OK, so this is really a ‘note to self’ article that I’m keeping here for future reference. But this will hopefully also help you understand the difference between the query parameters and path variables in Postman and how to use either of these two options. I recently got stuck in an API challenge on...
Using AI to find API bugs
Using AI is a great way to accelerate the discovery of vulnerabilities in an API. There are now many different ways of integrating AI into your game. One of my favorites is using Postman’s Postbot feature. Postbot writes full test scripts from a simple AI prompt. Use this in conjunction with Postman’s collection runner...
Testing for SSRF in an API
Here is a quick and easy way to test if an API endpoint is vulnerable to a Server Side Request Forgery (SSRF) attack. To do this, we can use a website called webhook.site to simulate a payload. What is SSRF? We want to test for SSRF whenever we come across an API endpoint that...
What is OAuth 2.0?
As I was progressing along my API hacking learning path, OAuth 2.0 kept coming back as something I would have to get my head around at some point. Recently, I was testing an API in the scope of a Vulnerability Disclosure Program on Bugcrowd and OAuth was the authorization mechanism the API was using....
What is BOLA – Broken Object Level Authorization?
Broken Object Level Authorization vulnerabilities are known to be the most common flaws you will run into when testing APIs. BOLA held the top spot in the original 2019 edition of OWASP’s API Security Top 10 list. And it is still the number one vulnerability listed in the recently published OWASP API Security Top...
Discover API endpoints with Feroxbuster
If you’ve been following this blog, you know my go-to fuzzing tool has long been FFUF. But if FFUF does a great job fuzzing GET parameters, user passwords or 2FA codes, I have found that Feroxbuster does a better job uncovering hidden API endpoints. To give a bit of context, what we are looking...
Proxy Postman into Burp Suite
Here is a quick and easy tip on how to get the two most useful API hacking tools to work together: Postman and Burp Suite. Suppose you have a list of API endpoints stored in a collection in Postman. Each of these endpoints has an HTTP method, a URL, a list of request headers...
Using an Android emulator for API hacking
Mobile apps are great targets for anyone interested in hacking APIs. Mobile apps will often connect to a supporting web application through an API. By intercepting and reviewing the traffic with a tool like Burp Suite, you can get a pretty good understanding of how the API works and, if you’re lucky, spot some...
Hacking a JWT – JSON Web Token (part 2)
This is the third article in a three-part series on JSON Web Tokens, which breaks down as follows: What is a JWT – JSON Web Token? This article gives you all the basics to understand how JSON Web Tokens work. Hacking JWT – JSON Web Token (part 1) This article explains how to...
Hacking a JWT – JSON Web Token (part 1)
This is the second article in a three-part series on JSON Web Tokens. The first article outlined what a JWT is, what its components are and how you can read and edit its content (if you haven’t read this first article, I strongly suggest you take a moment to do it now before...