@soulofzephir/pi-skill-pentesting 1.0.2 → 1.0.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/skills/pentesting/SKILL.md +122 -112
- package/skills/pentesting/checklists/api-security.md +210 -0
- package/skills/pentesting/checklists/cloud-metadata.md +290 -0
- package/skills/pentesting/checklists/sensitive-data.md +323 -0
- package/skills/pentesting/checklists/subdomain.md +243 -0
- package/skills/pentesting/checklists/websocket.md +197 -0
- package/skills/pentesting/tools/exposed-files-scan.ps1 +141 -238
- package/skills/pentesting/tools/full-scan.ps1 +278 -316
- package/soulofzephir-pi-skill-pentesting-1.0.2.tgz +0 -0
- package/soulofzephir-pi-skill-pentesting-1.0.3.tgz +0 -0
- package/soulofzephir-pi-skill-pentesting-1.0.4.tgz +0 -0
package/package.json
CHANGED
|
@@ -1,15 +1,15 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: pentesting
|
|
3
|
-
description: Comprehensive website security testing skill for penetration testing, vulnerability assessment, security headers
|
|
3
|
+
description: Comprehensive website security testing skill for penetration testing, vulnerability assessment, security headers, port scanning, SQL injection, XSS, OWASP Top 10, SSL/TLS, exposed files, CORS, JWT, GraphQL, API security, subdomain discovery, WebSocket, cloud metadata, and sensitive data detection. Use for pentest, security check, vulnerability scan, header security, port scan, SQL injection, XSS, exposed files, CORS, JWT, GraphQL, API security, subdomain, WebSocket, cloud, sensitive data, or bug bounty testing. Generates reports to site/domainname-date.md format.
|
|
4
4
|
---
|
|
5
5
|
|
|
6
6
|
# 🛡️ Pentesting & Security Check Skill
|
|
7
7
|
|
|
8
|
-
> **AUTHOR:** Rz (@soulofzephir) | **VERSION:**
|
|
8
|
+
> **AUTHOR:** Rz (@soulofzephir) | **VERSION:** 4.0 | **LAST UPDATED:** 2025-07-05
|
|
9
9
|
|
|
10
10
|
---
|
|
11
11
|
|
|
12
|
-
## 📋 CAPABILITIES OVERVIEW (
|
|
12
|
+
## 📋 CAPABILITIES OVERVIEW (v4.0)
|
|
13
13
|
|
|
14
14
|
| Category | Coverage | Status |
|
|
15
15
|
|----------|----------|--------|
|
|
@@ -21,10 +21,15 @@ description: Comprehensive website security testing skill for penetration testin
|
|
|
21
21
|
| **XXE Testing** | Basic, Blind, DoS | ✅ Manual |
|
|
22
22
|
| **OWASP Top 10** | A01-A10 complete | ✅ Checklist |
|
|
23
23
|
| **SSL/TLS Audit** | Certificate & Ciphers | ✅ testssl.sh |
|
|
24
|
-
| **Exposed Files** | .env, .git, backups, debug | ✅
|
|
25
|
-
| **CORS Security** | Misconfiguration tests | ✅
|
|
26
|
-
| **JWT Security** | Algorithm attacks, brute force | ✅
|
|
27
|
-
| **GraphQL Security** | Introspection, DoS, injection | ✅
|
|
24
|
+
| **Exposed Files** | .env, .git, backups, debug | ✅ Script |
|
|
25
|
+
| **CORS Security** | Misconfiguration tests | ✅ Checklist |
|
|
26
|
+
| **JWT Security** | Algorithm attacks, brute force | ✅ Checklist |
|
|
27
|
+
| **GraphQL Security** | Introspection, DoS, injection | ✅ Checklist |
