# API

* [BugBountyTip: If you playing with `API ENDPOINT` always try to send `INVALID CONTENT TYPE` end-up by getting hidden endpoints in `RESPONSE`](https://twitter.com/XSaadAhmedX/status/1145052664046206976)
* [good start of the month /api/something - 400 /api/something?filter=all - 200 found in a four-year-old private program with almost 1000 resolved reports. Bugs are still there, don't get intimidated by how many searched on that program.](https://twitter.com/bogdantcaciuc7/status/1234667685343948803)
* <https://medium.com/bugbountywriteup/31-tips-api-security-pentesting-480b5998b765>
* [Login to program -> param miner enabled found jsonp callback on every api call, content type converted to javascript -> made a quick html to receive the function callback -> steal account generated api keys and secrets -> fastest p1/p2 of the week.](https://twitter.com/MasterSEC_AR/status/1262969981098229761)
* If you are testing a JSON endpoint, always try to change one letter in the parameter names to make them invalid. I had quite a few cases where the server threw back an error with all of the accepted parameters.
* [Leak PII sensitive API Users DATA with URL Path Permutations: /api/users/user@email.com -> /api/users/..%2Fuser@email.com or /api/account/123/ -> /api/account/..%2F..%2F123 Enjoy!](https://twitter.com/akita_zen/status/1131652331471347712) [#bugbountyTip](https://twitter.com/hashtag/bugbountyTip?src=hashtag_click) [#bugbounty](https://twitter.com/hashtag/bugbounty?src=hashtag_click) [@bugbounty\_world](https://twitter.com/bugbounty_world) [#BtyPlz](https://twitter.com/hashtag/BtyPlz?src=hashtag_click) [#infosec](https://twitter.com/hashtag/infosec?src=hashtag_click) [![Image](https://pbs.twimg.com/media/D7Rvs9TWsAAq9Un?format=jpg\&name=medium)](https://twitter.com/akita_zen/status/1131652331471347712/photo/1)
* [When testing OpenID Connect or OAuth 2.0 and you got the client\_id: Always consider/check the same authentication request as the UserInfo endpoint to retrieve PII information by adding the "claims" parameter! Developers so often use the same authentication URI as UserInfo](https://twitter.com/ApiDiary/status/1426218707756457995?s=20)

![](/files/-Mj7q1fNgwBQj_TAP7fR)

* [Perhaps you're attacking an API with a solid CORS configuration, and your form-based CSRF attack using "text/plain" is failing because the server replies that it expects "application/json". Try this trick... 1/3 #bugbountytips](https://twitter.com/jub0bs/status/1432025054108430346?s=20)
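The path-permutation tip above works when a router matches one segment (`..%2Fuser@email.com`) but a downstream component decodes and resolves it into a different resource. The check below is an added defender-side example, not code from any of the quoted tweets: a request filter that percent-decodes every path segment on its own and rejects segments that hide a separator, a dot segment or a second layer of encoding; `check_path` and `resolved_path` are names chosen here, not from any framework.

```python
import posixpath
from urllib.parse import unquote


def check_path(raw_path):
    """Return (ok, reason) for a raw request path, before routing.

    Each segment is decoded separately so an encoded '/' or '..' that was
    smuggled inside a single segment cannot survive into resource lookup.
    """
    if not raw_path.startswith("/"):
        return False, "path is not absolute"
    for seg in raw_path.split("/")[1:]:
        dec = unquote(seg)
        # '%252F' decodes to '%2F', which would decode again further down the stack
        if "%" in dec and unquote(dec) != dec:
            return False, "double-encoded segment %r" % seg
        # '..%2Fuser@email.com' decodes to '../user@email.com': hidden separator
        if "/" in dec or "\\" in dec:
            return False, "encoded separator in segment %r" % seg
        # '%2e%2e' decodes to '..': hidden dot segment
        if dec in (".", ".."):
            return False, "dot segment %r" % seg
    return True, "ok"


def resolved_path(raw_path):
    """What a naive backend would resolve after decoding and normalising.

    Shown only to make the risk visible; the filter above runs before this.
    """
    return posixpath.normpath(unquote(raw_path))


if __name__ == "__main__":
    # Constructed sample paths taken from the tip's own permutations.
    samples = [
        "/api/users/user@email.com",
        "/api/users/..%2Fuser@email.com",
        "/api/account/123/",
        "/api/account/..%2F..%2F123",
        "/api/users/%252Fx",
    ]
    for p in samples:
        ok, why = check_path(p)
        print("%-35s %-5s %-40s resolves to %s" % (p, ok, why, resolved_path(p)))
```

The `resolved_path` output shows why the permutation is dangerous: `/api/account/..%2F..%2F123` normalises to `/123`, a route the authorization layer never evaluated.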
