Online Courses
API Penetration Testing Course

DevTools


Last updated 1 year ago

DevTools contains some highly underrated web application hacking tools. The following steps will help you easily and systematically filter through thousands of lines of code in order to find sensitive information in page sources. Begin by opening your target page, then open DevTools with F12 or CTRL+SHIFT+I. Adjust the DevTools window until you have enough space to work with. Select the Network tab and then refresh the page (CTRL+R).

You can use the filter tool to search for any term you would like, such as "API", "v1", or "graphql". This is a quick way to find the API endpoints in use. You can also leave the DevTools Network tab open while you perform actions on the web page. For example, let's check out what happens if we leave DevTools open while we authenticate to crAPI. You should see a new request pop up. At this point, you can dive deeper by right-clicking on one of the requests and selecting "Edit and Resend".

This will allow you to inspect the request in the browser, edit the headers or request body, and send it back to the API provider. Although this is a great DevTools feature, you may want to move into a tool built for interacting with APIs, such as Postman. You can use DevTools to migrate individual requests over to Postman using cURL: right-click the request in the Network tab and choose Copy, then Copy as cURL.

Once you have copied the desired request, open Postman. Select Import and click on the "Raw text" tab. Paste in the cURL command and select Import.

Once the request has been imported, it will carry all of the headers and the request body needed to make additional requests in Postman. This is a quick way to start interacting with an API from a single captured request. To automatically build out a more complete Postman Collection, check out the next module, which is on Reverse Engineering an API.
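As an added example that is not part of the course, the filtering step above can be repeated offline against a HAR file saved from the Network tab (its Save all as HAR option): the script keeps only requests whose path matches the same search terms, collapses them into an endpoint inventory, and marks which of them were sent with credential-bearing headers, so you can see at a glance which discovered endpoints the application expects to be authenticated. The HAR excerpt, host and paths are constructed for illustration.

```python
import json
import re
import sys
from urllib.parse import urlsplit

# Constructed HAR excerpt standing in for a file saved from the DevTools
# Network tab; the host and paths are made up for this example.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://app.example.test/static/app.js",
                 "headers": []}},
    {"request": {"method": "POST", "url": "https://app.example.test/identity/api/v1/login",
                 "headers": [{"name": "Content-Type", "value": "application/json"}]}},
    {"request": {"method": "GET", "url": "https://app.example.test/identity/api/v1/user/dashboard?x=1",
                 "headers": [{"name": "Authorization", "value": "Bearer constructed.jwt.value"}]}},
    {"request": {"method": "POST", "url": "https://app.example.test/graphql",
                 "headers": [{"name": "Cookie", "value": "session=constructed"}]}},
]}})

# The same terms the course suggests typing into the DevTools filter box.
DEFAULT_TERMS = ("api", "v1", "graphql")
CREDENTIAL_HEADERS = {"authorization", "cookie", "x-api-key"}


def api_inventory(har_text, terms=DEFAULT_TERMS):
    """Map (method, path) -> set of credential header names for every request
    whose path or query contains one of the terms, mirroring the Network filter."""
    pattern = re.compile("|".join(re.escape(t) for t in terms), re.IGNORECASE)
    inventory = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        if not pattern.search(parts.path + "?" + parts.query):
            continue
        key = (req["method"].upper(), parts.path)  # drop the query: one row per endpoint
        names = {h["name"].lower() for h in req.get("headers", [])}
        inventory.setdefault(key, set()).update(names & CREDENTIAL_HEADERS)
    return inventory


def format_inventory(inventory):
    """One line per endpoint, marking those that were sent with credentials."""
    lines = []
    for (method, path), creds in sorted(inventory.items()):
        flag = f" [credentialed: {', '.join(sorted(creds))}]" if creds else ""
        lines.append(f"{method:6} {path}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    har = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HAR
    print(format_inventory(api_inventory(har)))
```

Run it with the path to a saved HAR file as the first argument; with no argument it processes the constructed sample.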

Reconnaissance is extremely important when testing APIs. Discovering API endpoints is a necessary first step when attacking APIs. Good recon also has the added benefit of potentially providing you with the keys to the castle in the form of API keys, passwords, tokens, and other useful information disclosures.