|
|
28
|
+
| **API Security** | REST API testing, IDOR, rate limit | ✅ **NEW** |
|
|
29
|
+
| **Subdomain Discovery** | Passive/Active enumeration | ✅ **NEW** |
|
|
30
|
+
| **WebSocket Security** | CSWSH, hijacking, DoS | ✅ **NEW** |
|
|
31
|
+
| **Cloud Metadata** | SSRF to AWS/GCP/Azure | ✅ **NEW** |
|
|
32
|
+
| **Sensitive Data** | Credentials, PII exposure | ✅ **NEW** |
|
|
28
33
|
| **Report Generation** | .md format | ✅ Auto |
|
|
29
34
|
|
|
30
35
|
---
|
|
@@ -42,13 +47,18 @@ This skill auto-loads when user mentions:
|
|
|
42
47
|
- OWASP, OWASP Top 10
|
|
43
48
|
- exposed files, .env, .git exposed
|
|
44
49
|
- CORS, JWT, GraphQL security
|
|
50
|
+
- API security, REST API, REST security
|
|
51
|
+
- subdomain discovery, subdomain enumeration
|
|
52
|
+
- WebSocket security, WS security
|
|
53
|
+
- cloud metadata, SSRF, AWS metadata
|
|
54
|
+
- sensitive data, credentials exposure, PII
|
|
45
55
|
- "test keamanan", "cek security", "audit keamanan"
|
|
46
|
-
-
|
|
47
|
-
-
|
|
56
|
+
- "test skill", "check skill", "validate skill"
|
|
57
|
+
- "skill health", "skill status", "skill diagnostics"
|
|
48
58
|
|
|
49
59
|
---
|
|
50
60
|
|
|
51
|
-
## ⚡ COMPLETE TEST CHECKLIST (
|
|
61
|
+
## ⚡ COMPLETE TEST CHECKLIST (16 Phases)
|
|
52
62
|
|
|
53
63
|
### Phase 1: Reconnaissance
|
|
54
64
|
```
|
|
@@ -71,7 +81,7 @@ This skill auto-loads when user mentions:
|
|
|
71
81
|
[ ] X-Powered-By (hide tech)
|
|
72
82
|
```
|
|
73
83
|
|
|
74
|
-
### Phase 3: Exposed Files & Information Disclosure 🔴
|
|
84
|
+
### Phase 3: Exposed Files & Information Disclosure 🔴
|
|
75
85
|
```
|
|
76
86
|
[ ] .env file accessible?
|
|
77
87
|
[ ] .git directory exposed?
|
|
@@ -81,33 +91,33 @@ This skill auto-loads when user mentions:
|
|
|
81
91
|
[ ] Spring Boot Actuator endpoints
|
|
82
92
|
[ ] API documentation exposed
|
|
83
93
|
[ ] Log files accessible
|
|
84
|
-
[ ] robots.txt (reveals paths)
|
|
85
|
-
[ ] Security.txt endpoint
|
|
86
94
|
```
|
|
87
95
|
|
|
88
|
-
### Phase 4:
|
|
96
|
+
### Phase 4: Subdomain Discovery 🔴 **NEW**
|
|
97
|
+
```
|
|
98
|
+
[ ] Passive recon (crt.sh, certspotter)
|
|
99
|
+
[ ] DNS aggregators (SecurityTrails, VirusTotal)
|
|
100
|
+
[ ] Active enumeration (subfinder, amass)
|
|
101
|
+
[ ] DNS zone transfer
|
|
102
|
+
[ ] Subdomain takeover detection
|
|
103
|
+
```
|
|
104
|
+
|
|
105
|
+
### Phase 5: Port & Network Scanning
|
|
89
106
|
```
|
|
90
107
|
[ ] Full port scan (1-65535)
|
|
91
108
|
[ ] Service version detection
|
|
92
|
-
[ ] High-risk port exposure
|
|
93
|
-
[ ] Port 3306 (MySQL)
|
|
94
|
-
[ ] Port 5432 (PostgreSQL)
|
|
95
|
-
[ ] Port 27017 (MongoDB)
|
|
96
|
-
[ ] Port 6379 (Redis)
|
|
97
|
-
[ ] Port 2375 (Docker)
|
|
98
|
-
[ ] Port 9200 (Elasticsearch)
|
|
109
|
+
[ ] High-risk port exposure (3306, 5432, 6379, 2375)
|
|
99
110
|
```
|
|
100
111
|
|
|
101
