Active Recon
One shortcoming of performing passive reconnaissance is that you're collecting information from secondhand sources. As an API hacker, the best way to validate this information is to obtain information directly from a target by port or vulnerability scanning, pinging, sending HTTP requests, making API calls, and other forms of interaction with a target's environment. This section will focus on discovering an organization's APIs using detection scanning, hands-on analysis, and targeted scanning.
Phase One: Detection Scanning
The goal of detection scanning is to reveal potential starting points for your investigation. Begin with general scans meant to detect hosts, open ports, services running, and operating systems currently in use, as described in the "Baseline Scanning with Nmap" section of this chapter. APIs use HTTP or HTTPS, so as soon as your scan detects these services, let the scan continue to run and move into phase two.
Phase Two: Hands-on Analysis
You should usually consider the application from three perspectives: guests, authenticated users, and site administrators.
Your first step is to visit the website in a browser, explore the site, and consider it from these perspectives. Here are some considerations for each user group:
Guest
How would a new user use this site? Can new users interact with the API? Is API documentation public? What actions can this group perform?
Authenticated User
What can you do when authenticated that you couldn't do as a guest? Can you upload files? Can you explore new sections of the web application? Can you use the API? How does the web application recognize that a user is authenticated?
Administrator
Where would site administrators log in to manage the web app? What is in the page source? What comments have been left around various pages? What programming languages are in use? What sections of the website are under development or experimental?
Phase Three: Targeted Scanning
In the targeted scanning phase, refine your scans and use tools that are specific to your target. Whereas detection scanning casts a wide net, targeted scanning should focus on the specific type of API, its version, the web application type, any service versions discovered, whether the app is on HTTP or HTTPS, any active TCP ports, and other information gleaned from understanding the business logic. For example, if you discover that an API is running over a nonstandard TCP port, you can set your scanners to take a closer look at that port. If you find out that the web application was made with WordPress, check whether the WordPress API is accessible by visiting /wp-json/wp/v2. At this point, you should know the URLs of the web application and can begin brute-forcing uniform resource identifiers (URIs) to find hidden application directories and files.
Nmap
Brute-Forcing URIs with FFUF
You can take a word list from the Assetnote wordlists.
Discovering API Content with Kiterunner
Generic Scan
Formats: json
Doing a generic brute-force
-A: load an Assetnote wordlist
You can use -A and -w together to include additional words.
Replay a request
See the original request, with the application in debug mode.
Results can be false positives, so use Burp Suite for further investigation.
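To make the URI brute-forcing step and the false-positive problem concrete, here is an added Python example (not code from the original page, FFUF or Kiterunner). It spins up a constructed local stand-in site that exposes /wp-json/wp/v2, keeps /api/v1/users behind authentication, and answers every other path with a 200 "soft 404" page; the probe function then discards any hit whose status and size match a baseline request for a path that cannot exist, which is the same idea as filtering by status code and response size in FFUF or Kiterunner. The site, paths and wordlist are all constructed for the demo.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in target: every unknown path gets a 200 "soft 404",
# which is exactly what produces false positives in a naive brute-force.
class FakeSite(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/wp-json/wp/v2":
            body, code = b'{"namespace":"wp/v2"}', 200
        elif self.path == "/api/v1/users":
            body, code = b'{"error":"auth required"}', 401
        else:
            body, code = b"<html>Page not found</html>", 200
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass

def start_fake_site():
    """Start the stand-in site on a random local port and return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), FakeSite)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def fetch(url):
    """Return (status, body_length); non-2xx responses are results, not errors."""
    try:
        with urllib.request.urlopen(url, timeout=5) as r:
            return r.status, len(r.read())
    except urllib.error.HTTPError as e:
        return e.code, len(e.read())

def bruteforce_uris(base_url, words):
    """Probe each word and keep only hits that differ from the soft-404 baseline."""
    baseline = fetch(base_url + "/__this_path_should_not_exist__")
    hits = {}
    for w in words:
        result = fetch(f"{base_url}/{w}")
        if result != baseline:  # same status and size as a nonsense URI -> false positive
            hits[w] = result
    return hits

if __name__ == "__main__":
    site = start_fake_site()
    print(bruteforce_uris(site, ["admin", "api/v1/users", "wp-json/wp/v2", "backup.zip"]))
```

Without the baseline comparison, "admin" and "backup.zip" would be reported as found because the site returns 200 for them; with it, only the two real API paths remain.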
Filter
More than one target:
Add Headers