An API pentesting workflow and cheatsheet mindmap
This is a mindmap built with the Xmind app that gives a visual walkthrough and checklist for REST API testing. Xmind is a free app with paid add-ons, but it is completely usable in the free form. You can get your copy here: https://xmind.app/
This mindmap is a work in progress as I go through the books, research and encounter APIs in pentests. I'll update it with more content and revisions as I further my understanding.
To get the most out of this mindmap it's recommended you download the mindmap file. Then you can:
- copy and paste the included queries and commands
- go to the links for tools
- add your own content
- edit the mindmap visually to your personal satisfaction
- rearrange the order of the flow
The mindmap flows through the following sections:
- Tools and wordlists to get started
- Passive recon to discover APIs
  - Google, git and Shodan dorks
  - Wayback Machine and other passive sites
- Active recon
  - Using tools and wordlists to discover APIs on a target
    - Copy and paste command line commands for tools
  - Scanning and enumerating found APIs
    - Copy and paste command line commands for tools
- Building your own documentation (when none is available)
  - Using Postman or Man in the Middle Web to build documentation
- Unauthenticated API testing
- Authenticated API testing
  - Several classes of vulnerabilities to test for, with example payloads, tools and more
  - API token testing
Hopefully this will help you develop a workflow for testing GraphQL for vulnerabilities. APIs can be overwhelming when there are a lot of endpoints and all the pieces are connected in various ways. This should help you:
- stay focused
- work through a checklist
- keep things visually understandable
- check that things are not missed or overlooked
Additional great API resources:
- https://www.apisecuniversity.com
- https://nostarch.com/hacking-apis
- https://www.packtpub.com/en-us/product/api-security-for-white-hat-hackers-9781800569355
So happy hacking!