In this presentation I’d show my methodology of looking at APIs from both black box and white box perspectives. White box meaning that I already have the Postman collection in hand so I already have all the endpoints. I’ll show how I test for technical bugs starting off by trying to leak information and error messages that discloses the framework by either changing HTTP methods, sending malformed JSON, putting it integers when it’s expecting a string, putting a string when it’s expecting an integer, etc. From there, I use what I’ve gotten and start testing for RCE, SQLi, XXE, stored XSS, etc. After the technical vulnerabilities, I’ll dig deeper into the IDORs and try to access stuff you’re not supposed to view/change, look for sensitive information leakage, etc. Sometimes it looks like there’s nothing interesting and juicy, however by combining a few endpoints together, you’re able to get something quite nice like a complete account takeover, or authentication bypass, unauthorized access, credentials and API key leaks, etc.
Jasmin Landry aka JR0ch17 works as a Penetration Tester for a small company based in Montreal, Canada. He started his career in IT as a Systems Administrator and decided to switch over to InfoSec after 4 years. Earlier in his career, he earned a wide range of certifications such as MCSA, CCNA, CCNA:Security, VCP, LPIC-1 and many more and after moving in a security role he has earned his OSCP, GWAPT, CEHand SSCP. He also spends roughly 15 hours a week doing bug bounty and currently ranks 54th on Bugcrowd.