Is Nuclei any good for API hacking? | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | #hacking | #aihp

When hacking an API, you will be looking deeper at a target. Sure, if you are working within the scope of a popular bug bounty program, the production instances have probably been scanned. But as you start looking for dev, test, and staging instances through VHOST discovery or deeper subdomain enumeration (maybe with the help of AI), there is a good chance those targets haven’t been scanned yet.

On top of that, Nuclei has more capabilities than simply looking for known vulns that are described in their CVE templates. Let’s explore some of the ways Nuclei can help you during your API security testing.

Detecting technology in use

I’m a big fan of determining what technology and programming language is in use on a target you are looking to attack. Nuclei has some great templates that can help with that. It can detect the web server delivering content, the language being used, and even the type of WAF that might be in play.

And that is just a few of the hundreds of checks it can do.

Getting Nuclei to do this detection is as simple as:

nuclei -u TARGET_HOST -t http/technologies/

Finding secondary apps that might get you a foothold

Getting a foothold on a server hosting an API can be quite valuable to you. Gaining access to API artifacts helps with the ability to reverse engineer it and trace API exploitability through code review and taint analysis.

Nuclei can help here.

As part of its scanning, it looks for common login pages, admin panels, and portals. Using it is as simple as:

nuclei -u TARGET_HOST -t http/exposed-panels/

Advanced app detection

To be honest, I like to look for exposed secondary apps a bit differently than the norm.

Usually, I start by conducting a Nmap scan on the target, listening to every port that responds. I then create a targets.txt file based on what is detected since many secondary portals may be hosted on alternate ports.

Finally, I also use the -silent switch, so I only get the results I am after.

It ends up looking something like this:

nuclei -l targets.txt -t http/exposed-panels/ -silent

Testing leaked API tokens

During your recon, you might come across potentially leaked API keys that seem to be lying around. Especially when conducting your reverse engineering methodology.

This may be hardcoded into the source code of the API itself. Or pulled from environment variables or other configuration data. Wherever it may be coming from, once you have identified these keys, the next question you will want to answer is: what service does this key belong to, and is it valid?

Nuclei has you covered there too, with a set of self-contained templates called token-spray.

The Token-Spray templates include hundreds of checks against common services that rely on API tokens. It will literally take a token passed in and spray it against all the different services mapped in the templates to see if it works. If it does, it lets you know that it is valid and where.

So the next time you stumble upon a potentially leaked token, test it with Nuclei:

nuclei -t http/token-spray/ -var token=SOMETOKEN

Burp integration with Nuclei

If you are hacking APIs with Burp Suite you can integrate Nuclei into that, too.

Let me show you how.

Step 1: Install the Nuclei extension

There is a free community-built Nuclei Burp Suite extension that can be installed directly from the BApp store.

Go to Extensions > BApp Store and simply search for “nuclei”.

Click “Nuclei Burp Integration” and hit “Install”.

Now time to configure it.

Step 2: Configure Burp to use Nuclei

After installation, you should now see a new Nuclei tab. It will prompt you to configure where the Nuclei binary is located and where the templates reside.

To determine where the nuclei binary is installed on your host, you can simply run `which nuclei` from your command shell.

There is also an option to set custom nuclei arguments. This is a great place to tell Nuclei to route all requests through Burp Suite’s attack proxy.

Step 3: Call Nuclei from within Burp

Now it’s time to see what Nuclei can do in Burp.

Locate an interesting URL in your Burp Proxy History that you want to run Nuclei against. Right-click on that request and select Extensions > Nuclei Burp Integration > Send URL to Nuclei Scanner.

Now head back to the Nuclei tab. Notice how the URL is now populated in the “Target” field. Hit the “Run Scanning” button, and watch Nuclei spring into action.

You should see a new subtab showing content from Nuclei.

You will also start to see items populating directly into the Burp Issues panel. This may include some false positives, as crafted payloads from Nuclei trigger Burp’s own web vulnerability scanner.

That’s OK. It’s better to get the cross-referenced results anyway.

Conclusion

As you can see, Nuclei can indeed help you during your API hacking.

It can help detect the technology and programming language(s) in use. Find secondary apps hosted on the same infrastructure that might help you get a foothold. And even test potentially leaked API tokens through token spraying.

And that is just a few things it can do.

On top of that, you also get all the benefits from all the other community-driven templates that might help you detect known vulnerabilities that others may have missed.

So give it a try for yourself. You might be surprised how Nuclei can help.

One last thing…

Have you joined The API Hacker Inner Circle yet? It’s my FREE weekly newsletter where I share articles like this, along with pro tips, industry insights, and community news that I don’t tend to share publicly. If you haven’t, subscribe at https://apihacker.blog.

The post Is Nuclei any good for API hacking? appeared first on Dana Epp’s Blog.

*** This is a Security Bloggers Network syndicated blog from Dana Epp’s Blog authored by Dana Epp. Read the original post at: https://danaepp.com/is-nuclei-any-good-for-api-hacking