OWASP / wstg

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
https://owasp.org/www-project-web-security-testing-guide/
Creative Commons Attribution Share Alike 4.0 International

Add Recon Section for API Chapter #1147

Closed garthoid closed 1 month ago

garthoid commented 3 months ago

This PR supports issue #5

github-actions[bot] commented 3 months ago

The following mistakes were identified:

/home/runner/work/wstg/wstg/pr/document/4-Web_Application_Security_Testing/12-API_Testing/01-API_Reconnaissance.md
  9:398   ✖ Incorrect usage of the term: “API’s”, use “APIs” instead  terminology
  29:43   ✖ Incorrect usage of the term: “back end”, use “backend” instead  terminology
  30:58   ✖ Incorrect usage of the term: “back end”, use “backend” instead  terminology
  54:43   ✖ Incorrect usage of the term: “website”, use “site” instead  terminology
  54:247  ✖ Incorrect usage of the term: “websites”, use “sites” instead  terminology
  56:61   ✖ Incorrect usage of the term: “api”, use “API” instead  terminology
  77:270  ✖ Incorrect usage of the term: “urls”, use “URLs” instead  terminology
  80:24   ✖ Incorrect usage of the term: “graphql”, use “GraphQL” instead  terminology
  97:35   ✖ Incorrect usage of the term: “api”, use “API” instead  terminology
  97:42   ✖ Incorrect usage of the term: “graphql”, use “GraphQL” instead  terminology
  109:9   ✖ Incorrect usage of the term: “Client Side”, use “client-side” instead  terminology
  113:188 ✖ Incorrect usage of the term: “Regex”, use “regular expression” instead  terminology
  113:332 ✖ Incorrect usage of the term: “Regex”, use “regular expression” instead  terminology
  115:156 ✖ Incorrect usage of the term: “regex”, use “regular expression” instead  terminology
  119:169 ✖ Incorrect usage of the term: “command line tools”, use “command-line tools” instead  terminology
  123:6   ✖ Incorrect usage of the term: “Regex”, use “Regular expression” instead  terminology
  131:56  ✖ Incorrect usage of the term: “command line tool”, use “command-line tool” instead  terminology
  95:35   ✖ Incorrect usage of the term: “api”, use “API” instead  terminology

github-actions[bot] commented 3 months ago

The following links are broken:

FILE: document/4-Web_Application_Security_Testing/12-API_Testing/01-API_Reconnaissance.md
  [✖] apis.guru → Status: 400
  [✖] https://example.com/api/v1 → Status: 404
  [✖] https://example.com/graphql → Status: 404

github-actions[bot] commented 3 months ago

The following issues were identified:

document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md:508:1 MD007/ul-indent Unordered list indentation [Expected: 4; Actual: 2]
document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md:509:1 MD007/ul-indent Unordered list indentation [Expected: 4; Actual: 2]
document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md:511:1 MD007/ul-indent Unordered list indentation [Expected: 4; Actual: 2]
document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md:512:1 MD007/ul-indent Unordered list indentation [Expected: 4; Actual: 2]
document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md:513:1 MD007/ul-indent Unordered list indentation [Expected: 4; Actual: 2]
document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md:514:1 MD007/ul-indent Unordered list indentation [Expected: 4; Actual: 2]
document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md:515:1 MD007/ul-indent Unordered list indentation [Expected: 4; Actual: 2]
document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md:518:1 MD007/ul-indent Unordered list indentation [Expected: 4; Actual: 2]
document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md:519:1 MD007/ul-indent Unordered list indentation [Expected: 4; Actual: 2]
document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md:520:1 MD007/ul-indent Unordered list indentation [Expected: 4; Actual: 2]

github-actions[bot] commented 3 months ago

The following mistakes were identified:

/home/runner/work/wstg/wstg/pr/document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md
  27:14   ✖ Incorrect usage of the term: “website”, use “site” instead  terminology

