@soulofzephir/pi-skill-pentesting 1.0.1 → 1.0.3
- package/package.json +1 -1
- package/skills/pentesting/SKILL.md +124 -93
- package/skills/pentesting/checklists/api-security.md +210 -0
- package/skills/pentesting/checklists/cloud-metadata.md +290 -0
- package/skills/pentesting/checklists/sensitive-data.md +323 -0
- package/skills/pentesting/checklists/subdomain.md +243 -0
- package/skills/pentesting/checklists/websocket.md +197 -0
- package/skills/pentesting/tools/test-skill.ps1 +291 -0
- package/skills/pentesting/tools/test-skill.sh +345 -0
- package/soulofzephir-pi-skill-pentesting-1.0.2.tgz +0 -0
package/package.json
CHANGED
|
@@ -1,15 +1,15 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: pentesting
|
|
3
|
-
description: Comprehensive website security testing skill for penetration testing, vulnerability assessment, security headers
|
|
3
|
+
description: Comprehensive website security testing skill for penetration testing, vulnerability assessment, security headers, port scanning, SQL injection, XSS, OWASP Top 10, SSL/TLS, exposed files, CORS, JWT, GraphQL, API security, subdomain discovery, WebSocket, cloud metadata, and sensitive data detection. Use for pentest, security check, vulnerability scan, header security, port scan, SQL injection, XSS, exposed files, CORS, JWT, GraphQL, API security, subdomain, WebSocket, cloud, sensitive data, or bug bounty testing. Generates reports to site/domainname-date.md format.
|
|
4
4
|
---
|
|
5
5
|
|
|
6
6
|
# 🛡️ Pentesting & Security Check Skill
|
|
7
7
|
|
|
8
|
-
> **AUTHOR:** Rz (@soulofzephir) | **VERSION:**
|
|
8
|
+
> **AUTHOR:** Rz (@soulofzephir) | **VERSION:** 4.0 | **LAST UPDATED:** 2025-07-05
|
|
9
9
|
|
|
10
10
|
---
|
|
11
11
|
|
|
12
|
-
## 📋 CAPABILITIES OVERVIEW (
|
|
12
|
+
## 📋 CAPABILITIES OVERVIEW (v4.0)
|
|
13
13
|
|
|
14
14
|
| Category | Coverage | Status |
|
|
15
15
|
|----------|----------|--------|
|
|
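Review bot: The version metadata in this hunk is inconsistent with the package being diffed: the AUTHOR line now states **VERSION:** 4.0 while the package itself moves from 1.0.1 to 1.0.3, and the CAPABILITIES heading repeats the 4.0 label. Track one version number (the package.json version) in SKILL.md so the two cannot drift. The replacement description line is a single very long keyword list; the file already has a trigger list under "This skill auto-loads when user mentions", so the description could be a one-sentence purpose statement and the keywords left to that list. Visible in the file list rather than in this hunk: the package now ships `soulofzephir-pi-skill-pentesting-1.0.2.tgz` inside itself, a stale tarball of the previous release that should be excluded from the published files.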
@@ -21,10 +21,15 @@ description: Comprehensive website security testing skill for penetration testin
|
|
|
21
21
|
| **XXE Testing** | Basic, Blind, DoS | ✅ Manual |
|
|
22
22
|
| **OWASP Top 10** | A01-A10 complete | ✅ Checklist |
|
|
23
23
|
| **SSL/TLS Audit** | Certificate & Ciphers | ✅ testssl.sh |
|
|
24
|
-
| **Exposed Files** | .env, .git, backups, debug | ✅
|
|
25
|
-
| **CORS Security** | Misconfiguration tests | ✅
|
|
26
|
-
| **JWT Security** | Algorithm attacks, brute force | ✅
|
|
27
|
-
| **GraphQL Security** | Introspection, DoS, injection | ✅
|
|
24
|
+
| **Exposed Files** | .env, .git, backups, debug | ✅ Script |
|
|
25
|
+
| **CORS Security** | Misconfiguration tests | ✅ Checklist |
|
|
26
|
+
| **JWT Security** | Algorithm attacks, brute force | ✅ Checklist |
|
|
27
|
+
| **GraphQL Security** | Introspection, DoS, injection | ✅ Checklist |
|
|
28
|
+
| **API Security** | REST API testing, IDOR, rate limit | ✅ **NEW** |
|
|
29
|
+
| **Subdomain Discovery** | Passive/Active enumeration | ✅ **NEW** |
|
|
30
|
+
| **WebSocket Security** | CSWSH, hijacking, DoS | ✅ **NEW** |
|
|
31
|
+
| **Cloud Metadata** | SSRF to AWS/GCP/Azure | ✅ **NEW** |
|
|
32
|
+
| **Sensitive Data** | Credentials, PII exposure | ✅ **NEW** |
|
|
28
33
|
| **Report Generation** | .md format | ✅ Auto |
|
|
29
34
|
|
|
30
35
|
---
|
|
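Review bot: In the Status column the five new rows (API Security through Sensitive Data) carry `✅ **NEW**` instead of a status, so unlike the other rows the reader cannot tell whether each is backed by a script, a checklist or manual steps; the TOOLS LOCATION tree later in this diff shows they are all checklists, so `✅ Checklist` with NEW moved to a note or its own column keeps the column meaningful. The Cloud Metadata row describes coverage as "SSRF to AWS/GCP/Azure", which names an outcome rather than a check; "metadata endpoint exposure via SSRF (AWS/GCP/Azure)" describes what is assessed.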
@@ -42,11 +47,18 @@ This skill auto-loads when user mentions:
|
|
|
42
47
|
- OWASP, OWASP Top 10
|
|
43
48
|
- exposed files, .env, .git exposed
|
|
44
49
|
- CORS, JWT, GraphQL security
|
|
50
|
+
- API security, REST API, REST security
|
|
51
|
+
- subdomain discovery, subdomain enumeration
|
|
52
|
+
- WebSocket security, WS security
|
|
53
|
+
- cloud metadata, SSRF, AWS metadata
|
|
54
|
+
- sensitive data, credentials exposure, PII
|
|
45
55
|
- "test keamanan", "cek security", "audit keamanan"
|
|
56
|
+
- "test skill", "check skill", "validate skill"
|
|
57
|
+
- "skill health", "skill status", "skill diagnostics"
|
|
46
58
|
|
|
47
59
|
---
|
|
48
60
|
|
|
49
|
-
## ⚡ COMPLETE TEST CHECKLIST (
|
|
61
|
+
## ⚡ COMPLETE TEST CHECKLIST (16 Phases)
|
|
50
62
|
|
|
51
63
|
### Phase 1: Reconnaissance
|
|
52
64
|
```
|
|
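Review bot: The new trigger `SSRF` on line +53 routes a generic term to the cloud-metadata checklist, but SSRF is also an item in the Injection phase and OWASP A10 of this same file, so the keyword is overloaded; either qualify it ("cloud SSRF", "metadata SSRF") or document which checklist a bare "SSRF" loads. The "test skill" / "check skill" / "skill health" triggers on +56/+57 are operational commands rather than security topics and would be clearer listed under the Skill Health Check section than mixed into the vulnerability keywords.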
@@ -69,7 +81,7 @@ This skill auto-loads when user mentions:
|
|
|
69
81
|
[ ] X-Powered-By (hide tech)
|
|
70
82
|
```
|
|
71
83
|
|
|
72
|
-
### Phase 3: Exposed Files & Information Disclosure 🔴
|
|
84
|
+
### Phase 3: Exposed Files & Information Disclosure 🔴
|
|
73
85
|
```
|
|
74
86
|
[ ] .env file accessible?
|
|
75
87
|
[ ] .git directory exposed?
|
|
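Review bot: The Phase 3 heading at -72/+84 is removed and re-added with identical visible text, which points to a trailing-whitespace or emoji-encoding change; normalizing that line (strip trailing whitespace, keep one encoding of 🔴) keeps the diff free of noise.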
@@ -79,33 +91,33 @@ This skill auto-loads when user mentions:
|
|
|
79
91
|
[ ] Spring Boot Actuator endpoints
|
|
80
92
|
[ ] API documentation exposed
|
|
81
93
|
[ ] Log files accessible
|
|
82
|
-
[ ] robots.txt (reveals paths)
|
|
83
|
-
[ ] Security.txt endpoint
|
|
84
94
|
```
|
|
85
95
|
|
|
86
|
-
### Phase 4:
|
|
96
|
+
### Phase 4: Subdomain Discovery 🔴 **NEW**
|
|
97
|
+
```
|
|
98
|
+
[ ] Passive recon (crt.sh, certspotter)
|
|
99
|
+
[ ] DNS aggregators (SecurityTrails, VirusTotal)
|
|
100
|
+
[ ] Active enumeration (subfinder, amass)
|
|
101
|
+
[ ] DNS zone transfer
|
|
102
|
+
[ ] Subdomain takeover detection
|
|
103
|
+
```
|
|
104
|
+
|
|
105
|
+
### Phase 5: Port & Network Scanning
|
|
87
106
|
```
|
|
88
107
|
[ ] Full port scan (1-65535)
|
|
89
108
|
[ ] Service version detection
|
|
90
|
-
[ ] High-risk port exposure
|
|
91
|
-
[ ] Port 3306 (MySQL)
|
|
92
|
-
[ ] Port 5432 (PostgreSQL)
|
|
93
|
-
[ ] Port 27017 (MongoDB)
|
|
94
|
-
[ ] Port 6379 (Redis)
|
|
95
|
-
[ ] Port 2375 (Docker)
|
|
96
|
-
[ ] Port 9200 (Elasticsearch)
|
|
109
|
+
[ ] High-risk port exposure (3306, 5432, 6379, 2375)
|
|
97
110
|
```
|
|
98
111
|
|
|
99
|
-
### Phase
|
|
112
|
+
### Phase 6: SSL/TLS Audit
|
|
100
113
|
```
|
|
101
114
|
[ ] Certificate validity
|
|
102
115
|
[ ] TLS version (no 1.0/1.1)
|
|
103
116
|
[ ] Weak ciphers
|
|
104
117
|
[ ] HSTS implementation
|
|
105
|
-
[ ] OCSP stapling
|
|
106
118
|
```
|
|
107
119
|
|
|
108
|
-
### Phase
|
|
120
|
+
### Phase 7: Authentication Testing
|
|
109
121
|
```
|
|
110
122
|
[ ] Brute force protection
|
|
111
123
|
[ ] Password policy
|
|
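Review bot: This hunk reduces coverage in three places without saying so: robots.txt and security.txt are dropped from Phase 3, MongoDB (27017) and Elasticsearch (9200) disappear when the port list is collapsed to "(3306, 5432, 6379, 2375)", and OCSP stapling is dropped from the SSL/TLS phase. The capabilities table in this same file still advertises the previous exposed-files and port coverage, so either restore the items or record the reduction in the version notes. In the new Phase 4, "Subdomain takeover detection" would be more actionable as "dangling CNAME/NS pointing at a decommissioned service", which tells the tester what evidence constitutes the finding.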
@@ -114,7 +126,43 @@ This skill auto-loads when user mentions:
|
|
|
114
126
|
[ ] Password reset flow
|
|
115
127
|
```
|
|
116
128
|
|
|
117
|
-
### Phase
|
|
129
|
+
### Phase 8: API Security 🔴 **NEW**
|
|
130
|
+
```
|
|
131
|
+
[ ] REST API authentication
|
|
132
|
+
[ ] IDOR (access other users' data)
|
|
133
|
+
[ ] Rate limiting bypass
|
|
134
|
+
[ ] Mass assignment
|
|
135
|
+
[ ] API versioning issues
|
|
136
|
+
```
|
|
137
|
+
|
|
138
|
+
### Phase 9: WebSocket Security 🔴 **NEW**
|
|
139
|
+
```
|
|
140
|
+
[ ] Origin validation
|
|
141
|
+
[ ] Cross-Site WebSocket Hijacking (CSWSH)
|
|
142
|
+
[ ] Authentication in WebSocket
|
|
143
|
+
[ ] Input validation in messages
|
|
144
|
+
[ ] DoS via WebSocket
|
|
145
|
+
```
|
|
146
|
+
|
|
147
|
+
### Phase 10: Cloud Metadata (SSRF) 🔴 **NEW**
|
|
148
|
+
```
|
|
149
|
+
[ ] AWS EC2 metadata accessible?
|
|
150
|
+
[ ] GCP metadata accessible?
|
|
151
|
+
[ ] Azure metadata accessible?
|
|
152
|
+
[ ] IAM credentials exposed
|
|
153
|
+
[ ] SSRF to cloud takeover
|
|
154
|
+
```
|
|
155
|
+
|
|
156
|
+
### Phase 11: Sensitive Data Detection 🔴 **NEW**
|
|
157
|
+
```
|
|
158
|
+
[ ] API keys in source code
|
|
159
|
+
[ ] AWS credentials exposed
|
|
160
|
+
[ ] Private keys exposed
|
|
161
|
+
[ ] PII in responses
|
|
162
|
+
[ ] Credentials in URLs
|
|
163
|
+
```
|
|
164
|
+
|
|
165
|
+
### Phase 12: Injection Testing
|
|
118
166
|
```
|
|
119
167
|
[ ] SQL Injection (5 types)
|
|
120
168
|
[ ] XSS (4 types)
|
|
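Review bot: Phase 10 asks only whether each provider's metadata endpoint is "accessible?", but the finding and the remediation depend on the mode: on AWS, IMDSv2 requires a session token obtained with a PUT request, so the item to record is "IMDSv1 still enabled / IMDSv2 not enforced" rather than reachability alone, and the remediation is enforcing IMDSv2 and lowering the hop limit. Phase 11 overlaps heavily with Phase 3 (Exposed Files) and with the Data Exposure phase of the new api-security.md; a pointer to checklists/sensitive-data.md in the phase heading would stop testers running the same checks twice under different names.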
@@ -125,36 +173,33 @@ This skill auto-loads when user mentions:
|
|
|
125
173
|
[ ] SSRF
|
|
126
174
|
```
|
|
127
175
|
|
|
128
|
-
### Phase
|
|
176
|
+
### Phase 13: CORS Security
|
|
129
177
|
```
|
|
130
178
|
[ ] Wildcard origin check
|
|
131
179
|
[ ] Credentials with wildcard
|
|
132
180
|
[ ] Null origin allowed?
|
|
133
181
|
[ ] Internal IPs allowed?
|
|
134
|
-
[ ] Sensitive endpoints CORS
|
|
135
182
|
```
|
|
136
183
|
|
|
137
|
-
### Phase
|
|
184
|
+
### Phase 14: JWT Security
|
|
138
185
|
```
|
|
139
186
|
[ ] Algorithm confusion (RS256→HS256)
|
|
140
187
|
[ ] alg:none bypass
|
|
141
188
|
[ ] Weak secret brute force
|
|
142
189
|
[ ] Null signature accepted
|
|
143
|
-
[ ] Token manipulation
|
|
144
|
-
[ ] JWKS cache poisoning
|
|
190
|
+
[ ] Token manipulation
|
|
145
191
|
```
|
|
146
192
|
|
|
147
|
-
### Phase
|
|
193
|
+
### Phase 15: GraphQL Security
|
|
148
194
|
```
|
|
149
195
|
[ ] Introspection enabled?
|
|
150
|
-
[ ] GraphQL IDE exposed
|
|
151
196
|
[ ] Authorization bypass (IDOR)
|
|
152
197
|
[ ] Batch query attack
|
|
153
198
|
[ ] Depth-based DoS
|
|
154
199
|
[ ] SQL/NoSQL Injection
|
|
155
200
|
```
|
|
156
201
|
|
|
157
|
-
### Phase
|
|
202
|
+
### Phase 16: OWASP Top 10 (A01-A10)
|
|
158
203
|
```
|
|
159
204
|
[ ] A01 - Broken Access Control
|
|
160
205
|
[ ] A02 - Cryptographic Failures
|
|
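Review bot: Three checks are dropped with no replacement: "Sensitive endpoints CORS" from Phase 13, "JWKS cache poisoning" from Phase 14 and "GraphQL IDE exposed" from Phase 15. The CORS item is the one that separates a harmless wildcard on a public endpoint from an exploitable one on an authenticated endpoint, the JWKS item covers a key-source class of JWT flaws that the remaining items do not, and an exposed GraphQL IDE is an information-disclosure finding in its own right. Suggest restoring all three; the hunk otherwise re-adds "Token manipulation" unchanged on +190, so its net effect on Phase 14 is purely removal.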
@@ -168,38 +213,36 @@ This skill auto-loads when user mentions:
|
|
|
168
213
|
[ ] A10 - SSRF
|
|
169
214
|
```
|
|
170
215
|
|
|
171
|
-
### Phase 12: Business Logic & API
|
|
172
|
-
```
|
|
173
|
-
[ ] IDOR
|
|
174
|
-
[ ] Privilege escalation
|
|
175
|
-
[ ] Price manipulation
|
|
176
|
-
[ ] API security (REST/GraphQL)
|
|
177
|
-
[ ] Rate limiting
|
|
178
|
-
```
|
|
179
|
-
|
|
180
216
|
---
|
|
181
217
|
|
|
182
218
|
## 🔧 TOOLS LOCATION
|
|
183
219
|
|
|
184
220
|
```
|
|
185
221
|
skills/pentesting/
|
|
186
|
-
├── SKILL.md
|
|
222
|
+
├── SKILL.md
|
|
187
223
|
├── checklists/
|
|
188
|
-
│ ├── headers.md #
|
|
224
|
+
│ ├── headers.md # Security headers
|
|
189
225
|
│ ├── owasp.md # OWASP Top 10
|
|
190
226
|
│ ├── ports.md # Port scanning
|
|
191
|
-
│ ├── injection.md
|
|
192
|
-
│ ├── exposed-files.md #
|
|
193
|
-
│ ├── cors.md #
|
|
194
|
-
│ ├── jwt.md #
|
|
195
|
-
│
|
|
227
|
+
│ ├── injection.md # All injection types
|
|
228
|
+
│ ├── exposed-files.md # Exposed files detection
|
|
229
|
+
│ ├── cors.md # CORS security
|
|
230
|
+
│ ├── jwt.md # JWT security
|
|
231
|
+
│ ├── graphql.md # GraphQL security
|
|
232
|
+
│ ├── api-security.md # 🔴 NEW - API security
|
|
233
|
+
│ ├── subdomain.md # 🔴 NEW - Subdomain discovery
|
|
234
|
+
│ ├── websocket.md # 🔴 NEW - WebSocket security
|
|
235
|
+
│ ├── cloud-metadata.md # 🔴 NEW - Cloud metadata/SSRF
|
|
236
|
+
│ └── sensitive-data.md # 🔴 NEW - Sensitive data detection
|
|
196
237
|
├── tools/
|
|
197
238
|
│ ├── header-scan.sh # Linux/Mac headers
|
|
198
239
|
│ ├── header-scan.ps1 # Windows headers
|
|
199
|
-
│ ├── exposed-files-scan.sh #
|
|
200
|
-
│ ├── exposed-files-scan.ps1 #
|
|
201
|
-
│ ├── full-scan.sh
|
|
202
|
-
│
|
|
240
|
+
│ ├── exposed-files-scan.sh # Exposed files (Linux)
|
|
241
|
+
│ ├── exposed-files-scan.ps1 # Exposed files (Windows)
|
|
242
|
+
│ ├── full-scan.sh # All-in-one (Linux)
|
|
243
|
+
│ ├── full-scan.ps1 # All-in-one (Windows)
|
|
244
|
+
│ ├── test-skill.sh # Skill health check (Linux)
|
|
245
|
+
│ └── test-skill.ps1 # Skill health check (Windows)
|
|
203
246
|
└── reports/
|
|
204
247
|
└── template.md # Report template
|
|
205
248
|
```
|
|
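Review bot: Deleting "Phase 12: Business Logic & API" drops "Privilege escalation" and "Price manipulation" from SKILL.md with no counterpart in the new Phases 8 to 16; the new checklists/api-security.md does cover both (vertical privilege escalation, business logic abuse), so Phase 8 should reference that file or a Business Logic phase should be kept. The tree lists full-scan.ps1, yet this release's file list shows only test-skill.sh/.ps1 and five checklists as added files and the removed tree lines are truncated, so confirm full-scan.ps1 is actually in the package. The counts implied by the tree (13 checklists, 8 tools) do match the summary added to SKILL READY later in this diff.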
@@ -210,53 +253,26 @@ skills/pentesting/
|
|
|
210
253
|
|
|
211
254
|
### Security Headers
|
|
212
255
|
```bash
|
|
213
|
-
# Linux/Mac
|
|
214
|
-
chmod +x tools/header-scan.sh
|
|
215
|
-
./tools/header-scan.sh https://target.com
|
|
216
|
-
|
|
217
|
-
# Windows PowerShell
|
|
218
256
|
.\tools\header-scan.ps1 -Target https://target.com
|
|
257
|
+
./tools/header-scan.sh https://target.com
|
|
219
258
|
```
|
|
220
259
|
|
|
221
|
-
### Exposed Files Scan
|
|
260
|
+
### Exposed Files Scan
|
|
222
261
|
```bash
|
|
223
|
-
# Linux/Mac
|
|
224
|
-
chmod +x tools/exposed-files-scan.sh
|
|
225
|
-
./tools/exposed-files-scan.sh https://target.com
|
|
226
|
-
|
|
227
|
-
# Windows PowerShell
|
|
228
262
|
.\tools\exposed-files-scan.ps1 -Target https://target.com
|
|
263
|
+
./tools/exposed-files-scan.sh https://target.com
|
|
229
264
|
```
|
|
230
265
|
|
|
231
|
-
### Full Security Scan (All-in-One)
|
|
266
|
+
### Full Security Scan (All-in-One)
|
|
232
267
|
```bash
|
|
233
|
-
# Linux/Mac
|
|
234
|
-
chmod +x tools/full-scan.sh
|
|
235
|
-
./tools/full-scan.sh https://target.com
|
|
236
|
-
|
|
237
|
-
# Windows PowerShell
|
|
238
268
|
.\tools\full-scan.ps1 -Target https://target.com
|
|
269
|
+
./tools/full-scan.sh https://target.com
|
|
239
270
|
```
|
|
240
271
|
|
|
241
|
-
###
|
|
242
|
-
```bash
|
|
243
|
-
nmap -sV -p 21,22,80,443,3306,5432,8080 target.com
|
|
244
|
-
nmap -p- -sV target.com
|
|
245
|
-
```
|
|
246
|
-
|
|
247
|
-
### Vulnerability Scanning
|
|
272
|
+
### Skill Health Check
|
|
248
273
|
```bash
|
|
249
|
-
|
|
250
|
-
|
|
251
|
-
|
|
252
|
-
# SQLMap
|
|
253
|
-
sqlmap -u "https://target.com/search?q=1" --batch
|
|
254
|
-
|
|
255
|
-
# Dalfox XSS
|
|
256
|
-
dalfox url https://target.com/search?q=test
|
|
257
|
-
|
|
258
|
-
# Commix
|
|
259
|
-
commix -u "http://target.com/ping?ip=127.0.0.1"
|
|
274
|
+
.\tools\test-skill.ps1
|
|
275
|
+
./tools/test-skill.sh
|
|
260
276
|
```
|
|
261
277
|
|
|
262
278
|
---
|
|
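Review bot: The `chmod +x tools/*.sh` steps are removed from all three usage blocks, but nothing in the hunk shows the scripts being packaged with the executable bit set; if they are not, `./tools/header-scan.sh` fails with "Permission denied" on a fresh install, so keep the chmod line or document `bash tools/header-scan.sh`. The Port Scanning and Vulnerability Scanning blocks (nmap, sqlmap, dalfox, commix) are removed while Phase 5 still calls for a full 1-65535 scan and Phase 12 still lists SQLi/XSS; if those commands moved to checklists/ports.md and injection.md, say so here, otherwise the phases have no documented tooling. Minor: the PowerShell line now precedes the bash line and the "# Linux/Mac" / "# Windows PowerShell" comments are gone; keeping them costs nothing and removes the guesswork.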
@@ -308,6 +324,12 @@ F (0-29): Critical
|
|
|
308
324
|
- "test CORS" → Load CORS checklist
|
|
309
325
|
- "test JWT" → Load JWT checklist
|
|
310
326
|
- "test GraphQL" → Load GraphQL checklist
|
|
327
|
+
- "test API security" → Load API security checklist 🔴 **NEW**
|
|
328
|
+
- "test subdomain" → Load subdomain discovery 🔴 **NEW**
|
|
329
|
+
- "test WebSocket" → Load WebSocket security 🔴 **NEW**
|
|
330
|
+
- "test cloud metadata" → Load cloud metadata checklist 🔴 **NEW**
|
|
331
|
+
- "test sensitive data" → Load sensitive data checklist 🔴 **NEW**
|
|
332
|
+
- "test skill" / "check skill" → Run skill health check
|
|
311
333
|
|
|
312
334
|
---
|
|
313
335
|
|
|
@@ -323,14 +345,20 @@ User: "security audit untuk target.com"
|
|
|
323
345
|
User: "check exposed files di website ini"
|
|
324
346
|
→ Run exposed files scan → site/target.com-exposed-2025-07-05.md
|
|
325
347
|
|
|
326
|
-
User: "test
|
|
327
|
-
→ Run
|
|
348
|
+
User: "test API security"
|
|
349
|
+
→ Run API security tests → checklists/api-security.md
|
|
350
|
+
|
|
351
|
+
User: "subdomain enumeration untuk target.com"
|
|
352
|
+
→ Run subdomain discovery → checklists/subdomain.md
|
|
353
|
+
|
|
354
|
+
User: "test SSRF"
|
|
355
|
+
→ Load cloud metadata/SSRF checklist
|
|
328
356
|
|
|
329
|
-
User: "
|
|
330
|
-
→
|
|
357
|
+
User: "check sensitive data exposure"
|
|
358
|
+
→ Load sensitive data detection checklist
|
|
331
359
|
|
|
332
|
-
User: "
|
|
333
|
-
→ Run
|
|
360
|
+
User: "test skill"
|
|
361
|
+
→ Run skill health check
|
|
334
362
|
```
|
|
335
363
|
|
|
336
364
|
---
|
|
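Review bot: The example on +354/+355 maps "test SSRF" to the cloud metadata/SSRF checklist, which makes the overloaded SSRF keyword in the trigger list concrete: SSRF is also an Injection-phase item and OWASP A10, so a user asking to test SSRF in an on-premises application is sent to a cloud-only checklist. Use "test cloud metadata" for this example and add a separate SSRF example that loads the injection checklist.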
@@ -338,6 +366,9 @@ User: "GraphQL security check"
|
|
|
338
366
|
## ✅ SKILL READY
|
|
339
367
|
|
|
340
368
|
**Status:** ACTIVE & READY FOR USE
|
|
341
|
-
**Version:**
|
|
369
|
+
**Version:** 4.0
|
|
342
370
|
**Author:** Rz (@soulofzephir)
|
|
343
371
|
**Last Updated:** 2025-07-05
|
|
372
|
+
**Checklists:** 13
|
|
373
|
+
**Tools:** 8
|
|
374
|
+
**Health Score:** 95%+
|
|
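Review bot: "**Health Score:** 95%+" on +374 hardcodes the value that test-skill.sh/.ps1 exists to measure; a static figure in SKILL.md goes stale the moment a checklist is renamed or removed, so either drop it or label it as the health check's output on the stated date. "Checklists: 13" and "Tools: 8" match the TOOLS LOCATION tree in this diff, but they carry the same maintenance risk and could be generated by the health check instead.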
@@ -0,0 +1,210 @@
|
|
|
1
|
+
# API Security Checklist
|
|
2
|
+
|
|
3
|
+
## 🔍 What is API Security?
|
|
4
|
+
|
|
5
|
+
APIs expose application logic and sensitive data. Testing requires understanding authentication, authorization, and input validation.
|
|
6
|
+
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
## ⚠️ Common API Vulnerabilities
|
|
10
|
+
|
|
11
|
+
### 1. Broken Object Level Authorization (BOLA/IDOR)
|
|
12
|
+
```
|
|
13
|
+
Risk: Users access other users' resources
|
|
14
|
+
Test: Change ID in request parameter
|
|
15
|
+
```
|
|
16
|
+
|
|
17
|
+
### 2. Broken Authentication
|
|
18
|
+
```
|
|
19
|
+
Risk: Session management flaws
|
|
20
|
+
Test: Token manipulation, JWT attacks
|
|
21
|
+
```
|
|
22
|
+
|
|
23
|
+
### 3. Excessive Data Exposure
|
|
24
|
+
```
|
|
25
|
+
Risk: API returns more data than needed
|
|
26
|
+
Test: Analyze all response fields
|
|
27
|
+
```
|
|
28
|
+
|
|
29
|
+
### 4. Lack of Resources & Rate Limiting
|
|
30
|
+
```
|
|
31
|
+
Risk: DoS, brute force
|
|
32
|
+
Test: Send many requests, measure throttling
|
|
33
|
+
```
|
|
34
|
+
|
|
35
|
+
### 5. Mass Assignment
|
|
36
|
+
```
|
|
37
|
+
Risk: Modify protected fields
|
|
38
|
+
Test: Add unexpected fields to request
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
---
|
|
42
|
+
|
|
43
|
+
## 🧪 Testing Checklist
|
|
44
|
+
|
|
45
|
+
### Phase 1: Discovery
|
|
46
|
+
- [ ] API endpoints identified
|
|
47
|
+
- [ ] HTTP methods discovered (GET, POST, PUT, DELETE, PATCH)
|
|
48
|
+
- [ ] Authentication method identified (Bearer, API Key, OAuth, JWT)
|
|
49
|
+
- [ ] Content-Type identified (JSON, XML, form-data)
|
|
50
|
+
- [ ] Versioning detected (v1, v2, /api/)
|
|
51
|
+
|
|
52
|
+
### Phase 2: Authentication Testing
|
|
53
|
+
- [ ] API key exposure in URL (should be in header)
|
|
54
|
+
- [ ] Bearer token manipulation
|
|
55
|
+
- [ ] JWT attacks (alg confusion, none, weak secret)
|
|
56
|
+
- [ ] Session fixation
|
|
57
|
+
- [ ] Token expiration bypass
|
|
58
|
+
- [ ] Password reset via API
|
|
59
|
+
- [ ] MFA bypass attempts
|
|
60
|
+
|
|
61
|
+
### Phase 3: Authorization Testing
|
|
62
|
+
- [ ] Horizontal privilege escalation (access other users)
|
|
63
|
+
- [ ] Vertical privilege escalation (admin access)
|
|
64
|
+
- [ ] IDOR in resource endpoints
|
|
65
|
+
- [ ] Parameter manipulation
|
|
66
|
+
- [ ] Path traversal in URLs
|
|
67
|
+
|
|
68
|
+
### Phase 4: Input Validation
|
|
69
|
+
- [ ] SQL Injection
|
|
70
|
+
- [ ] NoSQL Injection (MongoDB operators)
|
|
71
|
+
- [ ] Command Injection
|
|
72
|
+
- [ ] XSS (in JSON responses)
|
|
73
|
+
- [ ] XML Injection (if XML API)
|
|
74
|
+
- [ ] JSON Manipulation
|
|
75
|
+
|
|
76
|
+
### Phase 5: Rate Limiting
|
|
77
|
+
- [ ] Rate limit present?
|
|
78
|
+
- [ ] Bypass via header manipulation (X-Forwarded-For)
|
|
79
|
+
- [ ] Bypass via IP rotation
|
|
80
|
+
- [ ] Bypass via user-agent rotation
|
|
81
|
+
- [ ] Business logic abuse (coupon reuse, price manipulation)
|
|
82
|
+
|
|
83
|
+
### Phase 6: Business Logic
|
|
84
|
+
- [ ] Workflow bypass
|
|
85
|
+
- [ ] Race condition
|
|
86
|
+
- [ ] Mass assignment
|
|
87
|
+
- [ ] Insufficient workflow validation
|
|
88
|
+
- [ ] Time-based logic abuse
|
|
89
|
+
|
|
90
|
+
### Phase 7: Data Exposure
|
|
91
|
+
- [ ] Sensitive data in responses (PII, passwords, tokens)
|
|
92
|
+
- [ ] Stack traces in errors
|
|
93
|
+
- [ ] Debug endpoints exposed
|
|
94
|
+
- [ ] Verbose logging
|
|
95
|
+
- [ ] Default/error messages leak info
|
|
96
|
+
|
|
97
|
+
### Phase 8: Configuration
|
|
98
|
+
- [ ] CORS misconfiguration
|
|
99
|
+
- [ ] HTTP methods enabled (TRACE, OPTIONS)
|
|
100
|
+
- [ ] SSL/TLS issues
|
|
101
|
+
- [ ] Security headers missing
|
|
102
|
+
- [ ] Sensitive fields in Swagger/OpenAPI
|
|
103
|
+
|
|
104
|
+
---
|
|
105
|
+
|
|
106
|
+
## 🔧 Common API Payloads
|
|
107
|
+
|
|
108
|
+
### SQL Injection
|
|
109
|
+
```json
|
|
110
|
+
{"id": "1 OR 1=1"}
|
|
111
|
+
{"id": "1' OR '1'='1"}
|
|
112
|
+
{"id": "1; DROP TABLE users--"}
|
|
113
|
+
```
|
|
114
|
+
|
|
115
|
+
### NoSQL Injection
|
|
116
|
+
```json
|
|
117
|
+
{"id": {"$ne": null}}
|
|
118
|
+
{"id": {"$gt": ""}}
|
|
119
|
+
{"username": {"$regex": ".*"}}
|
|
120
|
+
{"password": {"$ne": ""}}
|
|
121
|
+
```
|
|
122
|
+
|
|
123
|
+
### Mass Assignment
|
|
124
|
+
```json
|
|
125
|
+
{"user_id": 123, "role": "admin"}
|
|
126
|
+
{"price": 1, "admin": true}
|
|
127
|
+
```
|
|
128
|
+
|
|
129
|
+
### Bypass Rate Limiting
|
|
130
|
+
```bash
|
|
131
|
+
# Via X-Forwarded-For
|
|
132
|
+
curl -H "X-Forwarded-For: 1.2.3.4" api.target.com
|
|
133
|
+
|
|
134
|
+
# Via X-Real-IP
|
|
135
|
+
curl -H "X-Real-IP: 1.2.3.4" api.target.com
|
|
136
|
+
|
|
137
|
+
# Via X-Originating-IP
|
|
138
|
+
curl -H "X-Originating-IP: 1.2.3.4" api.target.com
|
|
139
|
+
```
|
|
140
|
+
|
|
141
|
+
### IDOR Tests
|
|
142
|
+
```bash
|
|
143
|
+
# Change user ID
|
|
144
|
+
GET /api/users/123/profile
|
|
145
|
+
GET /api/users/124/profile
|
|
146
|
+
|
|
147
|
+
# Change resource ID
|
|
148
|
+
GET /api/orders/1001
|
|
149
|
+
GET /api/orders/1002
|
|
150
|
+
|
|
151
|
+
# Change UUID
|
|
152
|
+
GET /api/documents/abc-123
|
|
153
|
+
GET /api/documents/abc-124
|
|
154
|
+
```
|
|
155
|
+
|
|
156
|
+
---
|
|
157
|
+
|
|
158
|
+
## 🛠️ Tools
|
|
159
|
+
|
|
160
|
+
```bash
|
|
161
|
+
# Burp Suite (Recommended)
|
|
162
|
+
# - Intruder for fuzzing
|
|
163
|
+
# - Repeater for testing
|
|
164
|
+
# - Active Scanner
|
|
165
|
+
|
|
166
|
+
# sqlmap for API SQLi
|
|
167
|
+
sqlmap -u "https://api.target.com/users?id=1" --level=5 --risk=3
|
|
168
|
+
|
|
169
|
+
# ffuf for fuzzing
|
|
170
|
+
ffuf -w wordlist.txt -u https://api.target.com/FUZZ
|
|
171
|
+
|
|
172
|
+
# JWT attacks
|
|
173
|
+
python -m jwt_tool <JWT> -T
|
|
174
|
+
hashcat -a 0 -m 16500 jwt.txt wordlist.txt
|
|
175
|
+
|
|
176
|
+
# API enumeration
|
|
177
|
+
nmap --script=http-enum api.target.com
|
|
178
|
+
```
|
|
179
|
+
|
|
180
|
+
---
|
|
181
|
+
|
|
182
|
+
## 📋 API Security Score
|
|
183
|
+
|
|
184
|
+
| Area | Score | Weight |
|
|
185
|
+
|------|-------|--------|
|
|
186
|
+
| Authentication | /20 | High |
|
|
187
|
+
| Authorization | /20 | Critical |
|
|
188
|
+
| Rate Limiting | /15 | High |
|
|
189
|
+
| Input Validation | /15 | Critical |
|
|
190
|
+
| Data Exposure | /15 | High |
|
|
191
|
+
| Configuration | /15 | Medium |
|
|
192
|
+
|
|
193
|
+
**Total: /100**
|
|
194
|
+
|
|
195
|
+
---
|
|
196
|
+
|
|
197
|
+
## 🛡️ Secure API Checklist
|
|
198
|
+
|
|
199
|
+
- [ ] JWT with strong secret (HS256 min 256-bit)
|
|
200
|
+
- [ ] Token expiration set
|
|
201
|
+
- [ ] Proper authorization on every endpoint
|
|
202
|
+
- [ ] Rate limiting enabled
|
|
203
|
+
- [ ] Input validation on all parameters
|
|
204
|
+
- [ ] Sensitive data not in responses
|
|
205
|
+
- [ ] Security headers set
|
|
206
|
+
- [ ] CORS properly configured
|
|
207
|
+
- [ ] No verbose errors in production
|
|
208
|
+
- [ ] API versioning
|
|
209
|
+
- [ ] Logging without sensitive data
|
|
210
|
+
- [ ] HTTPS only
|
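Review bot: The SQL Injection payload list includes `{"id": "1; DROP TABLE users--"}`; a checklist loaded for engagements against client systems should not carry a destructive statement, since confirming injection needs only boolean, error-based or time-based probes and a dropped table is irreversible impact on the target. Structure: "Business logic abuse (coupon reuse, price manipulation)" sits under Phase 5: Rate Limiting rather than Phase 6: Business Logic, and "Mass assignment" appears both as vulnerability 5 and as a Phase 6 item. The IDOR Tests block is fenced as ```bash but contains raw HTTP request lines, so an ```http fence would be accurate. Also verify `python -m jwt_tool <JWT> -T` works as written; the project is commonly run as a script (`python3 jwt_tool.py <JWT> -T`), and a non-working command in the Tools block will be copied verbatim.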