API

BugBountyTip: If you playing with API ENDPOINT always try to send INVALID CONTENT TYPE end-up by getting hidden endpoints in RESPONSE

good start of the month /api/something - 400 /api/something?filter=all - 200 found in a four-year-old private program with almost 1000 resolved reports. Bugs are still there, don't get intimidated by how many searched on that program.

• https://medium.com/bugbountywriteup/31-tips-api-security-pentesting-480b5998b765

• Login to program -> param miner enabled found jsonp callback on every api call, content type converted to javascript -> made a quick html to receive the function callback -> steal account generated api keys and secrets -> fastest p1/p2 of the week.

• If you are testing a JSON endpoint, always try to change one letter in the parameter names to make them invalid. I had quite a few cases where the server thrown back an error with all of the accepted parameters.

• Leak PII sensitive API Users DATA with URL Path Permutations: /api/users/user@email.com -> /api/users/..%2Fuser@email.com or /api/account/123/ -> /api/account/..%2F..%2F123 Enjoy! #bugbountyTip #bugbounty@bugbounty_world #BtyPlz #infosec

• When testing OpenID Connect or OAuth 2.0 and you got the client_id: Always consider/check the same authentication request as the UserInfo endpoint to retrieve PII information by adding the "claims" parameter! Developers so often use the same authentication URI as UserInfo

Perhaps you're attacking an API with a solid CORS configuration, and your form-based CSRF attack using "text/plain" is failing because the server replies that it expects "application/json". Try this trick... 1/3 #bugbountytips