API Documentation

Attackers can use API docs to find design flaws and hidden endpoints, and to get a better understanding of the application.

Swagger API

A popular format for describing RESTful APIs, expressed in JSON.

  • Gives the name, path, and arguments of every possible API call.

Swagger endpoints:

→ /api

→ /swagger/index.html

→ /swagger/v1/swagger.json

→ /swagger-ui.html

→ /swagger-resources

Interesting findings:

→ hidden password resets that are easily bypassable

→ hidden admin functionality

→ SQL injection
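Because a Swagger document lists every operation and its parameters, it can be inventoried mechanically. The following is an added example (not from the original notes or any project): it parses a constructed Swagger 2.0 document, lists each method, path and parameter, and flags operations whose security requirement is empty, which is where undocumented admin or password-reset functionality tends to surface in a review. The sample document, its paths and the `bearer` scheme are all made up for the illustration.

```python
import json

# Constructed sample Swagger 2.0 document; not taken from any real application.
SAMPLE_SWAGGER = json.dumps({
    "swagger": "2.0",
    "info": {"title": "Example Shop API", "version": "1.0"},
    "basePath": "/api/v1",
    "securityDefinitions": {"bearer": {"type": "apiKey", "name": "Authorization", "in": "header"}},
    "security": [{"bearer": []}],  # global requirement: every operation needs a bearer token
    "paths": {
        "/users/{id}": {
            "get": {"summary": "Get a user",
                    "parameters": [{"name": "id", "in": "path", "type": "integer"}]}},
        "/admin/users": {
            "get": {"summary": "List all users", "security": []}},  # opts out of auth
        "/password/reset": {
            "post": {"summary": "Reset a password", "security": [],
                     "parameters": [{"name": "email", "in": "formData", "type": "string"}]}},
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}


def enumerate_endpoints(swagger_json):
    """Return one record per (method, path): full path, parameters, and whether auth is required."""
    doc = json.loads(swagger_json)
    base = doc.get("basePath", "")
    global_security = doc.get("security", [])
    records = []
    for path, operations in doc.get("paths", {}).items():
        for method, op in operations.items():
            if method.lower() not in HTTP_METHODS:  # skip "parameters" and vendor extensions
                continue
            # An operation-level "security": [] overrides the global requirement with "none".
            security = op.get("security", global_security)
            params = [f"{p['in']}:{p['name']}" for p in op.get("parameters", [])]
            records.append({"method": method.upper(), "path": base + path,
                            "params": params, "auth_required": bool(security)})
    return records


def unauthenticated_endpoints(swagger_json):
    """Operations with no security requirement; review these first for exposed admin or reset logic."""
    return [f"{r['method']} {r['path']}" for r in enumerate_endpoints(swagger_json)
            if not r["auth_required"]]


if __name__ == "__main__":
    for r in enumerate_endpoints(SAMPLE_SWAGGER):
        flag = "" if r["auth_required"] else "  <-- no auth required"
        print(f"{r['method']:6} {r['path']:28} {', '.join(r['params'])}{flag}")
```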

XSS

When you come across Swagger documentation, check for these two XSS vulnerabilities:

Postman

A tool that can be used to read and write API documentation.

Once you import the API docs to Postman, review each API endpoint and test it for vulnerabilities.

Web Service Description Language (WSDL)

A file used to describe the endpoints of a SOAP API.

  • Look for an XML file that contains a “wsdl” tag:

→ example.com/?wsdl

→ example.com/file.wsdl

  • Import this file into the “SoapUI” tool

Web Application Description Language (WADL)

A machine-readable XML description of HTTP-based web services used for REST APIs.

  • Look for an XML document ending with “wadl”

→ example.com/file.wadl

  • Import it into Postman → review each API endpoint and test it for vulnerabilities.