|
-
### Phase
|
|
112
|
+
### Phase 6: SSL/TLS Audit
|
|
102
113
|
```
|
|
103
114
|
[ ] Certificate validity
|
|
104
115
|
[ ] TLS version (no 1.0/1.1)
|
|
105
116
|
[ ] Weak ciphers
|
|
106
117
|
[ ] HSTS implementation
|
|
107
|
-
[ ] OCSP stapling
|
|
108
118
|
```
|
|
109
119
|
|
|
110
|
-
### Phase
|
|
120
|
+
### Phase 7: Authentication Testing
|
|
111
121
|
```
|
|
112
122
|
[ ] Brute force protection
|
|
113
123
|
[ ] Password policy
|
|
@@ -116,7 +126,43 @@ This skill auto-loads when user mentions:
|
|
|
116
126
|
[ ] Password reset flow
|
|
117
127
|
```
|
|
118
128
|
|
|
119
|
-
### Phase
|
|
129
|
+
### Phase 8: API Security 🔴 **NEW**
|
|
130
|
+
```
|
|
131
|
+
[ ] REST API authentication
|
|
132
|
+
[ ] IDOR (access other users' data)
|
|
133
|
+
[ ] Rate limiting bypass
|
|
134
|
+
[ ] Mass assignment
|
|
135
|
+
[ ] API versioning issues
|
|
136
|
+
```
|
|
137
|
+
|
|
138
|
+
### Phase 9: WebSocket Security 🔴 **NEW**
|
|
139
|
+
```
|
|
140
|
+
[ ] Origin validation
|
|
141
|
+
[ ] Cross-Site WebSocket Hijacking (CSWSH)
|
|
142
|
+
[ ] Authentication in WebSocket
|
|
143
|
+
[ ] Input validation in messages
|
|
144
|
+
[ ] DoS via WebSocket
|
|
145
|
+
```
|
|
146
|
+
|
|
147
|
+
### Phase 10: Cloud Metadata (SSRF) 🔴 **NEW**
|
|
148
|
+
```
|
|
149
|
+
[ ] AWS EC2 metadata accessible?
|
|
150
|
+
[ ] GCP metadata accessible?
|
|
151
|
+
[ ] Azure metadata accessible?
|
|
152
|
+
[ ] IAM credentials exposed
|
|
153
|
+
[ ] SSRF to cloud takeover
|
|
154
|
+
```
|
|
155
|
+
|
|
156
|
+
### Phase 11: Sensitive Data Detection 🔴 **NEW**
|
|
157
|
+
```
|
|
158
|
+
[ ] API keys in source code
|
|
159
|
+
[ ] AWS credentials exposed
|
|
160
|
+
[ ] Private keys exposed
|
|
161
|
+
[ ] PII in responses
|
|
162
|
+
[ ] Credentials in URLs
|
|
163
|
+
```
|
|
164
|
+
|
|
165
|
+
### Phase 12: Injection Testing
|
|
120
166
|
```
|
|
121
167
|
[ ] SQL Injection (5 types)
|
|
122
168
|
[ ] XSS (4 types)
|
|
@@ -127,36 +173,33 @@ This skill auto-loads when user mentions:
|
|
|
127
173
|
[ ] SSRF
|
|
128
174
|
```
|
|
129
175
|
|
|
130
|
-
### Phase
|
|
176
|
+
### Phase 13: CORS Security
|
|
131
177
|
```
|
|
132
178
|
[ ] Wildcard origin check
|
|
133
179
|
[ ] Credentials with wildcard
|
|
134
180
|
[ ] Null origin allowed?
|
|
135
181
|
[ ] Internal IPs allowed?
|
|
136
|
-
[ ] Sensitive endpoints CORS
|
|
137
182
|
```
|
|
138
183
|
|
|
139
|
-
### Phase
|
|
184
|
+
### Phase 14: JWT Security
|
|
140
185
|
```
|
|
141
186
|
[ ] Algorithm confusion (RS256→HS256)
|
|
142
187
|
[ ] alg:none bypass
|
|
143
188
|
[ ] Weak secret brute force
|
|
144
189
|
[ ] Null signature accepted
|
|
145
|
-
[ ] Token manipulation
|
|
146
|
-
[ ] JWKS cache poisoning
|
|
190
|
+
[ ] Token manipulation
|
|
147
191
|
```
|
|
148
192
|
|
|
149
|
-
### Phase
|
|
193
|
+
### Phase 15: GraphQL Security
|
|
150
194
|
```
|
|
151
195
|
[ ] Introspection enabled?
