a mandatory variable

  7. Match & Replace in Burp - add a match & replace rule in Burp to inject your Authorization tokens, CSRF tokens and any other HTTP header that may be required. For whatever reason the -V "Authorization=123" option didn't do that, but we can use Burp -> Automodifying Requests on the Fly

  8. Enable Burp extensions - before you proceed with the Nuclei scan, you can also enable Collaborator Everywhere and Autorize to increase the chances of finding SSRF and Broken Authorization/Authentication vulnerabilities

Now you should have all the endpoints documented in the OpenAPI file automatically tested by Nuclei & the Burp extensions.
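Before handing the document to the container, it is worth checking that it actually carries the "servers" entry Nuclei looks for and seeing which endpoints will be exercised; the same list can be written out as the endpoints file used by the plain nuclei commands. The following is an added example, not code from the original page or from Nuclei: it reads a constructed OpenAPI 3 document and a constructed Swagger 2 document, synthesizes a v3-style servers list for the latter from host/basePath/schemes, and enumerates method + URL pairs.

```python
# Constructed sample: an OpenAPI 3 document with a "servers" entry (not a real API).
SAMPLE_V3 = {
    "openapi": "3.0.0",
    "servers": [{"url": "https://api.example.com"}, {"url": "http://localhost:8000"}],
    "paths": {
        "/api/login": {"post": {}},
        "/api/users/{id}": {"get": {}, "delete": {}},
    },
}

# Constructed sample: the same style of API described in Swagger 2, which has no "servers" tag.
SAMPLE_V2 = {
    "swagger": "2.0",
    "host": "api.example.com",
    "basePath": "/v1",
    "schemes": ["https"],
    "paths": {"/users": {"get": {}}},
}

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def servers_of(doc):
    """Return the base URLs a scanner would target.

    OpenAPI 3: taken from "servers". Swagger 2: rebuilt from host/basePath/schemes,
    which is the information the missing "servers" tag would otherwise carry.
    """
    if "servers" in doc:
        return [s["url"].rstrip("/") for s in doc["servers"]]
    if doc.get("swagger") == "2.0" and "host" in doc:
        base = doc.get("basePath", "").rstrip("/")
        return [f"{scheme}://{doc['host']}{base}" for scheme in doc.get("schemes", ["https"])]
    return []


def to_v3_servers(doc):
    """Build a v3-style "servers" value so a Swagger 2 file can be patched for openapi mode."""
    return [{"url": u} for u in servers_of(doc)]


def endpoints_of(doc):
    """Return (METHOD, full URL) for every operation, expanded across all servers."""
    out = []
    for path, ops in doc.get("paths", {}).items():
        for method in ops:
            if method.lower() in HTTP_METHODS:
                for server in servers_of(doc):
                    out.append((method.upper(), server + path))
    return out
```

Writing the URLs from `endpoints_of` one per line gives the endpoints.txt / api-endpoints.txt consumed by `nuclei -l`; an empty `servers_of` result means openapi mode would have nothing to target.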

Scan using Nuclei

Start by collecting all the API endpoints.

API Discovery / Recon

Scan without authentication

nuclei -t nuclei-templates/http/ -l endpoints.txt

Scan with token authentication

nuclei -t custom-templates/ -l api-endpoints.txt -H 'Authorization: Bearer <token>'

Nuclei API Custom Templates

Broken User Authentication

id: broken-auth-basic
info:
  name: Broken User Authentication - Default Password
  severity: high
  tags: api,auth,owasp
requests:
  - method: POST
    path:
      - '{{BaseURL}}/api/login'
    headers:
      Content-Type: application/json
    body: '{"username": "admin", "password": "admin"}'
    matchers:
      - type: word
        words:
          - "token"
        part: body

Excessive Data Exposure

id: excessive-data-exposure
info:
  name: Excessive Data Exposure in API Response
  severity: medium
  tags: api,exposure,owasp
requests:
  - method: GET
    path:
      - '{{BaseURL}}/api/users/1'
    matchers:
      - type: word
        words:
          - "password"
          - "ssn"
          - "credit_card"
        part: body

Lack of Resources & Rate Limiting

id: no-rate-limiting
info:
  name: No Rate Limiting Detected
  severity: medium
  tags: api,rate-limit,owasp
requests:
  - method: POST
    path:
      - '{{BaseURL}}/api/login'
    headers:
      Content-Type: application/json
    # the password field must reference the payload set so each request uses a different value
    body: '{"username": "user", "password": "{{password}}"}'
    attack: clusterbomb
    payloads:
      password:
        - wrong1
        - wrong2
        - wrong3
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

Mass Assignment

id: mass-assignment
info:
  name: Mass Assignment Vulnerability
  severity: high
  tags: api,mass-assignment,owasp
requests:
  - method: POST
    path:
      - '{{BaseURL}}/api/users'
    headers:
      Content-Type: application/json
    body: '{"username":"newuser","role":"admin"}'
    matchers:
      - type: word
        words:
          - "admin"
        part: body
