API Pentest: Information Gathering and Reconnaissance with examples

During the information gathering and reconnaissance phase of an API penetration test, you aim to collect as much information as possible about the target API.

This phase helps you understand the API’s functionality, endpoints, technologies, and potential vulnerabilities.

Here are some examples of tasks you might perform during this phase:

1. Review API Documentation:
   • Read any available API documentation, including user guides, developer manuals, and API reference guides.
   • Understand the purpose of the API, its endpoints, input parameters, and expected responses.
2. Explore Swagger / OpenAPI Documentation:
   • If the API uses Swagger or OpenAPI, review the API specification document.
   • This document outlines the API’s endpoints, input parameters, authentication methods, and more.
3. Web Application Scanning:
   • Use automated web application scanners to identify API endpoints and potential vulnerabilities.
   • Look for API-related URLs or paths in the scanner’s results.
4. Review Source Code:
   • If the API is part of a larger application, review the application’s source code.
   • Identify how the API is implemented, including how input is processed and data is handled.
5. Endpoint Discovery:
   • Manually explore the application to find hidden or undocumented API endpoints.
   • Look for patterns like “/api/v1” or “/services” in URLs.
6. Network Traffic Analysis:
   • Capture and analyze network traffic between client applications and the API.
   • Identify API endpoints, request parameters, and potential security headers.
7. HTTP Methods and Headers:
   • Identify which HTTP methods (GET, POST, PUT, DELETE, etc.) are supported by the API.
   • Analyze headers in API responses for security-related information.
8. Error Messages:
   • Trigger intentional errors in API requests to observe error messages.
   • Look for information that could aid attackers, such as stack traces or system paths.
9. Directory and File Enumeration:
   • Use directory and file brute-forcing tools to identify hidden or sensitive files on the server.
   • Look for configuration files, backup files, or hidden resources.
10. Subdomain Enumeration:
    • Identify subdomains associated with the API’s domain.
    • Subdomains might reveal additional API endpoints or services.
11. WHOIS and DNS Information:
    • Gather WHOIS information about the target domain.
    • Look up DNS records to identify associated IP addresses and services.
12. Technology Stack Identification:
    • Use fingerprinting tools to identify the technologies and frameworks used in the API.
    • This information can help you identify potential vulnerabilities.
13. Social Engineering and OSINT:
    • Gather information from social media, forums, and online resources related to the API.
    • Learn about potential internal naming conventions, developers, and technologies in use.
14. Authentication and Authorization Analysis:
    • Understand the API’s authentication methods (e.g., API keys, tokens, OAuth).
    • Analyze authorization mechanisms for different user roles and permissions.
15. API Token Analysis:
    • Identify how API tokens are issued, transmitted, and validated.
    • Check token expiration, scope, and associated permissions.
16. Endpoint Parameter Analysis:
    • Analyze input parameters for each API endpoint.
    • Identify potential injection points or vulnerabilities.

Remember that the goal of this phase is to gather comprehensive information about the API’s structure, functionality, and potential weak points. This information will guide your subsequent testing efforts and help you identify vulnerabilities effectively.

Below is a simple Python script that demonstrates some basic techniques for information gathering and reconnaissance during an API pentest.

Note: Please note that this script is for educational purposes and should only be used on systems you have explicit permission to test. Always follow ethical guidelines and obtain proper authorization before conducting any security testing.

Example 1: In this example, we’ll use the requests library to interact with the target API and gather information about its endpoints and headers.

import requests

def get_api_endpoints(base_url):
    response = requests.get(base_url)
    
    if response.status_code == 200:
        json_response = response.json()
        return json_response
    else:
        print(f"Error: Unable to fetch API endpoints. Status code: {response.status_code}")
        return None

def analyze_headers(response):
    print("Response Headers:")
    for header, value in response.headers.items():
        print(f"{header}: {value}")

if __name__ == "__main__":
    target_api_url = "https://api.example.com"
    
    print(f"Fetching API endpoints from {target_api_url}...")
    endpoints = get_api_endpoints(target_api_url)
    
    if endpoints:
        print("API Endpoints:")
        for endpoint in endpoints:
            print(endpoint)
            response = requests.get(target_api_url + endpoint)
            analyze_headers(response)
            print("=" * 40)
    else:
        print("Exiting...")

Example 2: Information Gathering and Reconnaissance from a curl request:

import subprocess
import json

def fetch_api_info(api_url):
    try:
        # Execute the curl command to fetch API information
        curl_command = ['curl', '-s', api_url]
        api_response = subprocess.check_output(curl_command, universal_newlines=True)
        
        # Parse JSON response
        api_info = json.loads(api_response)
        return api_info
    except Exception as e:
        print(f"Error: {e}")
        return None

if __name__ == "__main__":
    target_api_url = "https://api.example.com"
    
    print(f"Fetching API information from {target_api_url}...")
    api_info = fetch_api_info(target_api_url)
    
    if api_info:
        print("API Endpoints:")
        for endpoint in api_info:
            print(endpoint)
            print("=" * 40)
    else:
        print("Exiting...")

Example 3: Fetch API Endpoints and Response Headers

import subprocess
import json

def fetch_api_info(api_url):
    try:
        # Execute the curl command to fetch API information
        curl_command = ['curl', '-s', '-D', '-', api_url]
        api_response = subprocess.check_output(curl_command, universal_newlines=True)
        
        # Parse JSON response
        api_info = json.loads(api_response.split('\r\n\r\n', 1)[1])
        return api_info
    except Exception as e:
        print(f"Error: {e}")
        return None

if __name__ == "__main__":
    target_api_url = "https://api.example.com"
    
    print(f"Fetching API information from {target_api_url}...")
    api_info = fetch_api_info(target_api_url)
    
    if api_info:
        print("API Endpoints:")
        for endpoint in api_info:
            print(endpoint)
            print("=" * 40)
    else:
        print("Exiting...")

Example 4: Send a POST Request with Data

import subprocess
import json

def send_post_request(api_url, json_data):
    try:
        # Execute the curl command to send a POST request
        curl_command = ['curl', '-X', 'POST', '-H', 'Content-Type: application/json', '-d', json_data, api_url]
        response = subprocess.check_output(curl_command, universal_newlines=True)
        return response
    except Exception as e:
        print(f"Error: {e}")
        return None

if __name__ == "__main__":
    target_api_url = "https://api.example.com"
    json_data = '{"key": "value"}'
    
    print(f"Sending POST request to {target_api_url} with data: {json_data}...")
    response = send_post_request(target_api_url, json_data)
    
    if response:
        print("API Response:")
        print(response)
    else:
        print("Exiting...")

These examples demonstrate how to perform different API reconnaissance and interaction tasks using curl commands within a Python script. Be sure to adapt them to your specific testing needs and ensure proper authorization before conducting any security testing.