I just found an unbelievable number of unauthorized API endpoints using this 1 liner.
katana -u $url -hl -nos -jc -silent -aff -kf all,robotstxt,sitemapxml -c 150 -fs fqdn |subjs | python3 /opt/JSA/jsa.py |goverview probe -N -c 500 |sort -u -t';' -k2,14 |cut -d ';' -f1
☃️OWASP API Security 2023 Checklist☃️
In this checklist read on different scenarios to test APIs such as
➡️Broken authentication
➡️Server side request forgery
➡️Improper asset management
and much more...
#bugbounty#cybersecurity#infosec
I wrote a blog post regarding the technical details of CVE-2022-31700. It's an interesting case study of attacking custom Java Bean Validators (JSR 380) for RCE: https://t.co/UUAh4bVtf8
The original advisory can be found here: https://t.co/XmIKxAgPJT