search

REST API WriteUps

Web

  1. breaking-parse-logic-gain-access-to-Nginx-API-read-write-upstreamsarrow-up-right

  2. Information disclosure via API misconfigurationarrow-up-right

  3. API Misconfiguration which leads to unauthorized access to ServiceDesk ticketsarrow-up-right

  4. Secret Key Exposure in API Config Directoryarrow-up-right

  5. Let’s know How I have explored the buried secrets in the Xamarin applicationarrow-up-right

  6. Exploiting Application-Level Profile Semantics (APLS)arrow-up-right

  7. API based IDOR to leaking Private IP addresses of 6000 businessesarrow-up-right

  8. Exploiting API with AuthTokenarrow-up-right

  9. JS is l0ve ❤️ $5K for Rest API Key. by Shivam Kamboj Dattana Mediumarrow-up-right

  10. How An API Misconfiguration Can Lead To Your Internal Company Dataarrow-up-right

  11. https://blogs.ad3sh.com/2020/06/api-endpoint-leads-to-account-takeover.htmlarrow-up-right

  12. API secret key Leakage leads to disclosure of Employee’s Informationarrow-up-right

  13. Bug Bounty: Broken API Authorizationarrow-up-right

  14. Privilege Escalation using an API endpointarrow-up-right

  15. Full Account Takeover via Changing Email And Password of any User through API Parametersarrow-up-right

  16. Parameter Pollution issue in API resulting in $XXXarrow-up-right

  17. Web Cache Deception to API endpoint attack using cached token headerarrow-up-right

  18. How Misconfigured API leak user private information?arrow-up-right

  19. Abusing internal API to achieve IDOR in New Relicarrow-up-right

  20. Hey UserID x, what’s your secret token? Broken API enables me to leak/modify any users personal informationarrow-up-right

  21. Fabric.io API permission apocalypse – Privilege Escalationsarrow-up-right

  22. [NR Insights] IDOR - Modify the filter settings for any NR Insights dashboard through the internal_api endpointarrow-up-right

  23. IDOR via internal_api “users” endpointarrow-up-right

  24. Restricted users can view all account invoices, payment method details, PII of the account owner through zoura_api endpointsarrow-up-right

  25. IDOR- Activate Mopub on different organizations- steal API token- Fabric.ioarrow-up-right

  26. flash content type sniff vulnerability in api.slack.com, resolvedarrow-up-right

  27. User guessing/enumeration at https://app.c2fo.com/api/password-reset, resolvedarrow-up-right

Mobile

  1. https://abss.me/posts/fcm-takeover/arrow-up-right

  2. https://web.archive.org/web/20210519175048/https://blog.dixitaditya.com/bypassing-google-maps-api-key-restrictions/arrow-up-right

  3. https://web.archive.org/web/20210412151532/https://blogs.ad3sh.com/2020/06/api-endpoint-leads-to-account-takeover.htmlarrow-up-right

  4. Hacking SMS API Service Provider of a Company Android App Static Security Analysis Bug Bounty POCarrow-up-right

Resources:

  1. http://h1.nobbd.de/arrow-up-right

  2. https://pentester.land/list-of-bug-bounty-writeups.htmlarrow-up-right

  3. https://hackerone.com/hacktivity?querystring=apiarrow-up-right

  4. https://raw.githubusercontent.com/besioo/hackerone/main/reports.csvarrow-up-right

PreviousRead WriteupsNextWeb Vulnerabilities WriteUps

Last updated