Enumeration
General Info
The information below is mostly based on this video.
Discover and enlarge the attack surface, i.e., find new endpoints and/or parameters. The end goal is to build a list of legitimate API endpoints.
Brute-forcing tools
Public documentation
Suitable wordlists
Application poking
Tools: Burp Intruder/ffuf (brute force), arjun (parameter mining)
Assess the API structure before using automated tools.
Explore the app manually.
Which part of the path is the resource name, and which part varies?
What endpoints exist for that resource and what do they do?
Use or create a wordlist customized to the target.
seclists/Discovery/Web-Content/api/ (API-specific), common-methods.txt (API-specific)
Endpoint Enumeration
The examples below are based on the Generic University application. The wordlist used is objects-lowercase.txt.
Using an API-specific but still generic wordlist sometimes does not work (Figure 1).

In this case, it might be better to create a small customized wordlist (Figure 2).

Since we now know that /api/grades/6 and /api/classes/6 exist, we can proceed to brute-force the 6 value to see what else is there. We can also use ffuf to brute-force those endpoints and proxy the requests through Burp, so they are added to the Target site map and the request throttling of Intruder in the Community Edition is "bypassed".
Kiterunner, an API-specific tool, can also be used to enumerate endpoints.
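From the defender's side, the two activities above leave a distinctive footprint in web server access logs: a burst of distinct /api/ paths answered mostly with 404 (wordlist brute force) and one client walking many values of a single numeric path segment (ID brute force). The following is an added example, not part of the original notes or of Generic University: a small Python detector that parses constructed Combined Log Format lines and flags both patterns per client. The log lines, client addresses, window size and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:01 +0000] "GET /api/classes/6 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:02 +0000] "GET /api/grades/6 HTTP/1.1" 200 340
10.0.0.5 - - [10/Oct/2023:13:55:02 +0000] "GET /api/grades/1 HTTP/1.1" 404 23
10.0.0.5 - - [10/Oct/2023:13:55:03 +0000] "GET /api/grades/2 HTTP/1.1" 404 23
10.0.0.5 - - [10/Oct/2023:13:55:03 +0000] "GET /api/grades/3 HTTP/1.1" 200 341
10.0.0.5 - - [10/Oct/2023:13:55:04 +0000] "GET /api/grades/4 HTTP/1.1" 404 23
10.0.0.5 - - [10/Oct/2023:13:55:05 +0000] "GET /api/users HTTP/1.1" 404 23
10.0.0.5 - - [10/Oct/2023:13:55:05 +0000] "GET /api/admin HTTP/1.1" 404 23
10.0.0.5 - - [10/Oct/2023:13:55:06 +0000] "GET /api/debug HTTP/1.1" 404 23
192.168.1.9 - - [10/Oct/2023:13:55:07 +0000] "GET /api/classes/6 HTTP/1.1" 200 512
192.168.1.9 - - [10/Oct/2023:13:56:30 +0000] "GET /api/grades/6 HTTP/1.1" 200 340
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse(log_text):
    """Yield (client, timestamp, path, status) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            client, ts, _method, path, status = m.groups()
            yield client, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path.split("?")[0], int(status)

def template(path):
    """Collapse purely numeric segments so /api/grades/6 and /api/grades/7 share one key."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))

def find_enumeration(log_text, window_s=60, min_paths=5, min_404_ratio=0.5, min_ids=4):
    """Per client, inspect every window_s-second span of /api/ requests and flag
    (a) many distinct paths with a high 404 share and (b) many values of one numeric segment."""
    per_client = defaultdict(list)
    for client, ts, path, status in parse(log_text):
        if path.startswith("/api/"):
            per_client[client].append((ts, path, status))
    findings = defaultdict(set)
    for client, events in per_client.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            win = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_s]
            paths = {p for _, p, _ in win}
            if len(paths) >= min_paths and sum(s == 404 for _, _, s in win) / len(win) >= min_404_ratio:
                findings[client].add("wordlist-style endpoint brute force")
            ids = defaultdict(set)  # template -> distinct concrete paths under it
            for p in paths:
                ids[template(p)].add(p)
            if any("{id}" in t and len(v) >= min_ids for t, v in ids.items()):
                findings[client].add("numeric ID enumeration")
    return dict(findings)
```

A client that legitimately fetches a few objects, like 192.168.1.9 above, stays below both thresholds; tune the window and counts to the API's normal traffic before alerting on them.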
Parameter Enumeration

Parameters can be mined with arjun.

We can also use the Param Miner extension to discover new parameters (Figure 6).
