Enumeration

General Info

The information below is mostly based on this video.

Discover and increase the attack surface, i.e., find new endpoints and/or parameters. The end goal is to create a legit API endpoint list.

Automated

Manual

Brute-forcing tools

Public documentation

Suitable wordlists

Application poking

Burp Intruder/ffuf (brute-force), arjun (parameter mining)

Assess the API structure before using automated tools.
1. Explore the app manually.
2. Which one is the resource name and what changes?
3. What endpoints exist for that resource and what do they do?
Use/Create a wordlist customized to the target.
- seclists/Discovery/Web-Content/api/ (api-specific)
- common-methods.txt (api-specific)
- seclists/Discovery/Web-Content/raft-small-words.txt

Endpoint Enumeration

The examples below are based on the Generic University application. The wordlist used is objects-lowercase.txt.

Using an API-specific, but still generic, wordlist sometimes does not work (Figure 1).

In this case, it might be better to create a small customized wordlist (Figure 2).

$ cat generic_uni_endpoints.txt
grades
grade
classes
courses
course
teachers
professors
university
universities
teacher
professor
class
payments
fees
fee
payment
alumni
students
student

Since we now know that /api/grades/6 and /api/classes/6 exist, we can proceed to brute force the 6 value to see what else is there. We can also use ffuf to brute force those endpoints and also proxy them to Burp so they can be added to Target and "bypass" the throttling of Intruder's community edition.

$ ffuf -u http://localhost/api/FUZZ/6 -w generic_uni_endpoints.txt -c -ac -x http://127.0.0.1:8081

Kiterunner, an API-specific tool, can also be used to enumerate endpoints.

Parameter Enumeration

GitHub - s0md3v/Arjun: HTTP parameter discovery suite.GitHub

$ arjun -u http://localhost/api/users -m POST -o users_results.txt
<SNIP>
[*] Logicforcing the URL endpoint
[✓] parameter detected: _method, based on: http code
[+] Parameters found: _method