API-Security-Tips?
Old version of API tend to be more vulnerable
Saw a call to api/v3/login? Check api/v1/login exists as well It might be more vulnerable
Never assume there’s only one way to authenticate to an API! Modern apps have many API endpoints for AuthN: /api/mobile/login | /api/v3/login | /api/magic_link; etc..
Find and test all of them for AuthN problems.
SQL Injections used to be extremely common 5-10 years ago, and you could break almost every company?
BOLA (IDOR) is the new epidemic of API security.
As a pentester, if you understand how to exploit it, your glory is guaranteed.
https://inonst.medium.com/a-deep-dive-on-the-most-critical-api-vulnerability-bola-1342224ec3f2
Testing a Ruby on Rails App & noticed an HTTP parameter containing a URL?
Developers sometimes use "Kernel#open" function to access URLs == Game Over.
Just send a pipe as the first character and then a shell command (Command Injection by design)
Found SSRF? use it for:
Internal port scanning
Leverage cloud services(like 169.254.169.254)
Use http://webhook.site
to reveal IP Address & HTTP Library
Download a very large file (Layer 7 DoS)
Reflective SSRF? disclose local mgmt consoles
Mass Assignment is a real thing.
Modern frameworks encourage developers to use MA without understanding the security implications.
During exploitation, don't guess object's properties names, simply find a GET endpoint that returns all of them.
A company exposes an API for developers?
This is not the same API which is used by mobile / web application.
Always test them separately.
Don't assume they implement the same security mechanisms.
Pentest for REST API?
Give it a chance and check if the API supports SOAP also.
Change the content-type to "application/xml", add a simple XML in the request body, and see how the API handles it.
Pentest for APIs?
Trying to find BOLA (IDOR) vulnerabilities?
IDs in the HTTP bodies/headers tend to be more vulnerable than IDs in URLs. Try to focus on them first.
The API uses Authorization header?
Forget about CSRF! If the authentication mechanism doesn't support cookies, the API is protected against CSRF by design.
Cyber Security Search Engines for Researchers:
1. Dehashed 2. SecurityTrails 3. DorkSearch 4. ExploitDB 5. FoFa
Meta(Facebook) BugBounty-Writeups
https://github.com/jaiswalakshansh/Facebook-BugBounty-Writeups
TGA Weekly Newsletter [10/26/22] — Cybersecurity Awareness Month
https://medium.com/the-gray-area/tga-weekly-newsletter-10-26-22-6b49b28e038d?source=rss——cybersecurity-5&utm_source=dlvr.it&utm_medium=twitter
I have two successful article suggestions that you can benefit from on the Bug Bounty topic❗️? I definitely suggest adding it to your bookmark
https://www.infosecmatter.com/bug-bounty-tips-1/
https://www.infosecmatter.com/bug-bounty-tips-2-jun-30/
Full Company Building Takeover
https://infosecwriteups.com/company-building-takeover-10a422385390
CVE-2022-41343 – RCE via Phar Deserialisation (Dompdf)
https://tantosec.com/blog/cve-2022-41343/
干货不啰嗦,觉得好看请点赞分享~谢谢
原文始发于微信公众号(Bug Bounty Tips):Bug Bounty Tips(2022-10-28)