API Authentication is not possible?

[danilobasanta]

API Authentication is not possible? The most API evaluation requires previus authentication to consume many other functions...

[thenorthernpole]

I am sorry, I haven't got a notification about this issue, and thus am responding only now. Could you please give an example?

[0x3f8]

An example would be calling the API and providing a cookie or in many cases a bearer token in the headers such as in this sample request

GET /dev HTTP/1.1
Host: some.api.endpoint.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Connection: close
Upgrade-Insecure-Requests: 1

As a side note: you can run the app through the burp proxy and inject the headers. There are options to capture cookies and extensions to inject other headers as needed, so it's a workaround.

[thenorthernpole]

Will implement. Any preferred way to specify the headers/query params? (such security tokens may appear also in query params). I thought of a cURL-like way.

[0x3f8]

I have no preferences but a cURL like way would be convenient and lower the barrier of entry for anyone already familiar with that tool :)

Thanks for the quick response!