Nebula Blogs

Passive Reconnaissance Techniques - API Pentesting

Photo by Nathana Rebouças on Unsplash

Passive Reconnaissance Techniques - API Pentesting

Nebula's photo
Nebula
·

2 min read

I've been studying API penetration testing at APISec University, as I mentioned in the previous post.

I would be summarizing the information I've learned in the course and some of my general research on this topic.

Passive reconnaissance

  1. Google Dorking: Use google's advanced search filters and operators to identify APIs

    Some useful commands:

    inurl: Discover websites with a specific word in the URL.

    intitle: Search for pages with a particular term in the title.

    intext: Look for pages with a specific term (or words) present somewhere in the text.

    filetype: finds a certain filetype that is mentioned in the search.

    Example of a google dork to find potential API keys

    The comprehensive list of Google Dork commands is found here: https://gist.github.com/sundowndev/283efaddbcf896ab405488330d1bbc06

  2. GitHub Dorking

    GitHub can be a useful source for learning about the target API's features, documentation, and hidden information, including API keys, passwords, and tokens.

    Sample search includes:

    filename:swagger.json

    extension: .json

    "Exposed API keys" in Issues

  3. Shodan

    Shodan can be used to identify external-facing APIs and obtain information about your target's open ports if you only have an IP address or the name of the organization to work with. However, the free version is limited to a few search pages.

    Shodan's search query examples: https://www.shodan.io/search/examples

  4. TruffleHog

    As per kali.org, This (TruffleHog) package contains a utility to search through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.

    GitHub source: https://github.com/trufflesecurity/trufflehog

    #sudo docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org="target name"

    or install and run it locally

    #trufflehog $git_url

    Other tools worth exploring:

    programmableweb.com

    As of October 2022, this website has been retired, but it may still include data from older APIs.

    The Wayback Machine

    The Internet Archive, a nonprofit organization based in San Francisco, California, established The Wayback Machine as a digital archive of the World Wide Web.

    It can be used to look for archived data of the target API for possible information disclosure.

api securitypentestingOSINTinfosec#cybersecurity