👨🎤Identifying and Interacting with API Endpoint
Last updated
Last updated
While browsing the application, look for patterns that suggest API endpoints in the URL structure, such as /api/
. Also look out for JavaScript files. These can contain references to API endpoints that you haven't triggered directly via the web browser.
Burp Scanner automatically extracts some endpoints during crawls, but for a more heavyweight extraction, use the JS Link Finder BApp. You can also manually review JavaScript files in Burp.
Identify API Endpoints
Interact with them using burp repeater and intruder
This enables you to observe the API's behavior and discover additional attack surface. For example, you could investigate how the API responds to changing the HTTP method and media type.
Review the error messages
As you interact with the API endpoints, review error messages and other responses closely. Sometimes these include information that you can use to construct a valid HTTP request.
The HTTP method specifies the action to be performed on a resource. For example:
GET
- Retrieves data from a resource.
PATCH
- Applies partial changes to a resource.
OPTIONS
- Retrieves information on the types of request methods that can be used on a resource.
For example, the endpoint /api/tasks
may support the following methods:
GET /api/tasks
- Retrieves a list of tasks.
POST /api/tasks
- Creates a new task.
DELETE /api/tasks/1
- Deletes a task.
Note
When testing different HTTP methods, target low-priority objects. This helps make sure that you avoid unintended consequences, for example altering critical items or creating excessive records.
API endpoints often expect data in a specific format. They may therefore behave differently depending on the content type of the data provided in a request. Changing the content type may enable you to:
Trigger errors that disclose useful information.
Bypass flawed defenses.
Take advantage of differences in processing logic. For example, an API may be secure when handling JSON data but susceptible to injection attacks when dealing with XML.
To change the content type, modify the Content-Type
header, then reformat the request body accordingly. You can use the Content type converter BApp to automatically convert data submitted within requests between XML and JSON.
Once you have identified some initial API endpoints, you can fuzz to uncover hidden endpoints. For example, consider a scenario where you have identified the following API endpoint for updating user information:
PUT /api/user/update
To identify hidden endpoints, you could use Burp Intruder to fuzz for other resources with the same structure. For example, you could fuzz the /update
position of the path with a list of other common functions, such as delete
and add
.
When fuzzing, use wordlists based on common API naming conventions and industry terms. Make sure you also include terms that are relevant to the application, based on your initial recon.