Install: claude install-skill 26zl/cybersec-toolkit
# Bug bounty API testing
## 1. Discover the API
```bash
# Mobile app reverse → APK / IPA → look for endpoints
# JS bundle inspection
katana -u https://target.com -jc -silent | grep -E "/api/|/v1/|/graphql"
LinkFinder -i https://target.com/app.js -o cli
# Common paths
ffuf -w api-paths.txt -u https://target.com/FUZZ -mc 200,401,403
# /api, /api/v1, /v1, /graphql, /rest, /rpc, /swagger.json, /openapi.json,
# /api-docs, /redoc, /docs, /.well-known/
# Schema endpoints (huge if found)
curl https://target.com/swagger.json
curl https://target.com/openapi.json
# Send JSON explicitly; without the header curl posts form-encoded data and many GraphQL servers reject or ignore it
curl -X POST https://target.com/graphql -H 'Content-Type: application/json' -d '{"query":"{__schema{types{name}}}"}'
```
If you find a Swagger/OpenAPI spec or GraphQL introspection is enabled — that IS the attack surface map. If not, use `kiterunner` to brute-force API routes.
## 2. OWASP API Top 10 — checklist per endpoint
### API1: Broken Object Level Authorization (BOLA)
For every endpoint with an ID:
```bash
# Login as user A. Get user B's resource.
curl -H "Authorization: Bearer $A_TOKEN" https://api/users/$B_ID
```
Try: swapping one numeric ID for another, harvesting UUIDs from Wayback/JS bundles when IDs are not sequential, and decoding encoded IDs before swapping them.
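The BOLA test above, modelled server-side as an added example (not part of the original checklist): a handler that only authenticates beside one that also checks object ownership, plus a harness that replays the "A's token, B's ID" request across every user pair. Tokens, user IDs and the in-memory store are constructed sample values.

```python
# Minimal in-memory model of a GET /users/{id} endpoint: vulnerable vs. fixed.
# Constructed sample data: two users and two bearer tokens (not real values).
TOKENS = {"tokA": "u-1001", "tokB": "u-1002"}
USERS = {
    "u-1001": {"id": "u-1001", "email": "a@example.test"},
    "u-1002": {"id": "u-1002", "email": "b@example.test"},
}

def _caller(headers):
    """Resolve the bearer token to a user id; None if missing or unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])

def get_user_vulnerable(headers, user_id):
    """Authenticates the caller but never checks that the caller owns user_id (BOLA)."""
    if _caller(headers) is None:
        return 401, {"error": "unauthenticated"}
    rec = USERS.get(user_id)
    return (200, rec) if rec else (404, {"error": "not found"})

def get_user_fixed(headers, user_id):
    """Object-level authorization: the resolved caller must match the requested object."""
    caller = _caller(headers)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    if caller != user_id:
        # 404 rather than 403 so the response does not confirm that other ids exist.
        return 404, {"error": "not found"}
    return 200, USERS[user_id]

def bola_check(handler, token_a, id_b):
    """Mirror of the curl test: A's token, B's id. True means the endpoint refused."""
    status, _ = handler({"Authorization": f"Bearer {token_a}"}, id_b)
    return status in (403, 404)

def cross_user_leaks(handler):
    """Every (caller, object) pair where one user can read another user's record."""
    leaks = []
    for tok, owner in TOKENS.items():
        for uid in USERS:
            if uid != owner and handler({"Authorization": f"Bearer {tok}"}, uid)[0] == 200:
                leaks.append((owner, uid))
    return sorted(leaks)
```

Running `cross_user_leaks` against a real handler is the regression test to keep once the bug is fixed; an empty result for every token pair is the expected state.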
### API2: Broken Authentication
- Missing / weak JWT verification
- Token reuse after logout
- Refresh-token abuse
- Hardcoded API keys in mobile bundles
### API3: Broken Object Property Level Authorization (Mass Assignment + Excessive Data Exposure)
Mass assignment:
```bash
# Sign-up sends: {"email": "...", "password": "..."}
# Try: {"email": "...", "password": "...", "is_admin": true, "rol