|
|
152
|
-
[ ] GraphQL IDE exposed
|
|
153
196
|
[ ] Authorization bypass (IDOR)
|
|
154
197
|
[ ] Batch query attack
|
|
155
198
|
[ ] Depth-based DoS
|
|
156
199
|
[ ] SQL/NoSQL Injection
|
|
157
200
|
```
|
|
158
201
|
|
|
159
|
-
### Phase
|
|
202
|
+
### Phase 16: OWASP Top 10 (A01-A10)
|
|
160
203
|
```
|
|
161
204
|
[ ] A01 - Broken Access Control
|
|
162
205
|
[ ] A02 - Cryptographic Failures
|
|
@@ -170,38 +213,36 @@ This skill auto-loads when user mentions:
|
|
|
170
213
|
[ ] A10 - SSRF
|
|
171
214
|
```
|
|
172
215
|
|
|
173
|
-
### Phase 12: Business Logic & API
|
|
174
|
-
```
|
|
175
|
-
[ ] IDOR
|
|
176
|
-
[ ] Privilege escalation
|
|
177
|
-
[ ] Price manipulation
|
|
178
|
-
[ ] API security (REST/GraphQL)
|
|
179
|
-
[ ] Rate limiting
|
|
180
|
-
```
|
|
181
|
-
|
|
182
216
|
---
|
|
183
217
|
|
|
184
218
|
## 🔧 TOOLS LOCATION
|
|
185
219
|
|
|
186
220
|
```
|
|
187
221
|
skills/pentesting/
|
|
188
|
-
├── SKILL.md
|
|
222
|
+
├── SKILL.md
|
|
189
223
|
├── checklists/
|
|
190
|
-
│ ├── headers.md #
|
|
224
|
+
│ ├── headers.md # Security headers
|
|
191
225
|
│ ├── owasp.md # OWASP Top 10
|
|
192
226
|
│ ├── ports.md # Port scanning
|
|
193
|
-
│ ├── injection.md
|
|
194
|
-
│ ├── exposed-files.md #
|
|
195
|
-
│ ├── cors.md #
|
|
196
|
-
│ ├── jwt.md #
|
|
197
|
-
│
|
|
227
|
+
│ ├── injection.md # All injection types
|
|
228
|
+
│ ├── exposed-files.md # Exposed files detection
|
|
229
|
+
│ ├── cors.md # CORS security
|
|
230
|
+
│ ├── jwt.md # JWT security
|
|
231
|
+
│ ├── graphql.md # GraphQL security
|
|
232
|
+
│ ├── api-security.md # 🔴 NEW - API security
|
|
233
|
+
│ ├── subdomain.md # 🔴 NEW - Subdomain discovery
|
|
234
|
+
│ ├── websocket.md # 🔴 NEW - WebSocket security
|
|
235
|
+
│ ├── cloud-metadata.md # 🔴 NEW - Cloud metadata/SSRF
|
|
236
|
+
│ └── sensitive-data.md # 🔴 NEW - Sensitive data detection
|
|
198
237
|
├── tools/
|
|
199
238
|
│ ├── header-scan.sh # Linux/Mac headers
|
|
200
239
|
│ ├── header-scan.ps1 # Windows headers
|
|
201
|
-
│ ├── exposed-files-scan.sh #
|
|
202
|
-
│ ├── exposed-files-scan.ps1 #
|
|
203
|
-
│ ├── full-scan.sh
|
|
204
|
-
│
|
|
240
|
+
│ ├── exposed-files-scan.sh # Exposed files (Linux)
|
|
241
|
+
│ ├── exposed-files-scan.ps1 # Exposed files (Windows)
|
|
242
|
+
│ ├── full-scan.sh # All-in-one (Linux)
|
|
243
|
+
│ ├── full-scan.ps1 # All-in-one (Windows)
|
|
244
|
+
│ ├── test-skill.sh # Skill health check (Linux)
|
|
245
|
+
│ └── test-skill.ps1 # Skill health check (Windows)
|
|
205
246
|
└── reports/
|
|
206
247
|
└── template.md # Report template
|
|
207
248
|
```
|
|
@@ -210,66 +251,28 @@ skills/pentesting/
|
|
|
210
251
|
|
|
211
252
|
## 🚀 QUICK COMMANDS
|
|
212
253
|
|
|
213
|
-
### Skill Health Check 🔴 **NEW**
|
|
214
|
-
```bash
|
|
215
|
-
# Windows PowerShell
|
|
216
|
-
