Bug Bounty - GitBook

bug bounty 🔞

Author: zarvan Language: Persian Telegram channel: @web_articles

A company exposes an API for developers? This is not the same API which is used by mobile / web application. Always test them separately. Don't assume they implement the same security mechanisms. #api @GitBook_s

Mass Assignment is a real thing. Modern frameworks encourage developers to use MA without understanding the security implications. During exploitation, don't guess object's properties names, simply find a GET endpoint that returns all of them. #api @GitBook_s

Found SSRF? Use it for:
- Internal port scanning
- Leverage cloud services (like 169.254.169.254)
- Use http://webhook.site to reveal IP Address & HTTP Library
- Download a very large file (Layer 7 DoS)
- Reflective SSRF? Disclose local mgmt consoles
@GitBook_s

Testing a Ruby on Rails App & noticed an HTTP parameter containing a URL? Developers sometimes use "Kernel#open" function to access URLs == Game Over. Just send a pipe as the first character and then a shell command (Command Injection by design) Learn more about the open function: https://apidock.com/ruby/Kernel/open #api @GitBook_s
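For the defending side of the SSRF and Kernel#open posts above, here is an added example (not from the channel or any project it mentions) of validating a user-supplied URL before a server-side fetch. The names `validate_fetch_url`, `fetch`, `UnsafeURL` and `BLOCKED_NETS`, and the exact blocklist, are assumptions made for illustration.

```ruby
require "uri"
require "ipaddr"
require "resolv"
require "net/http"

# Ranges a server-side fetcher should not reach: loopback, RFC 1918,
# link-local (covers the 169.254.169.254 metadata address), IPv6 local.
BLOCKED_NETS = %w[
  0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  169.254.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

class UnsafeURL < StandardError; end

# Returns a parsed URI if `raw` is acceptable, raises UnsafeURL otherwise.
# `resolver` is injectable so the check can be exercised offline.
def validate_fetch_url(raw, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = begin
    URI.parse(raw.to_s)
  rescue URI::InvalidURIError
    raise UnsafeURL, "not a URL"
  end
  # Absolute http(s) only: a leading pipe, file paths, ftp: etc. stop here.
  unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
    raise UnsafeURL, "only http/https URLs are allowed"
  end
  host = uri.hostname # brackets stripped from IPv6 literals
  addrs = begin
    [IPAddr.new(host)]
  rescue IPAddr::InvalidAddressError
    resolver.call(host).map { |a| IPAddr.new(a) }
  end
  raise UnsafeURL, "host does not resolve" if addrs.empty?
  addrs.each do |ip|
    ip = ip.native if ip.ipv4_mapped?
    raise UnsafeURL, "blocked address #{ip}" if BLOCKED_NETS.any? { |n| n.include?(ip) }
  end
  uri
end

# Fetch with Net::HTTP, which never spawns a process and does not follow
# redirects; user input is never handed to Kernel#open.
def fetch(raw)
  Net::HTTP.get_response(validate_fetch_url(raw))
end
```

The check and the later request resolve the hostname separately, so a production fetcher should also connect to the address that was validated.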

Penetration Testing with Shellcode📚

The second time was worse than the first 😂

Tnx all & Welcome 2 new members Congratulations channel is 4k

Never assume there’s only one way to authenticate to an API! Modern apps have many API endpoints for AuthN: /api/mobile/login | /api/v3/login | /api/magic_link; etc.. Find and test all of them for AuthN problems. #api @GitBook

Older API versions tend to be more vulnerable and they lack security mechanisms. Leverage the predictable nature of REST APIs to find old versions. Saw a call to api/v3/login? Check if api/v1/login exists as well. It might be more vulnerable. #api @GitBook

Bug Bounty - GitBook - Statistics and analytics for the Telegram channel @gitbook_s