Enumeration
General Info
The information below is mostly based on this video.
Discover and increase the attack surface, i.e., find new endpoints and/or parameters. The end goal is to produce a list of legitimate API endpoints.
Sources for new endpoints and parameters:
- Brute-forcing tools: Burp Intruder/ffuf (brute-force), arjun (parameter mining)
- Public documentation
- Suitable wordlists
- Application poking
Assess the API structure before using automated tools:
- Explore the app manually.
- Which path segment is the resource name, and which part varies from request to request?
- What endpoints exist for that resource and what do they do?
- Use or create a wordlist customized to the target:
  - seclists/Discovery/Web-Content/api/ (API-specific)
  - common-methods.txt (API-specific)
Endpoint Enumeration
The examples below are based on the Generic University application. The wordlist used is objects-lowercase.txt.
Using an API-specific, but still generic, wordlist sometimes does not work (Figure 1).

In this case, it might be better to create a small customized wordlist (Figure 2).
$ cat generic_uni_endpoints.txt
grades
grade
classes
courses
course
teachers
professors
university
universities
teacher
professor
class
payments
fees
fee
payment
alumni
students
student

Since we now know that /api/grades/6 and /api/classes/6 exist, we can proceed to brute-force the 6 value to see what else is there. We can also use ffuf to brute-force those endpoints and proxy the requests to Burp, so they are added to Target and the throttling of Intruder in the Community Edition is "bypassed".
$ ffuf -u http://localhost/api/FUZZ/6 -w generic_uni_endpoints.txt -c -ac -x http://127.0.0.1:8081
Kiterunner, an API-specific tool, can also be used to enumerate endpoints.
Parameter Enumeration
$ arjun -u http://localhost/api/users -m POST -o users_results.txt
<SNIP>
[*] Logicforcing the URL endpoint
[✓] parameter detected: _method, based on: http code
[+] Parameters found: _method

(Figure: arjun output)

We can also use the Param Miner extension to discover new parameters (Figure 6).
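The three activities above (brute-forcing resource names against /api/FUZZ/6, walking the numeric ID behind a known resource, and mining parameters with arjun) leave distinctive traces in the web server's access log. The script below is an added example, not part of the original notes or of the Generic University project: it parses a handful of constructed log lines and flags each pattern. The simplified log format, the client addresses, the KNOWN_PARAMS allowlist, the window sizes and the thresholds are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (simplified format, not real traffic):
# client, timestamp, request line, status. 10.0.0.9 plays the scanner.
SAMPLE_LOG = """\
10.0.0.5 [01/Jan/2024:10:00:01] "GET /api/users HTTP/1.1" 200
10.0.0.5 [01/Jan/2024:10:00:02] "GET /api/grades/6 HTTP/1.1" 200
10.0.0.9 [01/Jan/2024:10:00:02] "GET /api/grade/6 HTTP/1.1" 404
10.0.0.9 [01/Jan/2024:10:00:02] "GET /api/courses/6 HTTP/1.1" 404
10.0.0.9 [01/Jan/2024:10:00:03] "GET /api/teachers/6 HTTP/1.1" 404
10.0.0.9 [01/Jan/2024:10:00:03] "GET /api/fees/6 HTTP/1.1" 404
10.0.0.9 [01/Jan/2024:10:00:03] "GET /api/alumni/6 HTTP/1.1" 404
10.0.0.9 [01/Jan/2024:10:00:04] "GET /api/classes/6 HTTP/1.1" 200
10.0.0.9 [01/Jan/2024:10:00:10] "GET /api/grades/1 HTTP/1.1" 200
10.0.0.9 [01/Jan/2024:10:00:10] "GET /api/grades/2 HTTP/1.1" 200
10.0.0.9 [01/Jan/2024:10:00:11] "GET /api/grades/3 HTTP/1.1" 200
10.0.0.9 [01/Jan/2024:10:00:11] "GET /api/grades/4 HTTP/1.1" 200
10.0.0.9 [01/Jan/2024:10:00:12] "GET /api/grades/5 HTTP/1.1" 200
10.0.0.9 [01/Jan/2024:10:00:20] "POST /api/users?_method=PUT&admin=1&debug=1&id=1&role=1&token=1 HTTP/1.1" 200
"""

# Hypothetical allowlist of documented parameters per endpoint.
KNOWN_PARAMS = {"/api/users": {"name", "email"}}

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})$')
TS_FMT = "%d/%b/%Y:%H:%M:%S"
API_PREFIX = "/api/"

def parse_log(text):
    """Return (client, time, method, path, query, status) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, ts, method, url, status = m.groups()
        parts = urlsplit(url)
        events.append((client, datetime.strptime(ts, TS_FMT), method,
                       parts.path, parts.query, int(status)))
    return events

def split_api_path(path):
    """Map /api/<resource>/<numeric id> to (resource, id); id is None when absent, both None outside /api/."""
    if not path.startswith(API_PREFIX):
        return None, None
    segs = path[len(API_PREFIX):].strip("/").split("/")
    resource = segs[0] or None
    object_id = segs[1] if len(segs) > 1 and segs[1].isdigit() else None
    return resource, object_id

def burst(items, window_s, threshold):
    """True if some window of window_s seconds holds at least `threshold` distinct keys (items: (time, key))."""
    items = sorted(items)
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > timedelta(seconds=window_s):
            start += 1
        if len({key for _, key in items[start:end + 1]}) >= threshold:
            return True
    return False

def find_resource_bruteforce(events, window_s=10, threshold=5):
    """Clients that probed >= threshold distinct /api/<resource> names and got 404 inside window_s seconds."""
    per_client = defaultdict(list)
    for client, ts, _, path, _, status in events:
        resource, _ = split_api_path(path)
        if resource and status == 404:
            per_client[client].append((ts, resource))
    return sorted(c for c, items in per_client.items() if burst(items, window_s, threshold))

def find_id_sweeps(events, window_s=10, threshold=5):
    """(client, resource) pairs that walked >= threshold distinct numeric IDs inside window_s seconds."""
    per_key = defaultdict(list)
    for client, ts, _, path, _, _ in events:
        resource, object_id = split_api_path(path)
        if resource and object_id:
            per_key[(client, resource)].append((ts, object_id))
    return sorted(k for k, items in per_key.items() if burst(items, window_s, threshold))

def find_parameter_mining(events, known_params, threshold=3):
    """Requests whose query string carries >= threshold parameter names not documented for that path."""
    hits = []
    for client, _, method, path, query, _ in events:
        names = {k for k, _ in parse_qsl(query, keep_blank_values=True)}
        unknown = names - known_params.get(path, set())
        if len(unknown) >= threshold:
            hits.append((client, method, path, sorted(unknown)))
    return hits

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("resource brute-force:", find_resource_bruteforce(evs))
    print("id sweeps:", find_id_sweeps(evs))
    print("parameter mining:", find_parameter_mining(evs, KNOWN_PARAMS))
```

Two caveats for real deployments: arjun run with -m POST sends its candidate names in the request body, which a standard access log does not record, so the body parameter names have to be logged at the application or WAF layer for the last detector to see them; and a `_method` parameter that the endpoint honours, as in the arjun output above, deserves review on the defending side, since frameworks use that field to override the HTTP verb of a request.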