.\tools\test-skill.ps1
|
|
217
|
-
.\tools\test-skill.ps1 -Verbose
|
|
218
|
-
|
|
219
|
-
# Linux/Mac
|
|
220
|
-
chmod +x tools/test-skill.sh
|
|
221
|
-
./tools/test-skill.sh
|
|
222
|
-
```
|
|
223
|
-
|
|
224
254
|
### Security Headers
|
|
225
255
|
```bash
|
|
226
|
-
# Linux/Mac
|
|
227
|
-
chmod +x tools/header-scan.sh
|
|
228
|
-
./tools/header-scan.sh https://target.com
|
|
229
|
-
|
|
230
|
-
# Windows PowerShell
|
|
231
256
|
.\tools\header-scan.ps1 -Target https://target.com
|
|
257
|
+
./tools/header-scan.sh https://target.com
|
|
232
258
|
```
|
|
233
259
|
|
|
234
|
-
### Exposed Files Scan
|
|
260
|
+
### Exposed Files Scan
|
|
235
261
|
```bash
|
|
236
|
-
# Linux/Mac
|
|
237
|
-
chmod +x tools/exposed-files-scan.sh
|
|
238
|
-
./tools/exposed-files-scan.sh https://target.com
|
|
239
|
-
|
|
240
|
-
# Windows PowerShell
|
|
241
262
|
.\tools\exposed-files-scan.ps1 -Target https://target.com
|
|
263
|
+
./tools/exposed-files-scan.sh https://target.com
|
|
242
264
|
```
|
|
243
265
|
|
|
244
|
-
### Full Security Scan (All-in-One)
|
|
266
|
+
### Full Security Scan (All-in-One)
|
|
245
267
|
```bash
|
|
246
|
-
# Linux/Mac
|
|
247
|
-
chmod +x tools/full-scan.sh
|
|
248
|
-
./tools/full-scan.sh https://target.com
|
|
249
|
-
|
|
250
|
-
# Windows PowerShell
|
|
251
268
|
.\tools\full-scan.ps1 -Target https://target.com
|
|
269
|
+
./tools/full-scan.sh https://target.com
|
|
252
270
|
```
|
|
253
271
|
|
|
254
|
-
###
|
|
255
|
-
```bash
|
|
256
|
-
nmap -sV -p 21,22,80,443,3306,5432,8080 target.com
|
|
257
|
-
nmap -p- -sV target.com
|
|
258
|
-
```
|
|
259
|
-
|
|
260
|
-
### Vulnerability Scanning
|
|
272
|
+
### Skill Health Check
|
|
261
273
|
```bash
|
|
262
|
-
|
|
263
|
-
|
|
264
|
-
|
|
265
|
-
# SQLMap
|
|
266
|
-
sqlmap -u "https://target.com/search?q=1" --batch
|
|
267
|
-
|
|
268
|
-
# Dalfox XSS
|
|
269
|
-
dalfox url https://target.com/search?q=test
|
|
270
|
-
|
|
271
|
-
# Commix
|
|
272
|
-
commix -u "http://target.com/ping?ip=127.0.0.1"
|
|
274
|
+
.\tools\test-skill.ps1
|
|
275
|
+
./tools/test-skill.sh
|
|
273
276
|
```
|
|
274
277
|
|
|
275
278
|
---
|
|
@@ -321,8 +324,12 @@ F (0-29): Critical
|
|
|
321
324
|
- "test CORS" → Load CORS checklist
|
|
322
325
|
- "test JWT" → Load JWT checklist
|
|
323
326
|
- "test GraphQL" → Load GraphQL checklist
|
|
324
|
-
-
|
|
325
|
-
-
|
|
327
|
+
- "test API security" → Load API security checklist 🔴 **NEW**
|
|
328
|
+
- "test subdomain" → Load subdomain discovery 🔴 **NEW**
|
|
329
|
+
- "test WebSocket" → Load WebSocket security 🔴 **NEW**
|
|
330
|
+
- "test cloud metadata" → Load cloud metadata checklist 🔴 **NEW**
|
|
331
|
+
- "test sensitive data" → Load sensitive data checklist 🔴 **NEW**
|
|
332
|
+
- "test skill" / "check skill" → Run skill health check
|
|
326
333
|
|
|
327
334
|
---
|
|
328
335
