Back

Setting up an API pentesting environment

Your vote is:
4.92 of 92 votes

This is my go-to reference documentation for setting up a fresh dedicated API pentesting environment within Kali.

Setting up Burp

  1. Download Jython

    Head over to https://www.jython.org/download.html and download the latest Jython standalone installer.

  2. Set the Python Environment path

    Set the downloaded Jython installer as the Python Environment path.

    Burp Python Environment path

  3. Install the Autorize extension

    Within Burp, navigate to Extender > BApp Store > search for Autorize and install the extension.

Install FoxyProxy

With Firefox open, press Ctrl + Shift + A to open the add-ons menu.

  1. Search for FoxyProxy Standard

    FoxyProxy Search

  2. Add FoxyProxy to Firefox

    FoxyProxy Install

  3. Navigate to FoxyProxy options

    FoxyProxy Options

  4. Add Burp to FoxyProxy

    FoxyProxy Add Burp

  5. Add Postman to FoxyProxy

    FoxyProxy Add Burp

Configure Burp Suite Certificate

  1. Start Burp
  2. With Burp Suite enabled in FoxyProxy, navigate to http://burpsuite and click the CA Certificate to download the certificate.
  3. In Firefox, open Preferences and use the search bar to look for certificates. Import the downloaded certificate.

    Firefox Import Burp CA

  4. In Chrome, open Settings > Privacy and security > Certificates managed by Chrome and import the downloaded certificate (may need to change the file type options to 'All Files').

    Chrome Import Burp CA

Postman

  1. Download Postman

    sudo wget https://dl.pstmn.io/download/latest/linux64 -O postman-linux-x64.tar.gz

  2. Extract and install Postman

    sudo tar -xvzf postman-linux-x64.tar.gz

  3. Link the postman command

    sudo ln -s ~/Postman/Postman /usr/bin/postman

mitmproxy2swagger

  1. Install mitmproxy2swagger

    sudo pip3 install mitmproxy2swagger

Git

  1. Install Git

    sudo apt install git

Docker

  1. Install Docker

    sudo apt install docker-compose
    sudo apt install docker.io

Golang

  1. Install Golang

    sudo apt install golang-go

At this point a restart may be required.

JWT Tool

  1. Pull down the JWT Tool repo

    sudo git clone https://github.com/ticarpi/jwt_tool.git

  2. Install JWT Tool

    cd jwt_tool
    python3 -m pip install termcolor cprint pycryptodomex requests
    sudo chmod +x jwt_tool.py
    sudo ln -s ~/jwt_tool/jwt_tool.py /usr/bin/jwt_tool

Kiterunner

  1. Pull down the Kiterunner repo

    sudo git clone https://github.com/assetnote/kiterunner.git

  2. Install Kiterunner

    cd kiterunner
    sudo make build
    cd dist
    sudo ln -s ~/kiterunner/dist/kr /usr/bin/kr

Arjun

  1. Pull down the Arjun repo

    sudo git clone https://github.com/s0md3v/Arjun.git

  2. Install Arjun

    cd Arjun
    sudo python3 setup.py install

ZAProxy

  1. Install ZAProxy

    sudo apt install zaproxy

  2. Update OpenAPI add-on

    ZAProxy Update OpenAPI

ABOUT THE AUTHOR

Jacob Riggs

Jacob Riggs is a Security Lead based in the UK with almost a decade of experience working to improve the cyber security of media and third sector organisations. His contributions focus on expanding encryption tools, promoting crypto-anarchist philosophy, and pioneering projects centred on leveraging cryptography to protect the privacy and political freedoms of others.

E3FE 4B44 56F5 69BE 76C1 E169 E3C7 0A52 9AEF DB6F


Subscribe to my Blog


I agree with the Privacy Policy terms.
Loading...
.