
REST API WriteUps

Web

  1. breaking-parse-logic-gain-access-to-Nginx-API-read-write-upstreams
  2. Information disclosure via API misconfiguration
  3. API Misconfiguration which leads to unauthorized access to ServiceDesk tickets
  4. Secret Key Exposure in API Config Directory
  5. Let’s know How I have explored the buried secrets in the Xamarin application
  6. Exploiting Application-Level Profile Semantics (APLS)
  7. API based IDOR to leaking Private IP addresses of 6000 businesses
  8. Exploiting API with AuthToken
  9. JS is l0ve ❤️ $5K for Rest API Key, by Shivam Kamboj Dattana (Medium)
  10. How An API Misconfiguration Can Lead To Your Internal Company Data
  11. https://blogs.ad3sh.com/2020/06/api-endpoint-leads-to-account-takeover.html
  12. API secret key Leakage leads to disclosure of Employee’s Information
  13. Bug Bounty: Broken API Authorization
  14. Privilege Escalation using an API endpoint
  15. Full Account Takeover via Changing Email And Password of any User through API Parameters
  16. Parameter Pollution issue in API resulting in $XXX
  17. Web Cache Deception to API endpoint attack using cached token header
  18. How Misconfigured API leak user private information?
  19. Abusing internal API to achieve IDOR in New Relic
  20. Hey UserID x, what’s your secret token? Broken API enables me to leak/modify any users personal information
  21. Fabric.io API permission apocalypse – Privilege Escalations
  22. [NR Insights] IDOR - Modify the filter settings for any NR Insights dashboard through the internal_api endpoint
  23. IDOR via internal_api “users” endpoint
  24. Restricted users can view all account invoices, payment method details, PII of the account owner through zoura_api endpoints
  25. IDOR- Activate Mopub on different organizations- steal API token- Fabric.io
  26. flash content type sniff vulnerability in api.slack.com, resolved
  27. User guessing/enumeration at https://app.c2fo.com/api/password-reset, resolved

Mobile

  1. https://abss.me/posts/fcm-takeover/
  2. https://web.archive.org/web/20210519175048/https://blog.dixitaditya.com/bypassing-google-maps-api-key-restrictions/
  3. https://web.archive.org/web/20210412151532/https://blogs.ad3sh.com/2020/06/api-endpoint-leads-to-account-takeover.html
  4. Hacking SMS API Service Provider of a Company Android App Static Security Analysis Bug Bounty POC

Resources

  1. http://h1.nobbd.de/
  2. https://pentester.land/list-of-bug-bounty-writeups.html
  3. https://hackerone.com/hacktivity?querystring=api
  4. https://raw.githubusercontent.com/besioo/hackerone/main/reports.csv

This post is licensed under CC BY 4.0 by the author.