A JSON Web Token is an encoded string of characters that allows users to identify themselves when interacting with an API. Why do you need a token? Because APIs manage their connections in a different way than regular web applications do. A web app typically relies on stateful connections. This means that when a...
Extract email addresses from a large JSON file
Some requests to API endpoints may generate a very large output in JSON format. As an example, the crAPI vulnerable web app that I have been practicing with lately has an endpoint that lists the details of all recent posts in the community section of the app. These details happen to include the e-mail...
Export a Postman collection to OpenAPI 3.0
This post is a follow up to my earlier Build an OpenAPI 3.0 documentation file post. In this previous post, I showed you how you can create your own API documentation, compliant with the OpenAPI 3.0 specifications, using Firefox and mitmproxy2swagger. The point is to have a documentation file that you can then import...
Build an OpenAPI 3.0 documentation file
This post will help you if you are testing an API, you are at the recon stage and you want to generate your own OpenAPI 3.0 documentation for your target, which you can then open as a collection in Postman to start probing for vulnerabilities. Here, we are going to use Firefox’s developer tools...
Using Kiterunner with routes-large.kite
So you’ve chosen Kiterunner as your preferred tool for fuzzing APIs ? Good for you (I’ll go into more detail about Kiterunner in a later post – stay tuned). But if you are using a virtual machine to host the linux system you use for your hacking (which I very much recommend) and installed...
Make crAPI accessible on a network
Need to practice your API hacking skills? crAPI is for you. OWASP’s completely ridiculous API (crAPI) is one of several vulnerable apps you can set up as a target on your network. You’ll find installation instructions here. But there’s a catch. Once you have successfully run through the instructions, you will have a functioning...