To welcome Blackhat & Defcon conferences, we published a daily tip on Bug Bounty & AppSec during the month of July 2021.
We started this project because we wanted to help developers, security engineers, and pentesters learn about AppSec and API pentesting.
We realize it’s not easy to find resources in these fields, so this is only one project among many others yet to come :)
31 API tips — chronological order, raw format
You can find a compiled list of all the tips in a GitHub repository:
GitHub - Traceableai/31-days-of-pentesting: 31 Tips for pentesters & security engineers
Older APIs versions tend to be more vulnerable and they lack security mechanisms. Leverage the predictable nature of…
31 API tips + categories & statistics
I created a detailed spreadsheet including statistics (# of likes/retweets) and separated the tips into the following categories:
Authorization (6) | Authentication (3) | CSRF (1) | Detailed Errors (2) | File Upload (1) | Injection (5) | Path Manipulation (2) | Reconnaissance (5) | XXE (2) | IDK (3) | Mental Health (1) |
You can use filters and find what are the tips that gained the most traction:
The Best Tip for Bug Bounty Hunters
The best tip I can give you as a pentester:
Bug bounty hunting is a stressful job. If you find yourself getting overwhelmed after not finding vulns, remind yourself that some apps are just more secure than others. Apply mindfulness to your daily routine and meditate between RCEs 🧘♂️