API

• BugBountyTip: If you playing with API ENDPOINT always try to send INVALID CONTENT TYPE end-up by getting hidden endpoints in RESPONSE

• good start of the month /api/something - 400 /api/something?filter=all - 200 found in a four-year-old private program with almost 1000 resolved reports. Bugs are still there, don't get intimidated by how many searched on that program.

• https://medium.com/bugbountywriteup/31-tips-api-security-pentesting-480b5998b765

• Login to program -> param miner enabled found jsonp callback on every api call, content type converted to javascript -> made a quick html to receive the function callback -> steal account generated api keys and secrets -> fastest p1/p2 of the week.

• If you are testing a JSON endpoint, always try to change one letter in the parameter names to make them invalid. I had quite a few cases where the server thrown back an error with all of the accepted parameters.

• Leak PII sensitive API Users DATA with URL Path Permutations: /api/users/user@email.com -> /api/users/..%2Fuser@email.com or /api/account/123/ -> /api/account/..%2F..%2F123 Enjoy! #bugbountyTip #bugbounty@bugbounty_world #BtyPlz #infosec

• When testing OpenID Connect or OAuth 2.0 and you got the client_id: Always consider/check the same authentication request as the UserInfo endpoint to retrieve PII information by adding the "claims" parameter! Developers so often use the same authentication URI as UserInfo

• Perhaps you're attacking an API with a solid CORS configuration, and your form-based CSRF attack using "text/plain" is failing because the server replies that it expects "application/json". Try this trick... 1/3 #bugbountytips