Postman

Importing API Steps

  1. Find an API: Use the browser's Inspector Mode to locate JSON data.
  2. Copy the request: Extract the request as a cURL command.
  3. Create a new collection: Open Postman and create a new collection to organize your requests.
  4. Import the request in Postman: Use the Import button in Postman to add the copied request.

Capturing Requests

Steps:

  1. Select Website: Identify the target website you want to analyze.
  2. Select Port: Determine the appropriate port for the website (usually port 80 for HTTP and port 443 for HTTPS).
  3. Visit the Targeted Website: Open your browser on the selected port and navigate to the website.
  4. Make Various Requests: Interact with different parts of the website (e.g., visit various pages, manage your account, change your email and password).
  5. Collect Data: After gathering the necessary data, identify all the URLs that contain API calls and add them to your collection.
  6. Organize Requests: Group related requests into folders for better organization within Postman.

Swagger File Generation with mitmproxy (mitmweb)

Pre-steps:

  • Launch mitmweb: Start the MITMproxy tool and intercept traffic.

Steps:

  1. Visit the Targeted Website: Use the designated port in your browser to access the site.
  2. Make Various Requests: Interact extensively with the site to collect traffic data.
  3. Save Collected Data: Return to mitmweb and save the intercepted traffic data.

Converting the File to Swagger:

    sudo mitmproxy2swagger -i ~/Download/FILE-SAVED -o output-file.yml -p WEBSITE -f flow --examples

  1. Edit the Output File: Open the output file using a text editor (e.g., nano) and customize it. Remove the ignore: prefix from the lines for any paths that belong to the API.
  2. Change the Title: Modify the title if necessary and save the file.
  3. Run the Command Again: Convert the file again to ensure your changes are applied.

    sudo mitmproxy2swagger -i ~/Download/FILE-SAVED -o output-file.yml -p WEBSITE -f flow --examples

  1. Load the Swagger File: Go to Swagger Editor to check if you have access to more information than the API intended to expose. You can also create cURL links to test the API.
  2. Import the .YML into Postman: Once you’ve finalized your Swagger file, import it into Postman.
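
The edit step between the two mitmproxy2swagger runs can be scripted when the first-pass file is long. This is an added example, not part of the original page or of the mitmproxy2swagger project: it strips the ignore: prefix only from path templates that match an API pattern and leaves static assets ignored. The function names, the ^/api/ pattern and the sample file (constructed to resemble first-pass output) are assumptions.

```shell
#!/bin/sh
# Added example: selectively un-ignore API paths in a first-pass output file.

# make_sample FILE: write a constructed first-pass file (sample data, not real output)
make_sample() {
    cat > "$1" <<'EOF'
openapi: 3.0.0
info:
  title: example.test Mitmproxy2Swagger
  version: 1.0.0
servers:
- url: https://example.test
paths: {}
x-path-templates:
# Remove the ignore: prefix to generate an endpoint with its URL
- ignore:/api/v1/login
- ignore:/api/v1/users/{id}
- ignore:/static/app.js
- ignore:/favicon.ico
EOF
}

# unignore_api_paths FILE REGEX: print FILE with "ignore:" removed from
# x-path-templates entries whose path matches REGEX. FILE itself is not
# modified, so the result can be reviewed before it replaces the original.
unignore_api_paths() {
    awk -v pat="$2" '
        /^x-path-templates:/ { in_tpl = 1; print; next }
        in_tpl && /^[^-# ]/  { in_tpl = 0 }   # next top-level key ends the list
        in_tpl && /^- ignore:/ {
            path = substr($0, 10)              # text after "- ignore:"
            if (path ~ pat) { print "- " path; next }
        }
        { print }
    ' "$1"
}

# count_pending FILE: number of entries still carrying the ignore: prefix
count_pending() {
    grep -c '^- ignore:' "$1" || true
}

# Demo on the constructed sample: only the two /api/ paths lose the prefix.
sample=$(mktemp)
make_sample "$sample"
unignore_api_paths "$sample" '^/api/'
rm -f "$sample"
```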

Authentication (To Review)

  • Bearer Token: Ensure you understand how to use Bearer tokens for authentication purposes.

Collections / Environments / Categories and Variables (To Review)

  • Find and Replace: Learn how to manage variables within Postman.
  • Variables: Understand how to create and use variables for dynamic requests.
  • Collections: Organize your API requests into collections for easy access.
  • Environments: Set up environments to manage different sets of variables.
  • Categories: Use categories to further organize your requests.

Exploitation

  • API Authentication Attacks: Understand common attack vectors for API authentication.
  • Exploiting API Authorization: Learn about potential weaknesses in API authorization mechanisms.
  • Improper Asset Management: Identify and exploit vulnerabilities due to poor asset management.

Proxy to Burp Suite

  • Utilize Burp Suite to analyze and manipulate API requests for testing purposes.