Merge pull request #299 from g0tmi1k/Fixes

Source: https://github.com/chrislockard/api_wordlist

CONTRIBUTORS.md

@@ -29,5 +29,6 @@
 - @coldfusion39 for **domi-owned** (https://github.com/coldfusion39/domi-owned) [`./Discovery/Web-Content/domino-*-coldfusion39.txt`]
 - Ella Rose (@erose1337) for **security-question-answers** (https://github.com/erose1337/penetration_testing/tree/master/data) [`./Miscellaneous/security-question-answers/`]
 - @D35m0nd142 for **LFISuite** (https://github.com/D35m0nd142/LFISuite) [`./Fuzzing/LFI-LFISuite-pathtotest*.txt`]
+- @chrislockard for **api_wordlist** (https://github.com/chrislockard/api_wordlist) [`./Discovery/Web-Content/api/`]
 
 This project stays great because of care and love from the community, and we will never forget that. If you know of a contribution that is not listed above, please let us know...

Discovery/Web-Content/api/README.md

@@ -0,0 +1,23 @@
+# api_wordlist
+A wordlist of API names used for fuzzing web application APIs.
+
+## Contents
+* api_seen_in_wild.txt - This contains API function names I've seen in the wild.
+* actions.txt - All API function name verbs
+* objects.txt - All API function name nouns
+* actions-uppercase.txt - API function name verbs with leading character upper-case
+* actions-lowercase.txt - API function name verbs with leading character lower-case
+* objects-uppercase.txt - API function name nouns with leading character upper-case
+* objects-lowercase.txt - API function name nouns with leading character lower-case
+
+## Usage
+ 1. In burpsuite, send an API request you want to fuzz to Intruder. 
+ 2. Remove the existing API function call, and replace it with two § characters for each text file you want to use.
+ 3. On the "Positions" tab, set Attack type to "Cluster Bomb".
+ 4. On the "Payloads" tab, select 1 for the fist Payload set drop-down, then select a Payload type of "Runtime file" and navigate to the directory you downloaded these text files to. Select "actions.txt".
+ 5. Repeat step 4 by setting Payload set 2 to "objects.txt".
+ 6. (optional step - add more payload sets and set them to "objects.txt" to test for multi-part objects like "UserAccount")
+ 7. Start attack!
+
+## Comments
+If you use this and it's helpful, I'd love to hear about it! (@dagorim). If you think I've missed any obvious word choices, I'd love to hear about that as well, or feel free to add them.

Discovery/Web-Content/api/actions-lowercase.txt

@@ -0,0 +1,109 @@
+accelerate
+acquire
+activate
+adapt
+add
+adjust
+admin
+alert
+annotate
+anticipate
+apply
+arrange
+build
+calculate
+change
+claim
+collect
+comm
+communicate
+compare
+complete
+compose
+compute
+consolidate
+construct
+contact
+create
+crush
+damage
+def
+define
+del
+deliver
+demo
+demonstrate
+dequeue
+derive
+design
+destroy
+detect
+dev
+develop
+devise
+disable
+display
+divide
+doFor
+download
+enable
+explode
+fabricate
+fashion
+forge
+form
+generate
+get
+go
+group
+improve
+inform
+inquiry
+interpret
+kill
+level
+link
+list
+make
+map
+mod
+multiply
+originate
+picture
+post
+preserve
+produce
+promote
+put
+queue
+quit
+reactivate
+read
+recite
+record
+register
+remove
+restore
+restrict
+retrieve
+run
+select
+set
+setup
+show
+sleep
+split
+start
+stop
+study
+sub
+terminate
+test
+understand
+undo
+unqueue
+update
+upload
+upset
+validate
+verify

Discovery/Web-Content/api/actions-uppercase.txt

@@ -0,0 +1,109 @@
+Accelerate
+Acquire
+Activate
+Adapt
+Add
+Adjust
+Admin
+Alert
+Annotate
+Anticipate
+Apply
+Arrange
+Build
+Calculate
+Change
+Claim
+Collect
+Com
+Communicate
+Compare
+Complete
+Compose
+Compute
+Consolidate
+Construct
+Contact
+Create
+Crush
+Damage
+Def
+Define
+Del
+Deliver
+Demo
+Demonstrate
+Dequeue
+Derive
+Design
+Destroy
+Detect
+Dev
+Develop
+Devise
+Disable
+Display
+Divide
+DoFor
+Download
+Enable
+Explode
+Fabricate
+Fashion
+Forge
+Form
+Generate
+Get
+Go
+Group
+Improve
+Inform
+Inquiry
+Interpret
+Kill
+Level
+Link
+List
+Make
+Map
+Mod
+Multiply
+Originate
+Picture
+Post
+Preserve
+Produce
+Promote
+Put
+Queue
+Quit
+Reactivate
+Read
+Recite
+Record
+Register
+Remove
+Restore
+Restrict
+Retrieve
+Run
+Select
+Set
+Setup
+Show
+Sleep
+Split
+Start
+Stop
+Study
+Sub
+Terminate
+Test
+Understand
+Undo
+Unqueue
+Update
+Upload
+Upset
+Validate
+Verify

