As I was progressing along my API hacking learning path, OAuth 2.0 kept coming back as something I would have to get my head around at some point. Recently, I was testing an API in the scope of a Vulnerability Disclosure Program on Bugcrowd and OAuth was the authorization mechanism the API was using....
What is BOLA – Broken Object Level Authorization?
Broken Object Level Authorization vulnerabilities are known to be the most common flaws you will run into when testing APIs. BOLA held the top spot in the original 2019 edition of OWASP’s API Security Top 10 list. And it is still the number one vulnerability listed in the recently published OWASP API Security Top...
ParaBank walkthrough
So do you want to hack a bank with me? I knew you would… 😉 Let me introduce you to ParaBank, a deliberately vulnerable web application and API, developed by Parasoft, a vendor of automated testing tools. ParaBank is a pseudo online banking app that I recently came across thanks to Bas Dijkstra, who...
Discover API endpoints with Feroxbuster
If you’ve been following this blog, you know my go-to fuzzing tool has long been FFUF. But if FFUF does a great job fuzzing GET parameters, user passwords or 2FA codes, I have found that Feroxbuster does a better job uncovering hidden API endpoints. To give a bit of context, what we are looking...
c{api}tal walkthrough
Here is a walkthrough of c{api}tal, a deliberately vulnerable web app and API built by the team at Checkmarx, an application security testing specialist. It was first publicly demonstrated at DEF CON 30 in August 2022, where it was used as the basis for a CTF contest (see the full story here). During that...
Proxy Postman into Burp Suite
Here is a quick and easy tip on how to get the two most useful API hacking tools to work together: Postman and Burp Suite. Suppose you have a list of API endpoints stored in a collection in Postman. Each of these endpoints has an HTTP method, a URL, a list of request headers...
vAPI walkthrough
This is a full walkthrough of the Vulnerable Adversely Programmed Interface (vAPI), a deliberately vulnerable web application that you can install locally to practice your API hacking skills. vAPI follows the OWASP API Security Top 10 2019 list of vulnerabilities and gives you one task for each of the 10 listed categories plus three...
DVGA walkthrough
This is a full walkthrough of the Damn Vulnerable GraphQL Application (DVGA), a deliberately vulnerable app that you can use to test your GraphQL API hacking skills. You will find a list of vulnerabilities in DVGA’s main interface, on the Solutions page. With every vulnerability, there is a button that displays a very short...
Getting started with regex
Regular expressions (or regex) offer a way to look into a text file, a form, or a command line output and locate strings that match a specific pattern. This allows you to extract emails, phone numbers, keys that match a given structure, etc. You can think of regex as a search function on steroids....
Basic or extended regex?
Regular expressions (regex) come in several flavours. The two main ones you will come across are Basic Regular Expressions (BRE) and Extended Regular Expressions (ERE). From a practical standpoint, the main difference between the two lies in the way they handle special characters. These characters perform a special task or give a certain...