Security Notes
  • Whoami
  • Pentesting
    • WEP-Pen
      • Reconnaissance
      • Enumeration
      • OWSAP TOP 10
        • Injection
          • Cross Site Scripting
            • Cross Site Scripting
            • Exploitation
            • Protections
          • SQL Injection
            • SQL Injection Overview
          • NoSQL Injection
          • CRLF Injection
          • XML Injection
        • Broken Access Control
          • Path Traversal
          • Sensitive Cookie with Improper SameSite Attribute
          • Link Following
          • Incorrect Default Permissions
          • Information disclosure
          • CSRF
            • csrf checklist
          • 403 bypass
          • Exposure of WSDL File Containing Sensitive Information
          • bussiness logic checklist
          • 2FA bypass checklist
          • admin panal checklist
          • idor checklist
          • Authentication checklist
          • reset_password_checklist
          • ATO
        • Cryptographic Failures
          • Cryptographic Failure
          • Weak Encoding for Password
          • Improper Following of a Certificate's Chain of Trust
            • Understanding Digital Certificates : Self-Signed and CA-Signed Certificate **
            • Transport Layer Security (TLS) and SSL **
          • Clear Text Transmission Of Sensitive Data
            • SSLStripping **
        • Insecure Design
        • Security Misconfiguration
          • CORS Miscofigration
          • Mail Server Misconfiguration
        • Vulnerable and Outdated Components
          • Using Components with Known Vulnerabilities
        • Identification and Authentication Failures
          • JWT Hacking
          • SAML Authentication bypass
        • Software and Data Integrity Failures
          • mass assignment
          • PostMessage Vulnerabilities
            • PostMessage Vulnerabilities
            • Blocking main page to steal postmessage
            • Bypassing SOP with Iframes - part 1
            • Bypassing SOP with Iframes - part 2
            • Steal postmessage modifying iframe location
        • Security Logging and Monitoring Failures
        • Server-Side Request Forgery (SSRF)
          • SSRF
      • Checklists
        • aem misconfiguration
        • exif_geo
        • xss
        • Session Management
        • Authorization
        • cookie
        • Django
        • Symfony
        • json
        • bypass rate limit
        • Rce
        • Register Page
      • eWPTXv2 Preparation
        • Encoding & Filtering
        • Evasion Basics
        • Cross-site scripting (XSS)
        • XSS Filter Evasion
        • Cross-site request forgery (CSRF
        • HTML5
      • API-Pen
        • API Discovry
        • Reverse Engineering API Documentation
        • Excessive Data Exposure
        • Vulnerability Scanning
        • API Authentication Attacks
          • Classic Authentication Attacks
          • API Token Attacks
        • API Authorization Attacks
          • Broken Object Level Authorization (BOLA)
          • Broken Function Level Authorization
        • Improper Assets Management
        • Mass Assignment
        • SSRF
        • Injection Attacks in API
        • Evasive Maneuvers
        • GraphQL Vulnerabilities
    • NET-Pen
      • Active Directory Pentesting
        • Active Directory Components
        • Initial Attack Vectors
          • LLMNR Poisoning
          • SMB Relay Attacks
          • IPv6 Attacks ( IPv6 DNS Takeover )
          • Printer Hacking
          • Methodology
          • Some Other Attacks
            • Zerologon (CVE-2020-1472)
            • PrintNightmare (CVE-2021-1675)
        • Post-Compromise Attacks
          • Pass Attacks
          • Kerberoasting Attack
          • Token Impersonation Attack
          • LNK File Attack
          • GPP / cPassword Attacks
          • Mimikatz
          • Methodology
        • We've Compromised the Domain
          • Dumping the NTDS.dit
          • Golden Ticket Attacks
          • Methodology
        • Case Study
        • Password Attacks
      • Attack Vectors by Port
        • FTP 21
        • SSH 22
        • Telnet 23 - 2323
        • SMTP 25
        • DNS 53
        • Kerberos 88
        • POP 110-995
        • RPC 111
        • Ident 113
        • NNTP 119
        • NetBIOS 137-138
        • SMB / Samba 135-139, 445
        • MSRPC 135
        • SNMP 161
        • LDAP 389,636
        • Modbus 502
        • OpenSSL 1337
        • Ms-SQL 1433
        • Oracle Listener 1521 1522 1529
        • NFS 2049
        • MySql 3306
        • RDP 3389
        • ADB Android Debug Bridge 5555
        • WinRM 5985 5986
        • VNC 5800 5900
        • Redis 6379
        • Unreal IRC 6667
        • Tomcat 8080
        • MongoDB 27017
        • http 80
      • Network basics
      • Information Gathering
      • Privilege Escalation
        • Windows Privilege Escalation
        • Linux Privilege Escalation
    • write-ups
      • How i found a Privilege Escalation via Impersonation Features feature
      • How I was able to discover ATO Via IDOR vulnerability
      • Easy full Account Takeover via Facebook OAuth Misconfiguration
Powered by GitBook
On this page
  • String Terminators
  • Case Switching
  • Encoding Payloads
  • Payload Processing with Burp Suite
  1. Pentesting
  2. WEP-Pen
  3. API-Pen

