31 Days of API Security
Tips by Inon Shkedy (https://twitter.com/InonShkedy) | Traceable (https://twitter.com/traceableai)

Day 26 (AuthZ)
Trying to find BOLA (IDOR) in APIs and getting 401/403 errors? AuthZ bypass tricks:
* Wrap the ID in an array: {"id":111} --> {"id":[111]}
* JSON-wrap the ID: {"id":111} --> {"id":{"id":111}}
* Send the ID twice: URL?id=<LEGIT>&id=<VICTIM>
* Send a wildcard: {"user_id":"*"}
These tricks work when the authorization check and the data-access code parse the parameter differently (e.g. the check reads the first "id" while the query uses the last, or the check rejects only the exact scalar it expects), so always compare each response against the plain victim-ID request.
Raw tips (nicer format): https://github.com/smodnix/31-days-of-API-Security-Tips

Day 5 (Injection)
Found SSRF? Use it for:
- Internal port scanning
- Reaching cloud metadata services (e.g. 169.254.169.254). Note that AWS IMDSv2 requires a session token obtained with a PUT request and a custom header, so a GET-only SSRF may be limited to IMDSv1-style endpoints.
- Pointing it at webhook.site to reveal the server's egress IP address and HTTP library (from the User-Agent)
- Downloading a very large file (Layer 7 DoS)
- Reflective SSRF? Disclose local management consoles
Day 4 (Injection)
Testing a Ruby on Rails app and found a param that contains a URL? Developers sometimes use "Kernel#open" to access URLs == game over. Send a pipe as the first character followed by a shell command: Kernel#open("|id") spawns a subprocess by design (shell injection by design). The safe replacements are File.open for files and URI.open (open-uri) for URLs.
Learn more about the open function: https://apidock.com/ruby/Kernel/open
Day 31 (DoS)
Found a "limit" / "page" parameter (e.g. /api/news?limit=100)? It might be vulnerable to Layer 7 DoS. Try to send a huge value (e.g. limit=999999999) and see what happens :) Deep pages are worth the same test: OFFSET is not free, the database still walks every skipped row.
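Added example (Python, not part of the original tips): the handler-side bug behind the Day 31 tip and its fix. The unbounded version hands the client's limit and page straight to the query; the bounded version rejects non-integers, out-of-range limits and page depths beyond a fixed offset (deep OFFSET is the second way to make the database do millions of rows of work). The limits and the rows_touched cost model are assumptions for the example.

```python
DEFAULT_LIMIT, MAX_LIMIT, MAX_OFFSET = 20, 100, 10_000   # assumed policy values


def page_params_unbounded(params):
    """What a vulnerable handler does: SELECT ... LIMIT ? OFFSET ? straight from the client."""
    limit = int(params.get("limit", DEFAULT_LIMIT))
    page = int(params.get("page", 1))
    return limit, (page - 1) * limit


def page_params_bounded(params, default=DEFAULT_LIMIT, max_limit=MAX_LIMIT, max_offset=MAX_OFFSET):
    """Return (limit, offset) or raise ValueError (map it to HTTP 400).
    Bounds both knobs: a huge limit makes the DB serialise millions of rows, and a
    huge page makes it scan and discard millions before returning anything."""
    try:
        limit = int(params.get("limit", default))
        page = int(params.get("page", 1))
    except (TypeError, ValueError):
        raise ValueError("limit and page must be integers") from None
    if not 1 <= limit <= max_limit:
        raise ValueError(f"limit must be between 1 and {max_limit}")
    if page < 1:
        raise ValueError("page must be >= 1")
    offset = (page - 1) * limit
    if offset > max_offset:
        raise ValueError(f"page too deep; switch to cursor pagination beyond offset {max_offset}")
    return limit, offset


def rows_touched(limit, offset):
    """Rough cost model (assumed) of an OFFSET/LIMIT query: the engine walks offset+limit rows."""
    return offset + limit


def is_rejected(params):
    """True if the bounded parser refuses the request (handy for tests and fuzzing)."""
    try:
        page_params_bounded(params)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    attack = {"limit": "999999999"}
    print("unbounded:", page_params_unbounded(attack), "rows:", rows_touched(*page_params_unbounded(attack)))
    print("bounded rejects:", is_rejected(attack))
```

Rejecting with a 400 rather than silently clamping makes the contract visible to clients and makes the probe show up in logs; clamping is fine too as long as the clamp is applied before the query is built.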
Day 3 (AuthZ)
Remember how SQL injections used to be extremely common 5-10 years ago, and you could break into almost every company using them? BOLA (IDOR) is the new epidemic of API security. As a pentester, if you understand how to exploit it, your glory is guaranteed.
Learn more about BOLA: https://medium.com/@inonst/a-deep-dive-on-the-most-critical-api-vulnerability-bola-1342224ec3f2
Day 13 (Mass Assignment)
Use mass assignment to bypass security mechanisms. For example: "POST /api/rest_pass" requires the old password, but "PUT /api/update_user" is vulnerable to mass assignment == it can be used to update the password without sending the old one (useful in a CSRF scenario, where the attacker never knows the current password).
Day 12 (AuthZ)
Testing for IDOR/BOLA? Even if the ID is a GUID or another non-numeric value, always try to send a numeric value (for example "/?user_id=111" instead of "/?user_id=[email protected]"). Sometimes there's support for both.
Learn more about BOLA: https://medium.com/@inonst/a-deep-dive-on-the-most-critical-api-vulnerability-bola-1342224ec3f2
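Added example (Python, not part of the original tips): a generator that turns one captured request into the authorization probes from Day 26 (array-wrap, JSON-wrap, duplicate parameter, wildcard) plus the numeric-ID probe from Day 12, applied to the ID wherever it sits, in the JSON body or the query string (Day 9 says to prefer the body). The request shape, the hypothetical /v1/receipts endpoint and the IDs are constructed for the example; wire the output into your own HTTP client.

```python
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

NUMERIC_PROBE = 111  # Day 12: try a plain numeric id even when real ids are GUIDs or emails


def _json_with_duplicate_key(obj, key, first, second):
    """Serialise obj with `key` present twice. json.dumps cannot emit this; the point
    is that the parser behind the authz check and the one behind the data access may
    disagree on first-wins vs last-wins."""
    items = [(k, v) for k, v in obj.items() if k != key] + [(key, first), (key, second)]
    return "{" + ", ".join(json.dumps(k) + ": " + json.dumps(v) for k, v in items) + "}"


def _replace_query(url, pairs):
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="*")))


def bola_variants(request, id_field, legit_id, victim_id):
    """Return [(label, request), ...] probing authorization with mutated ids.

    request: {"method": str, "url": str, "headers": dict, "body": dict or None}
    id_field is looked up in the JSON body first, then in the query string.
    Every variant is an independent copy; a dict body comes back serialised as a
    JSON string so the duplicate-key variant can be represented as well.
    """
    body = request.get("body")
    pairs = parse_qsl(urlsplit(request["url"]).query, keep_blank_values=True)
    out = []

    def emit(label, url=None, raw_body=None):
        r = copy.deepcopy(request)
        if url is not None:
            r["url"] = url
        if raw_body is not None:
            r["body"] = raw_body
        elif isinstance(r.get("body"), dict):
            r["body"] = json.dumps(r["body"])
        out.append((label, r))

    if isinstance(body, dict) and id_field in body:
        for label, value in (
            ("plain", victim_id),                   # the baseline BOLA probe
            ("array-wrap", [victim_id]),            # {"id":111} -> {"id":[111]}
            ("json-wrap", {id_field: victim_id}),   # {"id":111} -> {"id":{"id":111}}
            ("wildcard", "*"),                      # {"user_id":"*"}
            ("numeric", NUMERIC_PROBE),             # GUID/email id? try 111 anyway
        ):
            emit(label, raw_body=json.dumps({**body, id_field: value}))
        emit("duplicate-key", raw_body=_json_with_duplicate_key(body, id_field, legit_id, victim_id))
    elif any(k == id_field for k, _ in pairs):
        others = [(k, v) for k, v in pairs if k != id_field]
        for label, extra in (
            ("plain", [(id_field, victim_id)]),
            ("duplicate-legit-first", [(id_field, legit_id), (id_field, victim_id)]),   # ?id=<LEGIT>&id=<VICTIM>
            ("duplicate-victim-first", [(id_field, victim_id), (id_field, legit_id)]),
            ("array-style", [(id_field + "[]", victim_id)]),                              # id[]= (PHP/Rails style)
            ("wildcard", [(id_field, "*")]),
            ("numeric", [(id_field, NUMERIC_PROBE)]),
        ):
            emit(label, url=_replace_query(request["url"], others + extra))
    else:
        raise ValueError(f"{id_field!r} not found in JSON body or query string")
    return out


def parsed_body(variant):
    """JSON-decode a variant's body (Python's json keeps the last duplicate key)."""
    return json.loads(variant["body"])


if __name__ == "__main__":
    # Constructed sample request against a hypothetical endpoint.
    req = {"method": "GET", "url": "https://api.example.com/v1/receipts?id=1001&format=json",
           "headers": {"Authorization": "Bearer <token>"}, "body": None}
    for label, r in bola_variants(req, "id", 1001, 1002):
        print(f"{label:24} {r['method']} {r['url']}")
```

Send every variant with the attacker's own token and diff status code and body length against the plain probe; a variant that returns 200 where plain returned 403 is the finding, and a 500 is worth a second look because it usually means the authz layer and the data layer disagreed.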
Day 28 (Injection)
Pentesting .NET apps and saw a param containing a file path/name? Developers sometimes use "Path.Combine(path_1, path_2)" to build the full path. Path.Combine has weird behavior: if param #2 is an absolute or rooted path (e.g. "C:\Windows\win.ini" or "\Windows\win.ini"), then param #1 is ignored and param #2 is returned as-is. Leverage it to control the path.
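Added example (Python, not part of the original tips): the Day 28 behaviour reproduced with ntpath.join, which follows the same rule as Path.Combine (a rooted second argument discards the first; the same holds for os.path.join on any OS), next to a join that refuses rooted, drive-qualified and UNC input and checks the normalised result with commonpath rather than a string prefix. UPLOAD_ROOT and the file names are constructed for the example.

```python
import ntpath  # Windows path rules, usable on any OS, so the example runs on Linux too

UPLOAD_ROOT = r"C:\app\uploads"   # assumed base directory for the example


def combine_like_dotnet(base, user_path):
    """Mirrors Path.Combine: a rooted or absolute second argument discards the first.
    (.NET returns a bare rooted path such as \\Windows\\win.ini; ntpath keeps the
    drive letter, but the effect, the base directory vanishing, is identical.)"""
    return ntpath.join(base, user_path)


def safe_join(base, user_path):
    """Build base\\user_path and refuse anything rooted, drive- or UNC-qualified,
    or that normalises to a location outside base."""
    drive, rest = ntpath.splitdrive(user_path)
    if drive or rest[:1] in ("\\", "/"):
        raise ValueError("absolute, rooted or UNC paths are not allowed")
    base_n = ntpath.normpath(base)
    full = ntpath.normpath(ntpath.join(base_n, user_path))   # collapses ..\ segments
    # commonpath, not startswith: "C:\app\uploads2\x" starts with "C:\app\uploads"
    # as a string but is not inside it.
    if ntpath.commonpath([base_n, full]) != base_n:
        raise ValueError(f"{user_path!r} escapes {base}")
    return full


def rejected(base, user_path):
    """True if safe_join refuses the input (handy for tests and fuzzing)."""
    try:
        safe_join(base, user_path)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for p in ("avatar.png", r"C:\Windows\win.ini", r"\Windows\win.ini", r"..\web.config"):
        print(f"{p:22} Path.Combine-style: {combine_like_dotnet(UPLOAD_ROOT, p):32} rejected by safe_join: {rejected(UPLOAD_ROOT, p)}")
```

Note the check is on the normalised path, so a value like "2024\..\..\web.config" is caught after normalisation rather than by looking for ".." in the raw string, which misses encodings and mixed separators.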
Day 19 (Stuck)
Companies & developers tend to put more resources (including security) into the main APIs. Always look for the most niche features that nobody uses to find interesting vulnerabilities, e.g. "POST /api/profile/upload_christmas_voice_greeting".
Day 6 (Mass Assignment)
Mass assignment is a real thing. Modern frameworks encourage developers to use "mass assignment" without understanding the security implications. During exploitation, don't guess the object's properties; simply find a GET endpoint that returns all of them.
<Mass Assignment picture> https://pbs.twimg.com/media/ENncoR1WsAI-nXc?format=jpg&name=medium
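Added example (Python, not part of the original tips) covering Day 13 and Day 6 together: a vulnerable update handler that binds every key of the request body onto the user model (so a PUT can set password_hash or is_admin without the old-password check that the reset endpoint enforces), the allow-listed version that rejects anything else, and the Day 6 heuristic of diffing what GET returns against what the legitimate form sends to get the list of properties worth probing. The User model and the field names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class User:
    id: int
    email: str
    display_name: str
    password_hash: str      # only POST /api/rest_pass should touch this, after checking the old password
    is_admin: bool = False


def update_user_mass_assign(user, payload):
    """Vulnerable: binds every key in the request body onto the model, which is what
    framework model binding does when no allow-list is configured."""
    for key, value in payload.items():
        setattr(user, key, value)
    return user


UPDATABLE = frozenset({"email", "display_name"})   # the only fields PUT /api/update_user may change


def update_user_allowlisted(user, payload):
    """Hardened: reject keys outside the allow-list instead of silently dropping them,
    so the probe is visible in logs and the client learns the contract."""
    extra = set(payload) - UPDATABLE
    if extra:
        raise PermissionError(f"fields not updatable via this endpoint: {sorted(extra)}")
    for key in payload:
        setattr(user, key, payload[key])
    return user


def fields_to_probe(get_response, form_fields):
    """Day 6: don't guess property names. Whatever GET returns that the normal update
    form never sends is the list of mass-assignment candidates."""
    return sorted(set(get_response) - set(form_fields))


def rejected(payload):
    """True if the allow-listed handler refuses the payload (constructed victim user)."""
    victim = User(id=7, email="victim@example.com", display_name="Victim", password_hash="hash-1")
    try:
        update_user_allowlisted(victim, payload)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    # Constructed data: what GET /api/me returns vs what the profile form sends.
    me = {"id": 7, "email": "victim@example.com", "display_name": "Victim", "is_admin": False, "email_verified": True}
    print("probe these:", fields_to_probe(me, ["email", "display_name"]))
    attack = {"display_name": "pwned", "password_hash": "hash-attacker", "is_admin": True}
    victim = User(id=7, email="victim@example.com", display_name="Victim", password_hash="hash-1")
    print("vulnerable:", update_user_mass_assign(victim, attack))
    print("hardened rejects:", rejected(attack))
```

The allow-list belongs at the endpoint, not the model: the same User object is legitimately written with is_admin by an admin endpoint, so a model-wide "protected fields" list ends up with exceptions that reopen the hole.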
Day 11 (CSRF)
The API uses an Authorization header? Forget about CSRF! If the authentication mechanism doesn't involve cookies, the API is protected against CSRF by design: a browser attaches cookies (and cached HTTP Basic/NTLM credentials) to cross-site requests automatically, but a bearer token in an Authorization header is only added by the application's own JavaScript, which a cross-site page cannot trigger. Do check that the API doesn't also accept a session cookie as a fallback, and that CORS isn't reflecting arbitrary origins with credentials.
Day 25 (Injection)
Found an "export to PDF" feature? There's a good chance the developers use an external library to convert HTML --> PDF behind the scenes. Try to inject HTML elements and cause "Export Injection" (the converter runs server-side, so tags such as <iframe> or <img> that point at internal URLs or local files are the interesting ones).
Learn more about Export Injection: https://medium.com/@inonst/export-injection-2eebc4f17117
Day 18 (Stuck)
Which features do you find tend to be more vulnerable? I'll start:
- Organization's user management
- Export to CSV/HTML/PDF
- Custom views of dashboards
- Sub user creation & management
- Object sharing (photos, posts, etc.)
Day 27 (Injection)
XSS is no longer the responsibility of the server. APIs don't return HTML pages, but raw data (JSON) instead. If an API returns an XSS payload - {"name":"in<script>alert(21)</script>on"} - that's fine! The protection always needs to be on the client side. This holds only while the response is served as application/json (ideally with X-Content-Type-Options: nosniff); an endpoint that reflects the same data as text/html is still a server-side XSS.
Day 10 (AuthZ)
Exploiting BFLA (Broken Function Level Authorization)? Leverage the predictable nature of REST to find admin API endpoints! E.g. you saw the following API call: `GET /api/v1/users/<id>`. Give it a chance, and change the method to DELETE / POST to delete / create users.

Sent a crafted API call and received an error from the API?
* Add a "Content-Length" header
* Try different "Content-Type" values
Day 9 (AuthZ)
Pentesting APIs? Trying to find BOLA (IDOR) vulnerabilities? IDs in HTTP bodies / headers tend to be more vulnerable than IDs in URLs. Try to focus on them first.
Day 1 (Stuck)
Older versions of APIs tend to be more vulnerable and lack security protection. Leverage the predictable nature of REST APIs to find old versions. Saw a call to 'api/v3/login'? Check if 'api/v1/login' exists as well. It might be more vulnerable.
Day 22 (Data Exposure)
APIs tend to leak PII by design. BE engineers return full JSON objects and rely on FE engineers to filter out sensitive data. Found a sensitive resource, such as "receipt"? Find all the endpoints that return it: "/download_receipt", "/export_receipt", etc.
Day 24 (Stuck)
Got stuck during an API pentest? Expand your attack surface! Remember: developers often disable security mechanisms in non-production environments (qa/staging/etc). Leverage this fact to bypass authorization, authentication, rate limiting and input validation.
Day 16 (Tools)
Even if you use another web proxy, always run Burp in the background. The folks at @port_swig do a really good job of helping you manage your pentest. Use the "tree view" (free version) feature to see all the API endpoints you've accessed.
Learn more about the pros of Burp: https://medium.com/salt-security/what-moving-to-the-bay-area-taught-me-about-loving-my-pentesting-tools-97ddc78f8acf
Day 17 (Stuck)
Mobile certificate pinning? Before you start reverse engineering & patching the app, check both the iOS & Android clients, and older versions of them. There's a decent chance that pinning isn't enabled in one of them.
Day 21 (Stuck)
Got stuck during an API pentest? Expand the attack surface! Use archive.org (the Wayback Machine) to find old versions of the web app & explore new API endpoints. Can't use the client? Scan the .js files for strings that look like URLs (some of them are API endpoints).
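Added example (Python, not part of the original tips) covering Day 21 and Day 1 together: pull API path literals out of a JavaScript bundle (plain strings and template literals such as `${BASE}/api/v3/users/${id}`), normalise them to path templates, and derive the older-version candidates (/api/v3/login -> /api/v1/login, /api/v2/login) worth probing. SAMPLE_JS is a constructed bundle, not a real site, and the regexes are assumptions tuned to the common /api/ and /vN/ layouts.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a front-end bundle (not a real site).
SAMPLE_JS = r'''
const BASE = "https://api.example.com";
fetch("/api/v3/login", {method: "POST", body: JSON.stringify(creds)});
axios.get(`${BASE}/api/v3/users/${id}/receipts`);
const exportUrl = "https://api.example.com/v2/orders/export";
const label = "login/button"; const css = "/static/app.css";
'''

# Quoted strings that are absolute http(s) URLs or root-relative paths under /api/ or /vN/,
# optionally prefixed by a template-literal base such as `${BASE}/...`.
URL_LITERAL = re.compile(r'''["'`]((?:\$\{[^}]*\})?(?:https?://[^"'`\s]+|/(?:api|v\d+)/[^"'`\s]*))["'`]''')
API_PATH = re.compile(r'^/(?:api|v\d+)/')
VERSION_SEGMENT = re.compile(r'/v(\d+)(?=/|$)')


def normalise_path(literal):
    """Turn a matched literal into a root-relative path template, or None if it is
    not an API path (a bare host, a static asset)."""
    s = re.sub(r'^\$\{[^}]*\}', '', literal)      # drop a leading `${BASE}`
    s = re.sub(r'\$\{([^}]*)\}', r'{\1}', s)       # `${id}` -> {id}
    if s.startswith(('http://', 'https://')):
        s = urlsplit(s).path
    return s if API_PATH.match(s) else None


def extract_endpoints(js_text):
    """Sorted, de-duplicated API path templates referenced by a JS bundle (Day 21)."""
    found = {normalise_path(m.group(1)) for m in URL_LITERAL.finditer(js_text)}
    return sorted(p for p in found if p)


def older_versions(path):
    """Day 1: /api/v3/login -> ['/api/v1/login', '/api/v2/login']."""
    m = VERSION_SEGMENT.search(path)
    if not m:
        return []
    return [path[:m.start()] + f"/v{k}" + path[m.end():] for k in range(1, int(m.group(1)))]


def candidate_legacy_endpoints(js_text):
    """Map each discovered endpoint to the older-version paths worth probing."""
    return {p: older_versions(p) for p in extract_endpoints(js_text)}


if __name__ == "__main__":
    for path, old in candidate_legacy_endpoints(SAMPLE_JS).items():
        print(path, "->", old or "(no version segment)")
```

Run the same extraction over each snapshot of the bundle you pull from the Wayback Machine and diff the sets: paths that disappeared from the current bundle but still answer on the server are exactly the shadow endpoints the Day 1 and Day 30 tips are after.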
Day 30 (Stuck)
Got stuck during an API pentest? Expand your attack surface! Remember: companies don't always implement security mechanisms from day one && DevOps engineers don't often deprecate old APIs. Leverage these facts to find new API endpoints. If the API has mobile clients, download old versions of the APK file to explore old / legacy functionality and discover shadow API endpoints that don't implement security mechanisms (authorization, input filtering & rate limiting).
Day 7 (Stuck)
A company exposes an API for developers? This is not the same API used by the mobile / web application. Always test them separately. Don't assume they implement the same security mechanisms.
Day 2 (AuthN)
Never assume there's only one way to authenticate to an API! Modern apps have many API endpoints for AuthN: `/api/mobile/login` | `/api/v3/login` | `/api/magic_link`. Find and test all of them for AuthN problems.
Day 14 (Stuck)
Got stuck during an API pentest? Expand your attack surface! Find sub/sibling domains using VirusTotal & Censys. Some of these domains might expose the same APIs with a different configuration/version.
Day 15 (AuthZ)
Static resource == photo, video, etc. Web servers (IIS, Apache) treat static resources differently when it comes to authorization: they are typically served straight from disk or a CDN without passing through the application's authorization code. Even if developers implemented decent authorization, there's a good chance you can access the static resources of other users.
Day 20 (Stuck)
Testing authentication APIs? If you test in production, there's a good chance they have anti brute-force protection. Anyhow, DevOps engineers tend to disable rate limiting in non-production environments. Don't forget to test them :)
Example from the Facebook breach (found by @anand): http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html
Day 8 (Stuck)
Pentesting a REST API? Give it a chance, check if the API also supports SOAP. Change the Content-Type to "application/xml", add simple XML in the request body, and see how the API handles it. If the XML is parsed, test that parser for XXE as well.
Day 23 (Injection)
Found a way to download arbitrary files from the web server? Shift the test from black-box to white-box. Try to download the source code of the application (DLL files: use ILSpy; for compiled Java use Luyten). Read the code and find new issues!
Day 29 (Stuck)
APIs expose the underlying implementation of the app. Pentesters should leverage this fact to better understand users, roles, resources & the correlations between them to find cool vulnerabilities & exploits. Always be curious about the API responses.