Discovery/Web-Content/api/actions.txt

@@ -0,0 +1,222 @@
+accelerate
+Accelerate
+acquire
+Acquire
+activate
+Activate
+adapt
+Adapt
+add
+Add
+adjust
+Adjust
+admin
+Admin
+alert
+Alert
+annotate
+Annotate
+anticipate
+Anticipate
+apply
+Apply
+arrange
+Arrange
+build
+Build
+calculate
+Calculate
+change
+Change
+claim
+Claim
+collect
+Collect
+Com
+comm
+communicate
+Communicate
+compare
+Compare
+complete
+Complete
+compose
+Compose
+compute
+Compute
+consolidate
+Consolidate
+construct
+Construct
+contact
+Contact
+create
+Create
+crush
+Crush
+damage
+Damage
+def
+Def
+define
+Define
+del
+Del
+deliver
+Deliver
+demo
+Demo
+demonstrate
+Demonstrate
+dequeue
+Dequeue
+derive
+Derive
+design
+Design
+destroy
+Destroy
+detect
+Detect
+dev
+Dev
+develop
+Develop
+devise
+Devise
+disable
+Disable
+display
+Display
+divide
+Divide
+doFor
+DoFor
+download
+Download
+enable
+Enable
+explode
+Explode
+fabricate
+Fabricate
+fashion
+Fashion
+forge
+Forge
+form
+Form
+generate
+Generate
+get
+Get
+go
+Go
+group
+Group
+improve
+Improve
+inform
+Inform
+inquiry
+Inquiry
+interpret
+Interpret
+kill
+Kill
+latest
+Latest
+level
+Level
+link
+Link
+list
+List
+make
+Make
+map
+Map
+mod
+Mod
+multiply
+Multiply
+originate
+Originate
+picture
+Picture
+post
+Post
+preserve
+Preserve
+produce
+Produce
+promote
+Promote
+put
+Put
+queue
+Queue
+quit
+Quit
+reactivate
+Reactivate
+read
+Read
+recite
+Recite
+record
+Record
+recursive
+Recursive
+register
+Register
+remove
+Remove
+restore
+Restore
+restrict
+Restrict
+retrieve
+Retrieve
+run
+Run
+select
+Select
+set
+Set
+setup
+Setup
+show
+Show
+sleep
+Sleep
+split
+Split
+start
+Start
+stop
+Stop
+study
+Study
+sub
+Sub
+terminate
+Terminate
+test
+Test
+understand
+Understand
+undo
+Undo
+unqueue
+Unqueue
+update
+Update
+upload
+Upload
+upset
+Upset
+Validate
+validate
+Verify
+verify

Discovery/Web-Content/api/common_paths.txt

@@ -0,0 +1,33 @@
+/api/v1/account/accounts
+/api/v1/account/accounts/summaries
+/api/v1/account/oauth/token
+/api/v1/account/oauth/ticket
+/api/v1/account/permissions
+/api/v1/account/user
+/api/v1/account/user/assets
+/api/v1/account/user/delete
+/api/v1/account/user/profile
+/api/v1/account/user/register
+/api/v1/account/user/resend-verification
+/api/v1/account/user/verify
+/api/v1/account/userAccountAssignments
+/api/v1/account/userPreferences
+/api/v1/account/users
+/api/v1/account/users/password
+/api/v1/account/users/summaries
+/api/v1/asset/asset
+/api/v1/asset/assets
+/api/v1/common/accounts
+/api/v1/common/connections
+/api/v1/common/notifications
+/api/v1/common/preferences
+/api/v1/common/users/password
+/api/v1/delta/deviceCatalog/devices
+/api/v1/delta/deviceCatalog/deviceTypes
+/api/v1/delta/deviceCatalog/manufacturers
+/api/v1/delta/monitoring/accounts/
+/api/v1/delta/order
+/api/v1/delta/userAssets
+/api/v1/history/history
+/api/v1/monitoring/accounts
+/api/v1/monitoring/address-check

Discovery/Web-Content/api/objects-lowercase.txt

@@ -0,0 +1,82 @@
+account
+accounts
+amount
+balance
+balances
+bar
+baz
+bio
+bios
+channel
+chart
+company
+contract
+coordinate
+credentials
+creds
+custom
+customer
+customers
+details
+dir
+directory
+dob
+email
+employee
+foo
+form
+github
+gmail
+group
+history
+image
+info
+item
+job
+link
+links
+location
+log
+login
+logins
+logs
+map
+member
+members
+money
+my
+name
+names
+option
+options
+pass
+password
+passwords
+phone
+picture
+pin
+post
+prod
+production
+profile
+profiles
+record
+sale
+sales
+set
+setting
+settings
+setup
+site
+theme
+twitter
+union
+url
+user
+username
+users
+vendor
+vendors
+website
+work
+yahoo

Discovery/Web-Content/api/objects-uppercase.txt

@@ -0,0 +1,82 @@
+Account
+Accounts
+Amount
+Balance
+Balances
+Bar
+Baz
+Bio
+Bios
+Channel
+Chart
+Company
+Contract
+Coordinate
+Credentials
+Creds
+Custom
+Customer
+Customers
+Details
+Dir
+Directory
+DOB
+Email
+Employee
+Foo
+Form
+Github
+Gmail
+Group
+History
+Image
+Info
+Item
+Job
+Link
+Links
+Location
+Log
+Login
+Logins
+Logs
+Map
+Member
+Members
+Money
+My
+Name
+Names
+Option
+Options
+Pass
+Password
+Passwords
+Phone
+Picture
+PIN
+Post
+Prod
+Production
+Profile
+Profiles
+Record
+Sale
+Sales
+Set
+Setting
+Settings
+Setup
+Site
+Theme
+Twitter
+Union
+Url
+User
+Username
+Users
+Vendor
+Vendors
+Website
+Work
+Yahoo