Finding Your First Bug: Finding Bugs Using APIs
We're looking at APIs: what they are, how to recognise them, what kinds of bugs you find in them and how to test for those specific bugs. APIs can be great sources of bugs, especially for beginners, so it's super important to know how to test them. We even cover a little bit of recon knowledge. It's a long one for a video without a practical, BUT APIs are such good sources of bugs that I thought it was important!
Hi everyone, welcome to this video in the "Finding Your First Bug" series. In this series I'm going to go over some good first bugs: explain what they are, how to find them, show some examples of real bugs in the wild that paid out and finally do a practical example with Burp on a real target.
Correction: At 5:02 I mistakenly say the name is menu and the value is curly braces. I meant to say the name is menu but the value is the following object, denoted by {}. Thank you niraj choubey on YT for pointing that out!
By popular demand, the links to the reports I use as examples:
- Information Disclosure: User Information Disclosure via the REST API - /?_method=GET - https://hackerone.com/reports/384782
- Authorisation Issues: Wordpress.com REST API oauth bypass via Cross Site Flashing - https://hackerone.com/reports/176308
- Business Logic Errors: Items bought for free due to lacks of quantity controls - https://hackerone.com/reports/357929
- IDORs: IDOR and statistics leakage in Orders - https://hackerone.com/reports/544329
- XSS: Stored XSS in blog comments through Shopify API - https://hackerone.com/reports/192210
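Two of the bug classes in the list above, the IDOR on an orders endpoint and the missing quantity controls at checkout, can be probed with the same pattern: send a request the UI would never send (another user's object ID, a zero or negative quantity) and see whether the server accepts it. The block below is an added example and not code from the video; it runs the probes against a constructed in-memory API so it can be executed offline. The endpoint names, users, order IDs and prices are assumptions, not details of any real target, and the `enforce` flag switches between the vulnerable behaviour and the server-side fix.

```python
"""Added example (not from the video): IDOR and quantity-control probes
run against a constructed in-memory shop API. All names, IDs and prices
are assumptions for illustration only."""
from dataclasses import dataclass, field

PRICE = {"sku-1": 20.0}  # constructed catalogue: one item at 20.00


@dataclass
class ShopApi:
    """Toy API standing in for a real HTTP target.

    enforce=False reproduces the vulnerable behaviour (no ownership check,
    no quantity validation); enforce=True applies the server-side fix.
    """
    enforce: bool
    orders: dict = field(default_factory=lambda: {
        101: {"owner": "alice", "total": 40.0},   # constructed order data
        102: {"owner": "bob", "total": 60.0},
    })

    def get_order(self, user, order_id):
        """GET /orders/{id} for the session user. Returns (status, body)."""
        order = self.orders.get(order_id)
        if order is None:
            return 404, None
        if self.enforce and order["owner"] != user:
            return 403, None  # ownership check: the object must belong to the caller
        return 200, order

    def checkout(self, user, sku, qty):
        """POST /checkout with a client-supplied quantity. Returns (status, body)."""
        if sku not in PRICE:
            return 404, None
        if self.enforce and (not isinstance(qty, int) or qty < 1):
            return 400, {"error": "quantity must be a positive integer"}
        return 200, {"user": user, "sku": sku, "qty": qty, "total": PRICE[sku] * qty}


def probe_idor(api, attacker="alice", victim_order_id=102):
    """IDOR probe: request someone else's order with the attacker's session.

    Returns a finding dict if the server returned an object the attacker
    does not own, or None if access was denied (403/404).
    """
    status, body = api.get_order(attacker, victim_order_id)
    if status == 200 and body["owner"] != attacker:
        return {"bug": "idor", "order_id": victim_order_id, "leaked": body}
    return None


def probe_quantity_controls(api, user="alice", sku="sku-1"):
    """Business-logic probe: submit quantities a normal client never sends.

    Returns the list of (qty, total) pairs the server accepted with a
    non-positive total, i.e. cases where the item is free or pays the buyer.
    """
    findings = []
    for qty in (0, -1, -5):
        status, body = api.checkout(user, sku, qty)
        if status == 200 and body["total"] <= 0:
            findings.append((qty, body["total"]))
    return findings


if __name__ == "__main__":
    for enforce in (False, True):
        api = ShopApi(enforce=enforce)
        label = "hardened" if enforce else "vulnerable"
        print(label, "idor:", probe_idor(api))
        print(label, "quantity:", probe_quantity_controls(api))
```

Against a real API the two probe functions would be swapped for HTTP requests carrying two different sessions; the decision logic stays the same: a 200 with another user's data, or a 200 with a total of zero or less, is the finding to write up.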
Video "Finding Your First Bug: Finding Bugs Using APIs" from the InsiderPhD channel