Online Courses
API Penetration Testing Course
Online Courses
API Penetration Testing Course
  • Introduction
  • Setting Up
    • Tools
    • Hacking Lab
  • API Reconnaissance
    • Introduction to API Reconnaissance
    • Passive Reconnaissance
      • Google Dorking
      • GitDorking
      • TruffleHog
      • API Directories
      • Shodan
      • The Wayback Machine
    • Active Reconnaissance
      • Nmap
      • OWASP Amass
      • Directory Brute-force with Gobuster
      • Kiterunner
      • DevTools
      • Directory Brute-Forcing
  • Endpoint Analysis
    • Reverse Engineering an API
    • Excessive Data Exposure
    • Assessment
  • Scanning APIs
    • Finding Security Misconfigurations
    • Scanning APIs with OWASP ZAP
    • Assessment
  • Authentication Attacks
    • Classic Authentication Attacks
      • Note on Base64 Encoding
    • Token Attacks
    • Assessment
  • Exploiting API Authorization
    • Exploiting API Authorization
    • Broken Object Level Authorization (BOLA)
    • Broken Function Level Authorization (BFLA)
    • Assessment
  • Improper Assets Management
    • Improper Assets Management
    • Finding Improper Assets Management Vulnerabilities
    • Assessment
  • Mass Assignment
    • Mass Assignment Attacks
    • Other Mass Assignment Vectors
    • Hunting for Mass Assignment
    • Assessment
  • Exploiting Server-Side Request Forgery
    • Server-Side Request Forgery
    • Types of SSRF
    • Ingredients for SSRF
    • Testing for SSRF
    • Assessment
  • Injection Vulnerabilities
    • Testing for Injection Vulnerabilities
    • Discovering Injection Vulnerabilities
      • SQL Injection Metacharacters
      • NoSQL Injection
      • OS Injection
    • Fuzzing Wide with Postman
    • Fuzzing Deep with WFuzz
    • Assessment
  • Evasion and Combining Techniques
    • Evasive Maneuvers
    • Combining Techniques
Powered by GitBook
On this page
  1. API Reconnaissance

Passive Reconnaissance

Passive API Reconnaissance is the act of obtaining information about a target without directly interacting with the target’s systems. When you take this approach, your goal is to find and document public information about your target’s attack surface.

Typically, passive reconnaissance leverages open-source intelligence (OSINT), which is data collected from publicly available sources. You will be on the hunt for API endpoints, exposed credentials, version information, API documentation, and information about the API’s business purpose. Any discovered API endpoints will become your targets later, during active reconnaissance. Credential-related information will help you test as an authenticated user or, better, as an administrator. Version information will help inform you about potential improper assets and other past vulnerabilities. API documentation will tell you exactly how to test the target API. Finally, discovering the API’s business purpose can provide you with insight into potential business logic flaws.

As you are collecting OSINT, it is entirely possible you will stumble upon a critical data exposure, such as API keys, credentials, JSON Web Tokens (JWT), and other secrets that would lead to an instant win. Other high-risk findings would include leaked PII or sensitive user data such as SSN, full names, email addresses, and credit card information. These sorts of findings should be documented and reported immediately because they present a valid critical weakness.

Now we will check out a few passive reconnaissance techniques that can be leveraged to discover APIs. Including Google Dorking, Git Dorking, API Repositories, the Way Back Machine, and Shodan.

PreviousIntroduction to API ReconnaissanceNextGoogle Dorking

Last updated 1 year ago