Bad API, HAPI Hackers!

Explore a comprehensive methodology for testing APIs from both black box and white box perspectives in this 24-minute conference talk by jr0ch17 at LevelUp 0x03. Dive into techniques for uncovering technical vulnerabilities, including information leakage, error message disclosure, and framework identification. Learn how to test for Remote Code Execution (RCE), SQL Injection (SQLi), XML External Entity (XXE), and stored Cross-Site Scripting (XSS). Discover strategies for identifying Insecure Direct Object References (IDORs), sensitive information leakage, and how to combine endpoints to achieve high-impact vulnerabilities such as account takeovers and authentication bypasses. Gain insights into information gathering, API key handling, automation, file uploads, and privilege escalation. Follow along with real-world examples and learn how to leverage tools like Postman for effective API testing.