Setting up an API pentesting environment

This is my go-to reference documentation for setting up a fresh dedicated API pentesting environment within Kali.

Setting up Burp

1. Download Jython
   

   Head over to https://www.jython.org/download.html and download the latest Jython standalone installer.

2. Set the Python Environment path
   

   Set the downloaded Jython installer as the Python Environment path.

   

3. Install the Autorize extension
   

   Within Burp, navigate to Extender > BApp Store > search for Autorize and install the extension.

Install FoxyProxy

With Firefox open, press Ctrl + Shift + A to open the add-ons menu.

1. Search for FoxyProxy Standard
   

   

2. Add FoxyProxy to Firefox
   

   

3. Navigate to FoxyProxy options
   

   

4. Add Burp to FoxyProxy
   

   

5. Add Postman to FoxyProxy
   

   

Configure Burp Suite Certificate

1. Start Burp
2. With Burp Suite enabled in FoxyProxy, navigate to http://burpsuite and click the CA Certificate to download the certificate.
3. In Firefox, open Preferences and use the search bar to look for certificates. Import the downloaded certificate.

   

4. In Chrome, open Settings > Privacy and security > Certificates managed by Chrome and import the downloaded certificate (may need to change the file type options to 'All Files').

   

Postman

1. Download Postman
   

   sudo wget https://dl.pstmn.io/download/latest/linux64 -O postman-linux-x64.tar.gz

2. Extract and install Postman
   

   sudo tar -xvzf postman-linux-x64.tar.gz

3. Link the postman command
   

   sudo ln -s ~/Postman/Postman /usr/bin/postman

mitmproxy2swagger

1. Install mitmproxy2swagger
   

   sudo pip3 install mitmproxy2swagger

Git

1. Install Git
   

   sudo apt install git

Docker

1. Install Docker
   

   sudo apt install docker-compose
sudo apt install docker.io

Golang

1. Install Golang
   

   sudo apt install golang-go

At this point a restart may be required.

JWT Tool

1. Pull down the JWT Tool repo
   

   sudo git clone https://github.com/ticarpi/jwt_tool.git

2. Install JWT Tool
   

   cd jwt_tool
python3 -m pip install termcolor cprint pycryptodomex requests
sudo chmod +x jwt_tool.py
sudo ln -s ~/jwt_tool/jwt_tool.py /usr/bin/jwt_tool

Kiterunner

1. Pull down the Kiterunner repo
   

   sudo git clone https://github.com/assetnote/kiterunner.git

2. Install Kiterunner
   

   cd kiterunner
sudo make build
cd dist
sudo ln -s ~/kiterunner/dist/kr /usr/bin/kr

Arjun

1. Pull down the Arjun repo
   

   sudo git clone https://github.com/s0md3v/Arjun.git

2. Install Arjun
   

   cd Arjun
sudo python3 setup.py install

ZAProxy

1. Install ZAProxy
   

   sudo apt install zaproxy

2. Update OpenAPI add-on
   

   

Follow Jacob Riggs

Jacob Riggs

Jacob Riggs is a senior cyber security professional based in the UK with over a decade of experience working to improve the cyber security of various private, public, and third sector organisations. His contributions focus on expanding encryption tools, promoting crypto-anarchist philosophy, and pioneering projects centred on leveraging cryptography to protect the privacy and political freedoms of others.

E3FE 4B44 56F5 69BE 76C1 E169 E3C7 0A52 9AEF DB6F