Overview
Explore a comprehensive methodology for testing APIs from both black box and white box perspectives in this 24-minute conference talk by jr0ch17 at LevelUp 0x03. Dive into techniques for uncovering technical vulnerabilities, including information leakage, error message disclosure, and framework identification. Learn how to test for Remote Code Execution (RCE), SQL Injection (SQLi), XML External Entity (XXE), and stored Cross-Site Scripting (XSS). Discover strategies for identifying Insecure Direct Object References (IDORs), sensitive information leakage, and how to combine endpoints to achieve high-impact vulnerabilities such as account takeovers and authentication bypasses. Gain insights into information gathering, API key handling, automation, file uploads, and privilege escalation. Follow along with real-world examples and learn how to leverage tools like Postman for effective API testing.
Syllabus
Intro
Who am I
Methodology
Where do I start
Testing for API
Information Gathering
API Key
Automate
File uploads
Shawn Tweet
Example
SQL Injection
How I play
An example
Personal information
Testing
Privilege Escalation
IDORs
Postman
Questions
Taught by
Bugcrowd