13,908 views
In this video we cover how to read JSON and XML, specifically to find information disclosure vulnerabilities. We cover how to approach a target when a URL returns JSON or XML, how to tell whether you've found an information disclosure, and how to exploit it! I want to really demystify JSON/XML and make you feel more at ease with how JSON/XML works and how you can read it. We also cover other vulnerabilities that might exist when a URL returns JSON or XML.
Did you know this episode was sponsored by Intigriti? Sign up with my link go.intigriti.com/katie I'm so pleased with everyone's positive response to the Intigriti sponsorship and I'm so pleased you folks are finding bugs and even finding your first bugs! Thank you for being awesome!
Further reading:
- JSON Formatter: jsonformatter.org
- JSON serialization of any Project model results in all Runner tokens being exposed through Quick Actions: hackerone.com/reports/509924
- An invite-only's program submission state is accessible to users no longer part of the program: hackerone.com/reports/800109
- latest_activity_id and latest_activity_at may disclose information about internal activities to unauthorized users: hackerone.com/reports/724944
- Team member with Program permission only can escalate to Admin permission: hackerone.com/reports/605720