Content Discovery or Enumeration
  • Is there a "/admin", "/admin-panel", "/administrator-panel" or "/robots.txt"? Check manually. If "robots.txt" exists, try every endpoint it lists.
  • Run dirsearch or ffuf.
  • Discovery via source code (Inspector tab): use the browser's developer tools to search the loaded files for endpoints and secrets.
  • Check all responses to see if they contain any URLs.
  • Document the entire attack surface. If time allows, it might be a good idea to create a Postman collection for the API endpoints.
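Two of the checks above (mining robots.txt for listed paths, and scanning response bodies for URLs and secret-looking strings) are mechanical enough to script. The following is an added example, not part of the original checklist: the robots.txt body and the HTML/JS response are constructed samples under the made-up host `example.test`, and the secret-detection regex is a deliberately simple assumption (variables named key/secret/token assigned a quoted literal), not a complete secret scanner.

```python
import re
from urllib.parse import urljoin

# Constructed sample robots.txt (not from any real site).
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /admin-panel
Allow: /public/
Disallow: /api/internal/
Sitemap: https://example.test/sitemap.xml
"""

# Constructed sample response body: an HTML page with inline JS to mine for endpoints.
SAMPLE_BODY = """<html><body>
<a href="/login">Login</a>
<script>
  const API = "https://api.example.test/v2/users";
  fetch('/api/v2/session', {method: 'POST'});
  const KEY = "sk_live_abcdef1234567890"; // constructed placeholder, not a real key
</script>
</body></html>"""


def parse_robots(text):
    """Return (paths, sitemaps) from a robots.txt body.

    Every Disallow/Allow path is a candidate endpoint to request manually,
    exactly as the checklist suggests; Sitemap URLs are a second source of paths.
    """
    paths, sitemaps = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key in ("disallow", "allow") and value:
            paths.append(value)
        elif key == "sitemap" and value:
            sitemaps.append(value)
    return paths, sitemaps


# Absolute http(s) URLs, or quoted root-relative paths such as href="/login".
URL_RE = re.compile(r"""(?:https?://[^\s"'<>]+|(?<=["'])/[A-Za-z0-9_./-]*)""")

# Assumed heuristic: a quoted literal assigned to a variable named like a credential.
SECRET_RE = re.compile(
    r"""(?i)\b(?:api[_-]?key|secret|token|key)\b\s*[:=]\s*["']([^"']+)["']"""
)


def extract_urls(body, base="https://example.test/"):
    """Collect URLs from a response body, resolving relative paths against `base`.

    Order of first appearance is preserved and duplicates are dropped, so the
    result can be pasted straight into a Postman collection or a fuzzing wordlist.
    """
    found = []
    for match in URL_RE.finditer(body):
        url = urljoin(base, match.group(0))
        if url not in found:
            found.append(url)
    return found


def find_secret_like_strings(body):
    """Return quoted values assigned to credential-looking variable names."""
    return SECRET_RE.findall(body)


if __name__ == "__main__":
    paths, sitemaps = parse_robots(SAMPLE_ROBOTS)
    print("robots.txt paths:", paths)
    print("sitemaps:", sitemaps)
    print("urls in body:", extract_urls(SAMPLE_BODY))
    print("secret-like strings:", find_secret_like_strings(SAMPLE_BODY))
```

Feed `extract_urls` every response body you capture (not only HTML: JSON and JavaScript bundles are where most API paths hide), and treat anything `find_secret_like_strings` returns as a lead to verify by hand, since the heuristic will both miss real secrets and flag harmless constants.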
Fuzzing
  1. Fuzz with dirsearch or ffuf for directories on the web services found on interesting open ports.
  2. Consider searching only for certain file types that make sense for the tech stack of the website.
  3. If you find API documentation, search it for endpoints and parameters.
  4. If you see a V2 in the URL check if there is a prior API version (e.g. V1, V0, beta, alpha, etc.) working. When getting a match, check response Content-Length to see if the data returned by both API versions is the same. You might find vulnerable endpoints in older versions of an API.
  5. Fuzz parameter names to find new parameters.
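Step 4 (deriving earlier API versions from a URL and comparing Content-Length when one still answers) can be scripted so it is repeatable, which is also how an API owner can confirm that retired versions really are no longer served. The following is an added example, not part of the original checklist: the `fetch` callable is injected so the block runs offline against a constructed table of responses for the made-up host `api.example.test`; in a real engagement you would pass a function that performs the HTTP request and returns the status code and Content-Length.

```python
import re

# Matches a version segment such as /v2/ or /V3 at the end of a path.
VERSION_RE = re.compile(r"/(v)(\d+)(?=/|$)", re.IGNORECASE)


def prior_version_candidates(url, extra=("v0", "beta", "alpha")):
    """Return URLs for every earlier numeric version plus the named
    pre-release segments the checklist mentions, preserving the rest of the path."""
    match = VERSION_RE.search(url)
    if not match:
        return []
    prefix, number = match.group(1), int(match.group(2))
    head, tail = url[:match.start()], url[match.end():]
    candidates = [f"{head}/{prefix}{i}{tail}" for i in range(number - 1, 0, -1)]
    candidates += [f"{head}/{label}{tail}" for label in extra]
    return candidates


def compare_versions(url, fetch):
    """Probe each prior-version candidate with `fetch(url) -> (status, content_length)`.

    Returns a list of (candidate_url, same_length) for candidates that answered 200.
    Equal Content-Length suggests the old version returns the same data; a different
    length suggests a distinct, possibly less maintained, code path worth reviewing.
    """
    _, reference_length = fetch(url)
    findings = []
    for candidate in prior_version_candidates(url):
        status, length = fetch(candidate)
        if status == 200:
            findings.append((candidate, length == reference_length))
    return findings


# Constructed offline stand-in for the HTTP layer: v1 is still served with a
# different body size, v0/beta/alpha are gone.
FAKE_RESPONSES = {
    "https://api.example.test/api/v2/users": (200, 412),
    "https://api.example.test/api/v1/users": (200, 388),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, 0))


if __name__ == "__main__":
    target = "https://api.example.test/api/v2/users"
    print("candidates:", prior_version_candidates(target))
    print("still served:", compare_versions(target, fake_fetch))
```

Because the comparison is by Content-Length only, a match is a hint rather than proof of identical data; diff the two bodies before concluding that the old version is merely an alias.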