/home/runner/work/wstg/wstg/pr/document/4-Web_Application_Security_Testing/12-API_Testing/01-API_Reconnaissance.md
  9:398   ✖ Incorrect usage of the term: “API’s”, use “APIs” instead  terminology
  29:43   ✖ Incorrect usage of the term: “back end”, use “backend” instead  terminology
  30:58   ✖ Incorrect usage of the term: “back end”, use “backend” instead  terminology
  54:43   ✖ Incorrect usage of the term: “website”, use “site” instead  terminology
  54:247  ✖ Incorrect usage of the term: “websites”, use “sites” instead  terminology
  56:61   ✖ Incorrect usage of the term: “api”, use “API” instead  terminology
  77:270  ✖ Incorrect usage of the term: “urls”, use “URLs” instead  terminology
  80:24   ✖ Incorrect usage of the term: “graphql”, use “GraphQL” instead  terminology
  97:35   ✖ Incorrect usage of the term: “api”, use “API” instead  terminology
  97:42   ✖ Incorrect usage of the term: “graphql”, use “GraphQL” instead  terminology
  109:9   ✖ Incorrect usage of the term: “Client Side”, use “client-side” instead  terminology
  113:188 ✖ Incorrect usage of the term: “Regex”, use “regular expression” instead  terminology
  113:332 ✖ Incorrect usage of the term: “Regex”, use “regular expression” instead  terminology
  115:156 ✖ Incorrect usage of the term: “regex”, use “regular expression” instead  terminology
  119:169 ✖ Incorrect usage of the term: “command line tools”, use “command-line tools” instead  terminology
  123:6   ✖ Incorrect usage of the term: “Regex”, use “Regular expression” instead  terminology
  131:56  ✖ Incorrect usage of the term: “command line tool”, use “command-line tool” instead  terminology
  95:35   ✖ Incorrect usage of the term: “api”, use “API” instead  terminology

github-actions[bot] commented 3 months ago

The following mistakes were identified:

/home/runner/work/wstg/wstg/pr/document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md
  27:14   ✖ Incorrect usage of the term: “website”, use “site” instead  terminology

/home/runner/work/wstg/wstg/pr/document/4-Web_Application_Security_Testing/12-API_Testing/01-API_Reconnaissance.md
  9:398   ✖ Incorrect usage of the term: “API’s”, use “APIs” instead  terminology
  29:43   ✖ Incorrect usage of the term: “back end”, use “backend” instead  terminology
  30:58   ✖ Incorrect usage of the term: “back end”, use “backend” instead  terminology
  54:43   ✖ Incorrect usage of the term: “website”, use “site” instead  terminology
  54:247  ✖ Incorrect usage of the term: “websites”, use “sites” instead  terminology
  56:61   ✖ Incorrect usage of the term: “api”, use “API” instead  terminology
  77:270  ✖ Incorrect usage of the term: “urls”, use “URLs” instead  terminology
  97:35   ✖ Incorrect usage of the term: “api”, use “API” instead  terminology
  97:42   ✖ Incorrect usage of the term: “graphql”, use “GraphQL” instead  terminology
  109:9   ✖ Incorrect usage of the term: “Client Side”, use “client-side” instead  terminology
  113:188 ✖ Incorrect usage of the term: “Regex”, use “regular expression” instead  terminology
  113:332 ✖ Incorrect usage of the term: “Regex”, use “regular expression” instead  terminology
  115:156 ✖ Incorrect usage of the term: “regex”, use “regular expression” instead  terminology
  119:169 ✖ Incorrect usage of the term: “command line tools”, use “command-line tools” instead  terminology
  123:6   ✖ Incorrect usage of the term: “Regex”, use “Regular expression” instead  terminology
  131:56  ✖ Incorrect usage of the term: “command line tool”, use “command-line tool” instead  terminology
  95:35   ✖ Incorrect usage of the term: “api”, use “API” instead  terminology

github-actions[bot] commented 3 months ago

The following links are broken:

FILE: document/4-Web_Application_Security_Testing/12-API_Testing/01-API_Reconnaissance.md
  [✖] apis.guru → Status: 400

kingthorin commented 3 months ago

Check out the template directory 📖

This needs some objectives, and other minor tweaks.

garthoid commented 3 months ago

> Check out the template directory 📖
>
> This needs some objectives, and other minor tweaks.

The GraphQL page was not intended to be part of this PR. Will try to remove.

github-actions[bot] commented 3 months ago

The following mistakes were identified:

