Security Analyst, Security Researcher, Back-end developer and a Life-Long Learner Experience Worked with new start-ups and programs under Freelance programs over Development as well as under Security teams. Pursuing B.Tech in Cybersecurity and Digital Forensics from VIT Bhopal University. My Achievements Recently found a vulnerability at Department of Defence, Government of India. Helped to secure companies such as Dell, Canva, e-goi, seek.com and many more. 01 02 03
person should know about it. 2) Types of API One should Focus On 3) OWASP Top 10 API Vulnerabilities 4) Approach to find API Flaws 5) End-point discussions 6) Things to learn for getting started as an API Penetration Tester 7) Dealing with Duplicates and self- motivation Topics
sends it to DB and response back in some seconds. Optmization of application has been very well improved by API. Application Programming Interface Application Programming Interface is a intermediary that works with Web-Application and makes it possible to send and recieve requests from indistinguishable devices. Integration with different IT Applications Client-based applications that are made are being sincerely upgraded using API's, thus improving programs. Integration has been made possible with the use of API's. Escalation of Reach and Personalization Even now, kids can create about different web- applications/android application and run the services that are being provided by API vendors such as Google. 01 02 03
boost to numerous security loopholes, and are now ready for basic security loophole repurcussions. But with new advancements, come the disadvantages. HCL BREACH 2019 DOMINO'S BREACH 2021 ACCENTURE BREACH 2021 NEXT BREACH ??
used API, Public API are available openly to be used by people. Some vendors include Google, Microsoft, IBM Partner API Partner API is used with integration over different projects, such as AWS, Apple, Twitter and many more. Internal API Internal API are made and mainatained within an organization. Composite API These API are integrated and are quite set within an application in the most desired manner. This is quite a paradigm to use multiple different API of same caliber within an application 1) REST API's 2) SOAP API's 3) RFC API's
Broken Object Level Authorization Excessive Data Exposure Lack of Resources and Rate Limiting Good Findings OWASP Top 10 API Vulnerabilities Insufficient Logging & Monitoring Security Misconfiguration Improper Assets Management Mass Assignment
first API Flaw..!!!!! Inspecting the scope (RDP/VDP) and starting Recon phase through Google Passive One can use scanners to list out vulnerabilities that are being generally found, and neglect those vulnerabilities in the process. If one finds a good catch, proceed, else leave. Active Use places such as Github, Exploit-DB, SHODAN, CVE and NIST Exploit Writing your own reports and keeping it for future references should be a healthy practice. Read reports of other Security Researcher and frame in your words, rather then copying After-Effects
Tester Learn Tools such as Postman Tools, and set it with respect to Burpsuite during debug and requests management Learning Technologies The Key of API Exploitation is Reconnaissance. Recon as much as possible, list down your findings and then gets started with exploitation part. Recon is Life..!!! Get to know about Start, Mid and End-points of the findings. Once you there, 40 % of work is Recon is done. Get Known of Points Use of Fuzzers will always reduce your time of finding flaws. Dirbuster, dirsearch, dirb, Manual Tools are always contributive in this field. Fuzzers are Love Once you are done with Good Flaws, Move towards great flaws such as Broken Authentication, Assets Findings and Sensitive Token Leakage to Chaining Vulnerabilities. Find Critical Flaws Try to Find Flaws that are either mentioned under RDP/VDP or Work over those vulnerabilities that are generally found, Such as Injection, PII, Sensitive Key/Token Leakage Find General Flaws First
API Penetration Testing Kontra, Portswigger Academy are the best place to learn practically, with visualizing future goals. Learn Postman Tool and Burpsuite to make your work easier and faster. These books are great to get started. These books helps good, if you are a reader.
AT A TIME Once You leave expectations and focus on other vulnerabilities, it helps you more, than waiting for replies of places of submissions. Learn one vulnerability and find that vulnerabilities. Set a goal of finding and making yourself perfect under a particular set of vulnerabilities 2) THINK CREATIVELY, FIND FLAWS AND CHAIN FOR MORE IMPACT Sincerely speaking, it is not easy to find a flaw. Developers are now generally working quite harder to create good codes. Finding flaws is quite difficult. But, low-impact vulnerabilities are always not teated well, rather are left. Find that vulnerability and Chain it with quite big vulnerability. 3) DON'T THINK AND COMPARE YOUR FINDINGS WITH OTHERS, LEARN FROM DUPES AND BE PATIENT. LEARN THROUGH WRITEUPS Never compare your findings with other security researcher that post on social media platforms. Ignore them. Learn from Duplicates and try to be patient. Sometimes, duplicates are more rewarding then expected. Believe over your findings..!!!!! Dealing with Duplicate Submissions 4) LEARN TO ASK. EITHER FROM GOOGLE, SHODAN OR WITHIN COMMUNITIES. AND READ AS MUCH WRITEUPS AS POSSIBLE...!!!! Start asking about your findings if you have no idea about exploitation. Learn Dorking from Github Repositories over Google, Github and discuss within communities. Slack communities are present where people discuss about there findings and get replies over it.
you wish to get connected. then get connected. I'm quite slow to respond, but i do respond. Just don't ask question like "Can we hack NASA using HTML" or "How to hack my GF/BF Social Media Account..???"