REST API WriteUps

Web

  1. breaking-parse-logic-gain-access-to-Nginx-API-read-write-upstreams

  2. Information disclosure via API misconfiguration

  3. API Misconfiguration which leads to unauthorized access to ServiceDesk tickets

  4. Secret Key Exposure in API Config Directory

  5. Let’s know How I have explored the buried secrets in the Xamarin application

  6. Exploiting Application-Level Profile Semantics (APLS)

  7. API based IDOR to leaking Private IP addresses of 6000 businesses

  8. Exploiting API with AuthToken

  9. JS is l0ve ❤️ $5K for Rest API Key. by Shivam Kamboj Dattana Medium

  10. How An API Misconfiguration Can Lead To Your Internal Company Data

  11. https://blogs.ad3sh.com/2020/06/api-endpoint-leads-to-account-takeover.html

  12. API secret key Leakage leads to disclosure of Employee’s Information

  13. Bug Bounty: Broken API Authorization

  14. Privilege Escalation using an API endpoint

  15. Full Account Takeover via Changing Email And Password of any User through API Parameters

  16. Parameter Pollution issue in API resulting in $XXX

  17. Web Cache Deception to API endpoint attack using cached token header

  18. How Misconfigured API leak user private information?

  19. Abusing internal API to achieve IDOR in New Relic

  20. Hey UserID x, what’s your secret token? Broken API enables me to leak/modify any users personal information

  21. Fabric.io API permission apocalypse – Privilege Escalations

  22. [NR Insights] IDOR - Modify the filter settings for any NR Insights dashboard through the internal_api endpoint

  23. IDOR via internal_api “users” endpoint

  24. Restricted users can view all account invoices, payment method details, PII of the account owner through zoura_api endpoints

  25. IDOR- Activate Mopub on different organizations- steal API token- Fabric.io

  26. flash content type sniff vulnerability in api.slack.com, resolved

  27. User guessing/enumeration at https://app.c2fo.com/api/password-reset, resolved

Mobile

  1. https://abss.me/posts/fcm-takeover/

  2. https://web.archive.org/web/20210519175048/https://blog.dixitaditya.com/bypassing-google-maps-api-key-restrictions/

  3. https://web.archive.org/web/20210412151532/https://blogs.ad3sh.com/2020/06/api-endpoint-leads-to-account-takeover.html

  4. Hacking SMS API Service Provider of a Company Android App Static Security Analysis Bug Bounty POC

Resources:

  1. http://h1.nobbd.de/

  2. https://pentester.land/list-of-bug-bounty-writeups.html

  3. https://hackerone.com/hacktivity?querystring=api

  4. https://raw.githubusercontent.com/besioo/hackerone/main/reports.csv

PreviousRead WriteupsNextWeb Vulnerabilities WriteUps

Last updated