In this video I go over the Top 10 API Bugs published by the OWASP API Security project. Although it was published for the blue team/security teams, there's some great info in there for bug bounty hunters! So let's break it down: what are the bugs, where can we find them, and how do we exploit them?
Did you know this episode was sponsored by Intigriti? Sign up with my link: http://go.intigriti.com/katie I'm so pleased with everyone's positive response to the Intigriti sponsorship, and I'm so pleased you folks are finding bugs, and even finding your first bugs! Thank you for being awesome!
This episode is a companion to last week's video. Hopefully you spent some time this week doing some recon and collecting some endpoints; now I'm going to show you how to exploit them :D! Also check out my demo, where I show you these bugs in action, which is going to be live streamed later today! If you are watching this in the future, it'll be on my channel.
Do you want to support me? Why not buy me a coffee? https://ko-fi.com/insiderphd
Got questions? I have answers, Tweet at me https://twitter.com/InsiderPhD
Further Reading:
- OWASP API Top 10: https://owasp.org/www-project-api-security/
- OWASP API Top 10 Explained: https://apisecurity.io/encyclopedia/content/owasp/owasp-api-security-top-10.htm
- Some possible misconfigurations: https://apisecurity.io/encyclopedia/content/owasp/api7-security-misconfiguration.htm
- Misconfiguration - CORS: https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/
- Misconfiguration - CSRF: https://youtu.be/ULvf6N8AL2A