|
|
|
@@ -338,20 +345,20 @@ User: "security audit untuk target.com"
|
|
|
338
345
|
User: "check exposed files di website ini"
|
|
339
346
|
→ Run exposed files scan → site/target.com-exposed-2025-07-05.md
|
|
340
347
|
|
|
341
|
-
User: "test
|
|
342
|
-
→ Run
|
|
348
|
+
User: "test API security"
|
|
349
|
+
→ Run API security tests → checklists/api-security.md
|
|
343
350
|
|
|
344
|
-
User: "
|
|
345
|
-
→ Run
|
|
351
|
+
User: "subdomain enumeration untuk target.com"
|
|
352
|
+
→ Run subdomain discovery → checklists/subdomain.md
|
|
346
353
|
|
|
347
|
-
User: "
|
|
348
|
-
→
|
|
354
|
+
User: "test SSRF"
|
|
355
|
+
→ Load cloud metadata/SSRF checklist
|
|
349
356
|
|
|
350
|
-
User: "
|
|
351
|
-
→
|
|
357
|
+
User: "check sensitive data exposure"
|
|
358
|
+
→ Load sensitive data detection checklist
|
|
352
359
|
|
|
353
|
-
User: "
|
|
354
|
-
→
|
|
360
|
+
User: "test skill"
|
|
361
|
+
→ Run skill health check
|
|
355
362
|
```
|
|
356
363
|
|
|
357
364
|
---
|
|
@@ -359,6 +366,9 @@ User: "validate skill installation"
|
|
|
359
366
|
## ✅ SKILL READY
|
|
360
367
|
|
|
361
368
|
**Status:** ACTIVE & READY FOR USE
|
|
362
|
-
**Version:**
|
|
369
|
+
**Version:** 4.0
|
|
363
370
|
**Author:** Rz (@soulofzephir)
|
|
364
371
|
**Last Updated:** 2025-07-05
|
|
372
|
+
**Checklists:** 13
|
|
373
|
+
**Tools:** 8
|
|
374
|
+
**Health Score:** 95%+
|
|
@@ -0,0 +1,210 @@
|
|
|
1
|
+
# API Security Checklist
|
|
2
|
+
|
|
3
|
+
## 🔍 What is API Security?
|
|
4
|
+
|
|
5
|
+
APIs expose application logic and sensitive data. Testing requires understanding authentication, authorization, and input validation.
|
|
6
|
+
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
## ⚠️ Common API Vulnerabilities
|
|
10
|
+
|
|
11
|
+
### 1. Broken Object Level Authorization (BOLA/IDOR)
|
|
12
|
+
```
|
|
13
|
+
Risk: Users access other users' resources
|
|
14
|
+
Test: Change ID in request parameter
|
|
15
|
+
```
|
|
16
|
+
|
|
17
|
+
### 2. Broken Authentication
|
|
18
|
+
```
|
|
19
|
+
Risk: Session management flaws
|
|
20
|
+
Test: Token manipulation, JWT attacks
|
|
21
|
+
```
|
|
22
|
+
|
|
23
|
+
### 3. Excessive Data Exposure
|
|
24
|
+
```
|
|
25
|
+
Risk: API returns more data than needed
|
|
26
|
+
Test: Analyze all response fields
|
|
27
|
+
```
|
|
28
|
+
|
|
29
|
+
### 4. Lack of Resources & Rate Limiting
|
|
30
|
+
```
|
|
31
|
+
Risk: DoS, brute force
|
|
32
|
+
Test: Send many requests, measure throttling
|
|
33
|
+
```
|
|
34
|
+
|
|
35
|
+
### 5. Mass Assignment
|
|
36
|
+
```
|
|
37
|
+
Risk: Modify protected fields
|
|
38
|
+
Test: Add unexpected fields to request
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
---
|
|
42
|
+
|
|
43
|
+
## 🧪 Testing Checklist
|
|
44
|
+
|
|
45
|
+
### Phase 1: Discovery
|
|
46
|
+
- [ ] API endpoints identified
|
