# Web API penetration testing

<details>

<summary><a href="/pages/kev5rqp2QV60BEHoKba4">Web Application Firewall (WAF)</a></summary>

```sh
wafw00f <URL>
nuclei -u <URL> -t dns/dns-waf-detect.yaml,http/technologies/secui-waf-detect.yaml,http/technologies/waf-detect.yaml -H "Authorization: Bearer <token>" -ts -silent
```

</details>

<details>

<summary><a href="/pages/xSuQnKMiPyCQPNsaPD0s">HTTP security headers</a></summary>

```sh
shcheck.py -i -k <URL>
nuclei -u <URL> -t http/misconfiguration/http-missing-security-headers.yaml -H "Authorization: Bearer <token>" -ts -silent
```

No HTTP headers that disclose information.

* Server
* X-Powered-By
* X-AspNet\*

Regular expression to identify the recommended HTTP security headers.

```regex
Strict-Transport-Security|Content-Security-Policy|X-Content-Type-Options|Content-Type|X-Frame-Options|Referrer-Policy
```

</details>

<details>

<summary><a href="/pages/BFUZRL6jGFiazoQps8Tv">HTTP methods (verbs)</a></summary>

Use the appropriate HTTP method for each operation and respond with a `405 Method Not Allowed` error if the request method is not the appropriate one.

* [Wordlist HTTP methods (verbs)](https://github.com/MrW0l05zyn/pentesting/blob/master/web/payloads/http-methods-verbs/http-methods-verbs.txt).

</details>

<details>

<summary>Content-Type</summary>

Validate the `Content-Type` sent (request) against the `Content-Type` values accepted (response).

* [Wordlist Content-Type](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt).

Include the `X-Content-Type-Options` HTTP header in the response.

```http
X-Content-Type-Options: nosniff
```
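
The following is an added example, not the checklist's own code: a small server-side gate that models what the HTTP security headers, HTTP methods and Content-Type items above ask for (no disclosure headers, recommended headers present, `405` with `Allow` for the wrong verb, `415` for an unaccepted request `Content-Type`, `nosniff` on every response). The `ROUTES` table and the header values are constructed sample data; `audit()` reports what `shcheck`/`nuclei` would flag on a captured response.

```python
"""Request gate for HTTP method and Content-Type, plus response security headers.

Added example, not the checklist's own code: it models the server-side behaviour
the HTTP security headers, HTTP methods and Content-Type sections ask for, so
there is something concrete to test against. ROUTES and the header values are
constructed sample data.
"""
import re

# The checklist's regular expression for recommended security headers.
RECOMMENDED_HEADERS = re.compile(
    r"Strict-Transport-Security|Content-Security-Policy|X-Content-Type-Options"
    r"|Content-Type|X-Frame-Options|Referrer-Policy"
)
# Headers that disclose the stack (Server, X-Powered-By, X-AspNet*) and must not be sent.
DISCLOSURE_HEADERS = re.compile(r"^(Server|X-Powered-By|X-AspNet.*)$", re.IGNORECASE)

# Constructed route table: path -> (allowed methods, accepted request Content-Types).
ROUTES = {
    "/api/users": ({"GET", "POST"}, {"application/json"}),
}

# Constructed values a response should carry; Content-Type is set per response.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
}
BODY_METHODS = {"POST", "PUT", "PATCH"}


def secure_headers(response_headers):
    """Add the recommended headers and drop any that disclose the stack."""
    kept = {k: v for k, v in response_headers.items() if not DISCLOSURE_HEADERS.match(k)}
    for name, value in SECURITY_HEADERS.items():
        kept.setdefault(name, value)
    return kept


def gate(method, path, request_headers):
    """Return (status, response_headers) for a request, before any handler runs.

    404 for unknown paths, 405 (with Allow) for a verb the route does not
    accept, 415 when a body-carrying request has a Content-Type the route
    does not accept; 200 means the request may proceed to the handler.
    """
    base = {"Content-Type": "application/json"}
    route = ROUTES.get(path)
    if route is None:
        return 404, secure_headers(base)
    allowed_methods, accepted_types = route
    method = method.upper()
    if method not in allowed_methods:
        base["Allow"] = ", ".join(sorted(allowed_methods))
        return 405, secure_headers(base)
    if method in BODY_METHODS:
        hdrs = {k.lower(): v for k, v in request_headers.items()}
        # Compare the media type only: "application/json; charset=utf-8" -> "application/json".
        sent = hdrs.get("content-type", "").split(";")[0].strip().lower()
        if sent not in accepted_types:
            return 415, secure_headers(base)
    return 200, secure_headers(base)


def audit(response_headers):
    """What shcheck/nuclei report for a captured response: recommended headers
    that are missing and disclosure headers that are present."""
    expected = set(SECURITY_HEADERS) | {"Content-Type"}
    present = {n for n in response_headers if RECOMMENDED_HEADERS.fullmatch(n)}
    missing = sorted(expected - present)
    leaking = sorted(n for n in response_headers if DISCLOSURE_HEADERS.match(n))
    return missing, leaking
```

The media-type comparison deliberately ignores parameters such as `charset`, which is why `application/json; charset=utf-8` passes while `text/plain` is rejected with `415`; a stricter deployment can compare the full value against the SecLists `content-type.txt` wordlist referenced above.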

</details>

<details>

<summary>Strict HTTP to HTTPS redirection</summary>

```sh
nmap -sV -p 80,443 -n -Pn <target>
curl -I -l <HTTP-URL> -H "Authorization: Bearer <token>"
curl <HTTPS-URL> -H "Authorization: Bearer <token>"
```

</details>

<details>

<summary><a href="/pages/kEplepdlrVxyhjle2VYa">SSL/TLS and cipher algorithms</a></summary>

```sh
sslscan <target>
nuclei -u <URL> -t ssl -ts -silent
```

</details>

<details>

<summary>Fuzzing</summary>

Path fuzzing.

```sh
kr scan http://<target>/ -w routes-large.kite
ffuf -u http://<target>/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:FUZZ -H "Authorization: Bearer <token>" -c -mc all -fc 404 -o ffuf-fuzzing-paths.html -of html
```

Version fuzzing (v1, v2, v3...).

GET parameter fuzzing.

```sh
arjun -u http://<target>/api.php --headers "Authorization: Bearer <token>"
ffuf -u http://<target>/api.php?FUZZ=test -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -H "Authorization: Bearer <token>" -c -mc all -fc 301,404 -fs <size> -o ffuf-fuzzing-get-parameters.html -of html
```

GET parameter value fuzzing.

```sh
ffuf -u http://<target>/api.php?<parameter>=FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt:FUZZ -H "Authorization: Bearer <token>" -c -mc all -fc 301,404 -fs <size> -o ffuf-fuzzing-get-parameters-values.html -of html
```

POST parameter fuzzing.

```sh
arjun -u http://<target>/api.php --headers "Authorization: Bearer <token>" -m <POST|JSON|XML>
ffuf -u http://<target>/api.php -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -X POST -d "FUZZ=test" -H "Authorization: Bearer <token>" -H "Content-Type: application/x-www-form-urlencoded" -c -mc all -fc 301,404 -fs <size> -o ffuf-fuzzing-post-parameters.html -of html
```

POST parameter value fuzzing.

```sh
ffuf -u http://<target>/api.php -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt:FUZZ -X POST -d "<parameter>=FUZZ" -H "Authorization: Bearer <token>" -H "Content-Type: application/x-www-form-urlencoded" -c -mc all -fc 301,404 -fs <size> -o ffuf-fuzzing-post-parameters-values.html -of html
```

File fuzzing (depending on the review context).

```sh
# Wordlist
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt:FUZZ -c -mc all -fc 404 -o ffuf-fuzzing-files.html -of html
# Wordlist + extensions (.html, .js, .php, .jsp, .aspx)
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt:FUZZ -e .html,.js,.php,.jsp,.aspx -c -mc all -fc 404 -o ffuf-fuzzing-extensions.html -of html
# Wordlist + extensions (hidden / .txt, .config, .old, .bak, .inc)
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt:FUZZ -e .txt,.config,.old,.bak,.inc -c -mc all -fc 404 -o ffuf-fuzzing-extensions-hidden.html -of html
# Crawling wordlist + extensions
ffuf -u http://<target>/FUZZ -w <wordlist-crawling.txt>:FUZZ -e .html,.js,.php,.jsp,.aspx,.txt,.config,.old,.bak,.inc -c -mc all -fc 404 -o ffuf-fuzzing-crawling-extensions.html -of html
```

</details>

<details>

<summary><a href="/pages/PWUXMNySenvYq0ruEkfU">Authentication and authorization</a></summary>

* API consumption with an incorrect authentication token.
* API consumption with the authentication HTTP header present but empty.
* API consumption without the authentication HTTP header.
* API consumption with an expired authentication token.
* Do not use `Basic Authentication`.
* [JSON Web Token (JWT)](/explotacion/autenticacion-y-autorizacion/json-web-token-jwt.md).
* Insecure Direct Object References (IDOR).
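
Added example (not the checklist's code, and not a JWT implementation; JWT has its own page): a bearer-token validator that distinguishes every negative case listed above (header missing, header present but empty, `Basic` scheme, forged or malformed token, expired token) in a server-side log reason while the client only ever sees a `401`. The token format (`base64url(subject:expiry) + "." + base64url(HMAC-SHA256)`) and `SAMPLE_KEY` are constructed for the example.

```python
"""Bearer-token validation covering the negative cases in this section.

Added example, not the checklist's code or a JWT implementation: a constructed
opaque token format, base64url(subject:expiry) + "." + base64url(HMAC-SHA256),
signed with a sample key, so each failure path is distinguishable in logs while
the client only receives a 401.
"""
import base64
import hashlib
import hmac
import time

SAMPLE_KEY = b"constructed-sample-key-not-for-production"


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int, now=None, key=SAMPLE_KEY) -> str:
    """Mint a token for `subject` that expires `ttl_seconds` after `now`."""
    now = int(time.time()) if now is None else now
    payload = f"{subject}:{now + ttl_seconds}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64u(payload)}.{_b64u(sig)}"


def validate_authorization(headers, now=None, key=SAMPLE_KEY):
    """Return (status, reason, subject). status is 200 or 401.

    The reason is for server-side logging only; the client response should be
    a generic 401 regardless of which check failed.
    """
    now = int(time.time()) if now is None else now
    hdrs = {k.lower(): v for k, v in headers.items()}
    if "authorization" not in hdrs:
        return 401, "missing_authorization_header", None
    value = hdrs["authorization"].strip()
    if not value:
        return 401, "empty_authorization_header", None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer":
        return 401, "unsupported_scheme", None          # e.g. Basic
    if not token:
        return 401, "empty_token", None
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _b64u_decode(payload_b64)
        sig = _b64u_decode(sig_b64)
    except ValueError:                                  # wrong shape or bad base64
        return 401, "malformed_token", None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):          # constant-time comparison
        return 401, "invalid_signature", None
    subject, _, exp = payload.decode().rpartition(":")
    if not exp.isdigit() or int(exp) <= now:
        return 401, "expired_token", None
    return 200, "ok", subject
```

The signature is verified before the payload is interpreted, so a tampered expiry never reaches the expiry check; `hmac.compare_digest` avoids a timing side channel on the comparison.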

</details>

<details>

<summary>Data exposure</summary>

* Sensitive data disclosure.
* Exposure of confidential data through query strings in the URL.
* Excessive information delivery.

</details>

<details>

<summary><a href="/pages/cFDaeKip8ZNdfdYAx98S">Input data validation</a></summary>

Fuzzing and API consumption with invalid input parameters.

* [Special characters wordlist](https://raw.githubusercontent.com/MrW0l05zyn/pentesting/master/wordlists/api/special-characters.txt).

```
!@#$%^&~_-+=*.,:;'"\|/?<XSS>[{()}]
!@#$%^&~_-+=*.,:;'\|/?<XSS>[{()}]
!@#$%^&~_-+=*.,:;'|/?<XSS>[{()}]
```

* [Numeric values wordlist](https://raw.githubusercontent.com/MrW0l05zyn/pentesting/master/wordlists/api/number-input-data-validation.txt).
* Length, range, format and type.
* Parameters with no value.
* No parameters.

Error handling.

* Generic error messages.
* Do not reveal error details unnecessarily.
* Do not return technical details about the error.
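
Added example (not the checklist's code) tying the input-validation and error-handling items together: a constructed parameter schema enforces length, range, format and type, treats empty and missing parameters explicitly, and on failure returns one generic message to the client while keeping the detailed reasons for server-side logs only. The special-characters wordlist above is a natural input for it.

```python
"""Parameter validation by length, range, format and type, with generic errors.

Added example, not the checklist's code. A constructed SCHEMA describes each
parameter; validate() returns a generic 400 body for the client and a separate
detailed list for server-side logs, so the response never explains which check
failed or echoes the (possibly hostile) input back.
"""
import re

# Constructed schema: name -> rules. "required" parameters must be present and non-empty.
SCHEMA = {
    "username": {"type": str, "min_len": 3, "max_len": 32,
                 "pattern": re.compile(r"^[A-Za-z0-9_.-]+$"), "required": True},
    "age":      {"type": int, "min": 0, "max": 150, "required": False},
    "email":    {"type": str, "max_len": 254,
                 "pattern": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"), "required": True},
}

GENERIC_ERROR = {"error": "Invalid request"}  # the only text the client receives


def _check(name, value, rules):
    """Return the detailed problems for one parameter (empty list if valid)."""
    problems = []
    if rules["type"] is int:
        # bool is a subclass of int in Python; reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            return [f"{name}: expected integer, got {type(value).__name__}"]
        if "min" in rules and value < rules["min"]:
            problems.append(f"{name}: below minimum {rules['min']}")
        if "max" in rules and value > rules["max"]:
            problems.append(f"{name}: above maximum {rules['max']}")
        return problems
    if not isinstance(value, str):
        return [f"{name}: expected string, got {type(value).__name__}"]
    if "min_len" in rules and len(value) < rules["min_len"]:
        problems.append(f"{name}: shorter than {rules['min_len']}")
    if "max_len" in rules and len(value) > rules["max_len"]:
        problems.append(f"{name}: longer than {rules['max_len']}")
    if "pattern" in rules and not rules["pattern"].match(value):
        problems.append(f"{name}: does not match the expected format")
    return problems


def validate(params, schema=SCHEMA):
    """Return (status, client_body, log_details) for a dict of decoded parameters."""
    details = []
    for name, rules in schema.items():
        if name not in params or params[name] in ("", None):   # no parameter / no value
            if rules["required"]:
                details.append(f"{name}: missing or empty")
            continue
        details.extend(_check(name, params[name], rules))
    for name in params:                                         # reject unknown parameters
        if name not in schema:
            details.append(f"{name}: unexpected parameter")
    if details:
        return 400, GENERIC_ERROR, details
    return 200, {"ok": True}, []
```

Because the schema is an allowlist (unknown parameters are rejected and each value must match a format), the special-character payloads are refused before reaching any downstream component, and the client cannot learn from the response which character triggered the rejection.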

</details>

<details>

<summary><a href="/pages/8ANzKnbApll2tO9Ht6tZ">Cross-origin resource sharing (CORS)</a></summary>

```sh
curl -I -X OPTIONS -H "Origin: https://web-maliciosa-atacante.com" -H "Authorization: Bearer <token>" <URL>
```

* [Exploitation with credentials (ACAC)](/explotacion/same-origin-policy-sop/cross-origin-resource-sharing-cors.md#explotacion-con-credenciales-acac).
  * [Origin reflected in Access-Control-Allow-Origin](/explotacion/same-origin-policy-sop/cross-origin-resource-sharing-cors.md#origin-reflejado-en-access-control-allow-origin).
  * [Access-Control-Allow-Origin with null value](/explotacion/same-origin-policy-sop/cross-origin-resource-sharing-cors.md#access-control-allow-origin-con-valor-null).
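
Added example (not the checklist's code) showing, side by side, the two misconfigurations the `curl` probe above detects (arbitrary `Origin` reflected into `Access-Control-Allow-Origin` with credentials, and `null` accepted) and the hardened allowlist form; `ALLOWED_ORIGINS` is a constructed sample. `credentialed_access_for()` is the decision the checklist makes when reading the probe's response headers.

```python
"""CORS origin handling: reflected and null-origin anti-patterns beside an allowlist.

Added example, not the checklist's code. ALLOWED_ORIGINS is a constructed sample.
"""
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}


def cors_headers_reflecting(origin):
    """Misconfigured: echoes any Origin, "null" included, with credentials enabled."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_allowlist(origin, allowed=ALLOWED_ORIGINS):
    """Hardened: only an exact, non-null allowlisted origin gets ACAO and ACAC.

    Vary: Origin is always sent so a shared cache never serves one origin's
    CORS headers to a request from another origin.
    """
    if origin in allowed and origin != "null":
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {"Vary": "Origin"}


def credentialed_access_for(response_headers, origin):
    """True if a page on `origin` could make a credentialed cross-origin read
    given these response headers: ACAC is true and ACAO either echoes the
    origin or is "null" (reachable from a sandboxed iframe)."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    acac = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    return acac and (acao == origin or acao == "null")
```

For the probe in this section, the expected result against a correctly configured API is that `credentialed_access_for()` is false for any origin outside the allowlist and for `null`.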

</details>

<details>

<summary>Consumption restrictions</summary>

* Rate Limit: guarantees a total number of requests within a given time interval. It checks whether the number of requests falls within the configured time interval, regardless of the time between each request. When the interval ends, a new one begins and the request count is reset as well.
* Spike Arrest: guarantees a minimum time gap between two requests. If the time between two requests is not respected, the second one is not accepted and the HTTP error code returned is 429.
* Caching.
* Batching attack (GraphQL).
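
Added example (not the checklist's code) implementing the two policies described above as they are stated: a fixed-window rate limit that counts requests per interval regardless of spacing and resets when the interval ends, and a spike arrest that enforces a minimum gap between accepted requests and answers `429` otherwise. The limits and the burst of timestamps are constructed; a real deployment keys the state per client or token and keeps it in a shared store.

```python
"""Fixed-window rate limit vs. spike arrest.

Added example, not the checklist's code. Both policies are deterministic
functions of request timestamps so they can be exercised offline.
"""


class RateLimit:
    """Allow at most `limit` requests per fixed window of `window` seconds.

    The count is checked against the window the request falls into, regardless
    of the spacing between requests; when the window ends the count resets.
    """

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.window_start, self.count = None, 0

    def check(self, now):
        """Return 200 if accepted, 429 if over the limit for the current window."""
        if self.window_start is None or now - self.window_start >= self.window:
            self.window_start, self.count = now, 0      # new interval, count reset
        self.count += 1
        return 200 if self.count <= self.limit else 429


class SpikeArrest:
    """Require at least `min_gap` seconds between two accepted requests."""

    def __init__(self, min_gap):
        self.min_gap = min_gap
        self.last_accepted = None

    def check(self, now):
        """Return 200 if accepted, 429 if it arrives too soon after the last accepted one."""
        if self.last_accepted is not None and now - self.last_accepted < self.min_gap:
            return 429                                   # rejected; the gap is measured
        self.last_accepted = now                         # from the last accepted request
        return 200


def simulate(policy, timestamps):
    """Run a burst of request timestamps (seconds) through a policy; returns status codes."""
    return [policy.check(t) for t in timestamps]


# Constructed burst: five requests in 0.4 s, one at 5 s, two more at 10 s.
BURST = [0.0, 0.1, 0.2, 0.3, 0.4, 5.0, 10.0, 10.1]
```

Running the same burst through both policies shows the difference: the rate limit accepts the first three of the window and everything in the next window, while the spike arrest rejects any request closer than the gap to the previous accepted one, whatever the window count.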

</details>

<details>

<summary>Automated scanning</summary>

* Burp Suite Professional.
* Nuclei.

```sh
nuclei -u <URL> -H "Authorization: Bearer <token>" -ts -silent
```

* Burp Bounty Pro.
* OWASP Zed Attack Proxy (ZAP).

</details>

<details>

<summary>Vulnerabilities</summary>

* [HTTP Host header](/explotacion/http-host-header.md).
* [Cross-site scripting (XSS)](/explotacion/cross-site-scripting-xss.md).
* [Path traversal & file inclusion](/explotacion/path-traversal-and-file-inclusion.md).
* [Command injection](/explotacion/command-injection.md).
* [SQL injection (SQLi)](/explotacion/sql-injection-sqli.md).
  * [MySQL / MariaDB](/explotacion/sql-injection-sqli/mysql-mariadb.md).
  * [Microsoft SQL Server](/explotacion/sql-injection-sqli/microsoft-sql-server.md).
  * [PostgreSQL](/explotacion/sql-injection-sqli/postgresql.md).
  * [Oracle](/explotacion/sql-injection-sqli/oracle.md).

```sh
# General
sqlmap -r request-general-1.txt --random-agent --threads=10 --batch --flush-session --hostname --proxy=http://127.0.0.1:8080
sqlmap -r request-general-2.txt --level=5 --risk=3 --random-agent --threads=10 --batch --flush-session --hostname --proxy=http://127.0.0.1:8080

# GET parameters
sqlmap -r request-get-1.txt --method GET -p "<param1>,<param2>,<param3>" --random-agent --threads=10 --batch --flush-session --hostname --proxy=http://127.0.0.1:8080
sqlmap -r request-get-2.txt --method GET -p "<param1>,<param2>,<param3>" --level=5 --risk=3 --random-agent --threads=10 --batch --flush-session --hostname --proxy=http://127.0.0.1:8080

# HTTP Headers
sqlmap -r request-headers-1.txt --header="<header1>: <value1>*" --header="<header2>: <value2>*" --header="<header3>: <value3>*" --random-agent --threads=10 --batch --flush-session --hostname --proxy=http://127.0.0.1:8080
sqlmap -r request-headers-2.txt --level=5 --risk=3 --header="<header1>: <value1>*" --header="<header2>: <value2>*" --header="<header3>: <value3>*" --random-agent --threads=10 --batch --flush-session --hostname --proxy=http://127.0.0.1:8080
```

* [NoSQL injection (NoSQLi)](/explotacion/nosql-injection-nosqli.md).
* [XML external entity (XXE) injection](/explotacion/xml-external-entity-xxe-injection.md).
* [CRLF injection](/explotacion/crlf-injection.md).
* [XPath injection](/explotacion/xpath-injection.md).
* [LDAP injection](/explotacion/ldap-injection.md).
* [PDF injection](/explotacion/pdf-injection.md).
* [Server-side template injection (SSTI)](/explotacion/server-side-template-injection-ssti.md).
* [Server-side parameter pollution](/explotacion/server-side-parameter-pollution.md).
* [Server-side request forgery (SSRF)](/explotacion/server-side-request-forgery-ssrf.md).
* [Web cache poisoning](/explotacion/web-cache-poisoning.md).
* [HTTP request smuggling](/explotacion/http-request-smuggling.md).
* [GraphQL](/explotacion/graphql.md).

</details>

