📕
Blog
  • 🐞Vulnerabilities & Techniques
    • Web Vulnerabilities
      • Open Redirect
      • HTTP Parameter Pollution (HPP)
      • Host Header Injection (HHI)
      • XSS
      • HTML-Injection
      • clickjacking
      • S3
      • EXternal Xml Entity (XXE)
      • XSS prevention | CSP
      • DOM-XSS
      • SQL Injection | SQLI
      • Response Manipulation Technique & How Burp Suite Works
    • API Vulnerabilities
      • Mass Assignment Vulnerability
  • 🚩CTF
    • ASCWG
  • ✍️Writeups
    • Read Writeups
      • REST API WriteUps
      • Web Vulnerabilities WriteUps
    • Technical Writeups
      • Reset Password Poisoning Via Host Header Injection Lead to (ATO)
      • OTP/2FA Bypasses
        • OTP bypasses
  • 😈TryHackMe
    • THM Advent of Cyber 3 (2021) NoSQL WriteUp
  • 🔱Web-CyberTalents
    • CyberTalents-Web-Easy
    • CyberTalents-Web-Medium
    • CyberTalents-Web-Hard
  • 🖇️Pentesting & Bug Hunting Tips
    • ATO Via Host Header Injection
    • OTP Bypass
    • OutLook Plugin Pentest Guide
  • 💻Port-Swigger Labs
    • XML external entity (XXE) injection
    • DOM-XSS
      • DOM XSS in the document.write sink using source location.search
      • Lab: DOM XSS in document.write sink using source location.search inside a select element
      • Lab: DOM XSS in innerHTML sink using source location.search
      • Lab: DOM XSS in jQuery anchor href attribute sink using location.search source
      • Lab: Reflected DOM XSS
      • Lab: Stored DOM XSS
    • SQL injection
      • Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
      • Lab: SQL injection vulnerability allowing login bypass
      • Lab: SQL injection UNION attack, determining the number of columns returned by the query
      • Lab: SQL injection UNION attack, finding a column containing text
      • Lab: SQL injection UNION attack, retrieving data from other tables
      • Lab: SQL injection UNION attack, retrieving multiple values in a single column
      • Lab: SQL injection attack, querying the database type and version on Oracle
      • Lab: SQL injection attack, querying the database type and version on MySQL and Microsoft
      • Lab: SQL injection attack, listing the database contents on non-Oracle databases
  • 🛜Wireless Networks Penetration Testing
  • ⚔️Wi-Fi Attacks
    • 🕸️Network Scanning attack
    • 🌊DOS / Flooding
      • 1️⃣DoS - Frame Flooding (Deauth, EAPOL, Beacons)
      • 2️⃣DoS- Exploiting Countermeasures (MIC failure)
    • Jamming Attacks (هجمات التشويش)
    • Probe Requests Attack
    • Handshake Attacks
      • Dictionary Attack
      • Clientless Attack
      • KRACK Attack
      • Downgrad Attack
    • Rouge AP Attack
  • Lab Notes
  • RFID and NFC
  • Bluetooth
  • ZigBee
  • Google Map Test
Powered by GitBook
On this page
  1. Writeups
  2. Read Writeups

REST API WriteUps

PreviousRead WriteupsNextWeb Vulnerabilities WriteUps

Last updated 8 months ago

Web

Mobile

Resources:

✍️
https://abss.me/posts/fcm-takeover/
https://web.archive.org/web/20210519175048/https://blog.dixitaditya.com/bypassing-google-maps-api-key-restrictions/
https://web.archive.org/web/20210412151532/https://blogs.ad3sh.com/2020/06/api-endpoint-leads-to-account-takeover.html
Hacking SMS API Service Provider of a Company Android App Static Security Analysis Bug Bounty POC
http://h1.nobbd.de/
https://pentester.land/list-of-bug-bounty-writeups.html
https://hackerone.com/hacktivity?querystring=api
https://raw.githubusercontent.com/besioo/hackerone/main/reports.csv
breaking-parse-logic-gain-access-to-Nginx-API-read-write-upstreams
Information disclosure via API misconfiguration
API Misconfiguration which leads to unauthorized access to ServiceDesk tickets
Secret Key Exposure in API Config Directory
Let’s know How I have explored the buried secrets in the Xamarin application
Exploiting Application-Level Profile Semantics (APLS)
API based IDOR to leaking Private IP addresses of 6000 businesses
Exploiting API with AuthToken
JS is l0ve ❤️ $5K for Rest API Key. by Shivam Kamboj Dattana Medium
How An API Misconfiguration Can Lead To Your Internal Company Data
https://blogs.ad3sh.com/2020/06/api-endpoint-leads-to-account-takeover.html
API secret key Leakage leads to disclosure of Employee’s Information
Bug Bounty: Broken API Authorization
Privilege Escalation using an API endpoint
Full Account Takeover via Changing Email And Password of any User through API Parameters
Parameter Pollution issue in API resulting in $XXX
Web Cache Deception to API endpoint attack using cached token header
How Misconfigured API leak user private information?
Abusing internal API to achieve IDOR in New Relic
Hey UserID x, what’s your secret token? Broken API enables me to leak/modify any users personal information
Fabric.io API permission apocalypse – Privilege Escalations
[NR Insights] IDOR - Modify the filter settings for any NR Insights dashboard through the internal_api endpoint
IDOR via internal_api “users” endpoint
Restricted users can view all account invoices, payment method details, PII of the account owner through zoura_api endpoints
IDOR- Activate Mopub on different organizations- steal API token- Fabric.io
flash content type sniff vulnerability in api.slack.com, resolved
User guessing/enumeration at https://app.c2fo.com/api/password-reset, resolved