|
47
|
+
- [ ] HTTP methods discovered (GET, POST, PUT, DELETE, PATCH)
|
|
48
|
+
- [ ] Authentication method identified (Bearer, API Key, OAuth, JWT)
|
|
49
|
+
- [ ] Content-Type identified (JSON, XML, form-data)
|
|
50
|
+
- [ ] Versioning detected (v1, v2, /api/)
|
|
51
|
+
|
|
52
|
+
### Phase 2: Authentication Testing
|
|
53
|
+
- [ ] API key exposure in URL (should be in header)
|
|
54
|
+
- [ ] Bearer token manipulation
|
|
55
|
+
- [ ] JWT attacks (alg confusion, none, weak secret)
|
|
56
|
+
- [ ] Session fixation
|
|
57
|
+
- [ ] Token expiration bypass
|
|
58
|
+
- [ ] Password reset via API
|
|
59
|
+
- [ ] MFA bypass attempts
|
|
60
|
+
|
|
61
|
+
### Phase 3: Authorization Testing
|
|
62
|
+
- [ ] Horizontal privilege escalation (access other users)
|
|
63
|
+
- [ ] Vertical privilege escalation (admin access)
|
|
64
|
+
- [ ] IDOR in resource endpoints
|
|
65
|
+
- [ ] Parameter manipulation
|
|
66
|
+
- [ ] Path traversal in URLs
|
|
67
|
+
|
|
68
|
+
### Phase 4: Input Validation
|
|
69
|
+
- [ ] SQL Injection
|
|
70
|
+
- [ ] NoSQL Injection (MongoDB operators)
|
|
71
|
+
- [ ] Command Injection
|
|
72
|
+
- [ ] XSS (in JSON responses)
|
|
73
|
+
- [ ] XML Injection (if XML API)
|
|
74
|
+
- [ ] JSON Manipulation
|
|
75
|
+
|
|
76
|
+
### Phase 5: Rate Limiting
|
|
77
|
+
- [ ] Rate limit present?
|
|
78
|
+
- [ ] Bypass via header manipulation (X-Forwarded-For)
|
|
79
|
+
- [ ] Bypass via IP rotation
|
|
80
|
+
- [ ] Bypass via user-agent rotation
|
|
81
|
+
- [ ] Business logic abuse (coupon reuse, price manipulation)
|
|
82
|
+
|
|
83
|
+
### Phase 6: Business Logic
|
|
84
|
+
- [ ] Workflow bypass
|
|
85
|
+
- [ ] Race condition
|
|
86
|
+
- [ ] Mass assignment
|
|
87
|
+
- [ ] Insufficient workflow validation
|
|
88
|
+
- [ ] Time-based logic abuse
|
|
89
|
+
|
|
90
|
+
### Phase 7: Data Exposure
|
|
91
|
+
- [ ] Sensitive data in responses (PII, passwords, tokens)
|
|
92
|
+
- [ ] Stack traces in errors
|
|
93
|
+
- [ ] Debug endpoints exposed
|
|
94
|
+
- [ ] Verbose logging
|
|
95
|
+
- [ ] Default/error messages leak info
|
|
96
|
+
|
|
97
|
+
### Phase 8: Configuration
|
|
98
|
+
- [ ] CORS misconfiguration
|
|
99
|
+
- [ ] HTTP methods enabled (TRACE, OPTIONS)
|
|
100
|
+
- [ ] SSL/TLS issues
|
|
101
|
+
- [ ] Security headers missing
|
|
102
|
+
- [ ] Sensitive fields in Swagger/OpenAPI
|
|
103
|
+
|
|
104
|
+
---
|
|
105
|
+
|
|
106
|
+
## 🔧 Common API Payloads
|
|
107
|
+
|
|
108
|
+
### SQL Injection
|
|
109
|
+
```json
|
|
110
|
+
{"id": "1 OR 1=1"}
|
|
111
|
+
{"id": "1' OR '1'='1"}
|
|
112
|
+
{"id": "1; DROP TABLE users--"}
|
|
113
|
+
```
|
|
114
|
+
|
|
115
|
+
### NoSQL Injection
|
|
116
|
+
```json
|
|
117
|
+
{"id": {"$ne": null}}
|
|
118
|
+
{"id": {"$gt": ""}}
|
|
119
|
+
{"username": {"$regex": ".*"}}
|
|
120
|
+
