Bug bounty Notes

Looking for BOLA (IDOR) in APIs? Got 401/403 errors? AuthZ bypass tricks:

Wrap the ID in an array: {"id":111} --> {"id":[111]}
Wrap the ID in a JSON object: {"id":111} --> {"id":{"id":111}}
Send the ID twice: URL?id=&id=
Send a wildcard: {"user_id":"*"}

XSS payload? E.g.: {"name":"In<script>alert(21)</script>on"}

Found a limit / page param (e.g. /api/news?limit=100)? It might be vulnerable to Layer 7 DoS. Try sending a very large value (e.g. limit=999999999).
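The server-side counterpart to the ID-shape tricks and the oversized limit above, as an added example that is not part of these notes: a request parser that refuses arrays, nested objects, duplicate and blank copies, and wildcards instead of coercing them, and clamps the page size. The parameter names id and limit, the 18-digit bound and MAX_LIMIT are assumptions.

```python
import json
from urllib.parse import parse_qs

MAX_LIMIT = 100  # assumed page-size ceiling for list endpoints

class RequestRejected(ValueError):
    """A parameter arrived in a shape the API refuses to interpret."""

def parse_positive_int(raw, name="id"):
    """One positive integer as an int or ASCII digit string; arrays, objects,
    booleans, floats, blanks and wildcards such as "*" are refused, not coerced."""
    if isinstance(raw, bool) or not isinstance(raw, (int, str)):
        raise RequestRejected(f"{name} must be a scalar, got {type(raw).__name__}")
    if isinstance(raw, str):
        if not (raw.isascii() and raw.isdigit() and len(raw) <= 18):  # '²' passes isdigit
            raise RequestRejected(f"{name} must be a decimal string")
        raw = int(raw)
    if raw <= 0:
        raise RequestRejected(f"{name} must be positive")
    return raw

def id_from_json_body(body):
    """Parse a JSON body and return its single scalar 'id' field."""
    data = json.loads(body)
    if not isinstance(data, dict) or "id" not in data:
        raise RequestRejected("body must be an object with an id field")
    return parse_positive_int(data["id"])  # one ID reaches the ownership check

def id_from_query(query):
    """Single 'id' query value; parse_qs keeps repeats, so 'id=&id=' is refused."""
    values = parse_qs(query, keep_blank_values=True).get("id", [])
    if len(values) != 1:
        raise RequestRejected("id must appear exactly once")
    return parse_positive_int(values[0])

def page_limit(query, default=20):
    """Clamp 'limit' so one request cannot demand an unbounded result set."""
    values = parse_qs(query, keep_blank_values=True).get("limit", [])
    if not values:
        return default
    if len(values) != 1:
        raise RequestRejected("limit must appear at most once")
    return min(parse_positive_int(values[0], "limit"), MAX_LIMIT)

def rejected(fn, arg):  # check helper: True if fn(arg) refuses the input
    try:
        fn(arg)
    except RequestRejected:
        return True
    return False
```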
