API Hacktics: Unveiling Vulnerabilities in Modern Web APIs
Hi, I’m Akash Ghosh (myselfakash20). My friends, I want to share a recent hunt of mine for API vulnerabilities.
It was a Saturday afternoon when I decided to delve back into bug hunting. This time, I wasn’t focusing on typical web applications or frontend exploits but instead setting my sights on something more elusive: APIs. The rise of microservices and serverless architectures has made APIs the backbone of modern applications. As a bug bounty hunter, this represented fertile ground filled with lesser-known but impactful vulnerabilities.
The Target: A Fintech API
After spending hours researching potential targets, I chose a well-known fintech startup. Their platform was sleek and their bug bounty program seemed promising, with generous payouts and an explicit call for API-based vulnerabilities. I knew this was going to be an interesting journey, especially since the company’s documentation hinted at several public and private APIs that powered their web and mobile applications.
Armed with Burp Suite, Postman, and my trusty Kali Linux WSL, I started reconnaissance.
Step 1: Mapping the API
I began by passively gathering information. Using the browser’s Developer Tools, I monitored…