APIs are so easy to exploit


steve55555

hello guys, hope you're all doing well

before we start, always remember to pray for my dad

(please pray for my father, for mercy and forgiveness)

Today I’m gonna explain to you 2 bugs I found 2 months ago just by manipulating APIs

so what’s an API?

Application Programming Interface: A set of functions and procedures allowing the creation of applications that access the features or data of an operating system, application, or other service.

now let’s dive into the bugs

the target has several roles, one of them being the low-level member. A low-level member can’t access some template info and also can’t access the dashboard members and their info

let’s start with the easy one

while trying to access the template, no info appeared, so I opened my proxy (Burp Suite) and what the freak

a lot of API requests were sent in the background, and of course one of them was the API request that retrieves the template info

that API request retrieved all the info

now let’s dive into the second one; the first was a bit easy

there’s a search function in the application. As a low-level member I tried to search for any letter: it retrieved info about the customers but nothing about my team members

now I reviewed every single request sent by the API in the background and found a request for the search operation

here’s the endpoint of the search sent in the background

GET /search?limit=25&offset=0&query=blabla&resource=customers

so what if I changed the resource parameter to retrieve the team members?

after some testing and navigating through the target, I found out that it accepts only 4 values, one of them being ‘users’, which refers to the team members

so I searched for the mail domain and changed the resource parameter to users, and all the info was disclosed in the response

hurrayyyyyyyyyyy

TIP: nowadays APIs are mostly not configured properly. A lot of developers, to make things easy for themselves, send a lot of requests in the background which are not useful for the application but harmful, and attackers can manipulate APIs to do what they want. So always look at every request sent in the background via the API and try to understand each request’s job
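Both bugs above come down to the same server-side mistake: the UI hides the template info and the team-member search results from a low-level member, but the API behind the UI never checks the caller’s role, so anything the background requests can fetch is exposed. The example below is added here to show the fix from the defender’s side; it is not code from the target or from the author. It models the search endpoint from the post (the `limit`, `offset`, `query` and `resource` parameters, and the four accepted `resource` values) with a vulnerable handler that only validates the parameter beside a hardened handler that also checks the role against a per-role allowlist. The role names, the allowlist, the `users`/`customers`/`templates`/`invoices` store contents and the sample records are all constructed assumptions.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample data (assumption, not from the post): what each search resource holds.
STORE = {
    "customers": ["Acme Corp <billing@acme.example>", "Globex <ap@globex.example>"],
    "users": ["alice@corp.example", "bob@corp.example"],  # the team members
    "templates": ["invoice-default", "welcome-email"],
    "invoices": ["INV-1001", "INV-1002"],
}

# Constructed authorization matrix (assumption): which resources each role may search.
# The low-level member is only meant to see customers, matching the UI behaviour in the post.
ROLE_RESOURCES = {
    "admin": {"customers", "users", "templates", "invoices"},
    "member": {"customers"},
}


def parse_search_request(request_line):
    """Split 'GET /search?limit=25&offset=0&query=x&resource=customers' into (method, path, params)."""
    method, target = request_line.split(" ", 1)
    url = urlparse(target)
    params = {key: values[0] for key, values in parse_qs(url.query).items()}
    return method, url.path, params


def _run_search(resource, params):
    """Case-insensitive substring search with the endpoint's paging parameters applied."""
    query = params.get("query", "").lower()
    limit = int(params.get("limit", 25))
    offset = int(params.get("offset", 0))
    hits = [row for row in STORE[resource] if query in row.lower()]
    return hits[offset:offset + limit]


def search_vulnerable(role, request_line):
    """Only checks that `resource` is one of the known values; the caller's role is never consulted,
    so the UI hiding the 'users' results does nothing to protect them."""
    _, _, params = parse_search_request(request_line)
    resource = params.get("resource", "")
    if resource not in STORE:
        return 400, {"error": "unknown resource"}
    return 200, {"results": _run_search(resource, params)}


def search_hardened(role, request_line):
    """Same endpoint, but the server decides from the authenticated role whether the resource is allowed.
    Unknown roles get an empty allowlist, so the default is deny."""
    _, _, params = parse_search_request(request_line)
    resource = params.get("resource", "")
    if resource not in STORE:
        return 400, {"error": "unknown resource"}
    if resource not in ROLE_RESOURCES.get(role, set()):
        # Deny, and emit an event so repeated role/resource mismatches are visible to monitoring.
        print(f"AUTHZ DENY role={role} resource={resource}")
        return 403, {"error": "forbidden"}
    return 200, {"results": _run_search(resource, params)}


if __name__ == "__main__":
    # A low-level member sending the post's request with resource switched to 'users'.
    req = "GET /search?limit=25&offset=0&query=corp.example&resource=users"
    print("vulnerable:", search_vulnerable("member", req))  # 200 with both team members
    print("hardened:  ", search_hardened("member", req))    # 403 forbidden
```

The point of the hardened handler is that the allowlist lives on the server and is keyed by the role taken from the session, not by anything the client sends; the same check belongs on the template endpoint from the first bug, because a request the UI never shows is still a request the API will answer.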

my social links

linkedin: https://www.linkedin.com/in/momen-ahmed-a34038265/

X: https://x.com/hopeleesssteve
