PROGRAMMER. MY WORK IS MOSTLY AS A SECURITY ANALYST AND RESEARCHER; APART FROM THAT, IN MY FREE TIME I CODE. MY RECENT ACHIEVEMENTS INCLUDE FINDING CRITICAL BUGS AT CENTRAL INDUSTRIAL SECURITY FORCES, FOR WHICH I WILL BE GETTING AN AWARD FROM THE DEFENSE SECTOR FROM THE GOVERNMENT OF INDIA. APART FROM THAT, I HAVE SECURED CANVA, MASTERCARD, OLD-GAMES, ISC2, DELL AND OTHER COMPANIES.
TOPICS OF DISCUSSION
IN WEB-APPLICATION
2) TYPES OF API AND HOW THEY ARE IMPLEMENTED.
3) A DISCUSSION OF THE OWASP TOP 10 API VULNERABILITIES
4) BUG-BOUNTY SECTION 1: RECONNAISSANCE FOR API VULNERABILITIES.
5) BUG-BOUNTY SECTION 2: FINDING YOUR FIRST API VULNERABILITY AND EXPLOITING IT ETHICALLY
6) APPROACH TO API PENETRATION TESTING
7) DEALING WITH DIFFICULTIES AND DUPLICATES UNDER VDP AND RDP
8) CONCLUSION WITH STRONG MOTIVATION FOR NEW BUG-BOUNTY HUNTERS, PENTESTERS AND SECURITY RESEARCHERS.
AN INTERMEDIARY THAT ALLOWS APPLICATIONS TO TALK TO EACH OTHER.
THE APPS WE USE, SUCH AS FACEBOOK, INSTAGRAM, TWITTER, WHATSAPP ETC., ALL WORK ON APIS.
THE WORK OF AN API INCLUDES SENDING AND RECEIVING REQUESTS, PARAMETERIZING THE INPUTS AND INCREASING THE AFFECTED LEGITIMITY OF FUNCTIONALITY WITH RESPECT TO THE WEBSITE / WEB-APPLICATION.
AUTHENTICATION
EXCESSIVE DATA DISCLOSURE
LACK OF RESOURCES AND RATE LIMITING
BROKEN FUNCTION LEVEL AUTHORIZATION
MASS ASSIGNMENT
SECURITY MISCONFIGURATION
INJECTION
IMPROPER ASSETS MANAGEMENT
INSUFFICIENT LOGGING AND MONITORING
USING PRIME-SCANNERS TO FILTER OUT MORE OF SCOPES
RECON AT PLACES SUCH AS GITHUB, EXPLOIT-DB, CVE AND NIST REPORT
[DIAGRAM: RECONNAISSANCE: passive, active, exploit, after effects]
BUG-BOUNTY SECTION: APPROACH TO LEARN API-PENETRATION TESTING
TO BURPSUITE.
1) THE KEY TO API PENTESTING IS RECON, SO DO RECON ON END-POINTS.
2) SELECT THE START, MID AND END-POINT OF THE GENERATED API REQUEST.
3) USE OF FUZZERS MAKES WORK A LOT EASIER, BUT THEIR RESULTS ARE NOT CONFIRMATORY (DIRBUSTER, DIRB, MANUAL TOOLS).
4) GENERAL FLAWS TO BE FOUND: SQL-INJECTION AND OTHER VARIOUS INJECTION ATTACKS, CROSS-SITE SCRIPTING, BOLA, SENSITIVE INFORMATION DISCLOSURE (PII, API-KEYS AS WELL AS SENSITIVE TOKENS) AND IMPROPER ASSETS MANAGEMENT.
5) YOUR BEST FRIENDS ARE GITHUB, EXPLOIT-DB, GOOGLE AND SHODAN. USE THEM WISELY.
EXPECTATIONS ABOUT BOUNTY, MONETARY AWARDS OR SWAGS & LAY STRESS ON GETTING BUG TO BE EXPECTED. KEEP YOUR SYLLABUS MINIMUM.
2) ONE FLAW/BUG AT A TIME...!!!!!!
3) THINK CREATIVELY. YOUR CREATIVITY SHOULD BE DIFFERENT THAN THAT OF OTHER FELLOW SECURITY RESEARCHERS OR BUG-HUNTERS.
4) BE READY FOR THE BEST TO COME, AND PREPARE YOURSELF FOR THE WORST.
5) HAVE A READY-TO-LEARN MINDSET, THEN READY-TO-EARN.
6) FINDING DUPE BUGS IS MORE REWARDABLE SOMETIMES THAN GETTING BOUNTY THROUGH IT.
7) KNOW THE DIFFERENCE BETWEEN "RISK" AND "VULNERABILITY".
8) ACCEPT YOUR FAILURES AND LEARN FROM THEM.
9) IF YOU DON'T KNOW, ASK, EITHER GOOGLE OR A FRIEND. AND COLLABORATE AND FIND BUGS IF YOU ARE COMFORTABLE.
10) READ WRITE-UPS EVERY DAY..!!!!!