ru
Feedback
Bug Bounty - GitBook

Bug Bounty - GitBook

Открыть в Telegram
7 497
Подписчики
+524 часа
+577 дней
+19730 день
Архив постов
8Best #firefox addons for #Hacking -HackBar -Cookies Manager+ -User-Agent Switcher -Tamper Data -FoxyProxy Standard -Wappalyzer: -HttpRequester -RESTClient: -Tampermonkey -XSS Me -SQL Inject Me -iMacros -FirePHP

🔗 Webhooks online http://GitBook_s.t.me A selection of useful services for testing HTTP requests 🔗webhook.link 🔗webhook.site 🔗 webhook-test.com 🔗 webhook.cool 🔗webhookrelay Example: curl -X POST https://gitbook-s.webhook.cool -H "Content-Type: application/json" -d '{"hello": "world", "is_true": true}' #webhook #http #web

🔗 Webhooks online A selection of useful services for testing HTTP requests 🔗webhook.link 🔗webhook.site 🔗 webhook-test.com 🔗 webhook.cool 🔗webhookrelay Example: curl -X POST https://gitbook-s.webhook.cool -H "Content-Type: application/json" -d '{"hello": "world", "is_true": true}' @GitBook_s #webhook #http #web

What is bug bounty methodology? your unique approach to a target(step-by-step process). GitBook_s

به شدت به xmind های باگ های یاشار نیاز دارم کسی داره آیا ؟

Hi guys I have a question Who knows the difference between brute force and spray ? Answer in direct

Find patterns in API route naming to discover new endpoints If you see an endpoint that exposes a resource in typical fashion such as:
GET /api/albums/<album_id>/photos/<photo_id> 
Think about what other directories and endpoints there are likely to be in the API. Tools such as Burp Suite Intruder or FFUF are great here when combined with API-specific wordlists. If regular API wordlists are not finding anything, then consider using a tool like CeWL which will generate custom wordlists for individual applications. Sometimes there will be endpoints that the web app itself rarely hits, but you can send your own requests to them if you find one. These can be gold mines! In the above example, you could try looking for:
GET /api/posts/<post_id>/comment/…
GET /api/users/<user_id>/details/… 
We can also provide alternative values for each section and test to see if they exist. For example, version 1 of the API may have the appropriate access controls in place, but perhaps version 2 is not fully rolled out yet. You may find that version 2 of the API is still accessible if you make calls directly to it and that it lacks the access controls as it is not finished.
/service/v1/users/<user_id> 
Where:
service: application context
v1: version
users: resource
<user_id>: parameter
#IDOR @GitBook_s

Object scope: Is it private or public? Start by looking at what objects should be publicly readable versus the ones that should not be. For instance, in an online store, product details and reviews associated with each product may be readable by the general public using the following endpoints:
GET /api/products/<product_id>
GET /api/reviews/<product_id> 
However, the buyer’s private profile information should not be:
GET /api/users/<user_id>/creditcard/details
GET /api/users/<user_id>/mailingaddress/details 
If the API structure looks something like the above, then you can assume that the user-related information should only be visible to that user. That is one of the best places to start testing for high-impact IDORs. Pro tip: Don’t forget to try create/update/delete operations on objects that are publicly readable but shouldn’t be writable. Can you PUT to /api/products and change a price? #IDOR @GitBook_s

I try 5 time to upload this

Books_t.me_gitbook_s (5).zip127.32 MB

join similar channel's 😍
join similar channel's 😍