Initialize api templates

patch-1
zzeitlin@bishopfox.com 2021-10-01 14:33:51 +00:00
parent 4682d7b790
commit 0eec0ff2b4
65 changed files with 1516 additions and 0 deletions

apis/README.md Normal file

@ -0,0 +1,16 @@
## About
This directory holds templates that have static API URL endpoints. Use these to test an API token against many API service endpoints. By placing the token in `token.txt`, Nuclei will test the token against all known API endpoints within the API templates, and return any successful results. By incorporating API checks as Nuclei Templates, users can test API keys that have no context (i.e., API keys that do not indicate for which API endpoint they are meant).
## Usage
You do not need to specify an input URL to test a token against these API endpoints, as the API endpoints have static URLs. However, Nuclei requires an input (specified via `-u` for individual URLs or `-l` for a file containing URLs). Because of this requirement, we simply pass in `-u "null"`. Each template in the `apis` directory assumes the input API token will be placed in a file called `token.txt`. The `token.txt` file can exist in your current working directory or in the same directory as the template `yaml` file.
```bash
# Input the token into token.txt:
$ echo -n "thisIsMySecretTokenThatIWantToTest" > token.txt
# Run Nuclei specifying all the api templates:
$ nuclei -u "null" -t ./nuclei-templates/apis/
```
## Credits
These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations.
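Review bot: the Usage section should say plainly that running the whole `apis/` directory sends the secret in `token.txt` to every third-party endpoint covered by these templates, which a tester may not want for a key whose owner is still unknown; suggest a sentence on narrowing the run with `-tags` (for example `-tags google`) or a single `-t ./nuclei-templates/apis/<service>.yaml`, and a clarification that `-u "null"` is only a placeholder to satisfy the input requirement, not a target.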

apis/asana.yaml Normal file

@ -0,0 +1,24 @@
id: api-asana
info:
name: Asana API Test
author: zzeitlin
reference: https://developers.asana.com/docs/using-terminal
severity: info
tags: api,asana
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://app.asana.com/api/1.0/users/me"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Authorization: Bearer {{token}}
matchers:
- type: status
status:
- 401
negative: true
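Review bot: the only matcher is a negated `status: 401`, so any reply that is not exactly 401 (a 403, a 429 from rate limiting, a 5xx, a redirect) is reported as a working token. Match positively on `200` as apis/calendly.yaml and apis/dropbox.yaml in this commit do, or keep the negative status and add a positive body match under `matchers-condition: and` (the form used in the Google Geolocation template). The same negated-401 pattern recurs in buildkite, buttercms, mapbox and pagerduty.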

apis/bingmaps.yaml Normal file

@ -0,0 +1,23 @@
id: api-bingmaps
info:
name: Bing Maps API Test
author: zzeitlin
reference: https://docs.microsoft.com/en-us/bingmaps/rest-services/locations/find-a-location-by-address
severity: info
tags: api,bing,maps,bingmaps
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://dev.virtualearth.net/REST/v1/Locations?CountryRegion=US&adminDistrict=WA&locality=Somewhere&postalCode=98001&addressLine=100%20Main%20St.&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: word
part: body
words:
- 'ValidCredentials'

apis/bitly.yaml Normal file

@ -0,0 +1,24 @@
id: api-bitly
info:
name: Bitly API Test
author: zzeitlin
reference: https://dev.bitly.com/api-reference
severity: info
tags: api,bitly
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://api-ssl.bitly.com/v3/shorten?access_token={{token}}&longUrl=https://www.google.com"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: word
part: body
negative: true
words:
- 'INVALID_ARG_ACCESS_TOKEN'
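Review bot: `/v3/shorten?access_token=...&longUrl=https://www.google.com` is a write call; a valid token creates a new short link in the account every time the template runs. A validation check should be side-effect free, so swap in a read-only call from the referenced API docs. The negated word match on `INVALID_ARG_ACCESS_TOKEN` also reports any other error body (rate limit, maintenance page) as success; pair it with a positive `status: 200` under `matchers-condition: and`.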

apis/buildkite.yaml Normal file

@ -0,0 +1,24 @@
id: api-buildkite
info:
name: Buildkite API Test
author: zzeitlin
reference: https://buildkite.com/docs/apis/rest-api/user
severity: info
tags: api,buildkite
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://api.buildkite.com/v2/user"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Authorization: Bearer {{token}}
matchers:
- type: status
status:
- 401
negative: true

apis/buttercms.yaml Normal file

@ -0,0 +1,23 @@
id: api-buttercms
info:
name: ButterCMS API Test
author: zzeitlin
reference: https://buttercms.com/docs/api/#introduction
severity: info
tags: api,buttercms
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://api.buttercms.com/v2/posts/?auth_token={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: status
status:
- 401
negative: true

apis/calendly.yaml Normal file

@ -0,0 +1,23 @@
id: api-calendly
info:
name: Calendly API Test
author: zzeitlin
reference: https://calendly.stoplight.io/docs/api-docs-v1/b3A6MTg3MDczNg-about-me
severity: info
tags: api,calendly
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://calendly.com/api/v1/users/me"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
X-Token: "{{token}}"
matchers:
- type: status
status:
- 200

apis/circleci.yaml Normal file

@ -0,0 +1,22 @@
id: api-circleci
info:
name: CircleCI API Test
author: zzeitlin
reference: https://circleci.com/docs/api/v1
severity: info
tags: api,circle,circleci
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://circleci.com/api/v1.1/me?circle-token={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: status
status:
- 200

apis/deviantart.yaml Normal file

@ -0,0 +1,25 @@
id: api-deviantart
info:
name: DeviantArt API Test
author: zzeitlin
reference: https://www.deviantart.com/developers/authentication
severity: info
tags: api,deviantart
requests:
- method: POST
payloads:
token: token.txt
path:
- "https://www.deviantart.com/api/v1/oauth2/placebo"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
body: "access_token={{token}}"
matchers:
- type: word
part: body
words:
- '"status":"error"'
negative: true

apis/dropbox.yaml Normal file

@ -0,0 +1,23 @@
id: api-dropbox
info:
name: Dropbox API Test
author: zzeitlin
reference: https://www.dropbox.com/developers/documentation/http/documentation
severity: info
tags: api,dropbox
requests:
- method: POST
payloads:
token: token.txt
path:
- "https://api.dropboxapi.com/2/users/get_current_account"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Authorization: Bearer {{token}}
matchers:
- type: status
status:
- 200

apis/github.yaml Normal file

@ -0,0 +1,24 @@
id: api-github
info:
name: GitHub API Test
author: zzeitlin
reference: https://docs.github.com/en/rest/reference/users
severity: info
tags: api,github
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://api.github.com/user"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Authorization: Basic {{base64('user:' + token)}}
matchers:
- type: word
part: body
words:
- 'login'


@ -0,0 +1,23 @@
id: api-googleautocomplete
info:
name: Google Autocomplete API Test
author: zzeitlin
severity: info
tags: api,google,autocomplete
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://maps.googleapis.com/maps/api/place/autocomplete/json?input=Bingh&types=%28cities%29&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: word
part: body
words:
- 'error_message'
negative: true


@ -0,0 +1,23 @@
id: api-googlecustomsearch
info:
name: Google Custom Search API Test
author: zzeitlin
severity: info
tags: api,google,search
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://www.googleapis.com/customsearch/v1?cx=017576662512468239146:omuauf_lfve&q=lectures&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: word
part: body
words:
- 'error'
negative: true


@ -0,0 +1,24 @@
id: api-googledirections
info:
name: Google Directions API Test
author: zzeitlin
severity: info
tags: api,google,directions
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://maps.googleapis.com/maps/api/directions/json?origin=Disneyland&destination=Universal+Studios+Hollywood4&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: word
part: body
words:
- 'error_message'
negative: true

apis/googleelevation.yaml Normal file

@ -0,0 +1,23 @@
id: api-googleelevation
info:
name: Google Elevation API Test
author: zzeitlin
severity: info
tags: api,google,elevation
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://maps.googleapis.com/maps/api/elevation/json?locations=39.7391536,-104.9847034&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: word
part: body
words:
- 'error_message'
negative: true

apis/googlefcm.yaml Normal file

@ -0,0 +1,24 @@
id: api-googlefcm
info:
name: Google FCM API Test
author: zzeitlin
severity: info
tags: api,google,fcm,firebase,cloud,messaging
requests:
- method: POST
payloads:
token: token.txt
path:
- "https://fcm.googleapis.com/fcm/send"
redirects: false
body: "{'registration_ids':['ABC']}"
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Authorization: key={{token}}
Content-Type: application/json
matchers:
- type: status
status:
- 200
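Review bot: the `body` value `{'registration_ids':['ABC']}` uses single quotes and is therefore not valid JSON, even though `Content-Type: application/json` is sent; the server can reject the payload as malformed even when the key is accepted, in which case the `status: 200` matcher never fires and valid keys are missed. Write it as `body: '{"registration_ids":["ABC"]}'` (a single-quoted YAML scalar wrapping double-quoted JSON).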


@ -0,0 +1,23 @@
id: api-googlefindplacefromtext
info:
name: Google Find Place From Text API Test
author: zzeitlin
severity: info
tags: api,google,find,text
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://maps.googleapis.com/maps/api/place/findplacefromtext/json?input=Museum%20of%20Contemporary%20Art%20Australia&inputtype=textquery&fields=photos,formatted_address,name,rating,opening_hours,geometry&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: word
part: body
words:
- 'error_message'
negative: true


@ -0,0 +1,23 @@
id: api-googledistancematrix
info:
name: Google Distance Matrix API Test
author: zzeitlin
severity: info
tags: api,google,distance,matrix
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://maps.googleapis.com/maps/api/distancematrix/json?units=imperial&origins=40.6655101,-73.89188969999998&destinations=40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: word
part: body
words:
- 'error_message'
negative: true

apis/googlegeocode.yaml Normal file

@ -0,0 +1,23 @@
id: api-googlegeocode
info:
name: Google Geocode API Test
author: zzeitlin
severity: info
tags: api,google,geocode
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://maps.googleapis.com/maps/api/geocode/json?latlng=40,30&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: word
part: body
words:
- 'error_message'
negative: true


@ -0,0 +1,28 @@
id: api-googlegeolocation
info:
name: Google Geolocation API Test
author: zzeitlin
severity: info
tags: api,google,geolocation
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://www.googleapis.com/geolocation/v1/geolocate?key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'error'
negative: true
- type: status
status:
- 404
negative: true

apis/googlemapsembed.yaml Normal file

@ -0,0 +1,21 @@
id: api-googlemapsembed
info:
name: Google Maps Embed API Test
author: zzeitlin
severity: info
tags: api,google,maps,embed
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://www.google.com/maps/embed/v1/place?q=Seattle&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: status
status:
- 200


@ -0,0 +1,21 @@
id: api-googlemapsembedadvanced
info:
name: Google Maps Embed (Advanced) API Test
author: zzeitlin
severity: info
tags: api,google,maps,embed
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://www.google.com/maps/embed/v1/search?q=record+stores+in+Seattle&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: status
status:
- 200


@ -0,0 +1,23 @@
id: api-googlenearbysearch
info:
name: Google Nearby Search API Test
author: zzeitlin
severity: info
tags: api,google,search,nearby
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://maps.googleapis.com/maps/api/place/nearbysearch/json?location=-33.8670522,151.1957362&radius=100&types=food&name=harbour&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: word
part: body
words:
- 'error_message'
negative: true


@ -0,0 +1,23 @@
id: api-googlenearestroads
info:
name: Google Nearest Roads API Test
author: zzeitlin
severity: info
tags: api,google,roads
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://roads.googleapis.com/v1/nearestRoads?points=60.170880,24.942795|60.170879,24.942796|60.170877,24.942796&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: word
part: body
words:
- 'error'
negative: true


@ -0,0 +1,23 @@
id: api-googlespeedlimit
info:
name: Google Place Details API Test
author: zzeitlin
severity: info
tags: api,google,place,details
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://maps.googleapis.com/maps/api/place/details/json?place_id=ChIJN1t_tDeuEmsRUsoyG83frY4&fields=name,rating,formatted_phone_number&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: word
part: body
words:
- 'error_message'
negative: true
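Review bot: `id: api-googlespeedlimit` on the Google Place Details template collides with the `id: api-googlespeedlimit` used by the Google Speed Limit template later in this commit. Nuclei expects template ids to be unique (recent versions warn on duplicates), and findings from the two templates could not be told apart by id. Rename this one to match its `name`, for example `api-googleplacedetails`.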


@ -0,0 +1,21 @@
id: api-googleplacesphoto
info:
name: Google Places Photo API Test
author: zzeitlin
severity: info
tags: api,google,places,photo
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://maps.googleapis.com/maps/api/place/photo?maxwidth=400&photoreference=CnRtAAAATLZNl354RwP_9UKbQ_5Psy40texXePv4oAlgP4qNEkdIrkyse7rPXYGd9D_Uj1rVsQdWT4oRz4QrYAJNpFX7rzqqMlZw2h2E2y5IKMUZ7ouD_SlcHxYq1yL4KbKUv3qtWgTK0A6QbGh87GB3sscrHRIQiG2RrmU_jF4tENr9wGS_YxoUSSDrYjWmrNfeEHSGSc3FyhNLlBU&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: status
status:
- 302


@ -0,0 +1,23 @@
id: api-googleplayablelocations
info:
name: Google Playable Locations API Test
author: zzeitlin
severity: info
tags: api,google,playable,locations
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://playablelocations.googleapis.com/v3:samplePlayableLocations?key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: word
part: body
words:
- 'error'
negative: true


@ -0,0 +1,23 @@
id: api-googleroutetotraveled
info:
name: Google Route to Traveled API Test
author: zzeitlin
severity: info
tags: api,google,route
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://roads.googleapis.com/v1/snapToRoads?path=-35.27801,149.12958|-35.28032,149.12907&interpolate=true&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: word
part: body
words:
- 'error'
negative: true


@ -0,0 +1,23 @@
id: api-googlespeedlimit
info:
name: Google Speed Limit API Test
author: zzeitlin
severity: info
tags: api,google,speed,limit
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://roads.googleapis.com/v1/speedLimits?path=38.75807927603043,-9.03741754643809&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: word
part: body
words:
- 'error'
negative: true


@ -0,0 +1,21 @@
id: api-googlestaticmaps
info:
name: Google Static Maps API Test
author: zzeitlin
severity: info
tags: api,google,maps
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://maps.googleapis.com/maps/api/staticmap?center=45%2C10&zoom=7&size=400x400&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: status
status:
- 200


@ -0,0 +1,21 @@
id: api-googlestreetview
info:
name: Google Static Streetview API Test
author: zzeitlin
severity: info
tags: api,google,streetview
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://maps.googleapis.com/maps/api/streetview?size=400x400&location=40.720032,-73.988354&fov=90&heading=235&pitch=10&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: status
status:
- 200


@ -0,0 +1,23 @@
id: api-googletextsearchplaces
info:
name: Google Places Text Search API Test
author: zzeitlin
severity: info
tags: api,google,search,places,text
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://maps.googleapis.com/maps/api/place/textsearch/json?query=restaurants+in+Sydney&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: word
part: body
words:
- 'error_message'
negative: true

apis/googletimezone.yaml Normal file

@ -0,0 +1,23 @@
id: api-googletimezone
info:
name: Google Timezone API Test
author: zzeitlin
severity: info
tags: api,google,timezone
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://maps.googleapis.com/maps/api/timezone/json?location=39.6034810,-119.6822510&timestamp=1331161200&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: word
part: body
words:
- 'errorMessage'
negative: true

apis/heroku.yaml Normal file

@ -0,0 +1,28 @@
id: api-heroku
info:
name: Heroku API Test
author: zzeitlin
reference: https://devcenter.heroku.com/articles/platform-api-quickstart#calling-the-api
severity: info
tags: api,heroku
requests:
- method: POST
payloads:
token: token.txt
path:
- "https://api.heroku.com/apps"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Accept: application/vnd.heroku+json; version=3
Authorization: Bearer {{token}}
matchers:
- type: status
status:
- 200
- 201
- 202
- 206
condition: or
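Review bot: `POST https://api.heroku.com/apps` creates a new application in the account that owns the token, and the `201` in the status list shows the template expects exactly that. A token check should leave nothing behind: use a GET against the apps listing or account endpoint from the referenced quickstart and match on `200`. The `condition: or` on a status matcher is also redundant, since a list of status codes already matches when any one of them is seen.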

apis/hubspot.yaml Normal file

@ -0,0 +1,25 @@
id: api-hubspot
info:
name: HubSpot API Test
author: zzeitlin
reference: https://legacydocs.hubspot.com/docs/methods/owners/get_owners
severity: info
tags: api,hubspot
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://api.hubapi.com/owners/v2/owners?hapikey={{token}}"
- "https://api.hubapi.com/contacts/v1/lists/all/contacts/all?hapikey={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: word
part: body
words:
- 'error'
negative: true

apis/instagram.yaml Normal file

@ -0,0 +1,22 @@
id: api-instagramgraph
info:
name: Instagram Graph API Test
author: zzeitlin
reference: https://developers.facebook.com/docs/instagram-api/getting-started
severity: info
tags: api,instagram,graph
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://graph.facebook.com/v8.0/me/accounts?access_token={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: status
status:
- 200

apis/ipstack.yaml Normal file

@ -0,0 +1,24 @@
id: api-ipstack
info:
name: IPStack API Test
author: zzeitlin
reference: https://ipstack.com/documentation
severity: info
tags: api,ipstack
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://api.ipstack.com/8.8.8.8?access_key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: word
part: body
negative: true
words:
- 'invalid_access_key'

apis/iterable.yaml Normal file

@ -0,0 +1,25 @@
id: api-iterable
info:
name: Iterable API Test
author: zzeitlin
reference: https://api.iterable.com/api/docs
severity: info
tags: api,iterable
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://api.iterable.com/api/export/data.json?dataTypeName=emailSend&range=Today&onlyFields=List.empty"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Api_Key: "{{token}}"
matchers:
- type: word
part: body
negative: true
words:
- 'BadApiKey'

apis/jumpcloud.yaml Normal file

@ -0,0 +1,25 @@
id: api-jumpcloud
info:
name: JumpCloud API Test
author: zzeitlin
reference: https://docs.jumpcloud.com/1.0/authentication-and-authorization/api-key
severity: info
tags: api,jumpcloud
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://console.jumpcloud.com/api/systems"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
X-Api-Key: "{{token}}"
matchers:
- type: word
part: body
negative: true
words:
- 'Unauthorized'

apis/lokalise.yaml Normal file

@ -0,0 +1,23 @@
id: api-lokalise
info:
name: Lokalise API Test
author: zzeitlin
reference: https://app.lokalise.com/api2docs/curl/#resource-projects
severity: info
tags: api,lokalise
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://api.lokalise.com/api2/projects/"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
X-Api-Token: "{{token}}"
matchers:
- type: status
status:
- 200

apis/loqate.yaml Normal file

@ -0,0 +1,24 @@
id: api-loqate
info:
name: Loqate API Test
author: zzeitlin
reference: https://www.loqate.com/resources/support/apis/Capture/Interactive/Find/1.1/
severity: info
tags: api,loqate
requests:
- method: GET
payloads:
token: token.txt
path:
- "api.addressy.com/Capture/Interactive/Find/v1.00/json3.ws?Key={{token}}&Countries=US,CA&Language=en&Limit=5&Text=BHAR"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: word
part: body
negative: true
words:
- 'Unknown key'
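Review bot: the `path` entry `api.addressy.com/Capture/Interactive/Find/v1.00/json3.ws?...` has no scheme, unlike every other template in this commit, which uses an absolute `https://` URL; with the placeholder `-u "null"` input there is nothing to resolve the bare host against, so the request will not be built as intended. Prefix `https://`. Note also that the key rides in the query string (`Key={{token}}`), which is the API's own design but means it lands in proxy and server logs.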

apis/mailchimp.yaml Normal file

@ -0,0 +1,21 @@
id: api-mailchimp
info:
name: Mailchimp API Test
author: zzeitlin
reference: https://mailchimp.com/developer/transactional/docs/smtp-integration/#credentials-and-configuration
severity: info
tags: api,mailchimp
network:
- inputs:
- data: "AUTH PLAIN {{base64(hex_decode('00')+'apikey'+hex_decode('00')+token)}}\r\n"
read: 1024
payloads:
token: token.txt
host:
- "tls://smtp.mandrillapp.com:465"
matchers:
- type: word
words:
- "success"
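Review bot: the SMTP exchange in `inputs` sends `AUTH PLAIN` as the very first command; most SMTP servers require an EHLO before they accept AUTH, so the check can fail with a protocol error even for a valid key. Add a leading `- data: "ehlo\r\n"` / `read: 1024` pair, as apis/sendgrid.yaml in this same commit does, so the two SMTP templates behave consistently.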

apis/mailgun.yaml Normal file

@ -0,0 +1,23 @@
id: api-mailgun
info:
name: Mailgun API Test
author: zzeitlin
reference: https://documentation.mailgun.com/en/latest/api-intro.html
severity: info
tags: api,mailgun
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://api.mailgun.net/v3/domains"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Authorization: Basic {{base64('api:' + token)}}
matchers:
- type: status
status:
- 200

apis/mapbox.yaml Normal file

@ -0,0 +1,23 @@
id: api-mapbox
info:
name: Mapbox API Test
author: zzeitlin
reference: https://docs.mapbox.com/api/search/geocoding/
severity: info
tags: api,mapbox
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://api.mapbox.com/geocoding/v5/mapbox.places/Los%20Angeles.json?access_token={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: status
status:
- 401
negative: true

apis/nerdgraph.yaml Normal file

@ -0,0 +1,27 @@
id: api-nerdgraph
info:
name: New Relic NerdGraph API Test
author: zzeitlin
reference: https://docs.newrelic.com/docs/apis/nerdgraph/get-started/introduction-new-relic-nerdgraph/
severity: info
tags: api,newrelic,nerdgraph
requests:
- method: POST
payloads:
token: token.txt
path:
- "https://api.newrelic.com/graphql"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Content-Type: application/json
API-Key: "{{token}}"
body: "{ \"query\": \"{ requestContext { userId apiKey }}\" }"
matchers:
- type: word
part: body
negative: true
words:
- 'errors'

apis/npm.yaml Normal file

@ -0,0 +1,25 @@
id: api-npm
info:
name: NPM API Test
author: zzeitlin
reference: https://docs.npmjs.com/creating-and-viewing-access-tokens
severity: info
tags: api,node,npm,package,manager
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://registry.npmjs.org/-/whoami"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Authorization: Bearer {{token}}
matchers:
- type: status
status:
- 401
- 403
negative: true

apis/openweather.yaml Normal file

@ -0,0 +1,22 @@
id: api-openweather
info:
name: OpenWeather API Test
author: zzeitlin
reference: https://openweathermap.org/current
severity: info
tags: api,weather,openweather
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://api.openweathermap.org/data/2.5/weather?q=Chicago&appid={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: status
status:
- 200

apis/pagerduty.yaml Normal file

@ -0,0 +1,25 @@
id: api-pagerduty
info:
name: Pagerduty API Test
author: zzeitlin
reference: https://developer.pagerduty.com/api-reference
severity: info
tags: api,pagerduty
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://api.pagerduty.com/schedules"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Accept: application/vnd.pagerduty+json;version=2
Authorization: Token token={{token}}
matchers:
- type: status
status:
- 401
negative: true

apis/pendo.yaml Normal file

@ -0,0 +1,27 @@
id: api-pendo
info:
name: Pendo API Test
author: zzeitlin
reference: https://help.pendo.io/resources/support-library/api/index.html
severity: info
tags: api,pendo
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://app.pendo.io/api/v1/feature"
- "https://app.pendo.io/api/v1/metadata/schema/account"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Content-Type: application/json
X-Pendo-Integration-Key: "{{token}}"
matchers:
- type: status
status:
- 403
negative: true
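Review bot: the matcher negates only `status: 403`, so a 401, 404 or 5xx reply is reported as a valid integration key, and because two `path` entries are tried, a single endpoint that answers anything other than 403 yields a false positive for every key tested. Match positively on `200`, as apis/postmark.yaml and apis/lokalise.yaml in this commit do.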

apis/pivotaltracker.yaml Normal file

@ -0,0 +1,25 @@
id: api-pivotaltracker
info:
name: PivotalTracker API Test
author: zzeitlin
reference: https://www.pivotaltracker.com/help/api
severity: info
tags: api,pivotaltracker
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://www.pivotaltracker.com/services/v5/me"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
X-TrackerToken: "{{token}}"
matchers:
- type: word
part: body
negative: true
words:
- 'invalid_authentication'

apis/postmark.yaml Normal file

@ -0,0 +1,24 @@
id: api-postmark
info:
name: PostMark API Test
author: zzeitlin
reference: https://postmarkapp.com/developer/api/overview
severity: info
tags: api,postmark
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://api.postmarkapp.com/stats/outbound"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Accept: application/json
X-Postmark-Server-Token: "{{token}}"
matchers:
- type: status
status:
- 200

apis/sendgrid.yaml Normal file

@ -0,0 +1,23 @@
id: api-sendgrid
info:
name: Sendgrid API Test
author: zzeitlin
reference: https://docs.sendgrid.com/for-developers/sending-email/getting-started-smtp
severity: info
tags: api,sendgrid
network:
- inputs:
- data: "ehlo\r\n"
read: 1024
- data: "AUTH PLAIN {{base64(hex_decode('00')+'apikey'+hex_decode('00')+token)}}\r\n"
read: 1024
payloads:
token: token.txt
host:
- "tls://smtp.sendgrid.net:465"
matchers:
- type: word
words:
- "Authentication successful"

apis/slack.yaml Normal file

@ -0,0 +1,25 @@
id: api-slack
info:
name: Slack API Test
author: zzeitlin
reference: https://api.slack.com/methods/auth.test
severity: info
tags: api,slack
requests:
- method: POST
payloads:
token: token.txt
path:
- "https://slack.com/api/auth.test"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Authorization: Bearer {{token}}
matchers:
- type: word
part: body
words:
- 'error'
negative: true
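Review bot: matching on the absence of the literal `error` is fragile for this endpoint: a valid reply that happens to contain the substring in a team, user or URL field is dropped, and any non-JSON reply (HTML error page, rate-limit response) that lacks the word is reported as a valid token. `auth.test` answers `"ok":true` on success, so a positive `type: word` matcher on `"ok":true` (optionally combined with a 200 status under `matchers-condition: and`) is tighter and easier to read than the negated `error`.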

apis/sonarcloud.yaml Normal file

@ -0,0 +1,24 @@
id: api-sonarcloud
info:
name: SonarCloud API Test
author: zzeitlin
reference: https://sonarcloud.io/web_api/api/authentication
severity: info
tags: api,sonarcloud
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://sonarcloud.io/api/authentication/validate"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Authorization: Basic {{base64(token + ':')}}
matchers:
- type: word
part: body
words:
- 'true'
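Review bot: the positive match on the bare word `true` is too loose. `validate` returns a small JSON object of the form `{"valid":true}` or `{"valid":false}`, and matching `true` alone would also fire on any body that mentions the word elsewhere. Match the exact fragment `"valid":true`, which is what the template actually wants to assert.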

apis/spotify.yaml Normal file

@ -0,0 +1,23 @@
id: api-spotify
info:
name: Spotify API Test
author: zzeitlin
reference: https://developer.spotify.com/documentation/general/guides/authorization-guide/
severity: info
tags: api,spotify
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://api.spotify.com/v1/me"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Authorization: Bearer {{token}}
matchers:
- type: status
status:
- 200

apis/square.yaml Normal file

@ -0,0 +1,27 @@
id: api-square
info:
name: Square API Test
author: zzeitlin
reference: https://developer.squareup.com/explorer/square/locations-api/list-locations
severity: info
tags: api,square
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://connect.squareup.com/v2/locations"
- "https://connect.squareupsandbox.com/v2/locations"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Content-Type: application/json
Authorization: Bearer {{token}}
matchers:
- type: word
part: body
words:
- 'errors'
negative: true
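Review bot: two hosts (production and sandbox) are probed with a single negative `errors` matcher, so a response from either host that lacks the word is reported, including HTML error pages or 5xx bodies that never contain it. Combine the negative word match with a `type: status` matcher for `200` under `matchers-condition: and`. The `Content-Type: application/json` header on a body-less GET is harmless but unnecessary and can be dropped.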

apis/stripe.yaml Normal file

@ -0,0 +1,23 @@
id: api-stripe
info:
name: Stripe API Test
author: zzeitlin
reference: https://stripe.com/docs/api/authentication
severity: info
tags: api,stripe
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://api.stripe.com/v1/charges"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Authorization: Basic {{base64(token + ':')}}
matchers:
- type: status
status:
- 200
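Review bot: `GET /v1/charges` returns actual charge records (amounts, customer references, card metadata) when the key is valid, so a successful check pulls sensitive payment data into Nuclei's response handling and any saved output. Stripe's `/v1/balance` answers the same authentication question with far less sensitive content; consider switching the path.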

apis/tinypng.yaml Normal file

@ -0,0 +1,26 @@
id: api-tinypng
info:
name: TinyPNG API Test
author: zzeitlin
reference: https://tinypng.com/developers
severity: info
tags: api,tinypng
requests:
- method: POST
payloads:
token: token.txt
path:
- "https://api.tinify.com/shrink"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Authorization: Basic {{base64('api:' + token)}}
matchers:
- type: word
part: header
words:
- 'Compression-Count'
- 'compression-count'
condition: or

apis/token.txt Normal file

@ -0,0 +1 @@
exampleAPItokenhere
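Review bot: committing `apis/token.txt` with a placeholder means that users who write their real token into the file next to the templates (every template here reads `token: token.txt`) overwrite a tracked file with a live secret, and a careless `git add -A` will commit it. Either keep the placeholder out of the repository and document the file name only, or add `apis/token.txt` to `.gitignore` (the tracked copy needs `git rm --cached` first) so a real token cannot be pushed by accident.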

apis/travisci.yaml Normal file

@ -0,0 +1,25 @@
id: api-travisci
info:
name: Travis CI API Test
author: zzeitlin
reference: https://developer.travis-ci.com/
severity: info
tags: api,travis
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://api.travis-ci.com/user"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Travis-API-Version: 3
Authorization: token {{token}}
matchers:
- type: status
status:
- 403
negative: true
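Review bot: the matcher only excludes status `403`, so a `401`, `404`, `429` or any `5xx` reply is counted as a valid token. The other templates in this directory use a positive `status: 200` check; use the same here (or list every failure status explicitly) so that an unexpected response is not reported as a hit.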

apis/twitter.yaml Normal file

@ -0,0 +1,25 @@
id: api-twitter
info:
name: Twitter API Test
author: zzeitlin
refernce: https://developer.twitter.com/en/docs/twitter-api/api-reference-index
severity: info
tags: api,twitter
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://api.twitter.com/1.1/account_activity/all/subscriptions/count.json"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Authorization: Bearer {{token}}
matchers:
- type: word
part: body
words:
- 'error'
negative: true
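Review bot: `refernce:` in the `info` block is a typo for `reference:`; as written the URL sits under an unknown key and will not be picked up as the template's reference by Nuclei output or template validation. Separately, `account_activity/all/subscriptions/count.json` is a narrow, subscription-specific endpoint, so a bearer token that is valid for other parts of the API may still receive an `errors` body here and be reported as invalid; a more general account endpoint would reduce that false-negative risk.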

apis/visualstudio.yaml Normal file

@ -0,0 +1,26 @@
id: api-visualstudio
info:
name: Visual Studio API Test
author: zzeitlin
reference: https://openapi.appcenter.ms/
severity: info
tags: api,visualstudio,microsoft
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://api.appcenter.ms/v0.1/apps"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Content-Type: application/json
X-Api-Token: "{{token}}"
matchers:
- type: word
part: body
negative: true
words:
- 'Unauthorized'
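Review bot: the absence of `Unauthorized` from the body is the sole success condition, so a 5xx or HTML error response is reported as a valid token; add a `status: 200` matcher under `matchers-condition: and`. `Content-Type: application/json` is not needed on a GET without a body.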

apis/wakatime.yaml Normal file

@ -0,0 +1,23 @@
id: api-wakatime
info:
name: WakaTime CI API Test
author: zzeitlin
reference: https://wakatime.com/developers
severity: info
tags: api,wakatime
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://wakatime.com/api/v1/users/current/projects/?api_key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers:
- type: status
status:
- 401
negative: true
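Review bot: the name `WakaTime CI API Test` looks copied from the Travis CI template; WakaTime is not a CI service, so drop `CI`. The key is also passed as `?api_key={{token}}` in the URL, which puts the secret into Nuclei's matched-URL output, proxy logs and any shared report; if the API accepts the key in an `Authorization` header, prefer that, as the other templates here do. Finally, excluding only status `401` means any other non-200 reply counts as valid; a positive `status: 200` match is safer.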

apis/weglot.yaml Normal file

@ -0,0 +1,26 @@
id: api-weglot
info:
name: WeGlot API Test
author: zzeitlin
reference: https://developers.weglot.com/api/reference
severity: info
tags: api,weglot
requests:
- method: POST
payloads:
token: token.txt
path:
- "https://api.weglot.com/translate?api_key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Content-Type: application/json
body: "{\"l_from\":\"en\",\"l_to\":\"fr\",\"request_url\":\"https://www.website.com/\",\"words\":[{\"w\":\"This is a blue car\",\"t\":1},{\"w\":\"This is a black car\",\"t\":1}]}"
matchers:
- type: word
part: body
negative: true
words:
- 'does not exist'
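Review bot: this check is not read-only: the POST body asks the API to translate two sentences, so every run against a valid key consumes translation quota on the key owner's account and records `https://www.website.com/` in their request history. If the API exposes a lighter authenticated endpoint (an account or languages lookup), use that for validation. The key also travels in the query string (`?api_key={{token}}`), where it lands in output and proxy logs, and the negative `does not exist` matcher alone will report any unrelated error body as a valid key.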

apis/youtube.yaml Normal file

@ -0,0 +1,27 @@
id: api-youtube
info:
name: YouTube API Test
author: zzeitlin
reference: https://developers.google.com/youtube/v3/docs
severity: info
tags: api,youtube
requests:
- method: GET
payloads:
token: token.txt
path:
- "https://www.googleapis.com/youtube/v3/activities?part=contentDetails&maxResults=25&channelId=UC-lHJZR3Gqxm24_Vd_AJ5Yw&key={{token}}"
redirects: false
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
matchers-condition: or
matchers:
- type: word
part: body
words:
- 'quotaExceeded'
- type: status
status:
- 200
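Review bot: the `matchers-condition: or` between `quotaExceeded` and `status: 200` is deliberate (a quota error proves the key was accepted, just exhausted), but nothing in the template says so; add a `#` comment above `matchers` so a later maintainer does not "fix" it into an `and`. The `channelId` is hardcoded to a specific public channel, which is fine for a read-only `activities` lookup, and note that the `key={{token}}` query parameter will appear in the matched URL in Nuclei output.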