MODULE_04 // ENDPOINT ENUMERATION

APIs, REST & the Modern Web

OPERATIONAL OBJECTIVE

Welcome back. Refresh parameters checklist: you now dominate raw HTTP transactions, header structures, storage scopes, cookie states, and cryptographic JWT properties. This node leverages those fundamentals to intercept how modern single-page apps talk to their logic databases—because almost every high-payout bug bounty target today is entirely API-driven. We will dismantle the backend assumptions that leave internal object bindings and parameter schemas naked to simple intercept vectors.

Concept 1: The Monolithic Decoupling Evolution

An Application Programming Interface (API) represents a decoupled framework of structured URLs built to return data objects rather than graphical HTML views. Traditional monolithic web layouts generated layout views on the server engine. Modern structures (React, Vue, mobile apps) render purely as a client-side layout shell that queries background logic configurations dynamically via JSON payloads.

Actor

Transaction Layer Stream

Browser Engine

GET /api/users/42 → Isolate resource context Bearer Token attached

API Gateway

Parses authorization route rules → queries object mapping schema

Data Layer

Returns unformatted database row → converts to raw JSON payload string

HTTP Intercept StreamGET /api/v2/users/42 HTTP/1.1
Host: app.target.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
Accept: application/json
X-Client-Version: 4.12.0

JSON Serialization Payload{
  "id": 42,
  "name": "John Doe",
  "email": "john@example.com",
  "role": "user",
  "is_verified": true,
  "tenant_id": 1029,
  "created_at": "2025-01-14T08:22:11Z"
}

Critical Vulnerability Realization

Because the application strips out cosmetic presentation logic at the API level, developers frequently forget to duplicate access-control barriers on the backend endpoints. They wrongly assume that because a button is hidden in the React front-end UI, a regular user cannot query the backend route. This false assumption opens the door directly to Broken Object Level Authorization (BOLA) and parameter tampering matrices.

Concept 2: REST Conventions & Routing Anomalies

Representational State Transfer (REST) maps functional business operations to standard HTTP verbs. Dissecting architectural layout rules allows you to trace authorization inconsistencies across parallel routes. Security states often shift randomly when an app converts actions into distinct verb calls:

API Route Pattern	Intended Action	Exploitation Analysis Matrix
`GET /api/users`	List all records	Look for missing pagination parameters. Append query flags like `?limit=100000`, `?showAll=true`, or `?export=csv` to leak entire multi-tenant structures via unindexed collection scans.
`GET /api/users/42`	Read specific record	IDOR Boundary (BOLA): Swap identifier numbers (e.g., `/43`, `/uuid-string`). Check if the application layer maps the resource context without validating active session ownership checks.
`POST /api/users`	Create record	Test for blind object injection. Submit duplicate creation parameters, multi-nested array sets, or structural null arrays to force syntax leakage, schema definitions, or unlinked profile registers.
`PUT /api/users/42`	Overwrite record	Attempt full account model overrides. Supply all required user schemas plus modified privilege parameters to override target permissions globally.
`PATCH /api/users/42`	Modify specific fields	Target specific sub-properties. This is an excellent target configuration for mass assignment updates against specific parameters inside single rows (e.g., changing billing tiers).
`DELETE /api/users/42`	Purge element	Test without token blocks or substitute target context values to witness if unauthenticated players can drop database items or wipe administrative tracking configurations.

Hunter's Edge: Route Version Hunting & Parameter Pollution

If a modern endpoint at /api/v3/users/42 is completely secured against authorization bugs, manually downgrade the API path version line inside your interceptor tool to /api/v2/ or /api/v1/. Engineering groups regularly leave old, unpatched API endpoints active on the same infrastructure host box to preserve backward compatibility for old legacy mobile apps or desktop clients.

Concept 3: Interactive BOLA / IDOR Lab Terminal

Broken Object Level Authorization (BOLA) occurs when an API endpoint exposes an identifier that points to a specific record, but fails to check whether the requesting user actually owns or has permission to view that record.

⚡ Dynamic Training Node: BOLA Interception Sandbox

You are currently logged in as User ID 1084 with a standard user session token. Intercept the outbound request stream and tamper with the resource identifier to view adjacent tenancy files:

Interceptor Outbound Configuration Target Endpoint URL: Authorization Header Injection:

Live Interceptor HTTP Monitor Buffer

Awaiting raw network firing routine...

Quick Load: Target Adjacent Enterprise User (ID 1085)

Quick Load: Target System Administrator Record (ID 999)

Concept 4: Harvesting Hidden API Endpoints

Production environments frequently run buried, undocumented tracking pipelines, debug toggles, and internal microservice targets that are completely omitted inside normal interface loops. Discover them using these tactical harvesting methodology channels:

DevTools Network Filter Matrix: Boot your system terminal panel, select the Network view, and isolate traffic using the **"Fetch/XHR"** filter mask while cycling internal software steps or clicking multi-tenant navigation menus.
Source Artifact JavaScript Grepping: Download the compiled JavaScript bundle assets via the Sources panel, deploy a global search trace (Ctrl + Shift + F), and parse string sequences using regular expressions or direct footprints:
```
/api\/v[0-9]/  |  "fetch\("  |  "axios\."  |  baseURL:  |  \.json  |  path:"/api/
```
API Schema Spec Documentation Dumps: Manually append directory wordlists against the application target route matrix to look for unprotected developer documentation systems:
```
/api/swagger.json  |  /swagger/ui/  |  /api/v1/docs  |  /v2/api-docs  |  /v1/swagger.yaml  |  /api/developer.json
```

Concept 5: JSON Object Binding & Mass Assignment

Mass Assignment (Broken Object Property Level Authorization) happens when a software framework blindly copies a client's entire incoming JSON object data array directly into an internal database structure without filtering out restricted system parameters.

