How To Do Recon: API Enumeration

This week we cover how to do API enumeration/API recon. I show you how to find new API endpoints using tools like Burp Intruder and Ffuf, as well as how to find hidden parameters using Arjun, including how to act on this data and use it to find bugs!

Did you know this episode was sponsored by Intigriti? Sign up with my link http://go.intigriti.com/katie I'm so pleased with everyone's positive response to the Intigriti sponsorship and I'm so pleased you folks are finding bugs and even finding your first bugs! Thank you for being awesome!

This episode was due to come out next week, but due to popular demand I have released it early for you folks; hopefully you'll have some good data this week that you can hack on next week! Sorry for the references to next week's video!

In this video we go through some theory first and do a little refresh on what an API is and how they work, then we go into the theory of recon before I do some live demos hacking on a fake API. I'd love to have done this video on a real bug bounty target, but with recon there's a lot I could miss or disclose by accident!

Do you want to support me? Why not buy me a coffee? https://ko-fi.com/insiderphd
Got questions? I have answers, Tweet at me https://twitter.com/InsiderPhD

Timestamps
0:00 Introduction to the video & catchup
7:29 Introduction to API enumeration
16:15 Easy API Enumeration
20:01 Creating Wordlists
25:05 DEMO: Burp Intruder
35:07 DEMO: Ffuf
41:38 DEMO: Arjun
48:27 Analysing Arjun results
50:07 DEMO: Practical bug hunting

Commands I run
- Ffuf:
  ffuf -w wordlist.txt -u http://192.168.1.11:8000/api/FUZZ/6 -o output.txt -x http://127.0.0.1:8080
- Arjun (the -x parameter sends requests to Burp; leave it out if you do not want to send requests to Burp or if you use the original version):
  python arjun.py -u http://192.168.1.11:8000/api/users --post -o data/result.json -x http://127.0.0.1:8080

Links to the stuff I talk about

Example APIs
- My Fake API: https://github.com/InsiderPhD/example-for-devslop
- Twitter: https://developer.twitter.com/en/docs/tweets/search/api-reference
- Facebook: https://developers.facebook.com/docs/graph-api
- Yahoo: https://developer.yahoo.com/api/

Tools
- Ffuf: https://github.com/ffuf/ffuf
- Arjun (my version): https://github.com/InsiderPhD/Arjun
- Arjun (original): https://github.com/s0md3v/Arjun
- Arjun dockerfile: https://gist.github.com/InsiderPhD/f1eaa95b8479b54e8849beb596d669f5

Videos
- Finding Your First Bug: Finding Bugs in APIs https://youtu.be/yCUQBc2rY9Y
- API Hacking for the Actually Pretty Inexperienced Hacker https://youtu.be/qqmyAxfGV9c
- Finding Your First Bug: Manual IDOR Hunting https://youtu.be/gINAtzdccts
- IDOR Hunting With Firefox Containers https://youtu.be/zeDb9ugIGYs
- (Nahamsec) Creating Wordlists for Hacking, Pentesting & Bug Bounty Hunting Using Seclists, Bigquery, and More! https://youtu.be/QGbTaxtEQlg

Wordlists
- SecLists: https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content/api & https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/common-api-endpoints-mazen160.txt
- Fuzzdb: https://github.com/fuzzdb-project/fuzzdb/blob/master/discovery/common-methods/common-methods.txt
- SecLists Raft Words: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/raft-small-words.txt
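Seen from the other side, the wordlist fuzzing these commands perform leaves a recognisable trace in a web server's access log: one client collecting many 404s under /api/ (endpoint enumeration), or one client trying many distinct query-parameter names against a single endpoint (parameter discovery). The script below is an added defender-side example, not code from the video or its fake API; it runs that check over a constructed Common Log Format sample, and the /api/ prefix and the two thresholds are assumptions to tune per application.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Common Log Format lines (not real traffic): 10.0.0.5 walks a
# wordlist under /api/<word>/6, 10.0.0.9 guesses parameter names on /api/users.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2020:10:00:01 +0000] "GET /api/users/6 HTTP/1.1" 200 512
10.0.0.5 - - [12/Oct/2020:10:00:01 +0000] "GET /api/admin/6 HTTP/1.1" 404 23
10.0.0.5 - - [12/Oct/2020:10:00:01 +0000] "GET /api/accounts/6 HTTP/1.1" 404 23
10.0.0.5 - - [12/Oct/2020:10:00:02 +0000] "GET /api/v2/6 HTTP/1.1" 404 23
10.0.0.5 - - [12/Oct/2020:10:00:02 +0000] "GET /api/profiles/6 HTTP/1.1" 404 23
10.0.0.5 - - [12/Oct/2020:10:00:02 +0000] "GET /api/debug/6 HTTP/1.1" 404 23
10.0.0.9 - - [12/Oct/2020:10:00:03 +0000] "POST /api/users?admin=1&debug=1&role=x HTTP/1.1" 200 512
10.0.0.9 - - [12/Oct/2020:10:00:03 +0000] "POST /api/users?id=1&token=a&user=b HTTP/1.1" 200 512
10.0.0.9 - - [12/Oct/2020:10:00:04 +0000] "POST /api/users?key=1&secret=2&auth=3 HTTP/1.1" 200 512
192.0.2.7 - - [12/Oct/2020:10:00:05 +0000] "GET /api/users/6 HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_log(text):
    """Yield (client, method, path, query-parameter names, status) per line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        client, method, target, status = m.groups()
        parts = urlsplit(target)
        names = set(parse_qs(parts.query, keep_blank_values=True))
        yield client, method, parts.path, names, int(status)

def find_enumeration(text, api_prefix="/api/", miss_threshold=5, param_threshold=8):
    """Return {client: reason}; thresholds count distinct 404'd paths / param names."""
    misses = defaultdict(set)   # client -> API paths that returned 404
    params = defaultdict(set)   # (client, path) -> parameter names seen
    for client, _method, path, names, status in parse_log(text):
        if not path.startswith(api_prefix):
            continue
        if status == 404:
            misses[client].add(path)
        params[(client, path)].update(names)
    findings = {}
    for client, paths in misses.items():
        if len(paths) >= miss_threshold:
            findings[client] = "endpoint fuzzing (%d distinct 404s)" % len(paths)
    for (client, path), names in params.items():
        if len(names) >= param_threshold:
            findings[client] = "parameter guessing on %s (%d names)" % (path, len(names))
    return findings
```

Counting distinct paths and parameter names rather than raw request volume keeps a legitimate client that retries one missing resource from tripping the rule.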