
API Pentesting Mindmap While Trying To Attack

The document discusses different types of sensitive user information that may be exposed in web applications, including user identifiers, personal documents, transaction objects, and downloadable resources. It notes that some apps put user IDs in filenames of uploaded files or embed them in URLs, potentially leaking private details if not properly secured. Proper access controls are needed to ensure users can access their own information while preventing others from accessing sensitive data through application parameters or URLs.

Uploaded by vifiga9745

Broken object-level access (BOLA)

  Checking every function that carries an identifier:
    - as a value in parameters (parameter's value)
    - as an object in the URL (URL object)

  User identifiers
    - IDs
        Downloadable resources: PDFs, Docs, Invoices, etc.
        Some web apps name the user's attachments with their IDs in the application, e.g. 12.pdf
        Personal docs: National IDs, Passports, etc.
        Some web apps require uploading personal docs to register, and the user should have access to his docs; these docs are sometimes also named with their owner's ID.
        Transaction objects / identifiers
    - Usernames
        Downloadable resources: certificates, licenses, medical documents, etc. {{based on the application's logic}}
        In addition to the types mentioned in the User identifiers section, these docs might also have usernames as file names, e.g. cyberguy_10.csv
    - Authenticators of the application: Authorization headers / cookies. Check for:
        Hashed sessions / cookies: sometimes the user's username is hashed and used as a value for authorization; you can exploit this by guessing the application's usernames and hashing them.
        Serialized sessions / cookies
        Encoded sessions / cookies
        Encrypted cookies: some cookies are encrypted with symmetric encryption, so if you were able to obtain the private key by some way you will be able to decrypt the cookie and change its value.

Application's responses
  - Dynamic application responses
      Manipulation of resource accessing behaviours: some developers define the user's state when accessing a resource based on the server's responses, for example:
        {
          "authorized": true,
          "uID": 122
        }
      Manipulate the privilege or the user's state from the server's responses.
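The defence against both identifier-named files (12.pdf) and client-visible "authorized" flags is the same: the server looks the object up, compares its owner with the authenticated principal, ignores any authorization state the client sends, and returns only the fields the endpoint needs. The following is an added example, not code from the mindmap or its author; the Principal/Document types, the in-memory DOCS store and the audit log are constructed for it.

```python
"""Server-side object-level authorization for a document download API (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: int
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    filename: str
    ssn: str  # sensitive column stored next to the file; never serialized wholesale


class AuthzError(PermissionError):
    pass


# Constructed sample store: document 12 belongs to user 12, document 13 to user 13.
DOCS = {
    12: Document(12, 12, "12.pdf", "123-45-6789"),
    13: Document(13, 13, "13.pdf", "987-65-4321"),
}

# Denied cross-user reads are the signal a detection team wants; keep them.
AUDIT_LOG = []


def can_read(principal, doc):
    """Ownership or an explicit role decides access, nothing from the request body."""
    return doc.owner_id == principal.user_id or "admin" in principal.roles


def get_document(principal, doc_id, client_claims=None):
    """Return a minimal view of doc_id for principal.

    client_claims is whatever JSON the client sent. It is deliberately unused for
    authorization, so a body of {"authorized": true, "uID": 13} changes nothing.
    """
    doc = DOCS.get(doc_id)
    if doc is None or not can_read(principal, doc):
        AUDIT_LOG.append({"event": "authz_denied", "user": principal.user_id, "doc": doc_id})
        # Same error for missing and forbidden objects: no existence oracle for enumeration.
        raise AuthzError("not found")
    # Excessive-data-exposure guard: explicit allowlist of returned fields (no ssn).
    return {"id": doc.doc_id, "filename": doc.filename}


def is_denied(principal, doc_id, client_claims=None):
    """Helper for tests: True when the read is refused."""
    try:
        get_document(principal, doc_id, client_claims)
        return False
    except AuthzError:
        return True
```

The audit record is written before the error is raised, so a burst of authz_denied events from one user over consecutive doc ids is visible to monitoring even though the client only ever sees "not found".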
  - Pre-authentication
      OTP
        Leaks: OTP stored in some endpoint; OTP generated by the API using some method
        Manipulation: changing the values from true to false or their logical representatives, e.g. {"OTP": 1} where the number 1 refers to true.
      Some applications decide the identity of the user through the server's responses; we can manipulate the JSON response, for example, and the dynamically generated content will be loaded for the injected email.
  - 2FA process to access specific user content
  - Remote authorization manipulation: while accessing a particular sensitive / critical resource in an application, some applications require remote authorization to proceed. Some panels require remote authorization from mobile apps, for example, thus we can manipulate the response to bypass into the user's content, e.g.:
        {
          "authorization_done": true,
          "resource_id": 120
        }

Lack of resources and rate limiting
  - Endpoints: OTP endpoints, Login endpoints, CVV / PIN, etc.
  - Bypasses: Referer manipulation, IP range spoofing, Internal resource spoofing, etc.
  - Authenticated identifiers' manipulation (confidential / personal info): email, username, id, National Security Number, Phone number, Passport Number, etc.
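An OTP or remote-authorization step is only as strong as the server-side state behind it: the code must never be returned by an endpoint, the "done" decision must be taken on the server, and the verification endpoint needs an attempt cap and a cooldown. The following is an added example (not the mindmap's code): an OTP store with a bounded attempt count, a lockout, single-use codes and a constant-time compare. The MAX_ATTEMPTS, OTP_TTL and LOCKOUT values and the injectable clock are constructed for the example.

```python
"""Server-side OTP verification with attempt limiting (added example)."""
import hmac
import secrets
import time

MAX_ATTEMPTS = 5   # failures allowed per issued code
OTP_TTL = 300      # seconds a code stays valid
LOCKOUT = 900      # seconds the user is locked after MAX_ATTEMPTS failures


class OtpStore:
    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so the behaviour can be tested deterministically
        self._entries = {}  # user_id -> {code, issued, attempts, locked_until}

    def issue(self, user_id):
        """Create a fresh code. The return value goes to the SMS/email sender only,
        never into an API response (the 'OTP stored in some endpoint' leak)."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._entries[user_id] = {
            "code": code, "issued": self.clock(), "attempts": 0, "locked_until": 0.0,
        }
        return code

    def verify(self, user_id, submitted):
        """Return 'ok', 'invalid', 'expired' or 'locked'. The caller marks the session
        as authenticated only on 'ok'; nothing the client sends back is trusted."""
        now = self.clock()
        entry = self._entries.get(user_id)
        if entry is None:
            return "invalid"
        if now < entry["locked_until"]:
            return "locked"  # even a correct code is refused during the lockout
        if now - entry["issued"] > OTP_TTL:
            del self._entries[user_id]
            return "expired"
        if hmac.compare_digest(entry["code"].encode(), str(submitted).encode()):
            del self._entries[user_id]  # single use
            return "ok"
        entry["attempts"] += 1
        if entry["attempts"] >= MAX_ATTEMPTS:
            entry["locked_until"] = now + LOCKOUT
            return "locked"
        return "invalid"
```

Because LOCKOUT is longer than OTP_TTL, a user who trips the lockout can never resume guessing the same code; they must request a new one, which is also the event worth alerting on when it repeats.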
Pre-generation attacks
  - Spoofable identifiers
      Gradual (sequential) identifiers:
        Numeric identifiers, e.g.: /api/v1/users/getToken/12, /api/v1/users/getToken/13
        Alphanumeric identifiers, e.g.: 1. /api/v1/users/getToken/username12  2. /api/v1/users/getToken/username13
  - QR Code attacks: with applications that generate QR Codes for authentication / authorization actions, we can exploit these misconfigurations before generation, decode the QR Code after generation, then take other users' access_tokens, for example.
      Changing a value in the back-end that will be used to generate the QR Code later to retrieve data, e.g.:
        {"username":"someUser","user_id":12,"action":"getToken"}
      Changing a value in the back-end that will be used to generate the QR Code later to perform an action, e.g.:
        {"username":"someUser","user_id":12,"action":"loginAuthorize"}

API Methods
  - HTTP Verbs: DELETE, PATCH, PUT, etc. [based on your case]
      In some applications the behaviours of deleting, adding or updating info are normal, so these are considered vulnerabilities based on your application logic.
      Administrative functions, e.g.: /api/v1/admin/delete?resource_id=, /api/v1/admin/update?resource_id=, /api/v1/admin/post?resource_id=

Dynamic attacks
  - Real-time applications
  - Response based

Broken function level authorization
  - Improper authorizations
      Anonymous user access to functions that require authenticated users
      Anonymous user access to functions that retrieve authenticated users' data
      etc.
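Sequential identifiers such as /api/v1/users/getToken/12, /13, /14 leave a distinctive trace in access logs: one client touching many distinct ids on one route template, often in a monotone run and with a mix of 200 and 403 responses. The following is an added detection example, not part of the mindmap: it parses combined-format log lines, collapses numeric path segments into a {id} template, and flags clients that exceed a distinct-id threshold. The log lines, the threshold and the route names are constructed for the example.

```python
"""Detecting identifier enumeration against an API from access logs (added example)."""
import re
from collections import defaultdict

# Combined log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A purely numeric path segment, e.g. the 12 in /users/getToken/12
ID_RE = re.compile(r'/(\d+)(?=/|$)')

# Constructed sample: one client walks ids 12..16, another makes ordinary requests.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /api/v1/users/getToken/12 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /api/v1/users/getToken/13 HTTP/1.1" 200 510
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /api/v1/users/getToken/14 HTTP/1.1" 403 98
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /api/v1/users/getToken/15 HTTP/1.1" 403 98
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /api/v1/users/getToken/16 HTTP/1.1" 200 509
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /api/v1/users/getToken/42 HTTP/1.1" 200 511
198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /api/v1/orders/202?fmt=json HTTP/1.1" 200 3001
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def route_template(path):
    """Strip the query string and replace numeric segments with {id}
    so /x/12 and /x/13 group together."""
    return ID_RE.sub("/{id}", path.split("?", 1)[0])


def find_enumeration(log_text, min_distinct=4):
    """Return (ip, template, distinct_ids, longest_sequential_run, denied_count)
    for every client/template pair touching at least min_distinct distinct ids."""
    seen = defaultdict(list)
    denied = defaultdict(int)
    for rec in parse(log_text):
        bare = rec["path"].split("?", 1)[0]
        ids = [int(x) for x in ID_RE.findall(bare)]
        if not ids:
            continue
        key = (rec["ip"], route_template(rec["path"]))
        seen[key].append(ids[0])
        if rec["status"] in ("401", "403", "404"):
            denied[key] += 1
    alerts = []
    for key, ids in seen.items():
        distinct = len(set(ids))
        if distinct < min_distinct:
            continue
        run = best = 1
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        alerts.append((key[0], key[1], distinct, best, denied[key]))
    return alerts
```

The denied count matters as much as the distinct count: a client that keeps walking ids after several 403s is not a confused legitimate user, and that combination is a good trigger for rate limiting the client or invalidating its token.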

  - Verbs & endpoints manipulations
      When accessing some endpoints under the 'admin' endpoint, sometimes you can retrieve sensitive info, e.g.:
        /api/v1/users/info?uID=1
        /api/v1/admin/users/info?uID=1
      Some applications block integer identifiers except the current user's ID, but if you put something like 'all' you can retrieve the whole application's users' info, e.g. /api/v1/users/?id=myID, or without using the id parameter: /api/v1/users/all
  - Exploit endpoints for possible internal access
      Exploiting ordinary functions to try to access internal resources, via LFD for example, e.g.:
        /api/v1/Ajax/resource?url=/end/point
        /api/v1/Ajax/resource?url=../..//etc/passwd
      Turning the normal resource grabber into an SSRF-vulnerable machine lets you perform SSRF attacks in their contexts, e.g.:
        /api/v1/Ajax/resource?url=/end/point
        /api/v1/Ajax/resource?url=http://127.0.0.1
      Execute functions against internal resources, e.g.:
        /api/v1/Ajax/PUT?url=/user/profile/pic
        /api/v1/Ajax/PUT?url=http://127.0.0.1/shell.ext
      etc.

Captcha attacks
  - Captcha implementation
      Captcha reuse
      Weak captcha
      Unauthorized access to the captcha generation endpoint could be used to autofill the captcha
      Insufficient cooldown timing allows brute-forcing attacks

Weak authentication security design
  - Credentials stuffing
      Leaked in public compromised databases
      OSINT-based credentials on the target
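The url parameter of the resource grabber and the id parameter that accepts 'all' are the same defect seen from two sides: the server parses an untrusted string into a server-side target. The hardened pattern, shown here as an added example that is not the mindmap's code, is to stop doing that: the client supplies a short allowlisted name that maps to a fixed internal path, and ids are parsed as bounded integers only. The INTERNAL_ROUTES map and the list_users handler are constructed for the example.

```python
"""Hardening an internal resource-fetching endpoint and an id parameter (added example)."""
from urllib.parse import unquote, urlsplit

# Allowlist: client-supplied key -> fixed internal path. Nothing else is fetchable.
INTERNAL_ROUTES = {
    "profile_pic": "/user/profile/pic",
    "end_point": "/end/point",
}


class BadRequest(ValueError):
    pass


def resolve_internal_target(url_param):
    """Return the internal path for an allowlisted key, or raise BadRequest.

    Absolute URLs, schemes, hosts, traversal and percent-encoded variants are all
    rejected before anything is fetched, which removes the SSRF/LFD surface entirely.
    """
    raw = unquote(url_param or "")
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc or raw.startswith("//"):
        raise BadRequest("absolute URLs are not accepted")
    if any(ch in raw for ch in ("/", "\\", "\x00")) or ".." in raw:
        raise BadRequest("path characters are not accepted")
    try:
        return INTERNAL_ROUTES[raw]
    except KeyError:
        raise BadRequest("unknown resource") from None


def parse_object_id(value, max_id=2**31 - 1):
    """Strict integer id: rejects 'all', '', signs, whitespace, unicode digits, huge values."""
    if not isinstance(value, str) or not value.isascii() or not value.isdigit() or len(value) > 10:
        raise BadRequest("id must be a positive integer")
    n = int(value)
    if n < 1 or n > max_id:
        raise BadRequest("id out of range")
    return n


def list_users(principal_id, id_param):
    """Handler for /api/v1/users/?id=...: only the caller's own record, never a magic 'all'."""
    uid = parse_object_id(id_param)
    if uid != principal_id:
        raise BadRequest("not found")
    return {"id": uid}


def rejects(fn, *args):
    """Helper for tests: True when fn(*args) raises BadRequest."""
    try:
        fn(*args)
        return False
    except BadRequest:
        return True
```

If a real deployment genuinely needs to fetch arbitrary internal paths, the allowlist should still live on the server side and the outbound client should bind to a network namespace that cannot reach loopback or metadata addresses; validating strings alone is the weaker of the two controls.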
  - Default credentials
      High privilege defaults: admin:admin, administrator:administrator, root:toor
      Low / custom privilege defaults: guest:guest, test:test, user:user
      etc.
  - Weak credentials

Improper assets management
  - Use of non-production resources, which in most cases are not protected, to attack the production resources: env, test, example, publicly accessible productions, branches, old releases, etc.
  - Default endpoints which are automatically enabled with some frameworks (e.g. Spring Boot): heapdump, dump, etc.

Insecure transmission of sensitive data
  - Sending data in GET requests / URLs
  - Weak encryption mechanism
  - Weak encryption keys
  - Sending data in plain text

Business attack
  - Price manipulation
  - Amount manipulation
  - Currency manipulation
  - Deletion of resources
  - Manipulating resources
  - etc.

Mass Assignment
  - Privilege escalation, e.g.: {"is_admin":true}
  - Bypass restrictions
      e.g.: {"verified":true} (email verification)
      e.g.: {"default_pass":true} (default password enabled): in some applications this allows the user to change their password without restrictions / verification
  - etc.

Broken User Authentication
  - Response manipulation: manipulate the server's responses to bypass the authentication mechanism in dynamic applications.
  - API keys attacks: Weak API keys, Use of leaked API keys, Improper API key rotation, etc.
  - Access token attacks
      Privilege attack: executing high privilege functions with a low privilege access token.
      Improper access token validation: accessing other users' content / data with the attacker's access token.
      etc.
  - Insecure implementation of authentication logic
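Mass assignment comes from binding the whole request body onto the model. The following added example (not the mindmap's code) shows the vulnerable handler next to the hardened one: the hardened version binds an explicit allowlist of profile fields with type checks, rejects rather than silently drops unknown keys (so an attempted {"is_admin": true} shows up in the 400 and in logs), and moves privileged fields to a separate authorized operation. The User model and field list are constructed for the example.

```python
"""Mass assignment: binding a JSON body with and without an allowlist (added example)."""
from dataclasses import dataclass


@dataclass
class User:
    id: int
    email: str
    display_name: str = ""
    is_admin: bool = False
    verified: bool = False
    default_pass: bool = False


class BadRequest(ValueError):
    pass


def update_profile_unsafe(user, body):
    """Vulnerable 'before': every key of the client body that matches an attribute is written."""
    for key, value in body.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


# The only fields a profile update may change, with the type each must have.
PROFILE_FIELDS = {"display_name": str, "email": str}


def update_profile(user, body):
    """Hardened 'after': explicit allowlist, type checks, unknown keys rejected before any write."""
    unknown = set(body) - set(PROFILE_FIELDS)
    if unknown:
        raise BadRequest(f"fields not writable here: {sorted(unknown)}")
    for key, typ in PROFILE_FIELDS.items():
        if key in body:
            if not isinstance(body[key], typ):
                raise BadRequest(f"{key} must be {typ.__name__}")
            setattr(user, key, body[key])
    return user


def set_admin(actor, user, value):
    """Privileged fields change only through a separate operation with its own check."""
    if not actor.is_admin:
        raise PermissionError("admin only")
    user.is_admin = bool(value)
    return user


def rejected(user, body):
    """Helper for tests: True when update_profile refuses the body."""
    try:
        update_profile(user, body)
        return False
    except BadRequest:
        return True
```

Rejecting unknown keys instead of ignoring them is a deliberate trade: it breaks clients that send extra fields, but it turns every probe for is_admin, verified or default_pass into a logged 400 rather than a silent no-op.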

  - Token based attacks
      JWT attacks
        Weak secret
        Lack of JWT verification (any token will be accepted)
        Weak algorithm, e.g. the [none] algorithm
        Signature bypass, e.g. kid injection + SQL injection
        etc.
      Non-expiring JWTs, access tokens and sessions
      etc.
  - Timing attacks
  - Attacking various authentication systems: the authentication systems vary from one application to another, so there is no standard method to break them; it is based on your creative ability :)

Injection
  - SQL Injection
  - NoSQL Injection
  - LDAP Injection
  - OS Command Injection
  - XML Injection
  - etc.

Security misconfiguration
  - CORS misconfiguration
  - Stack traces, e.g. ASP.NET stack trace
  - Outdated systems
  - Exposed storage or server management panels, e.g. S3 buckets
  - etc.

Excessive Data Exposure
  Some applications return more than the required data, thus the attacker can access sensitive info like CVV, location, National Security Numbers, etc.
  - Profiling systems, e.g. /api/clients/show?id=13
  - Information retrieval systems, e.g. /api/orders/show?order_id=202
      Here BOLA will be part of the attack, to make the application return sensitive info (which isn't required, but the application retrieves it).
  - Communicative systems: Comments endpoint, Messages endpoint, Notifications endpoint, etc.
  - Logging endpoints
  - etc.
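Each JWT node above maps to one missing check in the verifier. The following is an added example, not the mindmap's code and not a real JWT library: a minimal HS256 verifier written with the standard library so the checks are visible. It never takes the algorithm from the token header (so alg=none and algorithm confusion fail), resolves kid only as a key into a fixed in-memory map (so kid is never used to build a file path or SQL query), requires and checks exp, and compares signatures in constant time. The KEYS map and the sign() helper's alg/key parameters (used only to forge bad tokens for the test) are constructed for the example.

```python
"""JWT verification that closes the JWT-attack nodes (added example, not a library)."""
import base64
import hashlib
import hmac
import json
import time

# kid -> secret, fixed at startup. Constructed example key; never reuse it.
KEYS = {"k1": b"constructed-example-key-do-not-use-32b"}
EXPECTED_ALG = "HS256"  # the server decides the algorithm, not the token


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(claims, kid, alg=EXPECTED_ALG, key=None):
    """Issue a token. alg and key are parameters only so tests can build bad tokens."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    if alg == "none":
        return signing_input + "."
    key = KEYS[kid] if key is None else key
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class InvalidToken(Exception):
    pass


def verify(token, now=None):
    """Return the claims of a valid token or raise InvalidToken."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        signature = b64url_decode(s_b64)
    except ValueError:  # wrong part count, bad base64, bad UTF-8 or bad JSON
        raise InvalidToken("malformed") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("malformed")
    # 1. Never take the algorithm from the token: alg=none and confusion attacks stop here.
    if header.get("alg") != EXPECTED_ALG:
        raise InvalidToken("unexpected alg")
    # 2. kid is only ever a dictionary key; no path, no query is built from it.
    kid = header.get("kid")
    key = KEYS.get(kid) if isinstance(kid, str) else None
    if key is None:
        raise InvalidToken("unknown kid")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    # 3. Constant-time comparison; an empty or truncated signature is simply unequal.
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    # 4. exp is mandatory: non-expiring tokens are rejected, not tolerated.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or now >= exp:
        raise InvalidToken("missing or expired exp")
    return claims


def is_rejected(token, now):
    """Helper for tests: True when verify() refuses the token."""
    try:
        verify(token, now=now)
        return False
    except InvalidToken:
        return True
```

The weak-secret node is addressed outside the code: KEYS must hold a random secret of at least the hash output length (32 bytes for HS256) and be rotated by adding a new kid and retiring the old one, which this verifier supports because it only ever consults the map.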