Target Internal User Schema Mapping Data{
  "user": {
    "id": 42,
    "role": "user",
    "is_admin": false,
    "account_tier": "free",
    "email": "mregg@test.com"
  }
}

Exploitation Mechanics

When updating your profile properties via a PATCH /api/v2/settings request, look closely at what the server returns in the body response. If it returns the entire user data model object structure (including privileged internal variables like "is_admin": false or "role": "user"), append those exact hidden parameters directly into your next outbound request body payload. If the application tier handles object binding improperly, it will map your injected values directly to the live production database engine row.

⚡ Dynamic Training Node: Mass Assignment Lab

You are executing a standard profile modification request. Inject hidden administrative variables to hijack account permissions directly:

Outbound Intercepted Payload Options

Modify your email parameter:

Inject an unexposed system flag payload field:

Live Server DB State Engine Response

            Click Dispatch to run API verification routines.
          

Concept 6: GraphQL Gateways & Introspection Probing

GraphQL architectures replace multiple separate REST routes with a single centralized communication gateway endpoint (typically /graphql or /v1/graphql). Instead of using fixed URL pathways, the frontend client submits raw queries defining the exact data layout it needs.

Standard GraphQL Query TransmissionPOST /graphql
Content-Type: application/json

{"query": "query { user(id: 42) { name profile_avatar email } }"}

Critical GraphQL Vulnerability Vectors

Production Introspection Leaks: If the internal __schema validation feature is left turned on in production setups, anyone can query the backend for its entire technical setup map, type schema layout, available mutations, and operational parameters list.
Field-Level Authorization Bypass: Development teams frequently check authorization permissions on top-level root queries (e.g., verifying if you can access a user object context), but fail to enforce access checks on nested sub-fields or linked relational database object maps.

⚡ Dynamic Training Node: GraphQL Schema Probe Terminal

Issue a structural Introspection Query string against a dark mock /graphql endpoint to extract structural maps:

Construct Request Payload Statement

API Output Buffer

Awaiting GraphQL schema query verification data...

Real-World API Bounty Breakdowns

Critical Severity // CVSS 9.8

Mass Assignment to Account Takeover via Profile Patch

A bug bounty hunter found that adding "parent_account_id": 1 to an API user-update endpoint mapped the changes directly to the database layer. This instantly linked their profile to the target corporate master organization tier, providing full admin access control without password verification steps.

$8,500 Payout

High Severity // CVSS 8.5

GraphQL Introspection Leaks Hidden Beta API Mutations

By sending a standard introspection query payload to an enterprise corporate gateway system, a hunter extracted an undocumented administrative mutation called createNewBillingTier(), which allowed them to modify operational billing variables to null states.

$4,200 Payout

High Severity // CVSS 8.1

BOLA / IDOR within Unlinked API Invoice Exports

Tracing background Fetch calls revealed a route at /api/v1/export/invoice_id. Modifying sequential digits leaked PDF billing statements of parallel tenants without checking active cookie state associations.

$3,000 Payout

Critical Severity // CVSS 9.3

API Authentication Bypass via Null-Value Array Injection

Submitting a body payload consisting of {"user_id": [null]} instead of an expected integer token tricked the backend type validator into ignoring verification logic routines, returning a valid master administrator bearer token object.

$12,000 Payout

Chapter 4 Operational Roadmap Checks (0 / 10 Complete)

Theoretical References

[READ] Review structural concepts within MDN: Client-Side Web APIs Introduction.

[READ] Absorb REST mapping rules via freeCodeCamp: What is a REST API Architecture Guide.

[READ] Study the detailed exploitation blueprints on PortSwigger: API Testing & Validation Defect Models.

Hands-On Field Replays

[DRILL 01] Pivot onto a modern application interface. Initialize DevTools -> Network, filter explicitly via Fetch/XHR parameters, cycle content data feeds, and isolate incoming data calls.

[DRILL 02] Inspect one distinct API payload response stream. Map and document individual component tracking field keys directly inside your test sheets.

[DRILL 03] Isolate an outgoing data variable request, extract the command layout using Copy as cURL, and modify query identifiers manually within an external command shell context.

[DRILL 04] Execute manual parameter mapping attacks directly into your main address console bar, probing for exposed documentation nodes: /api/, /swagger.json, or /graphql.

[DRILL 05] Capture an active API transaction, replace content-types from application/json to application/xml, and audit if the engine drops down parsing barriers or outputs verbose syntax debugging tracks.

Core Understanding Checks

Verification Quest 01: API Vulnerability Footprint

Can you explain why the modern web application model renders typical HTML view source tracing obsolete, shifting the complete attack surface into background JSON endpoints?

Verification Quest 02: Mass Assignment Logic Mechanics

Define the core flaw that causes Mass Assignment inside update routes and how an application layer improperly maps unvalidated incoming object data keys into production rows.