API-Security-Tips
Old versions of an API tend to be more vulnerable.
Saw a call to api/v3/login? Check whether api/v1/login exists as well; it might be more vulnerable.
🧵1/10
#bugbounty #bugbountytips #cybersecurity
Never assume there's only one way to authenticate to an API! Modern apps have many API endpoints for AuthN: /api/mobile/login | /api/v3/login | /api/magic_link, etc.
Find and test all of them for AuthN problems.
🧵2/10
SQL injection used to be extremely common 5-10 years ago; remember when you could break into almost every company with it?
BOLA (IDOR) is the new epidemic of API security.
As a pentester, if you understand how to exploit it, your glory is guaranteed.
medium.com/@inonst/a-deep…
🧵3/10
Testing a Ruby on Rails app and noticed an HTTP parameter containing a URL?
Developers sometimes use the "Kernel#open" function to access URLs == game over.
Just send a pipe as the first character followed by a shell command (command injection by design).
🧵4/10
Found SSRF? Use it for:
Internal port scanning
Leveraging cloud services (like 169.254.169.254)
Using webhook.site to reveal the IP address and HTTP library
Downloading a very large file (layer 7 DoS)
Reflective SSRF? Disclosing local management consoles
🧵5/10
A company exposes an API for developers?
This is not the same API that the mobile/web application uses.
Always test them separately.
Don't assume they implement the same security mechanisms.
🧵7/10
Pentesting a REST API?
Give it a chance and check whether the API supports SOAP as well.
Change the Content-Type to "application/xml", add a simple XML document to the request body, and see how the API handles it.
🧵8/10
Pentesting APIs?
Trying to find BOLA (IDOR) vulnerabilities?
IDs in HTTP bodies/headers tend to be more vulnerable than IDs in URLs. Focus on them first.
🧵9/10
The API uses an Authorization header?
Forget about CSRF! If the authentication mechanism doesn't support cookies, the API is protected against CSRF by design.
Thank you for reading! ❤
All credit goes to @traceableai
🧵10/10
Make sure to check our blog for more content 👇🏻
• hackerinthehouse.in Don't forget to follow @hackerinhouse :)