Inon Shkedy (@inonshkedy)'s Twitter Profile
Inon Shkedy

@inonshkedy

🧘‍♂️🌱

Security Research @traceableai ; API Security Project Leader @OWASP

I speak 🇧🇷/🇦🇷/🇺🇸/🇮🇱

ID: 1090024546533498880

Link: https://medium.com/@inonst | Joined: 28-01-2019 23:11:18

450 Tweets

3.3K Followers

426 Following

Inon Shkedy (@inonshkedy):

-API Tip 21/30- #bugbountytip Understand business logic in order to find BL vulnerabilities! Look for videos/content explaining how to use the tested system:
- YouTube
- Reddit
- Pastebin
- Twitter
- PDF files stored under the system domain to find manuals (Google hacking)

Inon Shkedy (@inonshkedy):

-API Tip 22/30- #bugbountytip Use "bulk import" to bypass input validation. Example: POST /add_contact?name=<script>alert(21)</script> returns 400? (XSS blocked 😞) Find a feature to upload contacts from a file (POST /import_contact_file) -- XSS bypass 😇😇
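The root cause behind this tip is validation that lives in the interactive handler instead of in front of the data. The following is an added example, not code from the tweet or from any product it alludes to: a tiny in-memory contacts service whose single-record endpoint filters angle brackets while its file import writes rows straight to storage, next to a hardened variant where one constructor validates every record regardless of the path it arrived on. The endpoint names follow the tweet; the CSV upload, the filter and the storage model are assumptions made for the demonstration.

```python
"""Added example (not the original author's code): the same input validation
must sit in front of every write path, not just the interactive one.
Endpoint names follow the tip above; the service and its filter are invented."""
import csv
import io
import re

# Deliberately crude XSS filter, standing in for whatever produced the 400.
_ANGLE = re.compile(r"[<>]")


class ValidationError(ValueError):
    pass


def _check_name(name: str) -> str:
    if _ANGLE.search(name):
        raise ValidationError("name must not contain '<' or '>'")
    return name


# --- vulnerable service: validation only on the single-record path ---------
class VulnerableContacts:
    def __init__(self):
        self.contacts = []

    def add_contact(self, name: str) -> int:
        # POST /add_contact?name=...  -> 400 on the payload
        self.contacts.append({"name": _check_name(name)})
        return 201

    def import_contact_file(self, csv_text: str) -> int:
        # POST /import_contact_file -> rows go straight into storage
        for row in csv.DictReader(io.StringIO(csv_text)):
            self.contacts.append({"name": row["name"]})
        return 201


# --- hardened service: one constructor validates, every path uses it -------
class Contact:
    def __init__(self, name: str):
        self.name = _check_name(name)


class HardenedContacts:
    def __init__(self):
        self.contacts = []

    def add_contact(self, name: str) -> int:
        self.contacts.append(Contact(name))
        return 201

    def import_contact_file(self, csv_text: str) -> int:
        # Build (and therefore validate) every row before committing any.
        rows = [Contact(r["name"]) for r in csv.DictReader(io.StringIO(csv_text))]
        self.contacts.extend(rows)
        return 201


PAYLOAD = "<script>alert(21)</script>"
# Constructed upload, mimicking a contacts file with the payload inside.
CSV_FILE = "name,email\nAlice,alice@example.com\n" + PAYLOAD + ",x@example.com\n"


def status(fn, *args) -> int:
    """Return the HTTP-ish status a handler would produce."""
    try:
        return fn(*args)
    except ValidationError:
        return 400


def demo() -> dict:
    v, h = VulnerableContacts(), HardenedContacts()
    return {
        "vuln_add": status(v.add_contact, PAYLOAD),              # blocked
        "vuln_import": status(v.import_contact_file, CSV_FILE),  # accepted
        "vuln_stored": any(PAYLOAD in c["name"] for c in v.contacts),
        "hard_add": status(h.add_contact, PAYLOAD),
        "hard_import": status(h.import_contact_file, CSV_FILE),
        "hard_stored": any(PAYLOAD in c.name for c in h.contacts),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened import validates the whole file before it commits a single row, so a bad line cannot leave a half-imported list behind; the real fix is the shared `Contact` constructor, which makes it impossible for a new write path to forget the check.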

Inon Shkedy (@inonshkedy):

-API Tip 23/30- #bugbountytips Look at Postman Collections (web.postman.co) to find hidden/forgotten APIs of the company you are testing. Use the collections as documentation to better understand the business logic of the app (they might contain comments, sample values, etc.)

Inon Shkedy (@inonshkedy):

-API Tip 24/30- #bugbountytips BOPLA/"Excessive Data Exposure" exploitation: after several hours of pentesting, use the @burp_suite search to look for PII in responses. Also look for business-related sensitive data (VINs for the vehicle industry, etc.)
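A plain-text search in the proxy finds obvious strings; it does not tell you whether a 17-character blob is really a VIN or a 16-digit number is really a card. The block below is an added example, not part of the tweet, of the offline equivalent of that search: it sweeps a list of saved responses for e-mail addresses, US SSN-shaped strings, card numbers and VINs, and validates the last two with the Luhn and ISO 3779 check digits so that tracking numbers and typos do not pollute the report. The responses are constructed for the demonstration; the industry-specific pattern (VIN) is the one the tweet names.

```python
"""Added example (not the original author's code): a post-engagement sweep
over saved responses for PII and industry identifiers. Responses are
constructed; check-digit validators cut false positives."""
import re

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD = re.compile(r"\b\d{13,19}\b")
VIN = re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b")   # VINs never use I, O or Q

# ISO 3779 transliteration and weights; position 9 is the check digit itself.
_VIN_VALUES = dict(zip("ABCDEFGHJKLMNPRSTUVWXYZ",
                       [1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 7, 9,
                        2, 3, 4, 5, 6, 7, 8, 9]))
_VIN_VALUES.update({d: int(d) for d in "0123456789"})
_VIN_WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2]


def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def vin_ok(vin: str) -> bool:
    """Weighted sum mod 11 must equal the 9th character (10 is written 'X')."""
    total = sum(_VIN_VALUES[c] * w for c, w in zip(vin, _VIN_WEIGHTS))
    check = total % 11
    return vin[8] == ("X" if check == 10 else str(check))


PATTERNS = {
    "email": (EMAIL, lambda s: True),
    "ssn": (SSN, lambda s: True),
    "card": (CARD, luhn_ok),
    "vin": (VIN, vin_ok),
}


def scan(responses):
    """Return {url: {kind: [values]}} for every hit that passes its validator."""
    hits = {}
    for url, body in responses:
        found = {}
        for kind, (rx, ok) in PATTERNS.items():
            vals = sorted({m for m in rx.findall(body) if ok(m)})
            if vals:
                found[kind] = vals
        if found:
            hits[url] = found
    return hits


# Constructed responses, as if exported from a proxy history.
RESPONSES = [
    ("/api/vehicles/17", '{"id":17,"vin":"1HGCM82633A004352","owner":"bob@example.com"}'),
    ("/api/vehicles/18", '{"id":18,"vin":"1HGCM82633A004353"}'),     # bad check digit
    ("/api/users/me", '{"ssn":"123-45-6789","card":"4111111111111111"}'),
    ("/api/orders/1", '{"tracking":"1234567890123"}'),               # fails Luhn
]

if __name__ == "__main__":
    for url, found in scan(RESPONSES).items():
        print(url, found)
```

Feed it the proxy's saved items (URL plus body) and the output is the list of endpoints worth reporting, ranked by what they leak rather than by how many raw regex matches they produced.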

Inon Shkedy (@inonshkedy):

-API Tip 26/30- #bugbountytip BOLA/IDOR: Look for IDs in cookies. If you remove the cookies (except the session ID/AuthN cookie) from a specific API call and the API returns an error, there is a good chance the API fetches something based on a cookie value. Might be a potential BOLA/IDOR.
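The tip is a differential test, and it automates well. The block below is an added example, not the tweet author's code: it strips one non-session cookie at a time from a captured cookie jar, records which removals change the response, then swaps each dependent cookie for another tenant's value to confirm the BOLA. The target is a simulated in-process endpoint with two implementations, one that resolves the account from an `account_id` cookie and one that resolves it from the session; the cookie names, tokens and account data are invented.

```python
"""Added example (not the original author's code): automate the tip. Remove
one non-session cookie at a time, watch for a changed response, then swap
the value of each dependent cookie for a foreign one. The API is simulated."""

# --- simulated API, two implementations of GET /api/account ----------------
SESSIONS = {"s3ss10n-alice": "alice"}
ACCOUNTS = {
    "1001": {"owner": "alice", "iban": "DE89 3704 0044 0532 0130 00"},
    "1002": {"owner": "bob", "iban": "GB29 NWBK 6016 1331 9268 19"},
}


def vulnerable_get_account(cookies: dict):
    """Identity from 'session', but the record comes from 'account_id'."""
    if SESSIONS.get(cookies.get("session")) is None:
        return 401, {"error": "not authenticated"}
    acct = ACCOUNTS.get(cookies.get("account_id"))
    if acct is None:
        return 400, {"error": "missing account"}   # the tell the tip describes
    return 200, acct                               # owner is never checked


def hardened_get_account(cookies: dict):
    """Same endpoint; the record is resolved from the session, not a cookie."""
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return 401, {"error": "not authenticated"}
    for acct in ACCOUNTS.values():
        if acct["owner"] == user:
            return 200, acct
    return 404, {"error": "no account"}


# --- tester -----------------------------------------------------------------
def find_cookie_dependencies(send, cookies: dict, keep=("session",)):
    """Return the cookies whose removal changes the response."""
    baseline = send(cookies)
    dependent = []
    for name in cookies:
        if name in keep:
            continue
        trimmed = {k: v for k, v in cookies.items() if k != name}
        if send(trimmed) != baseline:
            dependent.append(name)
    return dependent


def probe_bola(send, cookies: dict, name: str, foreign_value: str):
    """Replay with one dependent cookie set to a value that is not ours.
    A 200 carrying someone else's data is the finding."""
    swapped = dict(cookies, **{name: foreign_value})
    return send(swapped)


# Constructed cookie jar, as captured from Alice's browser.
ALICE_COOKIES = {"session": "s3ss10n-alice", "account_id": "1001",
                 "theme": "dark", "locale": "pt-BR"}


def run(send):
    deps = find_cookie_dependencies(send, ALICE_COOKIES)
    results = {d: probe_bola(send, ALICE_COOKIES, d, "1002") for d in deps}
    return deps, results


if __name__ == "__main__":
    print(run(vulnerable_get_account))
    print(run(hardened_get_account))
```

Against a real target, `send` would wrap an HTTP client and compare status plus a normalised body (strip timestamps and request IDs first), otherwise every cookie looks dependent.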

Inon Shkedy (@inonshkedy):

-API Tip 27/30- #bugbountytip Use "export" to find BOPLA/"Excessive Data Exposure". Example (Facebook): GET /api/friends/212 returns only public info about a friend; but GET /api/export_friend_list?fields=* returns a file with friends' PII you are not supposed to access.
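What makes the export path leak is a second serializer that never learned about field-level authorization. The block below is an added example, not the tweet author's code and not Facebook's: a friend record with public and private fields, the two endpoints from the tweet implemented once with separate serializers and once through a single policy function, plus a helper that reports which non-public fields an export contains. The data model, the viewer rule (you see all of your own record, public fields of everyone else) and the `fields=` syntax are assumptions.

```python
"""Added example (not the original author's code): the same field-level
authorization must gate every read path, the export included. Endpoint
names follow the tip; the records and the viewer rule are invented."""

FRIENDS = {
    212: {"id": 212, "name": "Carol", "city": "Lisbon",
          "email": "carol@example.com", "phone": "+351 900 000 000"},
    213: {"id": 213, "name": "Dave", "city": "Recife",
          "email": "dave@example.com", "phone": "+55 81 9000 0000"},
}
PUBLIC_FIELDS = ("id", "name", "city")


# --- vulnerable: two serializers, only one of them knows about privacy -------
def vuln_get_friend(viewer: str, fid: int) -> dict:
    """GET /api/friends/{id}"""
    rec = FRIENDS[fid]
    return {k: rec[k] for k in PUBLIC_FIELDS}


def vuln_export_friend_list(viewer: str, fields: str) -> list:
    """GET /api/export_friend_list?fields=*  (or a comma-separated list)"""
    wanted = list(FRIENDS[212].keys()) if fields == "*" else fields.split(",")
    return [{k: rec[k] for k in wanted} for rec in FRIENDS.values()]


# --- hardened: one policy function, every endpoint serializes through it -----
def allowed_fields(viewer: str, rec: dict) -> set:
    """A viewer sees everything on their own record, public fields otherwise."""
    if viewer == rec["name"].lower():
        return set(rec)
    return set(PUBLIC_FIELDS)


def serialize(viewer: str, rec: dict, requested=None) -> dict:
    allowed = allowed_fields(viewer, rec)
    keys = allowed if requested is None else allowed & set(requested)
    return {k: rec[k] for k in sorted(keys)}


def safe_get_friend(viewer: str, fid: int) -> dict:
    return serialize(viewer, FRIENDS[fid])


def safe_export_friend_list(viewer: str, fields: str) -> list:
    # '*' means "everything I am allowed to see", never "everything".
    requested = None if fields == "*" else fields.split(",")
    return [serialize(viewer, rec, requested) for rec in FRIENDS.values()]


def leaked_fields(rows: list) -> set:
    """Non-public fields that appear anywhere in an export."""
    return {k for row in rows for k in row if k not in PUBLIC_FIELDS}


if __name__ == "__main__":
    print(vuln_get_friend("alice", 212))
    print(leaked_fields(vuln_export_friend_list("alice", "*")))
    print(leaked_fields(safe_export_friend_list("alice", "*")))
    print(safe_export_friend_list("carol", "*"))
```

When testing, diff the field set of the single-object endpoint against the field set of the export for the same record; any field present only in the export is the candidate finding.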

Inon Shkedy (@inonshkedy):

-API Tip 29/30- #bugbountytip Different API versions expose different vulnerabilities. Don't assume that /api/v1/ and /api/v2/ implement the same security mechanisms. Mechanisms that are often implemented differently across versions:
- Rate limiting
- AuthN
- AuthZ
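The practical form of this tip is to run one fixed set of probes against every version and tabulate the differences. The block below is an added example, not the tweet author's code: two simulated in-process versions of the same user endpoint, three probes per version (anonymous call, another tenant's token, a burst of requests) covering the three mechanisms the tweet lists, and a summary of which versions lack a control that a sibling version enforces. The path, tokens, user data and rate-limit threshold are invented.

```python
"""Added example (not the original author's code): run the same probes
against every API version and tabulate what each enforces. Both versions
are simulated in-process; tokens, users and the limit are invented."""
from collections import defaultdict

TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
USERS = {"alice": {"id": 1, "email": "alice@example.com"},
         "bob": {"id": 2, "email": "bob@example.com"}}
_v2_hits = defaultdict(int)
V2_RATE_LIMIT = 5


def api_v1_get_user(name: str, token):
    """GET /api/v1/users/{name}: no authn, no authz, no rate limit."""
    return 200 if name in USERS else 404


def api_v2_get_user(name: str, token):
    """GET /api/v2/users/{name}: bearer token, owner-only, per-token limit."""
    caller = TOKENS.get(token)
    if caller is None:
        return 401
    _v2_hits[token] += 1
    if _v2_hits[token] > V2_RATE_LIMIT:
        return 429
    if caller != name:
        return 403
    return 200 if name in USERS else 404


VERSIONS = {"v1": api_v1_get_user, "v2": api_v2_get_user}


def probe_versions(versions=VERSIONS, burst=20) -> dict:
    """Same three checks per version: anonymous, cross-tenant, burst."""
    report = {}
    for label, call in versions.items():
        anon = call("alice", None)                  # AuthN: expect 401
        cross = call("alice", "tok-bob")            # AuthZ: expect 403
        burst_codes = [call("bob", "tok-bob") for _ in range(burst)]
        report[label] = {
            "anonymous": anon,
            "cross_tenant": cross,
            "rate_limited": 429 in burst_codes,     # expect True
        }
    return report


def weaker_versions(report: dict) -> list:
    """Versions missing a control that some sibling version enforces."""
    weak = set()
    rows = report.values()
    for label, r in report.items():
        if r["anonymous"] == 200 and any(o["anonymous"] != 200 for o in rows):
            weak.add(label)
        if r["cross_tenant"] == 200 and any(o["cross_tenant"] != 200 for o in rows):
            weak.add(label)
        if not r["rate_limited"] and any(o["rate_limited"] for o in rows):
            weak.add(label)
    return sorted(weak)


if __name__ == "__main__":
    rep = probe_versions()
    print(rep)
    print("weaker:", weaker_versions(rep))
```

The comparison is relative on purpose: a control that no version implements is a separate finding, while a control that only the newest version implements tells you the old path was left behind and is still routable.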

Inon Shkedy (@inonshkedy):

-API Tip 30/30- #BugBounty Feeling stuck but have to find a critical vulnerability? 1. Wake up early in the morning. 2. Meditate, do some exercise. 3. Turn off your phone, disconnect from the world for several hours, drink a coffee. 4. Dedicate yourself to the process :)

Israel in Toronto (@israelintoronto):

Believe Israeli women Believe Israeli women Believe Israeli women Believe Israeli women Believe Israeli women Believe Israeli women Believe Israeli women Believe Israeli women Believe Israeli women #BelieveIsraeliWomen #MeToo_UNless_UR_a_Jew #MeToo #MeTooUnlessUrAJew

Inon Shkedy (@inonshkedy):

Join me in person @ Cincinnati/online! We'll talk about: 🔑Complex multi-step authorization breaches. 🤖Bots: how bad actors exploit the API economy for profit. 🔍Modern vs. Traditional: the shift away from traditional issues like injections, XSS, and XXE. meetup.com/api-security-m…

Inon Shkedy (@inonshkedy):

One of my favorite disclosed API breaches, discovered by my colleague Eaton Z. I highly recommend reading it on your laptop to see how your cursor turns into a French fries container. eaton-works.com/2024/12/19/mcd…

Eaton Z. (@xeeaton):

📢 Today is the day! After about a year reverse engineering 4 different SSD controller brands, Xbox 360 HDD Maker is now available. For the first time, it is now possible to add an SSD to an unmodified, retail Xbox 360 console.