API

​BugBountyTip: If you playing with API ENDPOINT always try to send INVALID CONTENT TYPE end-up by getting hidden endpoints in RESPONSE​
​good start of the month /api/something - 400 /api/something?filter=all - 200 found in a four-year-old private program with almost 1000 resolved reports. Bugs are still there, don't get intimidated by how many searched on that program.​
​https://medium.com/bugbountywriteup/31-tips-api-security-pentesting-480b5998b765​
​Login to program -> param miner enabled found jsonp callback on every api call, content type converted to javascript -> made a quick html to receive the function callback -> steal account generated api keys and secrets -> fastest p1/p2 of the week.​
If you are testing a JSON endpoint, always try to change one letter in the parameter names to make them invalid. I had quite a few cases where the server thrown back an error with all of the accepted parameters.
Leak PII sensitive API Users DATA with URL Path Permutations: /api/users/[email protected] -> /api/users/..%[email protected] or /api/account/123/ -> /api/account/..%2F..%2F123 Enjoy! #bugbountyTip #bugbounty​@bugbounty_world #BtyPlz #infosec​​
​​
​When testing OpenID Connect or OAuth 2.0 and you got the client_id: Always consider/check the same authentication request as the UserInfo endpoint to retrieve PII information by adding the "claims" parameter! Developers so often use the same authentication URI as UserInfo
​Perhaps you're attacking an API with a solid CORS configuration, and your form-based CSRF attack using "text/plain" is failing because the server replies that it expects "application/json". Try this trick... 1/3 #bugbountytips​
OSINT / Recon
Cross Site Request Forgery (CSRF)
Last modified 11mo ago