HackingHub

3.2K posts

@hackinghub_io

Educating the next generation of ethical hackers.

United Kingdom, joined April 2019
14 Following, 12.5K Followers
HackingHub@hackinghub_io·
I was recently hunting for IDOR in a web app, but couldn't find IDs anywhere. The app just used session tokens. Eventually I found it, the "unsubscribe" link! 3rd party and microservices often process data using a raw database ID. It pays to sign up to newsletters!
HackingHub@hackinghub_io·
Obviously a SQLi vuln. 💉 But what does your payload look like? What's your process from here?
HackingHub@hackinghub_io·
This will search the indexed Postman pages. If the docs exist, look for Authorization: Bearer, x-api-key, or client_secret. You will frequently find live production tokens hardcoded in the example requests. Use different search engines to have reliable results.
HackingHub@hackinghub_io·
Postman’s "Publish Document" feature defaults to keeping environment variables if they are saved in the active scope. These get indexed by Google. ✅ Try dorking: site:documenter.getpostman.com "targetapp[.]com"
HackingHub@hackinghub_io·
You're mapping the main API of your target, but hit a wall due to authentication. You’re thinking of brute-forcing the API. But what if a dev published the API docs for a contractor and forgot to remove the Authorization headers or environment variables? 👇🧵
HackingHub@hackinghub_io·
That’s the magic of the trailing slash. 🪄 Want to practice your hacking techniques on real-world scenarios? Totally FREE! 👇 hhub.io/eSLRYyLUEV
HackingHub@hackinghub_io·
What may have happened: The security rule protected /api/v1/users strictly, but the controller still accepted /api/v1/users/. The request reached the same controller through a path the security rule did not cover correctly.
HackingHub@hackinghub_io·
Are you testing a Java Spring Boot app that uses RBAC to protect API endpoints? Spring Security may use AntPathRequestMatcher for access rules. If the rules are written too strictly, like locking down /api/v1/users but not /api/v1/users/, an authorization mismatch can happen 👇🧵
HackingHub@hackinghub_io·
The depth of your assumptions and the persistence of your efforts determine your skill ceiling 🕶️
HackingHub@hackinghub_io·
Don't get stuck in the "massive subdomain" trap 👇
HackingHub@hackinghub_io·
"Where do I start with Bug Bounty? Where do I actually sign up and register?" It’s the most frequent question we receive from the community. Here is the answer 👇
HackingHub@hackinghub_io·
If you're a bug bounty hunter or you want to become one, watch this. Here are 3 tips from @nahamsec on what you should be doing right now 👇
HackingHub@hackinghub_io·
The gateway may see this request under your authorized path and allow it. The backend then normalizes the traversal and routes to the victim’s directory. This only works if there’s a normalization mismatch between layers. That’s broken access control. ⛓️‍💥
HackingHub@hackinghub_io·
API gateway path normalization abuse. Gateways and backend APIs may normalize URL paths (like .. ; %2f) differently. For example, a gateway might evaluate the raw path, while the origin server decodes it (%2f → /) and resolves it, changing the final route.
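
Added example, not part of the original posts: a Python model of the layer mismatch described in the two threads above (the trailing-slash rule gap and the gateway/backend normalization gap). It authorizes on the canonical path the backend would route and lists requests that a raw-prefix rule would have let through; the function names, the /files/alice/ prefix and the sample paths are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

def canonicalize(raw_path: str, rounds: int = 3) -> str:
    """Reduce a request path to the form a decoding, dot-resolving backend routes."""
    path = raw_path
    for _ in range(rounds):                  # undo nested encoding: %252f -> %2f -> /
        path = unquote(path)
    if unquote(path) != path:                # still changing: refuse rather than guess
        raise ValueError("path does not stabilise after decoding")
    # Drop ;parameters from each segment (the ';' case the post mentions).
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    # normpath resolves '.', '..' and '//' and drops a trailing slash.
    return posixpath.normpath("/" + "/".join(segments).lstrip("/"))

def raw_rule_allows(raw_path: str, allowed_prefix: str) -> bool:
    """The weak layer: evaluates the rule on the raw, undecoded path."""
    return raw_path.startswith(allowed_prefix)

def canonical_rule_allows(raw_path: str, allowed_prefix: str) -> bool:
    """The corrected layer: canonicalize first, match on segment boundaries, fail closed."""
    try:
        canon = canonicalize(raw_path)
    except ValueError:
        return False
    prefix = allowed_prefix.rstrip("/")
    return canon == prefix or canon.startswith(prefix + "/")

def find_mismatches(paths, allowed_prefix):
    """Requests the raw rule allows but the canonical rule rejects: review or alert on these."""
    return [p for p in paths
            if raw_rule_allows(p, allowed_prefix)
            and not canonical_rule_allows(p, allowed_prefix)]

# Constructed sample request paths for a caller limited to /files/alice/.
SAMPLE_PATHS = [
    "/files/alice/report.pdf",
    "/files/alice/..%2fbob/report.pdf",
    "/files/alice/..;v=1/bob/report.pdf",
    "/files/alice/notes/",
]

if __name__ == "__main__":
    for p in find_mismatches(SAMPLE_PATHS, "/files/alice/"):
        print("mismatch:", p, "->", canonicalize(p))
```

Running the same canonicalization in every layer that makes an access decision, and rejecting paths that do not stabilise, removes the gap both threads describe.
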
HackingHub@hackinghub_io·
Join our Regex for Hackers course and level up your pattern recognition now 👇 hhub.io/Regex
HackingHub@hackinghub_io·
Let's be honest: the cat's version has more character. Literally 🕶️.