Jay Beale, 15 tweets, 3 min read
Red Teamers know: we have to keep RTFM-ing, especially in the API-driven world. The API docs will give you far more access than you might imagine. 1/n
Look for the words “soon to be deprecated” and “not recommended,” especially if these API endpoints or authentication approaches were once defaults. 2/n
Look for default authorizations (roles, capabilities, ...) - even when these seemingly aren’t being used, they may still be available. 3/n
Fingerprint what tool or library deployed the environment/cluster/application. Read its APIs and tutorials. The most popular tutorials create a kind of second/third/... set of default configuration. 4/n
If something you’ve seen, read and/or tried before isn’t working, RTFM and search the web: did the API change, is there a header required for what you’re doing that wasn’t needed before, is your authentication token still fresh? 5/n
Can you script your API calls so they freshen their own token/session/fingerprint inline with the request? 6/n
Is this easier with another tool or language/library? 7/n
Do you need to evade detection by limiting/paging/cursoring the output so your API calls look like standard tools? 8/n
Might two heads be better than one? (Or n+1 better than n?) Who can you ask about this? 9/n
Can you talk to anyone at the API provider or one of its most popular consumers? 10/n
Have you checked for blogs, conference talks, and not-yet-famous tools? Even if you can’t bring tools (limited network access, need to “live off the land” for stealth, can’t install an interpreter/compile for this platform), you can answer questions by reading tool source. 11/n
Is it time to script, so you can loop over more things/all the things, save intermediate results and search those later without having to make more API calls? 12/n
In these days of quick free cloud credit, as well as Vagrant, Ansible, Terraform, etc., can you test your API calls and scripts against your own sample platform before you try them against your red team client? 13/n
Can you construct or even test your API calls using an online tool, particularly one that’s built into the API’s documentation site? 14/n
Meta-post: Have you asked your community to collaborate with you on your blog post? @dinodaizovi @IanColdwater @bradgeesaman @3nc0d3r @dmay3r @faithanalog @cj_cullen @mrgcastle 0/n