API Reconnaissance
Passive Reconnaissance
Information to look for:
Exposed credentials
API documentation
API business purpose
Type and version of technologies in use (framework, programming language, dependencies, etc.)
Sensitive information
API Keys
Etc.
How?
Google Dorking
| Google Dorking query | Expected results |
|---|---|
| `inurl:"/wp-json/wp/v2/users"` | Publicly reachable WordPress REST API user listings (the usernames feed later credential attacks). |
| `intitle:"index.of" intext:"api.txt"` | Open directory listings that contain API key files. |
| `inurl:"/api/v1" intext:"index of /"` | Open directory listings under API paths; potentially interesting API directories. |
| `ext:php inurl:"api.php?action="` | Sites matching the XenAPI `api.php?action=` pattern that was associated with a SQL injection vulnerability; a hit only means the pattern is present, not that the site is vulnerable. (This query was posted in 2016; four years later, there are currently 141,000 results.) |
| `intitle:"index of" api_key OR "api key" OR apiKey -pool` | This is one of my favorite queries. It lists potentially exposed API keys. |
Git Dorking
Search GitHub (and other code hosts) for leaked secrets and for commits that hint at bugs in the target's code.
Keywords:
api key
api keys
apikey
authorization: Bearer
access_token
secret
token
Check the repository's History, Commits, Issues and Pull Requests: a secret that was removed in a later commit is still recoverable from history.
In GitHub, switch the diff to the split view to see exactly where a change was made.
Scanning for leaks can be automated with TruffleHog, which walks git history looking for high-entropy strings and known secret patterns.
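The two techniques behind tools like TruffleHog, keyword matching and entropy scoring, as an added example that is not part of the original page. It scans a constructed `git log -p` fragment with fake values; the keyword list is the one above, the 3.5 bits/character threshold and the environment-lookup exclusion are assumptions to tune per codebase:

```python
"""Keyword and entropy scan over diff/commit text for leaked secrets."""
import math
import re
import subprocess
from collections import Counter

# Keywords from the list above, plus the header form as it appears in code.
KEYWORD_RE = re.compile(
    r"api[_ ]?keys?|authorization[\"']?\s*:\s*[\"']?\s*bearer|access_token|secret|token",
    re.I,
)
# A quoted literal of 8+ characters on a keyword line is a hardcoded value.
LITERAL_RE = re.compile(r"""["']([^"']{8,})["']""")
# Lines that read the value from the environment are not leaks (assumed exclusion).
ENV_LOOKUP_RE = re.compile(r"environ|getenv|\$\{?[A-Z_]{3,}")
# Long runs of token-like characters are entropy candidates (JWTs, hex, base64).
CANDIDATE_RE = re.compile(r"[A-Za-z0-9_\-./+=]{20,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed starting point, tune per codebase


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, threshold=ENTROPY_THRESHOLD):
    """Return one finding per suspicious line: {'line', 'reasons', 'snippet'}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        reasons = []
        if KEYWORD_RE.search(line) and LITERAL_RE.search(line) and not ENV_LOOKUP_RE.search(line):
            reasons.append("keyword+literal")
        # Entropy catches values next to names the keyword list does not know about.
        if any(shannon_entropy(m.group()) >= threshold for m in CANDIDATE_RE.finditer(line)):
            reasons.append("high-entropy")
        if reasons:
            findings.append({"line": lineno, "reasons": reasons, "snippet": line.strip()})
    return findings


def scan_git_history(repo_path):
    """Run the same scan over every hunk in the repository's history, all branches."""
    log = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_text(log)


# Constructed sample resembling a `git log -p` hunk; every value is fake.
SAMPLE_DIFF = """\
+API_KEY = "AKIAIOSFODNN7EXAMPLE"
+headers = {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"}
+access_token = os.environ["ACCESS_TOKEN"]
+secret = "changeme"
 # token handling below
-old_key = "0123456789abcdef0123456789abcdef"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DIFF):
        print(f"line {f['line']}: {', '.join(f['reasons'])}: {f['snippet']}")
```

The removed line (`-old_key`) is flagged by entropy alone, which is why history matters: the value is gone from the tree but not from the log. The `os.environ` line has a keyword and a quoted string but is correctly ignored.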
Finding endpoints
Use Shodan and the Wayback Machine to find assets and endpoints related to the target. If an older version of the API documentation exists in the archive, compare it with the current version: endpoints documented before but undocumented now are candidate zombie endpoints, i.e. endpoints that were retired from the documentation but are still online. Probe each one; any response other than 404 means it is still served, and a retired endpoint may not have received the same fixes and access controls as the current ones.
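The old-versus-new comparison and the zombie-endpoint probe plan, as an added example that is not part of the original page. The two specs are constructed stand-ins for an archived snapshot and the live document; the `wayback_urls` helper calls the real Internet Archive CDX API and needs network access, and the "anything but 404/410 means online" rule is an assumption to refine per target:

```python
"""Compare an archived API spec against the live one to find retired (zombie) endpoints."""
import json
from urllib.parse import urlencode
from urllib.request import urlopen

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

# Constructed specs: OLD_SPEC plays the archived snapshot, NEW_SPEC the current document.
OLD_SPEC = {"paths": {
    "/api/v1/users": {"get": {}, "post": {}},
    "/api/v1/users/{id}": {"get": {}, "delete": {}},
    "/api/v1/admin/export": {"get": {}},
    "/api/v1/debug/config": {"get": {}},
}}
NEW_SPEC = {"paths": {
    "/api/v1/users": {"get": {}, "post": {}},
    "/api/v1/users/{id}": {"get": {}},
    "/api/v2/users": {"get": {}},
}}


def wayback_urls(url_pattern):
    """Archived URLs matching the pattern, e.g. 'api.example.com/api/*' (network call)."""
    query = urlencode({"url": url_pattern, "output": "json",
                       "fl": "original,timestamp", "collapse": "urlkey"})
    with urlopen("https://web.archive.org/cdx/search/cdx?" + query) as resp:
        rows = json.load(resp)
    return rows[1:]  # the first row of the CDX JSON output is the field-name header


def operations(spec):
    """Set of (METHOD, path) pairs declared in an OpenAPI 'paths' object."""
    ops = set()
    for path, item in spec.get("paths", {}).items():
        for method in item:
            if method.lower() in HTTP_METHODS:
                ops.add((method.upper(), path))
    return ops


def diff_specs(old, new):
    """Retired operations are the zombie candidates; added ones are new attack surface."""
    old_ops, new_ops = operations(old), operations(new)
    return {
        "retired": sorted(old_ops - new_ops),
        "added": sorted(new_ops - old_ops),
        "unchanged": sorted(old_ops & new_ops),
    }


def probe_plan(base_url, retired):
    """Requests to send to check whether each retired operation is still served."""
    return [(method, base_url.rstrip("/") + path) for method, path in retired]


def still_online(status_code):
    """Assumed rule: 404/410 means gone; 200, 401, 403, 405 etc. mean the route exists."""
    return status_code not in (404, 410)


if __name__ == "__main__":
    delta = diff_specs(OLD_SPEC, NEW_SPEC)
    for method, url in probe_plan("https://api.example.com/", delta["retired"]):
        print("probe:", method, url)
```

A 401 or 403 on a retired route is still a hit: the route is wired up, and an authenticated retry (or the older authentication scheme) may get through.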
Active Reconnaissance
Involves interacting with the target directly, so it is detectable by the target and must stay within the agreed scope.
Tools: nmap, Amass, GoBuster, kiterunner, DevTools
Nmap
Use nmap to identify open ports and services. The general methodology: first identify all open ports on the target with a full-range scan, then narrow the next scan to service and version detection on only the ports found open, and finally run NSE scripts against a limited number of ports chosen by the services hosted on them. This keeps the slow, noisy stages confined to the ports that matter.
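The narrowing step of that methodology, as an added example that is not part of the original page: parse the grepable (`-oG`) output of the full port scan and build the follow-up commands from the ports found open. The gnmap text is constructed, the host is a placeholder, and the choice of `-sV -sC` and the `http-title`/`http-methods` scripts for web ports is an assumption:

```python
"""Narrow follow-up nmap scans to the ports a full scan reported open."""
import re

# Constructed -oG output of a full TCP scan: nmap -p- -oG full.gnmap 10.0.0.5
FULL_SCAN_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -p- -oG full.gnmap 10.0.0.5
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///, 8443/filtered/tcp//https-alt///\tIgnored State: closed (65530)
# Nmap done at ...
"""

# gnmap port field: port/state/proto/owner/service/rpc/version/ ; keep only open ones.
PORT_RE = re.compile(r"(\d+)/(open)/(tcp|udp)//([^/]*)/")


def open_ports(gnmap_text):
    """Map host -> list of (port, proto, service) for ports reported open."""
    hosts = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        for port, _state, proto, service in PORT_RE.findall(line):
            hosts.setdefault(host, []).append((int(port), proto, service))
    return hosts


def service_scan(host, findings):
    """Second stage: version detection and default scripts on the open ports only."""
    ports = ",".join(str(p) for p, _, _ in findings)
    return ["nmap", "-sV", "-sC", "-p", ports, host]


def http_script_scan(host, findings, scripts=("http-title", "http-methods")):
    """Third stage: HTTP NSE scripts on ports whose service looks like a web server."""
    http_ports = [p for p, _, svc in findings if svc.startswith("http")]
    if not http_ports:
        return None
    return ["nmap", "-p", ",".join(map(str, http_ports)), "--script", ",".join(scripts), host]


if __name__ == "__main__":
    for host, findings in open_ports(FULL_SCAN_GNMAP).items():
        print(" ".join(service_scan(host, findings)))
        follow_up = http_script_scan(host, findings)
        if follow_up:
            print(" ".join(follow_up))
```

The filtered 8443 is deliberately dropped: a filtered port gives the service scan nothing to talk to, and chasing it belongs to a separate firewall-evasion step.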
Amass
Performs active and passive enumeration of a target. The two most important subcommands are:
intel: Collect open source intelligence for investigation of the target organization.
enum: Perform DNS enumeration and network mapping of systems exposed to the Internet.
See more on Amass here.
KiteRunner
Very powerful tool to identify API endpoints and resources. It uses the common API methods (GET, POST, PUT, DELETE) and mimics real API requests rather than plain directory brute-forcing, so it discovers routes that only answer to a specific method or a nested path. It comes with a replay option (kr kb replay) to resend a request and examine an interesting result in detail.
Run Kiterunner again with an authorization token (passed as a header with -H) to reach endpoints that were not accessible unauthenticated, and compare the two result sets.
DevTools
The browser's DevTools can be leveraged to find API endpoints. While browsing the web application, open DevTools and go to the Network tab. Then press CTRL+F and search for specific terms such as "/api", "/graphql", "/v1", etc.
A request can also be exported with the Copy as cURL option and pasted as Raw text into Postman's Import dialog to migrate it there.
The request can then be replayed and modified in Postman.
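The same endpoint harvesting done offline over a HAR export from the Network tab (DevTools can save all requests as HAR), as an added example that is not part of the original page. The HAR fragment is constructed; the search terms are the ones above, and the choice of which headers to keep in the generated curl commands is an assumption:

```python
"""Extract API endpoints from a DevTools HAR export and turn them into curl commands."""
import json
import re
import shlex
from urllib.parse import urlsplit

# The same terms used for the Network tab search, matched against the URL path.
API_PATH_RE = re.compile(r"/(api|graphql|v\d+)(/|$)")
# Headers that carry session or content information; assumed set to keep for replay.
KEEP_HEADERS = {"authorization", "cookie", "content-type", "x-api-key"}

# Constructed HAR fragment (DevTools > Network > "Save all as HAR with content").
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://app.example.com/static/app.js", "headers": []}},
    {"request": {"method": "GET", "url": "https://app.example.com/api/v1/users/42?expand=roles",
                 "headers": [{"name": "Authorization", "value": "Bearer TOKEN"},
                             {"name": "Accept", "value": "application/json"}]}},
    {"request": {"method": "POST", "url": "https://app.example.com/graphql",
                 "headers": [{"name": "Content-Type", "value": "application/json"},
                             {"name": "Cookie", "value": "session=abc"}],
                 "postData": {"mimeType": "application/json",
                              "text": "{\"query\":\"{ me { id } }\"}"}}},
    # Duplicate of the second entry, as a single page load typically produces.
    {"request": {"method": "GET", "url": "https://app.example.com/api/v1/users/42?expand=roles",
                 "headers": []}},
]}})


def api_requests(har_text):
    """Unique (method, url) API calls from a HAR document, in first-seen order."""
    seen, out = set(), []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        key = (req["method"], req["url"])
        if API_PATH_RE.search(urlsplit(req["url"]).path) and key not in seen:
            seen.add(key)
            out.append(req)
    return out


def to_curl(req):
    """Equivalent of 'Copy as cURL', restricted to the headers worth replaying."""
    parts = ["curl", "-X", req["method"], shlex.quote(req["url"])]
    for header in req.get("headers", []):
        if header["name"].lower() in KEEP_HEADERS:
            parts += ["-H", shlex.quote(f"{header['name']}: {header['value']}")]
    body = req.get("postData", {}).get("text")
    if body:
        parts += ["--data-raw", shlex.quote(body)]
    return " ".join(parts)


if __name__ == "__main__":
    for req in api_requests(SAMPLE_HAR):
        print(to_curl(req))
```

Each printed command is ready for Postman's Import > Raw text, and because the session headers are kept, the replay runs as the same user; strip them to test the unauthenticated view of the same endpoint.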