Bug Bounty - GitBook
Find patterns in API route naming to discover new endpoints
If you see an endpoint that exposes a resource in typical fashion such as:
GET /api/albums/<album_id>/photos/<photo_id>
Think about what other directories and endpoints there are likely to be in the API. Tools such as Burp Suite Intruder or FFUF are great here when combined with API-specific wordlists. If regular API wordlists are not finding anything, then consider using a tool like CeWL which will generate custom wordlists for individual applications. Sometimes there will be endpoints that the web app itself rarely hits, but you can send your own requests to them if you find one. These can be gold mines! In the above example, you could try looking for:
GET /api/posts/<post_id>/comment/…
GET /api/users/<user_id>/details/…
We can also provide alternative values for each section and test to see if they exist. For example, version 1 of the API may have the appropriate access controls in place, but perhaps version 2 is not fully rolled out yet. You may find that version 2 of the API is still accessible if you make calls directly to it and that it lacks the access controls as it is not finished.
/service/v1/users/<user_id>
Where:
service: application context
v1: version
users: resource
<user_id>: parameter
#IDOR
Object scope: Is it private or public?
Start by looking at what objects should be publicly readable versus the ones that should not be. For instance, in an online store, product details and reviews associated with each product may be readable by the general public using the following endpoints:
GET /api/products/<product_id>
GET /api/reviews/<product_id>
However, the buyer’s private profile information should not be:
GET /api/users/<user_id>/creditcard/details
GET /api/users/<user_id>/mailingaddress/details
If the API structure looks something like the above, then you can assume that the user-related information should only be visible to that user. That is one of the best places to start testing for high-impact IDORs.
Pro tip: Don’t forget to try create/update/delete operations on objects that are publicly readable but shouldn’t be writable. Can you PUT to /api/products and change a price?
#IDOR
What is modern CSRF?
Modern CSRF refers to Cross-Site Request Forgery attacks adapted for today's web apps—think SPAs, JSON APIs, and relaxed SameSite cookie policies—rather than just old-school HTML forms.
The core idea stays the same: an attacker site tricks your authenticated browser into sending unintended requests to the target site using your valid session cookies. But modern twists exploit:
- API Endpoints: Forged fetch() or AJAX calls to REST/GraphQL routes (e.g., POST /api/transfer) instead of forms.
- SameSite=None Cookies: Common now for cross-site embeds; attackers use hidden iframes or postMessage to trigger actions.
- No-CSRF-Token APIs: Many backends skip tokens for "internal" AJAX, assuming browsers block cross-origin—but credentials: 'include' sneaks through.
- GET Mutations: Links/images prefetching state changes (add-to-cart, delete).
- OAuth/Modern Auth: Forged token refreshes or state param prediction.
In pentests, you spot it by finding mutator endpoints without proper tokens/origin checks, then PoC via a malicious page with fetch(..., {credentials: 'include'}). Mitigations like strict SameSite=Strict, CSRF tokens, or Origin header validation close it.
That's the gist—same attack surface, new vectors.
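The mitigations named in the post (Origin header validation, a CSRF token, SameSite=Strict cookies) as one server-side screening function, added here as an example and not taken from the original post or any project; the site origin, route shape, headers and sample requests are all constructed for illustration.

```javascript
// Added example: screen state-changing JSON-API requests for CSRF.
// SITE_ORIGIN and the sample requests below are constructed assumptions.
const SITE_ORIGIN = 'https://bank.example';
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Returns { allowed, reason } for a request object { method, headers, session }.
function screenRequest(req) {
  const method = req.method.toUpperCase();
  // Reads are not mutators -- this only holds if the app never changes state on GET.
  if (SAFE_METHODS.has(method)) return { allowed: true, reason: 'safe method' };

  const h = Object.fromEntries(
    Object.entries(req.headers).map(([k, v]) => [k.toLowerCase(), v]));

  // Browsers set Sec-Fetch-Site themselves; page script cannot override it.
  const fetchSite = h['sec-fetch-site'];
  if (fetchSite && fetchSite !== 'same-origin' && fetchSite !== 'none') {
    return { allowed: false, reason: `cross-site request (Sec-Fetch-Site=${fetchSite})` };
  }
  // Origin is attached by the browser to fetch()/XHR POSTs, even with credentials: 'include'.
  const origin = h['origin'];
  if (origin !== undefined) {
    if (origin !== SITE_ORIGIN) return { allowed: false, reason: `origin mismatch (${origin})` };
  } else {
    // No Origin header: fall back to Referer and fail closed if that is absent too.
    const referer = h['referer'];
    if (!referer || !referer.startsWith(SITE_ORIGIN + '/')) {
      return { allowed: false, reason: 'no Origin and Referer not same-origin' };
    }
  }
  // Defence in depth: a per-session token sent in a custom header must match the session.
  if (!req.session || h['x-csrf-token'] !== req.session.csrfToken) {
    return { allowed: false, reason: 'missing or wrong CSRF token' };
  }
  return { allowed: true, reason: 'same-origin request with valid token' };
}

// Session cookie attributes that remove the SameSite=None exposure the post mentions.
function sessionCookie(value) {
  return `session=${value}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// Constructed samples: a legitimate same-origin fetch() and a forged cross-site one.
const session = { csrfToken: 'tok-123' };
const legit = { method: 'POST', session,
  headers: { Origin: SITE_ORIGIN, 'Sec-Fetch-Site': 'same-origin', 'X-CSRF-Token': 'tok-123' } };
const forged = { method: 'POST', session,
  headers: { Origin: 'https://attacker.example', 'Sec-Fetch-Site': 'cross-site' } };
```

A request that passes the Origin check but lacks the token is still rejected, so the two checks cover each other if one is misconfigured.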
Google dorks that are useful for discovering less-targeted programs
https://github.com/sushiwushi/bug-bounty-dorks/blob/master/dorks.txt?source=post_page-----3af718bc89bc---------------------------------------
Find Files With SUID (Privilege Escalation)💀
find / -perm -4000 2>/dev/null
⚠️ SUID binaries can allow privilege escalation if misconfigured
🧠 Tip: Always check custom binaries, not just /bin ones.
#Pentesting #Linux