Setting up the environment
General index of the course
- Setting up the environment
- API Reconnaissance
- Endpoint Analysis
- Scanning APIs
- API Authorization Attacks
- Exploiting API Authorization
- Testing for Improper Assets Management
- Mass Assignment
- Server-Side Request Forgery
- Injection Attacks
- Evasion and Combining Techniques
- Setting up the labs + Writeups
For this course I'll use a Kali machine running in VirtualBox, built from the latest .ova image available at the time (2022.3).
The setup steps are:
1. Import the Kali .ova into VirtualBox
After importing the appliance I change two settings on the VM before first boot:
- 4 GB RAM
- a bridged network interface
2. Update the system and set up credentials
Change the default password and create a dedicated user for the course:
```bash
sudo passwd kali              # set a new, stronger password for the default user
sudo useradd -m hapihacker    # new user with a home directory
sudo passwd hapihacker        # useradd leaves the account locked until a password is set
sudo usermod -a -G sudo hapihacker
sudo chsh -s /bin/zsh hapihacker
```
3. Install Burp Suite and make sure it is up to date.
4. Add the Autorize extension to Burp Suite. It is a Python extension, so Burp needs Jython first:
- Download the Jython standalone .jar from https://www.jython.org/download.html and point Extender > Options > Python Environment at it.
- In Extender > BApp Store, search for Autorize and install it.
5. Install FoxyProxy in Firefox to send browser traffic to Burp Suite or Postman. Once installed, add two manual proxy profiles:
- Postman: 127.0.0.1, port 5555
- BurpSuite: 127.0.0.1, port 8080
With the BurpSuite profile active, download the Burp CA certificate (visit http://burpsuite in Firefox) and import it into Firefox's certificate store so HTTPS sites proxied through Burp do not raise warnings.
6. mitmweb certificate setup
- Install mitmweb from the terminal (on Kali it ships with the mitmproxy package).
- Make sure Burp Suite is stopped before starting mitmweb: both listen on port 8080 by default, so the second one to start fails to bind.
- Activate the BurpSuite FoxyProxy profile (127.0.0.1:8080) in Firefox; with Burp stopped, that profile now sends the traffic to mitmweb.
- Browse to http://mitm.it in Firefox, download mitmproxy-ca-cert.pem and import it into Firefox, as with the Burp certificate.
7. Install Postman
```bash
sudo wget https://dl.pstmn.io/download/latest/linux64 -O postman-linux-x64.tar.gz \
  && sudo tar -xvzf postman-linux-x64.tar.gz -C /opt \
  && sudo ln -s /opt/Postman/Postman /usr/bin/postman
```
8. Install mitmproxy2swagger
9. Install git
10. Install docker
11. Install Go (Kiterunner is built from source in step 13 and needs it)
12. Install JSON Web Token Toolkit v2
```bash
cd /opt
sudo git clone https://github.com/ticarpi/jwt_tool
cd jwt_tool
python3 -m pip install termcolor cprint pycryptodomex requests
# Optional: make jwt_tool available on PATH
sudo chmod +x jwt_tool.py
sudo ln -s /opt/jwt_tool/jwt_tool.py /usr/bin/jwt_tool
```
13. Install Kiterunner (needs Go from step 11 on the PATH of the user running make)
```bash
cd /opt
sudo git clone https://github.com/assetnote/kiterunner.git
cd kiterunner
sudo make build
sudo ln -s /opt/kiterunner/dist/kr /usr/bin/kr
```
14. Install Arjun
15. Install OWASP ZAP
Run ZAP, open "Manage Add-ons" and make sure the "OpenAPI Support" add-on is installed and marked for update.
16. Get these API-oriented wordlists (run from the directory where you keep wordlists, e.g. /opt)
```bash
# SecLists https://github.com/danielmiessler/SecLists
sudo wget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip \
  && sudo unzip SecList.zip \
  && sudo rm -f SecList.zip
# Hacking-APIs https://github.com/hAPI-hacker/Hacking-APIs
sudo wget -c https://github.com/hAPI-hacker/Hacking-APIs/archive/refs/heads/main.zip -O HackingAPIs.zip \
  && sudo unzip HackingAPIs.zip \
  && sudo rm -f HackingAPIs.zip
```