Gist Uyavuz24/84901fc4cc7d282060e0eb2e4c837f5c, last active August 8, 2023 19:33
Our checklist for testing APIs
* If the wordlist can't find anything on the API, use hakrawler
* Every domain could have an API. Add a .json extension to endpoints and see how the response changes
* If IDs are not numerical, try to find leaked IDs in other places (e.g. posts the user created, and other features)
* Some endpoints will return a UUID in response to an e-mail address etc.
* If there is no leak of the user ID, just swap in the user ID of another account you created
* Look for permission checks on every endpoint
* Change lowercase to uppercase or vice versa in endpoints
* After finding endpoints, run Arjun on them
* Use all HTTP request methods
* Look for IDORs in HTTP headers and body
* Always try numeric IDs. Maybe you can access a place that uses non-numerical IDs with numeric IDs (e.g. replace amail@google.com with "100")
* If api/v1/trips/666 returned 403, intrude it from 0 to 10000. The response may change
* Hunt for special event features
* Got 401/403 errors? AuthZ bypass tricks:
    * Wrap the ID in an array: {"id":111} --> {"id":[111]}
    * JSON wrap: {"id":111} --> {"id":{"id":111}}
    * Send the ID twice: URL?id=<LEGIT>&id=<VICTIM>
    * Send a wildcard: {"user_id":"*"}
* Also look for other endpoints or subdomains for bypassing auth
* There can be many endpoints handling auth
* If you're working on an old domain, the API may be able to handle SOAP as well. So, change the Content-Type to "application/xml" and put a simple XML document in the request body
* Enumerate the API calls made by the web app front end
* If there is an "export to file" feature, try HTML/CSS/JS injection
* APIs don't parse HTML but the front end does. So, you may be able to bypass XSS protection by making the request directly to the API
* If you know what's running on the backend, research how to exploit that framework's/language's features
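The AuthZ-bypass shapes above (array wrap, JSON wrap, duplicated id, wildcard) and the 403-vs-404 difference that makes intruding an id range worthwhile are what a handler has to close off on the server side. The following is an added example, not part of this gist, of a strict id parser plus an object-level authorization check in Python; the TRIPS table is constructed sample data and the function names are hypothetical.

```python
from urllib.parse import parse_qs

# Constructed sample data (not from the gist): trip id -> record with its owner.
TRIPS = {666: {"owner": 7, "dest": "A"}, 667: {"owner": 8, "dest": "B"}}


def parse_id(value):
    """Accept only a single plain non-negative integer id; return None otherwise.
    Rejects the bypass shapes from the checklist: [111] (array wrap),
    {"id": 111} (JSON wrap), "*" (wildcard), plus booleans and negatives."""
    if isinstance(value, bool):              # bool subclasses int: reject explicitly
        return None
    if isinstance(value, int):
        return value if value >= 0 else None
    if isinstance(value, str) and value.isascii() and value.isdigit():
        return int(value)
    return None                              # list, dict, "*", "1e3", "" ...


def id_from_query(query_string):
    """Fail closed on ?id=<LEGIT>&id=<VICTIM> instead of picking first or last."""
    ids = parse_qs(query_string, keep_blank_values=True).get("id", [])
    if len(ids) != 1:
        return None
    return parse_id(ids[0])


def get_trip(requester_id, raw_id, trips=TRIPS):
    """Object-level authorization. Returns (status, payload).
    Missing and not-owned records get the identical 404 so iterating
    /api/v1/trips/0..10000 does not reveal which ids exist or belong to others."""
    trip_id = parse_id(raw_id)
    if trip_id is None:
        return 400, {"error": "id must be a single integer"}
    trip = trips.get(trip_id)
    if trip is None or trip["owner"] != requester_id:
        return 404, {"error": "not found"}
    return 200, trip


if __name__ == "__main__":
    print(get_trip(7, 666))                  # owner: (200, {...})
    print(get_trip(8, 666))                  # someone else's trip: (404, ...)
    print(get_trip(8, [666]))                # array wrap: (400, ...)
    print(id_from_query("id=666&id=667"))    # duplicated id: None
```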