0xspade

API TESTING

Aug 31st, 2019

API

  • Try to identify as many endpoints as you can (go through every workflow in the application to generate API calls, search GitHub, run dirsearch, etc.)

  • Try all methods (GET, POST, PUT, PATCH, DELETE, OPTIONS, and a nonexistent verb such as QWE, etc.)

  • Generate Error messages

  • Send data types the endpoint is not expecting (string, int, bool, array, etc.)

  • Send malformed JSON, e.g.: {"Testing":"hack test'""}
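The three points above (error messages, unexpected types, malformed JSON) all probe the same server-side weakness: a handler that passes parser or type errors straight back to the client. The following is an added example, not code from the paste or its author, showing a leaky body parser next to a strict one that validates against a hypothetical schema and answers every problem with the same generic 400 while keeping the detail in the server log. The schema, endpoint and sample bodies are constructed for illustration.

```python
"""Strict request validation for a JSON endpoint: rejects malformed JSON,
unexpected types, unknown or missing fields with one generic client error
and never echoes parser exceptions to the caller.
Constructed example; SCHEMA and the endpoint are hypothetical."""
import json
import logging

log = logging.getLogger("api")

# Hypothetical schema for a "create note" endpoint: field -> required type.
SCHEMA = {"title": str, "pinned": bool, "tags": list}

GENERIC_400 = (400, {"error": "invalid request"})


def parse_body_leaky(raw: str):
    """The pattern the checklist is hunting for: the exception text becomes
    the response body, so a malformed body reveals parser and stack details."""
    try:
        return 200, json.loads(raw)
    except json.JSONDecodeError as exc:
        return 400, {"error": str(exc)}


def _type_ok(value, expected) -> bool:
    """isinstance with one Python quirk handled: bool is a subclass of int,
    so a bare isinstance() would accept true/false where an int is required
    and 1/0 where a bool is required."""
    if isinstance(value, bool):
        return expected is bool
    return isinstance(value, expected)


def parse_body(raw: str, schema=SCHEMA):
    """Return (status, body). Every rejection maps to GENERIC_400; the precise
    reason is logged server-side only, which is where the tester's probes
    should become visible to the defenders."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        log.warning("rejected malformed JSON: %s", exc)
        return GENERIC_400
    if not isinstance(data, dict):
        log.warning("rejected non-object body of type %s", type(data).__name__)
        return GENERIC_400
    unknown = set(data) - set(schema)
    missing = set(schema) - set(data)
    if unknown or missing:
        log.warning("field mismatch unknown=%s missing=%s", sorted(unknown), sorted(missing))
        return GENERIC_400
    for field, expected in schema.items():
        if not _type_ok(data[field], expected):
            log.warning("field %s has type %s, wanted %s",
                        field, type(data[field]).__name__, expected.__name__)
            return GENERIC_400
    return 200, data


if __name__ == "__main__":
    # Constructed probes, including the malformed body from the checklist.
    probes = [
        '{"Testing":"hack test\'""}',                       # malformed JSON
        '[1, 2]',                                           # wrong top-level type
        '{"title":"x","pinned":"true","tags":[]}',          # string where bool expected
        '{"title":"x","pinned":true,"tags":[],"extra":1}',  # unknown field
        '{"title":"x","pinned":true,"tags":["a"]}',         # valid
    ]
    for p in probes:
        print(p, "->", parse_body_leaky(p)[1], "| strict:", parse_body(p))
```

Run it and compare the two columns: the leaky parser hands back `Expecting ',' delimiter: line 1 column ...` for the malformed body, which is exactly the kind of message the checklist tells a tester to generate, while the strict parser gives the same `invalid request` for every bad input and leaves the distinguishing detail in the log.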

Scanning with Burp often generates error messages

  • Send the request to Intruder
  • Add positions to scan
  • Right click
  • Select Scan defined insertion points

RCE can sometimes be achieved with:

  • SSTI
  • File upload?
    ({"filename":"test.png","fileContent":"data:image/png;base64,..."})
    Uploads can also lead to XXE or stored XSS

LOGICAL BUGS

  • Play with 3 separate accounts:
    • 2 organizations (if applicable)
    • 2 users from one organization and 1 user from a different organization
  • Try to view/modify/delete other users' information both in the same org and cross org
  • Try to identify IDs through information leaks
  • Use Burp Intruder

PRIVILEGE ESCALATIONS

  • Play with 4 separate accounts:
    • 1 admin and 1 user per org each
  • Replace the admin's authorization token with the one belonging to the regular user
    • Do the same cross org
  • Try to access endpoints without any authorization token at all
  • The Autorize Burp extension is great for this

IDOR

  • Chain IDORs together to achieve ATO
  • Can also lead to massive information leak (PII)
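The three sections above (logical bugs, privilege escalation, IDOR) are all variations of one account matrix: same-org user, cross-org user, admin, and no token at all, each tried against every object ID. The following is an added example, not code from the paste or its author, that turns that matrix into an authorization regression test the owning team can run in CI. It uses an in-memory stand-in for the API with constructed tokens, users and records (all placeholders), a handler that only authenticates (the IDOR case) beside one that also checks org and ownership, and a policy oracle that flags every mismatch.

```python
"""Authorization regression harness: runs the multi-account matrix from the
checklist (admin and user per org, cross-org, no token, bogus token) against
an in-memory stand-in for an API and reports every policy violation.
All tokens, users and records below are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    org: str
    role: str  # "admin" or "user"


# Constructed token table: one admin and one user per org, as the checklist suggests.
TOKENS = {
    "tok-alice": Principal("alice", "org-A", "admin"),
    "tok-bob":   Principal("bob",   "org-A", "user"),
    "tok-carol": Principal("carol", "org-B", "admin"),
    "tok-dave":  Principal("dave",  "org-B", "user"),
}

# Constructed resources with sequential ids (the property that makes IDOR easy to find).
RECORDS = {
    1: {"org": "org-A", "owner": "alice", "pii": "placeholder-A1"},
    2: {"org": "org-A", "owner": "bob",   "pii": "placeholder-A2"},
    3: {"org": "org-B", "owner": "dave",  "pii": "placeholder-B3"},
}


def authenticate(token):
    """Return the Principal for a token, or None when the token is missing or unknown."""
    return TOKENS.get(token) if token else None


def get_record_idor(token, record_id):
    """Vulnerable handler: authenticates the caller but never performs an
    object-level check, so any valid token reads any record."""
    if authenticate(token) is None:
        return 401, None
    rec = RECORDS.get(record_id)
    return (404, None) if rec is None else (200, rec)


def get_record_fixed(token, record_id):
    """Hardened handler: tenant check first, then owner-or-admin.
    Foreign-org and nonexistent records get the same 404 so the endpoint
    does not confirm which ids exist in other tenants."""
    who = authenticate(token)
    if who is None:
        return 401, None
    rec = RECORDS.get(record_id)
    if rec is None or rec["org"] != who.org:
        return 404, None
    if who.role != "admin" and rec["owner"] != who.user_id:
        return 403, None
    return 200, rec


def expected_status(token, record_id):
    """Policy oracle, written independently of the handlers: the status the
    intended access rules require for this (caller, record) pair."""
    who = authenticate(token)
    if who is None:
        return 401
    rec = RECORDS.get(record_id)
    if rec is None or rec["org"] != who.org:
        return 404
    if who.role != "admin" and rec["owner"] != who.user_id:
        return 403
    return 200


def access_matrix(handler):
    """Exercise every (token, record) pair, including no token, a bogus token
    and a nonexistent id. Returns (token, record_id, expected, actual) for each violation."""
    violations = []
    for token in list(TOKENS) + [None, "tok-bogus"]:
        for rid in list(RECORDS) + [999]:
            actual, _ = handler(token, rid)
            want = expected_status(token, rid)
            if actual != want:
                violations.append((token, rid, want, actual))
    return violations


if __name__ == "__main__":
    for name, handler in (("idor", get_record_idor), ("fixed", get_record_fixed)):
        found = access_matrix(handler)
        print(f"{name}: {len(found)} violation(s)")
        for v in found:
            print("  token=%s record=%s expected=%s got=%s" % v)
```

Against the vulnerable handler the matrix reports seven violations: the cross-org reads the checklist calls out (dave reading records 1 and 2, carol reading 1 and 2, alice and bob reading 3) plus the same-org case of bob reading alice's record. Against the hardened handler it reports none, and the oracle being separate from the handler is what keeps the test honest when the handler changes later.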