[go: up one dir, main page]
Scribd
Upload
238 views12 pages

API Bug Hunting Guide

This document outlines an API bug hunting methodology. It discusses what APIs are and different API types. It then provides tips for finding APIs and suggests things to test like older API versions, IDORs, CORS misconfigurations, SQLi, broken access control, and accessible admin endpoints.

Uploaded by

Esa Firmansyah
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
238 views12 pages

API Bug Hunting Guide

This document outlines an API bug hunting methodology. It discusses what APIs are and different API types. It then provides tips for finding APIs and suggests things to test like older API versions, IDORs, CORS misconfigurations, SQLi, broken access control, and accessible admin endpoints.

Uploaded by

Esa Firmansyah
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 12

API Bug Hunting

Methodology

Become a Successful
Bug Bounty Hunter

This presentation uses a free template provided by FPPT.com


www.free-power-point-templates.com
API – What is it?
• Application Programming Interface
• An API, or application programming
interface, is a set of protocols, routines,
and tools for building software
applications that specify how different
software components should interact
with each other.

This presentation uses a free template provided by FPPT.com


www.free-power-point-templates.com
API – Types
• SOAP / XML API
• RESTful API (JSON)
• GraphQL API

This presentation uses a free template provided by FPPT.com


www.free-power-point-templates.com
API - General
• Typical API paths:
• /api/getuser
• /api/getshippingaddress

This presentation uses a free template provided by FPPT.com


www.free-power-point-templates.com
API – How to find them?
• Find API endpoints
• API Documentation
• Javascript files!
• Fuzzing / Scanning
• Test every feature on the web app
• search for /api/
• site: example.com inurl:api
• /api/
• api.example.com

This presentation uses a free template provided by FPPT.com


www.free-power-point-templates.com
API – Older versions
You will often see a version number on
API queries, such as /api/v2.0/execute or
even as a parameter, /api/getuser?v=2.0.
Try OLDER versions to see what's changed
in older versions!
/api/v1.0/
/api/getuser?v=1.0

This presentation uses a free template provided by FPPT.com


www.free-power-point-templates.com
API – IDORs
• IDORs
• Very common in APIs
• Look for ID, GUID, GUUID etc.
• Mobile Apps
• Web Apps
• Mobile and Web App code often
different! Different Vulnerabilities!

This presentation uses a free template provided by FPPT.com


www.free-power-point-templates.com
API – CORS
• Misconfigured CORS
• Provide Origin: yourdomain.com
in the request
• Look for
Access-Control-Allow-Origin:yourdomain.com
in the response.

This presentation uses a free template provided by FPPT.com


www.free-power-point-templates.com
API – SQLi
• SQL Injection
• See SQLi lesson
• Same issues found in APIs
• Sample payload: sleep(10)

This presentation uses a free template provided by FPPT.com


www.free-power-point-templates.com
API – Broken Access Control
Broken Access Control
POST /api/updateuser
{"bio":"example"}

replace JSON with


{"bio":"example","role":"admin"}

This presentation uses a free template provided by FPPT.com


www.free-power-point-templates.com
API – Admin endpoints
• Admin API endpoints accessible by
non-Admin
• /api/adminedit
• Test with low privileges

This presentation uses a free template provided by FPPT.com


www.free-power-point-templates.com
Thank You!

Become a Successful
Bug Bounty Hunter

This presentation uses a free template provided by FPPT.com


www.free-power-point-templates.com

You might also like