Bug bounty Notes
Looking for BOLA (IDOR) in APIs? Got 401/403 errors? AuthZ bypass tricks:
- Wrap the ID in an array: {"id":111} --> {"id":[111]}
- JSON-wrap the ID: {"id":111} --> {"id":{"id":111}}
- Send the ID twice: URL?id=&id=
- Send a wildcard: {"user_id":"*"}
XSS payload? E.g.: {"name":"In<script>alert(21)</script>on"}
Found a limit / page param (e.g. /api/news?limit=100)? It might be vulnerable to Layer 7 DoS. Try sending a very large value (e.g. limit=999999999).
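From the defender's side, every trick in these notes works only when the API accepts an ID, a name or a limit without checking its type, cardinality or ownership. The following is an added example, not part of the original notes and not any real API's code: a strict input layer for a hypothetical `/api/resource` handler that rejects array-wrapped and object-wrapped IDs, duplicated `id` query parameters and wildcard IDs, enforces the ownership check that BOLA exploits the absence of, HTML-escapes the `name` field before it is rendered, and clamps `limit` to a cap. The function names, the `MAX_LIMIT` value and the `RESOURCES` table are all constructed for this example.

```python
import html
import json
from urllib.parse import parse_qs

MAX_LIMIT = 100       # assumed page-size cap for this example
DEFAULT_LIMIT = 20    # assumed default page size

# Constructed sample data: resource id -> owning user id and a display name.
RESOURCES = {
    111: {"owner": 7, "name": "In<script>alert(21)</script>on"},
    112: {"owner": 8, "name": "plain name"},
}


class ValidationError(ValueError):
    """Raised when client input does not have the exact expected shape."""


class Forbidden(PermissionError):
    """Raised when the caller does not own the requested resource."""


def strict_id(value):
    """Accept only a plain non-negative integer or a string of digits.

    Arrays ({"id":[111]}), objects ({"id":{"id":111}}), wildcards ("*"),
    booleans, empty strings and negatives are all rejected instead of being
    coerced by whatever the ORM or database driver would do with them.
    """
    if isinstance(value, bool):            # bool is a subclass of int in Python
        raise ValidationError("id must be an integer")
    if isinstance(value, int):
        if value < 0:
            raise ValidationError("id must be non-negative")
        return value
    if isinstance(value, str) and value.isdigit():
        return int(value)
    raise ValidationError("id must be an integer")


def parse_json_id(body):
    """Extract and validate the "id" field of a JSON request body."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValidationError("body must be a JSON object")
    return strict_id(data.get("id"))


def parse_query_id(query):
    """Extract "id" from a query string, requiring it to appear exactly once.

    Rejects the "?id=&id=" duplicate-parameter trick: different layers may
    pick the first or the last value, so only a single occurrence is allowed.
    """
    values = parse_qs(query, keep_blank_values=True).get("id", [])
    if len(values) != 1:
        raise ValidationError("id must appear exactly once")
    return strict_id(values[0])


def clamp_limit(raw, default=DEFAULT_LIMIT, maximum=MAX_LIMIT):
    """Turn a client-supplied limit into a bounded integer.

    Missing or empty -> default; non-numeric -> rejected; huge values such as
    limit=999999999 are clamped to the cap rather than passed to the database.
    """
    if raw is None or raw == "":
        return default
    value = strict_id(raw)
    if value < 1:
        raise ValidationError("limit must be at least 1")
    return min(value, maximum)


def fetch_resource(session_user, resource_id, table=RESOURCES):
    """Authorization check that makes BOLA fail: the record must belong to
    the authenticated user, regardless of how the ID was supplied."""
    record = table.get(resource_id)
    if record is None or record["owner"] != session_user:
        # Same response for "not found" and "not yours" avoids leaking
        # which IDs exist.
        raise Forbidden("resource not available to this user")
    return record


def render_name(record):
    """Escape the name before it reaches an HTML context."""
    return html.escape(record["name"], quote=True)


def rejects(func, *args):
    """Return True if the call raises ValidationError (used for self-checks)."""
    try:
        func(*args)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    # Walk through the tricks from the notes against the hardened layer.
    for body in ['{"id":111}', '{"id":[111]}', '{"id":{"id":111}}', '{"id":"*"}']:
        print(body, "->", "accepted" if not rejects(parse_json_id, body) else "rejected")
    print("id=&id= ->", "rejected" if rejects(parse_query_id, "id=&id=") else "accepted")
    print("limit=999999999 ->", clamp_limit("999999999"))
    print(render_name(fetch_resource(7, 111)))
```

Usage note: `strict_id` is deliberately reused for `limit`, so the same type discipline applies to every numeric parameter, and `fetch_resource` is where the real BOLA fix lives; the shape checks only stop the parser-confusion variants that slip past a naive ownership check.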