API Bug Hunting Methodology Guide

This document outlines an API bug hunting methodology. It discusses what APIs are and different API types. It then provides tips for finding APIs and suggests things to test like older API versions, IDORs, CORS misconfigurations, SQLi, broken access control, and accessible admin endpoints.

Uploaded by Esa Firmansyah

API Bug Hunting Methodology

Become a Successful Bug Bounty Hunter

This presentation uses a free template provided by [Link]
API – What is it?
• Application Programming Interface
• An API, or application programming interface, is a set of protocols, routines, and tools for building software applications that specify how different software components should interact with each other.

API – Types
• SOAP / XML API
• RESTful API (JSON)
• GraphQL API

API – General
• Typical API paths:
  • /api/getuser
  • /api/getshippingaddress

API – How to find them?
• Find API endpoints
  • API documentation
  • JavaScript files!
  • Fuzzing / scanning
  • Test every feature on the web app
  • Search for /api/
  • site: [Link] inurl:api
  • /api/

API – Older versions
You will often see a version number on API queries, such as /api/v2.0/execute, or even as a parameter, /api/getuser?v=2.0. Try OLDER versions to see what has changed, since old versions often stay deployed without the newer fixes!
  /api/v1.0/
  /api/getuser?v=1.0

API – IDORs
• IDORs
  • Very common in APIs
  • Look for ID, GUID, UUID, etc.
• Mobile apps
• Web apps
  • Mobile and web app code is often different, so they have different vulnerabilities!

API – CORS
• Misconfigured CORS
  • Provide Origin: [Link] in the request
  • Look for Access-Control-Allow-Origin: [Link] in the response (the supplied origin reflected back)
  • A reflected origin combined with Access-Control-Allow-Credentials: true is the combination that exposes authenticated responses

API – SQLi
• SQL injection
  • See the SQLi lesson
  • The same issues are found in APIs
  • Sample payload: sleep(10)

API – Broken Access Control
• Broken Access Control: the server accepts a privileged field it should never take from the client
  POST /api/updateuser
  {"bio":"example"}

  replace the JSON with

  {"bio":"example","role":"admin"}
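To show why the role field lands in the record and how a handler stops it, here is an added example, not part of the slides: a constructed in-memory model of POST /api/updateuser with the insecure merge beside an allowlist-based version. The allowlist contents, the record shape, and the ForbiddenField error are assumptions made for the example.

```python
import json

# Constructed allowlist (not from the slides): profile fields a caller may change
# about their own account. Anything authorization-relevant, such as "role", is
# deliberately absent.
USER_EDITABLE = frozenset({"bio", "display_name"})


class ForbiddenField(ValueError):
    """Raised when a client tries to set a field outside the allowlist."""


def update_user_vulnerable(user: dict, body: str) -> dict:
    """Insecure handler for POST /api/updateuser: merges every JSON key into the
    stored record, so {"bio":"example","role":"admin"} promotes the caller."""
    updated = dict(user)
    updated.update(json.loads(body))
    return updated


def update_user_hardened(user: dict, body: str) -> dict:
    """Hardened handler: copies only allowlisted keys and rejects the request
    outright on any other key. Rejecting (rather than silently dropping) means
    the attempt surfaces as a 4xx in logs, where detection can pick it up."""
    payload = json.loads(body)
    if not isinstance(payload, dict):
        raise ForbiddenField("request body must be a JSON object")
    unexpected = sorted(set(payload) - USER_EDITABLE)
    if unexpected:
        raise ForbiddenField(f"fields not permitted: {unexpected}")
    updated = dict(user)
    for key in payload:          # every remaining key is allowlisted
        updated[key] = payload[key]
    return updated


def demo() -> tuple:
    """Run both handlers against the slide's payload; returns what each did
    to the caller's role."""
    user = {"id": 42, "bio": "", "role": "user"}     # constructed record
    body = '{"bio":"example","role":"admin"}'        # payload from the slide
    vulnerable_role = update_user_vulnerable(user, body)["role"]
    try:
        update_user_hardened(user, body)
        hardened_result = "accepted"
    except ForbiddenField as exc:
        hardened_result = str(exc)
    return vulnerable_role, hardened_result


if __name__ == "__main__":
    print(demo())   # ('admin', "fields not permitted: ['role']")
```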

API – Admin endpoints
• Admin API endpoints accessible by non-admins
  • /api/adminedit
  • Test with low privileges

Thank You!

Become a Successful Bug Bounty Hunter
