Inon Shkedy

@InonShkedy

Love to learn, build and break things. Head of Security Research ; API Security Project Leader

San Francisco
Joined January 2019

Tweets


Pinned tweet, 31 Dec 2019

    Starting tomorrow, we'll post a daily tip on API security & Pentesting. Follow me & , get unique tricks, learn how to break & protect APIs. Whoami? *API Security Leader *Head of Security Research @ *8+ years in AppSec;
Retweeted, 8 hours ago

    Meet our expert of the day: will talk about and . And that's not all, he will also give a session about (the gold standard in AppSec)!
Retweeted, 2 hours ago
    Replying to

    Happy to see active in . I feel safer knowing that.
Retweeted, 1 Feb

    -API TIP:31/31- Dear followers, when I created the list of daily API tips I forgot there are 31 days in January. Unfortunately I don't have an API tip for you today. Instead, here's a photo of Charmander at the conference last week in
Retweeted, 1 Feb

    -API TIP: 31/31- Found a "limit" / "page" param? (e.g: /api/news?limit=100) It might be vulnerable to Layer 7 DoS. Try to send a long value (e.g: limit=999999999) and see what happens :)
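The check behind this tip, as an added example that is not part of the tweet or of any project the author runs: a pagination parser that takes `limit` and `page` straight from the client (the vulnerable shape, where `limit=999999999` turns into an equally large database LIMIT or response build on every request) next to a hardened version that parses strictly, rejects nonsense and clamps both parameters. The handler, the `MAX_LIMIT`/`MAX_PAGE` ceilings and the sample rows are constructed for the demo; the `page` ceiling is there because a huge `page` value becomes a huge OFFSET, which is just as expensive as a huge LIMIT.

```python
# Added example (not the author's code): pagination parameters as a
# Layer 7 DoS vector, and the clamp that removes it. All names, limits
# and sample data below are constructed for illustration.
from typing import Optional

DEFAULT_LIMIT = 20
MAX_LIMIT = 100        # ceiling a hardened API enforces per request
MAX_PAGE = 1000        # bounds OFFSET = (page - 1) * limit as well

# Constructed sample data standing in for a news table.
SAMPLE_ROWS = [{"id": i, "title": f"story {i}"} for i in range(1, 251)]


class BadRequest(ValueError):
    """Raised when a client supplies an unusable paging parameter."""


def naive_limit(raw: str) -> int:
    """Vulnerable: trusts the client, so limit=999999999 reaches the data
    layer unchanged and the server does O(limit) work per request."""
    return int(raw)


def _parse_bounded(raw: Optional[str], name: str, default: int,
                   ceiling: int) -> int:
    """Strict parse of a positive integer, clamped to `ceiling`."""
    if raw is None or raw == "":
        return default
    # int() also accepts "+5", " 5 " and "5_0"; insisting on plain ASCII
    # digits keeps "1e9", "0x10" and negatives out of the data layer.
    if not raw.isascii() or not raw.isdigit():
        raise BadRequest(f"{name} must be a positive integer, got {raw!r}")
    value = int(raw)
    if value == 0:
        raise BadRequest(f"{name} must be >= 1")
    return min(value, ceiling)


def safe_limit(raw: Optional[str]) -> int:
    return _parse_bounded(raw, "limit", DEFAULT_LIMIT, MAX_LIMIT)


def safe_page(raw: Optional[str]) -> int:
    return _parse_bounded(raw, "page", 1, MAX_PAGE)


def is_rejected(raw: Optional[str]) -> bool:
    """True when the hardened parser refuses the value (for the demo/test)."""
    try:
        safe_limit(raw)
    except BadRequest:
        return True
    return False


def handle_news(params: dict, rows: list) -> dict:
    """Hardened handler for /api/news?limit=..&page=.. over in-memory rows.
    The slice stands in for SELECT ... LIMIT :limit OFFSET :offset."""
    limit = safe_limit(params.get("limit"))
    page = safe_page(params.get("page"))
    start = (page - 1) * limit
    return {"items": rows[start:start + limit], "limit": limit, "page": page}


if __name__ == "__main__":
    probe = "999999999"
    print("naive limit:", naive_limit(probe))            # 999999999
    print("clamped limit:", safe_limit(probe))           # 100
    print("rejected '1e9':", is_rejected("1e9"))         # True
    print("items returned:", len(handle_news({"limit": probe}, SAMPLE_ROWS)["items"]))
```

When probing, try the whole family the parser above is written against: a very long value, `0`, a negative number, `1e9`, a hex literal, and a very large `page` with a small `limit`; a backend that only clamps `limit` still does a full scan for the OFFSET.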
Retweeted, 1 Feb
    Replying to

    Also the latest added API endpoint has a high chance of missing a specific security filter. Always make sure to the every single one of them ✊
Retweeted, 31 Jan

    In light of nearly 20 years of widespread , we interviewed about why this continues to be such a rampant issue. Take a look at his thoughts:
Retweeted, 31 Jan

    -API TIP:30/31- Got stuck during an API pentest? Expand your attack surface! If the API has mobile clients, download old versions of the APK file to explore old/legacy functionality and discover new API endpoints.

    Show this thread
Retweeted, 31 Jan

    Remember: companies don't always implement security mechanisms from day one && DevOps engineers don't often deprecate old APIs. Leverage these facts to find shadow API endpoints that don't implement security mechanisms (authorization, input filtering & rate limiting)

    Show this thread
31 Jan

    Download old APK versions of android apps:

    Show this thread
Retweeted, 30 Jan

    Thanks for providing API testing resources (tips). There isn't much info about API testing, but your tips and this blog post are awesome to learn API testing.
30 Jan

    -API TIP:29/30- APIs expose the underlying implementation of the app. Pentesters should leverage this fact to better understand users, roles, resources & correlations between them and find cool vulnerabilities & exploits. Always be curious about the API responses.
30 Jan

    Join us next week and learn about API Security & the OWASP Top 10 for APIs
Retweeted

    API or IPA? Date: Friday 02/07/2020 at 3P EST (12P PST) Registration Link: Join who is a leader of the OWASP API Security Project. Linkedin Post:
Retweeted, 28 Jan

    -API TIP:27/31- BE Servers no longer responsible for protecting against XSS. APIs don't return HTML, but JSON instead. If API returns XSS payload? - E.g: {"name":"In<script>alert(21)</script>on"} That's fine! The protection always needs to be on the client side
Retweeted, 29 Jan

    -API TIP:28/31- Pentest for .NET apps? Found a param containing file path/name? Developers sometimes use "Path.Combine(path_1,path_2)" to create full path. Path.Combine has weird behavior: if param#2 is absolute path, then param#1 is ignored. - Leverage it to control the path -

    Show this thread
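The `Path.Combine` behaviour in tip 28/31 is not .NET-specific: Python's `os.path.join` documents the same rule (an absolute component throws away everything before it), so the example below, added here and not taken from the tweet, reproduces the bug in Python and pairs it with the check that closes it: resolve the joined path and verify it is still under the intended base directory, which also stops the ordinary `../` traversal case. `BASE_DIR` and the file names are hypothetical; nothing is read from disk.

```python
# Added example (not the author's code): the Path.Combine / os.path.join
# pitfall and a base-directory check. BASE_DIR is hypothetical.
import os

BASE_DIR = "/srv/app/uploads"


def vulnerable_path(user_value: str, base: str = BASE_DIR) -> str:
    """Mirrors Path.Combine(base, user_value): if user_value is absolute,
    base is silently discarded and the caller controls the whole path."""
    return os.path.join(base, user_value)


def safe_path(user_value: str, base: str = BASE_DIR) -> str:
    """Join, canonicalise, and refuse anything that escapes `base`.
    realpath also collapses '..' and follows symlinks in existing
    components, so the containment check is made on the real location."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_value))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes {base_real}: {user_value!r}")
    return candidate


def is_blocked(user_value: str, base: str = BASE_DIR) -> bool:
    """True when safe_path refuses the value (convenience for the demo/test)."""
    try:
        safe_path(user_value, base)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for probe in ("report.pdf", "/etc/passwd", "../../etc/passwd"):
        print(f"{probe!r:22} join -> {vulnerable_path(probe)!r:32} "
              f"blocked by safe_path: {is_blocked(probe)}")
```

When you find a file-name parameter on a .NET (or Python) backend, the first two probes are exactly those: an absolute path, which defeats `Path.Combine` outright, and a `../` sequence, which only works when the code also skips canonicalisation.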
