0x136 - API Scanning Automation FTW
If you are into API pentesting, automation and scanning - this post is for you.
Here's a quick guide on how to use Nuclei, Docker, OpenAPI Documentations and Burp to automate the scanning process.
The pipeline looks like this:
Run Nuclei in Docker -> Use Nuclei -input-mode
to scan endpoints parsed from OpenAPI Document -> Proxy the requests through Burp -> Inject the Authorization/Cookies on the fly -> Combine with Burp Extensions -> Review results in Nuclei console & Burp History
How to do it
Obtain the OpenAPI documentation of your target - either the API provides this on their documentation website, or you can search for it on SwaggerHub, or you can use a "API reverse engineering" tool like Burp2API or Postman Interceptor. I suggest using OpenAPI version 3 because Nuclei will look for the "servers" tag within the documentation, and version 2 don't have it
-
Set up Burp listening interfaces - if we want to proxy traffic from Nuclei Docker through the Burp instance that runs on our host OS we have to make sure that Burp listens to all interfaces as shown below
-
Pull Nuclei Docker image and run the container - for this I use DockerDesktop on Windows and run the command within its terminal. The
host.docker.internal
in the-proxy
is how we tell Docker to use the Host as a proxy. If you use Windows/Linux you won't have to change itdocker run --rm -v "C:\path\to\openapi.json:/openapi.json" projectdiscovery/nuclei -l /openapi.json -im openapi -V "Authorization=123" -skip-format-validation -proxy http://host.docker.internal:8080
-
Update the API Servers - open the OpenAPI Documentation and search for the
servers
tag -> make sure to set the domain where the API is hosted:"servers":[{"url":"https://api.example.com"},{"url":"https://api.us-east-2.test.example.cloud"},{"url":"http://localhost:8000"}]
Update the volume path -
-v "C:\path\to\openapi.json:/openapi.json"
) to match the place where you saved the OpenAPI documentation on the host OSUpdate the variables values - add/remove the variables (
-V "Authorization=123"
) based on your OpenAPI requirements. Additionally you can add the-skip-format-validation
flag. Nuclei will throw an error if it can't find a mandatory variableMatch & Replace in Burp - Add a
match & replace
rule in Burp to inject yourAuthorization
tokens, CSRF tokens and any other HTTP header that may be required. For whatever reason the-V "Authorization=123"
didn't do that, but we can use Burp -> Automodifying Requests on the FlyEnable Burp Extensions - before you proceed with the Nuclei scan, you can also enable Collaborator Everywhere and Autorize to increase chances of finding SSRF and Broken Authorization/Authentication vulnerabilities
Now you should have all the endpoints documented in the OpenAPI file automatically tested by Nuclei & Burp Extensions