0x136 - API Scanning Automation FTW

If you are into API pentesting, automation and scanning - this post is for you.

Here's a quick guide on how to use Nuclei, Docker, OpenAPI Documentations and Burp to automate the scanning process.

The pipeline looks like this:

Run Nuclei in Docker -> Use Nuclei -input-mode to scan endpoints parsed from OpenAPI Document -> Proxy the requests through Burp -> Inject the Authorization/Cookies on the fly -> Combine with Burp Extensions -> Review results in Nuclei console & Burp History

How to do it

  1. Obtain the OpenAPI documentation of your target - either the API provides this on their documentation website, or you can search for it on SwaggerHub, or you can use a "API reverse engineering" tool like Burp2API or Postman Interceptor. I suggest using OpenAPI version 3 because Nuclei will look for the "servers" tag within the documentation, and version 2 don't have it

  2. Set up Burp listening interfaces - if we want to proxy traffic from Nuclei Docker through the Burp instance that runs on our host OS we have to make sure that Burp listens to all interfaces as shown below

  1. Pull Nuclei Docker image and run the container - for this I use DockerDesktop on Windows and run the command within its terminal. The host.docker.internal in the -proxy is how we tell Docker to use the Host as a proxy. If you use Windows/Linux you won't have to change it

    docker run --rm -v "C:\path\to\openapi.json:/openapi.json" projectdiscovery/nuclei -l /openapi.json -im openapi -V "Authorization=123" -skip-format-validation -proxy http://host.docker.internal:8080
  2. Update the API Servers - open the OpenAPI Documentation and search for the servers tag -> make sure to set the domain where the API is hosted:

    "servers":[{"url":"https://api.example.com"},{"url":"https://api.us-east-2.test.example.cloud"},{"url":"http://localhost:8000"}]
  3. Update the volume path - -v "C:\path\to\openapi.json:/openapi.json") to match the place where you saved the OpenAPI documentation on the host OS

  4. Update the variables values - add/remove the variables (-V "Authorization=123") based on your OpenAPI requirements. Additionally you can add the -skip-format-validation flag. Nuclei will throw an error if it can't find a mandatory variable

  5. Match & Replace in Burp - Add a match & replace rule in Burp to inject your Authorization tokens, CSRF tokens and any other HTTP header that may be required. For whatever reason the -V "Authorization=123" didn't do that, but we can use Burp -> Automodifying Requests on the Fly

  6. Enable Burp Extensions - before you proceed with the Nuclei scan, you can also enable Collaborator Everywhere and Autorize to increase chances of finding SSRF and Broken Authorization/Authentication vulnerabilities

Now you should have all the endpoints documented in the OpenAPI file automatically tested by Nuclei & Burp Extensions