Weekly Pentest Tips & Tricks
- Buy now
- Learn more
Pentesting

0x00 - Sandbox Escape in Point of Sale (POS)
0x01 - Triggering XSS using Custom Named Tags
0x02 - Finding Broken Authentication in 30 Seconds
0x03 - Boosting the Impact of Your Vulnerabilities
0x04 - Reading Arbitrary Chat Message from Intercom Widgets
0x05 - Dumping Database Tables using Underscore Wildcards
0x06 - Exfiltrating JWTs from Source Page
0x07 - Crashing GraphQL using Recursive Queries
0x08 - Improving Folder Enumeration Discovery
0x09 - Bypassing CAPTCHA - Techniques
0x11 - Injecting Payloads in Email Address Fields
0x12 - Formatting XSS Payloads for XML Forms
0x13 - Processing Payload Lists for Better Results
0x14 - Discovering Hidden Endpoints in Link Headers
0x15 - Scanning Internal Networks using SSRF
0x16 - Path Traversal - Techniques
0x17 - Exploiting Race Conditions
0x18 - Advanced Payload Injection using Burp Hackvertor
0x19 - Taking Over Accounts using Open Redirect
0x20 - Pentesting Firebase using Artillery Fire
0x21 - Automated Discovery of Dangerous JS Functions
0x22 - Sending Phishing Links using Registration Forms
0x23 - Leaking Private Emails through Google SSO
0x24 - Finding Circular References using GraphQL Voyager
0x25 - OOB Template Injection in Phone Text Message
0x26 - Pentest Automation using Python and Burp Extension
0x27 - Spoofing Emails through Client-Side Bypass
0x28 - Taking Over Azure Subdomain at Scale
0x29 - JWT Pentest Automation
0x30 - Finding Hidden API Endpoints in WADL Files
0x31 - Pentest Automation using Bamdas Filters
0x32 - Exploiting Command Injection in Azure Webapps
0x33 - Hiding Uninteresting HTTP Headers
0x34 - Bypassing File Upload in Google Firebase Storage
0x35 - Phishing Email using HTML Injection
0x36 - Reading Arbitrary Files using Login Wallpapers
0x37 - Bypassing REGEX Rules for Open Redirect
0x38 - Exploiting Range Header for Directory Listing
0x39 - Finding SSRF Vulnerabilities in PDF Generators
0x40 - Abusing Information Leakage for Account Takeover
0x41 - Crashing Applications using Large Inputs
0x42 - Bypassing Authorization using 0-based UUIDs
0x43 - Exploiting DMARC Policies for Email Spoofing
0x44 - Abusing Lack of Email Verification
0x45 - Exploiting Online Compilers
0x46 - Weaponizing XSS for Maximum Impact
0x47 - Abusing Misconfigured CORS Policies
0x48 - Finding NPM Dependency Confusion
0x49 - Cracking JWT Tokens
0x50 - Generating Payloads using the SCAMMPERR Framework
0x51 - Automated Discovery of Injectable Parameters
0x52 - Injecting XSS Payloads in SVG Images
0x53 - Registering Accounts using Collaborator as Inbox
0x54 - Tracking Users with Image URLs
0x55 - No Collaborator? No Problem!
0x56 - Bypassing Domain Blacklisting with Azure DNS
0x57 - Missing Request Smuggling Vulnerabilities
0x58 - Findings and Checking Google Maps API Keys
0x59 - Bypassing Files Access using Referer Header in CDN
0x60 - Fuzzing Insertion Points with Burp Scanner
0x61 - Auto Modifying Requests on the Fly
0x62 - Spoofing Location for Fun and Benefits
0x63 - Inspecting Scanner Payloads in Burp Logger
0x64 - Pentesting Admin Accounts?
0x65 - Can't Find Dependency Confusion Vulns?
0x66 - Attack Surface Discovery using Timing Attacks
