...
What did you accomplish this past week?
API Pentesting: Extracted all API URLs with different parameters and tested them with different user permissions using an automated IDOR workflow built in Trickest (also wrote a blog post about it).
Tested APIs for SQL injection: Found 5 error-based SQL injection vulnerabilities in the client, loans, and dataTable APIs.
I got help and guidance from my mentor to test web-app dependencies for vulnerabilities and to check their licenses to see if they are using GPL/AGPL.
Found open directories leaking all plugins and log files.
Created a draft PR in Fineract to mitigate a log injection vulnerability.
I was analyzing the web-app codebase for potential security issues and tried to escalate bugs from there.
Analyzed CVEs for the open-source software versions I found.
Tested some self-service APIs.
What will you do this upcoming week?
Continue with API pentesting and create some more PRs in Fineract.
I will utilize the power of Nuclei templates and try to escalate the vulnerabilities found to have a greater impact.
What obstacles are impeding your progress?
None
Would you like help from some mentor for this task?
Not right now
...