# Web API penetration testing
Web Application Firewall (WAF)
```sh
wafw00f
nuclei -u -t dns/dns-waf-detect.yaml,http/technologies/secui-waf-detect.yaml,http/technologies/waf-detect.yaml -H "Authorization: Bearer " -ts -silent
```
HTTP security headers
```sh
shcheck.py -i -k
nuclei -u -t http/misconfiguration/http-missing-security-headers.yaml -H "Authorization: Bearer " -ts -silent
```
No HTTP headers con divulgación de información.
* Server
* X-Powered-By
* X-AspNet\*
Expresión regular para identificar HTTP security headers recomendados.
```regex
Strict-Transport-Security|Content-Security-Policy|X-Content-Type-Options|Content-Type|X-Frame-Options|Referrer-Policy
```
HTTP methods (verbs)
Utilizar el método HTTP apropiado para cada operación y responder con un error `405 Method Not Allowed` si el método de la petición no es el apropiado.
* [Wordlist HTTP methods (verbs)](https://github.com/MrW0l05zyn/pentesting/blob/master/web/payloads/http-methods-verbs/http-methods-verbs.txt).
Content-Type
Validar los `Content-Type` enviados (request) contra los `Content-Type` aceptados (response).
* [Wordlist Content-Type](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt).
Incluir en la respuesta (response) el HTTP header `X-Content-Type-Options`.
```http
X-Content-Type-Options: nosniff
```
Redireccionamiento estricto de HTTP a HTTPS
```sh
nmap -sV -p 80,443 -n -Pn
curl -I -l -H "Authorization: Bearer "
curl -H "Authorization: Bearer "
```
SSL/TLS y algoritmos de cifrados
```sh
sslscan
nuclei -u -t ssl -ts -silent
```
Fuzzing
Fuzzing de paths.
```sh
kr scan http:/// -w routes-large.kite
ffuf -u http:///api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:FUZZ -H "Authorization: Bearer " -c -mc all -fc 404 -o ffuf-fuzzing-paths.html -of html
```
Fuzzing de versiones (v1, v2, v3...).
Fuzzing parámetros GET.
```sh
arjun -u http:///api.php --headers "Authorization: Bearer "
ffuf -u http:///api.php?FUZZ=test -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -H "Authorization: Bearer " -c -mc all -fc 301,404 -fs -o ffuf-fuzzing-get-parameters.html -of html
```
Fuzzing valor de parámetros GET.
```sh
ffuf -u http:///api.php?=FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt:FUZZ -H "Authorization: Bearer " -c -mc all -fc 301,404 -fs -o ffuf-fuzzing-get-parameters-values.html -of html
```
Fuzzing parámetros POST.
```sh
arjun -u http:///api.php --headers "Authorization: Bearer " -m
ffuf -u http:///api.php -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -X POST -d "FUZZ=test" -H "Authorization: Bearer " -H "Content-Type: application/x-www-form-urlencoded" -c -mc all -fc 301,404 -fs -o ffuf-fuzzing-post-parameters.html -of html
```
Fuzzing valor de parámetros POST.
```sh
ffuf -u http:///api.php -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt:FUZZ -X POST -d "=FUZZ" -H "Authorization: Bearer " -H "Content-Type: application/x-www-form-urlencoded" -c -mc all -fc 301,404 -fs -o ffuf-fuzzing-post-parameters-values.html -of html
```
Fuzzing de archivos (según contexto de revisión).
```sh
# Wordlist
ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt:FUZZ -c -mc all -fc 404 -o ffuf-fuzzing-files.html -of html
# Wordlist + extensiones (.html, .js, .php, .jsp, .aspx)
ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt:FUZZ -e .html,.js,.php,.jsp,.aspx -c -mc all -fc 404 -o ffuf-fuzzing-extensions.html -of html
# Wordlist + extensiones (ocultos / .txt, .config, .old, .bak, .inc)
ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt:FUZZ -e .txt,.config,.old,.bak,.inc -c -mc all -fc 404 -o ffuf-fuzzing-extensions-hidden.html -of html
# Wordlist crawling + extensiones
ffuf -u http:///FUZZ -w :FUZZ -e .html,.js,.php,.jsp,.aspx,.txt,.config,.old,.bak,.inc -c -mc all -fc 404 -o ffuf-fuzzing-crawling-extensions.html -of html
```
Autenticación y autorización
* Consumo de API con token de autenticación incorrecto.
* Consumo de API con HTTP header de autenticación, pero sin valor.
* Consumo de API sin HTTP header de autenticación.
* Consumo de API con token de autenticación expirado.
* No utilizar `Basic Authentication`.
* [JSON Web Token (JWT)](https://web.mrw0l05zyn.cl/explotacion/autenticacion-y-autorizacion/json-web-token-jwt).
* Insecure Direct Object References (IDOR).
Exposición de datos
* Divulgación de datos sensibles.
* Exposición de datos confidenciales a través del "query strings" en URL.
* Entrega de información excesiva.
Input data validation
Fuzzing y consumo de API con parámetros de entrada inválidos.
* [Wordlist caracteres especiales](https://raw.githubusercontent.com/MrW0l05zyn/pentesting/master/wordlists/api/special-characters.txt).
```
!@#$%^&~_-+=*.,:;'"\|/?[{()}]
!@#$%^&~_-+=*.,:;'\|/?[{()}]
!@#$%^&~_-+=*.,:;'|/?[{()}]
```
* [Wordlist valores numéricos](https://raw.githubusercontent.com/MrW0l05zyn/pentesting/master/wordlists/api/number-input-data-validation.txt).