0x67 - Using Premium Features for Free
0x68 - Top 10 Attacks to Try Against AI Chatbots
0x69 - Finding CSRF through Methods Change
0x70 - Pentesting SIP Protocols
0x71 - RickRolling a Payment Terminal
0x72 - Stealing the AI Chatbot Prompt
0x73 - Websocket Pentesting Extension
0x74 - Bruteforcing UUIDs with Custom Made Lists
0x75 - Validating Leaked API Keys
0x76 - XSS through Phone Number Field
0x77 - Yet Another Way to Bypass 2FA?
0x78 - Hunting for Blind XSS in Seconds
0x79 - Hunting for Attack Paths in API Documentations
0x80 - Exploiting Race Conditions with Turbo Intruder
0x81 - Seven Techniques to Bypass 403
0x82 - Exploiting Hop-by-Hop Headers
0x83 - Hacking CI/CD Pipelines - Github Workflows
0x84 - Finding Only Exploitable CVEs
0x85 - Escalating Debug Log Pages
0x86 - Email Enumeration with Slack
0x87 - SQLMap Command Generator
0x88 - Attacking GWT-RPC Apps
0x89 - Triggering XSS using PostMessage
0x90 - XSS Through HREF URLs
0x91 - Invading the DOM
0x92 - Scanning Documentations with NotebookLM
0x93 - Bypassing URL Validation
0x94 - Three Things to Consider when SQLmap Fails
0x95 - How the Microsoft MFA was Bypassed
0x96 - Analyzing Token Randomness
0x97 - Is This in Scope?
0x98 - Using SOAPI to Scan OpenAPI Documentations
0x99 - Loop Denial of Service
0x100 - The Never-Ending Trial Period
0x101 - So You Decided to Password Spray?
0x102 - File Upload Bypasses for 2025
0x103 - What is Response Filter Denial of Service?
0x104 - Train Your (Hacker) Imagination
0x105 - The Offsec Toolkit
0x106 - Finding Backups From the Past
0x107 - Should We Avoid Burp Collaborator?
0x108 - Bypassing Geolocation Restrictions
0x109 - Getting Started with Exploit Development
0x110 - Exploiting Typos in DNS Records
0x111 - Leaking YouTube Channels Emails for $10,000
0x112 - $4,000 Bounty for Clickjacking?
0x113 - What is Burp's Shadow Repeater
0x114 - Is Nuclei AI Worth It?
0x115 - How Reflected XSS is Exploited in Real World
0x116 - One Thousand Dollars for A Privacy Loophole
0x117 - Account Takeover Using Email Assistants
0x118 - Exploiting Dangling JS Dependencies
0x119 - Is Google Sabotaging Hackers?
0x120 - Reverse Engineering APIs
0x121 - Bypassing File Upload Filters with ZIP Archives
0x122 - Hunting for Orphaned Privileges
0x123 - How a Deleted Page Gave me Owner Permissions
0x124 - How to Find Your Crush on Dating Apps
0x125 - Unveiling the Hidden Secrets of the Web
0x126 - Formatting XSS Payload Lists for Fun and Profit
0x127 - Denial of.. Wallet?!
0x128 - What is a Model Context Protocol (MCP)
0x129 - Honey, I'm h̶o̶m̶e̶ payload!
0x130 - Bypass Client-Side Encryption with JS Debugger
0x131 - How to Exploit Slopsquatting
0x132 - Turning Password Reset Tokens into Backdoors
0x133 - Authentication Bypasses for 2025
0x134 - Are Browsers Sabotaging Hackers?
0x135 - Finding Secrets in the Github's "Garbage"
0x136 - API Scanning Automation FTW
0x137 - Optimizing Burp Scanner
0x138 - Vibe Coding -> More Hacking
0x139 - Look Where Others Haven’t
0x140 - Making Exploits More Reliable

0x136 - API Scanning Automation FTW

If you are into API pentesting, automation and scanning - this post is for you.

Here's a quick guide on how to use Nuclei, