
Finding Your First Bug: Finding Bugs Using APIs

We're looking at APIs: what they are, how to recognise them, what kinds of bugs you find in them and how to test for those specific bugs. APIs can be great sources of bugs, especially for beginners, so it's important to know how to test them. We even cover a little bit of recon knowledge. It's a long one for a video without a practical, BUT APIs are such good sources of bugs that I thought it was important!

Hi everyone, welcome to this video in the "Finding Your First Bug" series. In this series I'm going to go over some good first bugs: explain what they are, how to find them, show some examples of real bugs in the wild that paid out and finally do a practical example with Burp on a real target.

Correction: At 5:02 I mistakenly say the name is menu and the value is curly braces. I meant to say the name is menu but the value is the following object, denoted by {}. Thank you niraj choubey on YT for pointing that out!

By popular demand, the links to the reports I use as examples.
- Information Disclosure: User Information Disclosure via the REST API - /?_method=GET - https://hackerone.com/reports/384782
- Authorisation Issues: Wordpress.com REST API oauth bypass via Cross Site Flashing - https://hackerone.com/reports/176308
- Business Logic Errors: Items bought for free due to lacks of quantity controls - https://hackerone.com/reports/357929
- IDORs: IDOR and statistics leakage in Orders - https://hackerone.com/reports/544329
- XSS: Stored XSS in blog comments through Shopify API - https://hackerone.com/reports/192210

Video "Finding Your First Bug: Finding Bugs Using APIs" from the InsiderPhD channel
Video information
Published: 11 January 2020, 22:00:14
Duration: 00:43:35