Dana Epp's Blog
Security (de)engineering for fun and profit
Learn how to use contextual discovery and path prediction to find hidden API endpoints during your security testing.
Learn how to use the generative AI models built into Postman to quickly build tests to check for vulnerabilities in the APIs you are testing.
Learn how to leverage a command injection vulnerability found in an API to gain a reverse shell to a server with nothing more than cURL.
Learn how to set up your own wiretaps on compromised web servers to remotely collect sensitive data for use in API privesc.
Learn how to get the most out of the reporting capabilities built into PortSwigger’s Burp Suite Professional.
Learn how to use server-side prototype pollution (SSPP) to abuse an API written in NodeJS for privilege escalation and remote code execution.
Learn how to look for those old forgotten zombie APIs that can be a goldmine of vulnerabilities and security loopholes.
Learn how to find vulnerabilities in multi-tenant apps and APIs that expose cross-tenant data leaks (CTDL) during your security testing.
Discover ways to modify API requests during testing to corrupt data and manipulate code flow, allowing you to uncover new vulnerabilities.
Learn how to find and extract sensitive secrets and source code to APIs hidden within the layers of Docker container images.