Swagger Jacker

A tool for auditing endpoints defined in exposed (Swagger/OpenAPI) definition files.

#repo
https://github.com/BishopFox/sj.git

#install
git clone https://github.com/BishopFox/sj.git
cd sj
go build .
cp sj /usr/local/bin
sj -h

#Usage
cat allurls.txt | sort -u | grep '/v1' > api-endpoints.txt
cat allurls.txt | sort -u | grep '/v2' >> api-endpoints.txt

cat api-endpoints.txt| sort -u | cut -d " " -f 4 | xargs -I{}  /usr/local/bin/sj automate -u {} 

cat api-endpoints.txt| sort -u | cut -d " " -f 4 | xargs -I{}  /usr/local/bin/sj automate -u {} -H "Authorization: LEAKEDCREDS" 

cat api-endpoints.txt| sort -u | cut -d " " -f 4 | xargs -I{}  /usr/local/bin/sj prepare -u {} | tee -a output.txt

cat api-endpoints.txt| sort -u | cut -d " " -f 4 | xargs -I{}  /usr/local/bin/sj endpoints -u {} | tee -a output.txt

#single endpoint

sj automate -u https://editor-mbtportal.de.daimlertruck.com/swagger/docs/v1 -q

sj brute -u https://editor-mbtportal.de.daimlertruck.com/swagger/docs/v1 -q  #bruteforcing

PreviousAPI pentesting NextGoogle Dorks

Last updated 4 months ago