

Search results: "#30DaysofAPIsecU"
13 results

Day 22/#30DaysofAPIsecU I got 9/10 flags; the remaining one is the SSRF. This really sharpened my brain about API testing and how to solve things. On to the next lab @commando_skiipz @KoredeSec @ce3nerd @akintunero @nacss_uniosun


Day 21/#30Days I set up DVAPI today and started the CTF. Got 5/10 flags, looking forward to the remaining ones @commando_skiipz @ce3nerd @KoredeSec @nacss_uniosun @akintunero



Day 19/#30DaysofAPIsecU I tested for Mass Assignment and was able to increase my account value, freeze it, and also escalate privileges from customer to admin. Check below 👇 @commando_skiipz @ce3nerd @akintunero @KoredeSec @ireteeh


Day 18/#30DaysofAPIsecU While testing today a particular endpoint grabbed my attention, "GET /api/v1/accounts". I decided to add "admin" into the path, which returned other users' accounts. I will use them tomorrow and see what I can do with it @commando_skiipz @akintunero @ce3nerd @KoredeSec



Day 17/#30DaysofAPIsecU I took a break yesterday; now I'm back practicing what I have learnt over the last few days. I found 3 BOLAs in OpenVault Bank. Below is how I found them 👇 @commando_skiipz @KoredeSec @nacss_uniosun @ce3nerd @ireteeh @elormkdaniel


Day 15/#30DaysofAPIsecU Congratulations to me and myself, I just wrapped up my API pentesting on APIsecU. Learned a lot about finding vulnerabilities, tightening security, and thinking like an attacker. On to the next challenge @commando_skiipz @KoredeSec @ce3nerd @akintunero


Day 14/#30daysofAPIsecU Tested for injection attacks and crAPI is vulnerable; was able to inject the coupon code endpoint and got a free coupon @commando_skiipz @KoredeSec @hAPI_hacker @ce3nerd @akintunero @nacss_uniosun


Day 13/#30DaysofAPIsecU Tested for SSRF on crAPI, came out good, it was quite interesting. 2 more modules and that is all @commando_skiipz @KoredeSec @akintunero @nacss_uniosun @hAPI_hacker @ce3nerd





Day 12/#30DaysofAPIsecU While testing for Mass Assignment today on crAPI, I discovered the endpoint has a business logic vuln, which allows me to increase my account balance @commando_skiipz @nacss_uniosun @KoredeSec @akintunero @hAPI_hacker
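The Day 12 and Day 19 posts above both describe the same defect: the account-update endpoint binds whatever JSON the client sends onto the stored record, so server-owned fields (balance, frozen, role) become client-controlled. The following is an added example, not crAPI's code or the poster's; it contrasts a vulnerable "bind everything" handler with an allowlist handler and returns the rejected field names so they can be logged as a detection signal. The account record, the field names and the probe body are constructed for the demo.

```python
import copy
import logging
from typing import Dict, List, Set, Tuple

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("account-api")

# Constructed account record, standing in for the row the API loads for the caller.
ACCOUNT = {
    "id": 42,
    "owner": "mr.test",
    "email": "mr.test@example.invalid",
    "display_name": "Mr Test",
    "balance": 100.0,       # server-owned: only ledger code may change it
    "frozen": False,        # server-owned: only fraud/ops tooling may change it
    "role": "customer",     # server-owned: only an admin workflow may change it
}

# The only fields a customer may change about their own account (assumed policy).
CUSTOMER_WRITABLE: Set[str] = {"email", "display_name"}

# Constructed request body of the kind sent during a mass-assignment check:
# one legitimate field plus three attempts at server-owned ones.
PROBE_BODY = {"display_name": "Mr Test", "balance": 999999.0, "frozen": True, "role": "admin"}


def update_account_vulnerable(account: Dict, body: Dict) -> Dict:
    """The defect: every key in the JSON body is written straight onto the record."""
    updated = copy.deepcopy(account)
    updated.update(body)
    return updated


def update_account_safe(account: Dict, body: Dict,
                        writable: Set[str] = CUSTOMER_WRITABLE) -> Tuple[Dict, List[str]]:
    """Copies only allowlisted fields; every other key is dropped and reported.

    Returns (updated_record, rejected_field_names). Rejected names are also
    logged, because repeated attempts to set balance/role from a customer
    session are exactly what a mass-assignment probe looks like in the logs.
    """
    updated = copy.deepcopy(account)
    rejected: List[str] = []
    for key, value in body.items():
        if key in writable:
            updated[key] = value
        else:
            rejected.append(key)
    rejected.sort()
    if rejected:
        log.warning("account %s: client attempted to set protected fields %s",
                    account["id"], rejected)
    return updated, rejected


def demo() -> Dict[str, object]:
    """Run both handlers over the constructed probe and summarise the difference."""
    vuln = update_account_vulnerable(ACCOUNT, PROBE_BODY)
    safe, rejected = update_account_safe(ACCOUNT, PROBE_BODY)
    return {
        "vulnerable_role": vuln["role"],        # "admin": privilege escalation
        "vulnerable_balance": vuln["balance"],  # 999999.0: balance tampering
        "safe_role": safe["role"],              # "customer": unchanged
        "safe_balance": safe["balance"],        # 100.0: unchanged
        "rejected": rejected,                   # ["balance", "frozen", "role"]
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist belongs in the handler for the customer route specifically; an admin route can pass a wider `writable` set to the same function, which keeps the decision about who may write `role` in one place instead of scattered across model code.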




Day 11/#30DaysofApisecU Lights out, decided to watch some part of my YouTube video "Red team recon" by hackersploit, hoping for a better tomorrow @commando_skiipz @KoredeSec @nacss_uniosun


Day 10/#30DaysofAPIsecU Tested for BFLA (Broken Function Level Authorization). Mr Test was able to delete Mrs Test's private video by changing the video ID; before that, an admin endpoint was found and it's vulnerable @commando_skiipz @KoredeSec @nacss_uniosun @elormkdaniel



Day 9/#30daysofAPIsecU Tested and confirmed BOLA on the vehicle endpoint by using another vehicle UUID. Did not bother to change the token since it was confirmed yesterday that it doesn't check for anything @commando_skiipz @KoredeSec @akintunero



Day 8/#30daysofAPIsec I ran jwt_tool against crAPI's dashboard endpoint and discovered the JWT implementation is critically broken: it accepts invalid signatures, unsigned tokens (alg:none), forged JWKS, and SQL injection in the kid claim. Almost every major JWT attack returned 200
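The four failures listed in the Day 8 post each map to one missing check in the verifier. The following is an added example, not crAPI's code or jwt_tool's: a minimal HS256 verifier written with the standard library that enforces an algorithm allowlist (so `alg:none` and any other unlisted value fail closed), validates `kid` against a strict pattern before it is used as a lookup key, resolves keys only from a server-side table rather than from anything the token names, and compares the recomputed signature in constant time. The key table, the secret, and the probe tokens built in `demo()` are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import re
from typing import Dict, Optional, Tuple

# Constructed key table: kid -> HMAC secret. A real service loads this from
# configuration or a pinned JWKS it fetched itself; it never dereferences a
# jku/x5u URL or trusts key material carried inside the token.
KEYS: Dict[str, bytes] = {"key-2024-01": b"constructed-demo-secret-not-for-production"}
ALLOWED_ALGS = {"HS256"}                            # server policy, not the token's choice
KID_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,64}")    # kid is an identifier, never a query fragment


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(header: dict, payload: dict, secret: Optional[bytes]) -> str:
    """Build a compact JWT. secret=None produces an unsigned token (empty signature)."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if secret is None:
        return f"{h}.{p}."
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def verify(token: str) -> Tuple[bool, str, Optional[dict]]:
    """Return (accepted, reason, payload). Each rejection names its cause for logging."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed: expected three segments", None
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
    except (ValueError, binascii.Error):
        return False, "malformed: header is not valid JSON", None
    if not isinstance(header, dict):
        return False, "malformed: header is not an object", None
    # 1. Algorithm allowlist: "none", "None", RS256 and friends all fail here.
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        return False, f"rejected: alg {alg!r} not in allowlist", None
    # 2. kid is pattern-checked before it touches any lookup (DB, file, JWKS).
    kid = header.get("kid")
    if not isinstance(kid, str) or not KID_PATTERN.fullmatch(kid):
        return False, "rejected: kid fails pattern check", None
    secret = KEYS.get(kid)
    if secret is None:
        return False, "rejected: unknown kid", None
    # 3. Recompute the MAC over the exact encoded segments and compare in constant time.
    try:
        given = _b64url_decode(s_b64)
    except binascii.Error:
        return False, "rejected: signature is not base64url", None
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return False, "rejected: signature mismatch", None
    # 4. Only now is the payload parsed and trusted.
    try:
        payload = json.loads(_b64url_decode(p_b64))
    except (ValueError, binascii.Error):
        return False, "malformed: payload is not valid JSON", None
    return True, "accepted", payload


def demo() -> Dict[str, str]:
    """Run the verifier over constructed probes matching the Day 8 findings."""
    secret = KEYS["key-2024-01"]
    hdr = {"alg": "HS256", "typ": "JWT", "kid": "key-2024-01"}
    good = make_token(hdr, {"sub": "user1", "role": "user"}, secret)
    h, _, s = good.split(".")
    forged_payload = _b64url_encode(b'{"sub":"user1","role":"admin"}')
    probes = {
        "valid": good,
        "alg_none": make_token({"alg": "none", "kid": "key-2024-01"}, {"sub": "user1", "role": "admin"}, None),
        "tampered_payload": f"{h}.{forged_payload}.{s}",     # original signature, edited claims
        "kid_injection": make_token({"alg": "HS256", "kid": "key-2024-01' OR 1=1"}, {"sub": "user1"}, secret),
        "garbage": "not.a.jwt.at.all",
    }
    return {name: verify(tok)[1] for name, tok in probes.items()}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:18s} {reason}")
```

The ordering matters: the algorithm and `kid` checks run before any key lookup, so a hostile `kid` never reaches a database or filesystem, and the payload is decoded only after the signature has been accepted, so unsigned or re-signed claims are never read at all. A production service would add `exp`/`nbf`/`aud` checks on the returned payload.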