API Pentesting

Mindmap (reconstructed as an outline from the exported mindmap)

Recon
- API Version Discovery: V1, V2, V3
- API Implementation Discovery
  - Product / open source
  - Custom API implementation
- API Type Discovery
  - RESTful [Most common]
  - SOAP [Very rare]
  - GraphQL [Newcomer]
- Discovering authentication systems: OTP, login endpoints, etc.
- API documentation
  - Local: WADL for a RESTful API, WSDL for a SOAP API, JSON, etc.
  - Public: any public documentation for the API, like the open source APIs
- HTTP Methods Discovery: GET, POST, PATCH, PUT, DELETE
- Endpoints gathering through: local docs (WADL, WSDL, etc.), BurpSuite, reconnaissance
- Authentication / Authorization methods
  - Cookie based (non-standard)
  - Header based (standard)
  - JWT (JSON Web Token)
  - Encrypted value
  - Arbitrary value to save the user's state
  - Encoded serialized value
  - Encrypted serialized value
  - Hashed user value, e.g. hashed username, user ID

Recon tools
- Postman
  - Import the API environment, documentation, collections, etc.
  - Link the BurpSuite proxy with Postman
  - Activate the API environment
  - Analyze the server's headers and the requests (parameters, body)
  - These two steps should handle every function in the recon method together
  - Analyze JS code, like the Tests tab
- SoapUI
  - Import the WADL / WSDL file initially, or use the application's URL
  - Analyze endpoint behaviors using the endpoint explorer
  - Link the BurpSuite proxy with Postman
- BurpSuite
  - Intercept and monitor every request / response
  - Run the content discovery on the API, seeking additional endpoints, actions and objects
  - Analyze request & response headers and parameters
  - Manipulate the request headers and monitor the server's reactions to the manipulations
  - Run the JavaScript scans to analyze JavaScript files in order to understand the API infrastructure

Weaponizing
- The endpoints which require authentication, and the other publicly accessible ones

Fuzzing
- Authentication & Authorization
- Fuzzing points: Endpoints, Objects, Methods / Actions, Identification handlers
- API Fuzzing: Actions (AKA Methods), Objects, Endpoints

Tools
- FFUF: link it with Burp in order to extend your sitemap range
- BurpSuite Intruder
- Arjun: link it with Burp in order to extend your endpoint parameter range; analyze the Arjun output to check for the possible vulnerable parameter
- Wordlists: SecLists, FuzzDB, using the Wayback Machine, using the API docs
  - Generating a custom wordlist: JavaScript source code reviewing; the organization's GitHub repository, if it exists; the source code of the API product, if it is open source
- Kiterunner: API scanner for endpoints and content discovery
- unfurl: extracts paths from URL lists, which helps in the custom wordlist generation phase

Comparing docs
- Compare the local & public API documentation, seeking hidden functions, methods or endpoints (varies from one target to another)

Behavior mapping
- Map the API's request & response body and headers
- Identify the job of every API method [it varies from one API to another]
- API visualization tools / interfaces, e.g. Swagger API, custom implementations, etc.

Enumeration
- RESTful API enumeration
  - Enumerate resources, e.g. /api/products/122/edit
  - Enumerate objects, e.g. enumerate object identifiers: /api/users/1/edit
  - In this phase you should concentrate more on the response headers, response length and the application's behaviors
  - Payloads could be found in PayloadAllTheThings
- GraphQL API enumeration
  - Introspection query enumeration: the aim is to retrieve every query that can be run against the database and its parameters
  - Visual representation tools: GraphQL Voyager shows a visual representation of the GraphQL schema, which lets us analyze the GraphQL API in a deep and accurate way
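The "Comparing docs" and "Wordlists" branches above describe two document-driven steps: diffing the local (internal) API documentation against the public one to surface undocumented functions or endpoints, and deriving a custom wordlist from the API docs. The following Python script is an added example, not part of the mindmap or of any tool it names; it implements both steps over two constructed OpenAPI-like specs (the paths, the `LOCAL_SPEC`/`PUBLIC_SPEC` samples and the function names are assumptions). The same diff is useful to a defender reviewing whether a shadow endpoint has slipped into production without public documentation.

```python
"""Diff a local and a public API spec and build a wordlist from a spec.

Added example; the specs are constructed samples in a minimal
OpenAPI-like shape: {"paths": {"/path": {"get": {...}, ...}}}.
"""
from typing import Dict, List, Set, Tuple

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

# Constructed sample: what the internal (local) documentation declares.
LOCAL_SPEC = {
    "paths": {
        "/api/users/{id}": {"get": {}, "put": {}, "delete": {}},
        "/api/users/{id}/export": {"post": {}},
        "/api/admin/debug": {"get": {}},
        "/api/products/{id}/edit": {"post": {}},
    }
}

# Constructed sample: what the public documentation declares.
PUBLIC_SPEC = {
    "paths": {
        "/api/users/{id}": {"get": {}, "put": {}},
        "/api/products/{id}/edit": {"post": {}},
        "/api/legacy/search": {"get": {}},
    }
}


def operations(spec: dict) -> Set[Tuple[str, str]]:
    """Return the set of (METHOD, path) pairs declared in a spec."""
    ops: Set[Tuple[str, str]] = set()
    for path, item in spec.get("paths", {}).items():
        for method in item:
            # Skip non-operation keys such as "parameters" or "summary".
            if method.lower() in HTTP_METHODS:
                ops.add((method.upper(), path))
    return ops


def diff_specs(local: dict, public: dict) -> Dict[str, List[Tuple[str, str]]]:
    """Compare two specs.

    "hidden": operations only in the local docs (the undocumented surface
    a review should focus on); "stale_public": operations only in the
    public docs (documentation that may no longer match the service);
    "shared": operations present in both.
    """
    local_ops, public_ops = operations(local), operations(public)
    return {
        "hidden": sorted(local_ops - public_ops),
        "stale_public": sorted(public_ops - local_ops),
        "shared": sorted(local_ops & public_ops),
    }


def wordlist_from_spec(spec: dict) -> List[str]:
    """Split every documented path into segments for a custom wordlist.

    Template parameters such as {id} are dropped: they are placeholders,
    not real path words.
    """
    words: Set[str] = set()
    for path in spec.get("paths", {}):
        for seg in path.strip("/").split("/"):
            if seg and not (seg.startswith("{") and seg.endswith("}")):
                words.add(seg)
    return sorted(words)


if __name__ == "__main__":
    report = diff_specs(LOCAL_SPEC, PUBLIC_SPEC)
    for label, ops in report.items():
        print(label)
        for method, path in ops:
            print(f"  {method:7} {path}")
    print("wordlist:", " ".join(wordlist_from_spec(LOCAL_SPEC)))
```

Feed the resulting wordlist to the fuzzing tools listed above (FFUF, Burp Intruder) and treat every entry in `hidden` as an endpoint that needs the same authentication and authorization review as the documented ones.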