* Longitud, rango, formato y tipo.
* Sin valor en parámetros.
* Sin parámetros.
Manejo de errores.
* Mensajes de errores genéricos.
* No revelar detalles del error innecesariamente.
* No entregar detalles técnicos referente al error.
Cross-origin resource sharing (CORS)
```sh
curl -I -X OPTIONS -H "Origin: https://web-maliciosa-atacante.com" -H "Authorization: Bearer "
```
* [Explotación con credenciales (ACAC)](https://web.mrw0l05zyn.cl/explotacion/same-origin-policy-sop/cross-origin-resource-sharing-cors#explotacion-con-credenciales-acac).
* [Origin reflejado en Access-Control-Allow-Origin](https://web.mrw0l05zyn.cl/explotacion/same-origin-policy-sop/cross-origin-resource-sharing-cors#origin-reflejado-en-access-control-allow-origin).
* [Access-Control-Allow-Origin con valor null](https://web.mrw0l05zyn.cl/explotacion/same-origin-policy-sop/cross-origin-resource-sharing-cors#access-control-allow-origin-con-valor-null).
Restricciones de consumo
* Rate Limit: garantiza un número total de solicitudes en un intervalo de tiempo determinado. Comprueba si el número de solicitudes se encuentra dentro del intervalo de tiempo configurado, independientemente del tiempo entre cada solicitud. Cuando finaliza el intervalo, comienza uno nuevo y también se reinicia el recuento de solicitudes.
* Spike Arrest: garantiza una distancia de tiempo mínima entre dos solicitudes. Si no se respeta el tiempo entre dos solicitudes, no se aceptará la segunda y el código de error HTTP devuelto será 429.
* Caching: almacenamiento en caché.
* Batching attack (GraphQL).
Escaneo automatizado
* Burp Suite Professional.
* Nuclei.
```sh
nuclei -u -H "Authorization: Bearer " -ts -silent
```
* Burp Bounty Pro.
* OWASP Zed Attack Proxy (ZAP).
Vulnerabilidades
* [HTTP Host header](https://web.mrw0l05zyn.cl/explotacion/http-host-header).
* [Cross-site scripting (XSS)](https://web.mrw0l05zyn.cl/explotacion/cross-site-scripting-xss).
* [Path traversal & file inclusion](https://web.mrw0l05zyn.cl/explotacion/path-traversal-and-file-inclusion).
* [Command injection](https://web.mrw0l05zyn.cl/explotacion/command-injection).
* [SQL injection (SQLi)](https://web.mrw0l05zyn.cl/explotacion/sql-injection-sqli).
* [MySQL / MariaDB](https://web.mrw0l05zyn.cl/explotacion/sql-injection-sqli/mysql-mariadb).
* [Microsoft SQL Server](https://web.mrw0l05zyn.cl/explotacion/sql-injection-sqli/microsoft-sql-server).
* [PostgreSQL](https://web.mrw0l05zyn.cl/explotacion/sql-injection-sqli/postgresql).
* [Oracle](https://web.mrw0l05zyn.cl/explotacion/sql-injection-sqli/oracle).
```sh
# General
sqlmap -r request-general-1.txt --random-agent --threads=10 --batch --flush-session --hostname --proxy=http://127.0.0.1:8080
sqlmap -r request-general-2.txt --level=5 --risk=3 --random-agent --threads=10 --batch --flush-session --hostname --proxy=http://127.0.0.1:8080
# Parámetros GET
sqlmap -r request-get-1.txt --method GET -p ",," --random-agent --threads=10 --batch --flush-session --hostname --proxy=http://127.0.0.1:8080
sqlmap -r request-get-2.txt --method GET -p ",," --level=5 --risk=3 --random-agent --threads=10 --batch --flush-session --hostname --proxy=http://127.0.0.1:8080
# HTTP Headers
sqlmap -r request-headers-1.txt --header=": *" --header=": *" --header=": *" --random-agent --threads=10 --batch --flush-session --hostname --proxy=http://127.0.0.1:8080
sqlmap -r request-headers-2.txt --level=5 --risk=3 --header=": *" --header=": *" --header=": *" --random-agent --threads=10 --batch --flush-session --hostname --proxy=http://127.0.0.1:8080
```
* [NoSQL injection (NoSQLi)](https://web.mrw0l05zyn.cl/explotacion/nosql-injection-nosqli).
* [XML external entity (XXE) injection](https://web.mrw0l05zyn.cl/explotacion/xml-external-entity-xxe-injection).
* [CRLF injection](https://web.mrw0l05zyn.cl/explotacion/crlf-injection).
* [XPath injection](https://web.mrw0l05zyn.cl/explotacion/xpath-injection).
* [LDAP injection](https://web.mrw0l05zyn.cl/explotacion/ldap-injection).
* [PDF injection](https://web.mrw0l05zyn.cl/explotacion/pdf-injection).
* [Server-side template injection (SSTI)](https://web.mrw0l05zyn.cl/explotacion/server-side-template-injection-ssti).
* [Server-side parameter pollution](https://web.mrw0l05zyn.cl/explotacion/server-side-parameter-pollution).
* [Server-side request forgery (SSRF)](https://web.mrw0l05zyn.cl/explotacion/server-side-request-forgery-ssrf).
* [Web cache poisoning](https://web.mrw0l05zyn.cl/explotacion/web-cache-poisoning).
* [HTTP request smuggling](https://web.mrw0l05zyn.cl/explotacion/http-request-smuggling).
* [GraphQL](https://web.mrw0l05zyn.cl/explotacion/graphql).