{"password": {"$ne": ""}}
|
|
121
|
+
```
|
|
122
|
+
|
|
123
|
+
### Mass Assignment
|
|
124
|
+
```json
|
|
125
|
+
{"user_id": 123, "role": "admin"}
|
|
126
|
+
{"price": 1, "admin": true}
|
|
127
|
+
```
|
|
128
|
+
|
|
129
|
+
### Bypass Rate Limiting
|
|
130
|
+
```bash
|
|
131
|
+
# Via X-Forwarded-For
|
|
132
|
+
curl -H "X-Forwarded-For: 1.2.3.4" api.target.com
|
|
133
|
+
|
|
134
|
+
# Via X-Real-IP
|
|
135
|
+
curl -H "X-Real-IP: 1.2.3.4" api.target.com
|
|
136
|
+
|
|
137
|
+
# Via X-Originating-IP
|
|
138
|
+
curl -H "X-Originating-IP: 1.2.3.4" api.target.com
|
|
139
|
+
```
|
|
140
|
+
|
|
141
|
+
### IDOR Tests
|
|
142
|
+
```bash
|
|
143
|
+
# Change user ID
|
|
144
|
+
GET /api/users/123/profile
|
|
145
|
+
GET /api/users/124/profile
|
|
146
|
+
|
|
147
|
+
# Change resource ID
|
|
148
|
+
GET /api/orders/1001
|
|
149
|
+
GET /api/orders/1002
|
|
150
|
+
|
|
151
|
+
# Change UUID
|
|
152
|
+
GET /api/documents/abc-123
|
|
153
|
+
GET /api/documents/abc-124
|
|
154
|
+
```
|
|
155
|
+
|
|
156
|
+
---
|
|
157
|
+
|
|
158
|
+
## 🛠️ Tools
|
|
159
|
+
|
|
160
|
+
```bash
|
|
161
|
+
# Burp Suite (Recommended)
|
|
162
|
+
# - Intruder for fuzzing
|
|
163
|
+
# - Repeater for testing
|
|
164
|
+
# - Active Scanner
|
|
165
|
+
|
|
166
|
+
# sqlmap for API SQLi
|
|
167
|
+
sqlmap -u "https://api.target.com/users?id=1" --level=5 --risk=3
|
|
168
|
+
|
|
169
|
+
# ffuf for fuzzing
|
|
170
|
+
ffuf -w wordlist.txt -u https://api.target.com/FUZZ
|
|
171
|
+
|
|
172
|
+
# JWT attacks
|
|
173
|
+
python -m jwt_tool <JWT> -T
|
|
174
|
+
hashcat -a 0 -m 16500 jwt.txt wordlist.txt
|
|
175
|
+
|
|
176
|
+
# API enumeration
|
|
177
|
+
nmap --script=http-enum api.target.com
|
|
178
|
+
```
|
|
179
|
+
|
|
180
|
+
---
|
|
181
|
+
|
|
182
|
+
## 📋 API Security Score
|
|
183
|
+
|
|
184
|
+
| Area | Score | Weight |
|
|
185
|
+
|------|-------|--------|
|
|
186
|
+
| Authentication | /20 | High |
|
|
187
|
+
| Authorization | /20 | Critical |
|
|
188
|
+
| Rate Limiting | /15 | High |
|
|
189
|
+
| Input Validation | /15 | Critical |
|
|
190
|
+
| Data Exposure | /15 | High |
|
|
191
|
+
| Configuration | /15 | Medium |
|
|
192
|
+
|
|
193
|
+
**Total: /100**
|
|
194
|
+
|
|
195
|
+
---
|
|
196
|
+
|
|
197
|
+
## 🛡️ Secure API Checklist
|
|
198
|
+
|
|
199
|
+
- [ ] JWT with strong secret (HS256 min 256-bit)
|
|
200
|
+
- [ ] Token expiration set
|
|
201
|
+
- [ ] Proper authorization on every endpoint
|
|
202
|
+
- [ ] Rate limiting enabled
|
|
203
|
+
- [ ] Input validation on all parameters
|
|
204
|
+
- [ ] Sensitive data not in responses
|
|
205
|
+
- [ ] Security headers set
|
|
206
|
+
- [ ] CORS properly configured
|
|
207
|
+
- [ ] No verbose errors in production
|
|
208
|
+
- [ ] API versioning
|
|
209
|
+
- [ ] Logging without sensitive data
|
|
210
|
+
- [ ] HTTPS only
|