Evasive Maneuvers

Many APIs in the wild will not be exploited as easily as the deliberately vulnerable applications encountered in this course. Security controls such as web application firewalls (WAFs) and rate limiting can block attacks. These controls may vary from one API provider to another but typically have thresholds for malicious activity that trigger responses. Common triggers for WAFs include:

  • Too many requests for resources that do not exist

  • Too many requests within a certain time frame

  • Common attack attempts (e.g., SQL injection, XSS)

  • Abnormal behavior (e.g., tests for authorization vulnerabilities)

Evading security controls requires trial and error, as some may not advertise their presence with response headers and may wait for missteps. Below are effective measures for evading or bypassing restrictions.

String Terminators

String terminators can disrupt API security controls by terminating the processing of input. Common string terminators include:

  • %00

  • 0x00

  • //

  • ;

  • %

  • !

  • ?

  • []

  • %5B%5D

  • %09

  • %0a

  • %0b

  • %0c

  • %0e

These can be strategically placed in different parts of the request, such as the path or POST body. For example, in the following injection attack:

POST /api/v1/user/profile/update
{
  "uname": "hapihacker",
  "pass": "%00'OR 1=1"
}

The null byte can bypass input validation measures.

Case Switching

When security controls rely on the literal spelling and case of components, case switching can effectively bypass these controls. For example, in a POST request targeting an IDOR attack against a uid parameter:

POST /api/myprofile 
{uid=§0001§}

If the API has rate limiting set to 100 requests per minute, you could manipulate the case to create variations:

POST /api/myProfile
POST /api/MyProfile
POST /aPi/MypRoFiLe

These different path iterations might cause the API to handle requests differently, allowing you to bypass rate limiting. Using tools like Burp Suite’s Pitchfork attack can help pair attacks with brute-force attempts efficiently.

Encoding Payloads

Encoding payloads can help evade WAFs by altering how payloads are processed. Even if certain characters or strings are blocked, encoded versions may pass undetected. For instance:

  • URL Encoded Payload: %27%20%4f%52%20%31%3d%31%3b

  • Double URL Encoded Payload: %25%32%37%25%32%30%25%34%66%25%35%32%25%32%30%25%33%31%25%33%64%25%33%31%25%33%62

The double encoding might slip past a WAF’s detection.

Payload Processing with Burp Suite

Once a WAF bypass method is discovered, Burp Suite’s Intruder can automate evasive attacks. The Payload Processing feature allows you to add rules to each payload before sending.

For instance, if you need to add null bytes before and after a URL-encoded payload, your processing rules should be set to apply encoding first, followed by adding null bytes. An example of processed payloads:

POST /api/v3/user?id=%00%75%6e%64%65%66%69%6e%65%64%00
POST /api/v3/user?id=%00%75%6e%64%65%66%00
POST /api/v3/user?id=%00%28%6e%75%6c%6c%29%00

Ensure the payloads have been processed correctly by reviewing the attack results.

Evasion with Wfuzz

Wfuzz offers capabilities for payload processing, including encoding options. To see available encoders, use:

wfuzz -e encoders

A sample command to use an encoder:

wfuzz -z file,wordlist/api/common.txt,base64 http://hapihacker.com/FUZZ

This command would base64-encode every payload before sending. You can also combine encoders, such as:

wfuzz -z list,TEST,base64-md5-none

This would result in multiple encoded versions of the payload. For example:

wfuzz -z list,a-b-c,base64-md5-none -u http://hapihacker.com/api/v2/FUZZ
PreviousInjection Attacks in APINextGraphQL Vulnerabilities

Last updated 4 months ago