/home/runner/work/wstg/wstg/pr/document/4-Web_Application_Security_Testing/12-API_Testing/01-API_Reconnaissance.md
  9:398   ✖ Incorrect usage of the term: “API’s”, use “APIs” instead  terminology
  29:43   ✖ Incorrect usage of the term: “back end”, use “backend” instead  terminology
  30:58   ✖ Incorrect usage of the term: “back end”, use “backend” instead  terminology
  54:43   ✖ Incorrect usage of the term: “website”, use “site” instead  terminology
  54:247  ✖ Incorrect usage of the term: “websites”, use “sites” instead  terminology
  56:61   ✖ Incorrect usage of the term: “api”, use “API” instead  terminology
  77:270  ✖ Incorrect usage of the term: “urls”, use “URLs” instead  terminology
  101:35  ✖ Incorrect usage of the term: “api”, use “API” instead  terminology
  101:42  ✖ Incorrect usage of the term: “graphql”, use “GraphQL” instead  terminology
  113:9   ✖ Incorrect usage of the term: “Client Side”, use “client-side” instead  terminology
  117:188 ✖ Incorrect usage of the term: “Regex”, use “regular expression” instead  terminology
  117:332 ✖ Incorrect usage of the term: “Regex”, use “regular expression” instead  terminology
  119:156 ✖ Incorrect usage of the term: “regex”, use “regular expression” instead  terminology
  123:169 ✖ Incorrect usage of the term: “command line tools”, use “command-line tools” instead  terminology
  127:6   ✖ Incorrect usage of the term: “Regex”, use “Regular expression” instead  terminology
  135:56  ✖ Incorrect usage of the term: “command line tool”, use “command-line tool” instead  terminology
  99:35   ✖ Incorrect usage of the term: “api”, use “API” instead  terminology

github-actions[bot] commented 3 months ago

The following mistakes were identified:

/home/runner/work/wstg/wstg/pr/document/4-Web_Application_Security_Testing/12-API_Testing/01-API_Reconnaissance.md
  9:398   ✖ Incorrect usage of the term: “API’s”, use “APIs” instead  terminology
  77:270  ✖ Incorrect usage of the term: “urls”, use “URLs” instead  terminology

kingthorin commented 3 months ago

You probably need to pull those changes back to your local

rbsec commented 3 months ago

I've not gone through this in huge detail - but a few initial thoughts.

The main one is that there seems to be quite a lot of duplication between this and the existing content within the WSTG. Things like checking well known directories, robots.txt, Google Dorking, Dirbuster, examining JS files, etc are all already included in the guide. Is there much value to repeating those same things here, given that it just means there are now two places to read it and for us to keep it up to date? Or would it be better to point to the existing content in the WSTG?

Because it's quite rare nowadays to find a web application that doesn't use APIs at some level - so I'd question how meaningful it is to split out "API Reconnaissance" from the existing "Information Gathering" section. Would it not make more sense to add in any specific extra checks to the existing section rather than creating a whole new one? Or is the idea to create essentially a separate guide for if you're only testing an API endpoint, and that you'd jump back and forth between this and the more general info gathering section if you're testing a full application? (probably a question for @kingthorin, @ThunderSon and @victoriadrake rather than OP).

Secondly, there's quite a lot of tools listed here, including several I've not heard of, and some that seem to be unsupported (uproon-js has had no commits in 2 years, JSParser has had no commits in 7 years and only supports Python2, attack-surface-detector-burp has had no commits for 6 years, waybackurls has no commits for 2 years, etc). Are we happy to be recommending all these as a project?

There's certainly some good content in there, including some things that should perhaps be part of the general information gathering guides (as they're not API specific), like trying to extract secrets from JS using AST tools - I'm unsure whether trying to split out API testing in this way is a meaningful distinction, or whether it would be better to try and adapt the existing guidance to include any API-specific bits.

garthoid commented 3 months ago

> The main one is that there seems to be quite a lot of duplication between this and the existing content within the WSTG.

I do not agree that API recon should be integrated with the regular recon; often we are focusing on a specific area - an API, a web site, a specific endpoint. And having to sift through other documents for content specific to our case is, well, a pain.

What I do agree on is providing references to the existing document where applicable and diverging where it is specific to the API case.

> Secondly there's quite a lot of tools listed here, including several I've not heard of, and some that seem to be unsupported

I think this can also be said for other parts of the WSTG. The ones I have listed are tools I use and still find useful.

kingthorin commented 2 months ago

> [!NOTE]
> I'm assuming the links I've added in suggested edits are good. I haven't had a chance to test/check them.

Also note that GitHub web UI may be hiding some comments/suggestions: [screenshot]

github-actions[bot] commented 1 month ago

The following links are broken:

FILE: document/4-Web_Application_Security_Testing/12-API_Testing/01-API_Reconnaissance.md
  [✖] ../%5B01-Information_Gathering/01-Conduct_Search_Engine_Discovery_Reconnaissance_for_Information_Leakage.md → Status: 400

kingthorin commented 1 month ago

:warning: Before making further changes :warning:

Please ensure you've done the following (with the Add-API-Recon branch checked out):

git fetch origin
git reset --hard origin/Add-API-Recon