Dashboard Hunt Learn Certs Journal Flashcards

Search

Press ESC to close
Notifications

No new notifications

Settings

Study Preferences

Daily Study Goal Hours per day
Flashcard Session Size Cards per session

Notifications

Study Reminders Daily reminder to study
Flashcard Due Alerts When cards are due for review

Display

Theme Color scheme
Back to Modules
api

WebSocket Security

WebSocket protocol security and testing

0%
45 min
Tier 2
5 flashcards

Key Concepts

Security Mindset

Think like an attacker - what can go wrong, what can be abused?

Defense in Depth

Multiple layers of security controls, no single point of failure.

Least Privilege

Grant minimum permissions needed for functionality.

Trust Boundaries

Identify where data crosses trust levels and validate at each boundary.

Learning Material

What You'll Learn

WebSocket protocol security and testing

Security Mindset

Think like an attacker - what can go wrong, what can be abused?

Defense in Depth

Multiple layers of security controls, no single point of failure.

Least Privilege

Grant minimum permissions needed for functionality.

Trust Boundaries

Identify where data crosses trust levels and validate at each boundary.

API Security Research

Purpose: Deep understanding of API vulnerabilities for bug bounty hunting
Priority: HIGH (API testing is core to modern bug bounty)
Last Updated: December 28, 2025

Contents

Core Concepts

  1. REST API Security
  2. GraphQL Security
  3. WebSocket Security

Attack Techniques

  1. REST API Attacks
  2. GraphQL Attacks
  3. WebSocket Attacks
  4. Rate Limiting Bypass

Case Studies

  • Case Studies Index

Quick Reference

OWASP API Security Top 10 (2023)

Rank Vulnerability Your Agent
API1 Broken Object Level Authorization h1-auth-agent
API2 Broken Authentication h1-auth-agent
API3 Broken Object Property Level Authorization h1-api-agent
API4 Unrestricted Resource Consumption h1-api-agent
API5 Broken Function Level Authorization h1-auth-agent
API6 Unrestricted Access to Sensitive Business Flows h1-race-agent
API7 Server Side Request Forgery h1-api-agent
API8 Security Misconfiguration h1-hunter-agent
API9 Improper Inventory Management h1-recon-agent
API10 Unsafe Consumption of APIs h1-api-agent

Testing Priority

Attack Type Payout Range Difficulty
IDOR via API $5K-$50K Medium
GraphQL Injection $3K-$15K Medium
Mass Assignment $1K-$5K Easy
Rate Limit Bypass $500-$3K Easy
SSRF via API $5K-$20K Medium
  • Previous: 01_auth_and_access
  • Next: 03_race_and_logic
  • Main: Knowledge Base README

Practical Examples

Practice examples coming soon. Check the Certs section for related labs.

Test Questions

Q

What is OWASP API Top 10?

Q

How do you enumerate API endpoints?

Q

What is excessive data exposure in APIs?

Test Your Knowledge

Review these flashcards to reinforce your understanding

Q

What is OWASP API Top 10?

A

Tap to reveal

Q

How do you enumerate API endpoints?

A

Tap to reveal

Q

What is excessive data exposure in APIs?

A

Tap to reveal

Start Flashcard Review

Your Progress

Started
2
Halfway
3
Complete

Study Tips

  • Read through the concepts first
  • Try the practice labs hands-on
  • Review flashcards daily
  • Document what you learn in your journal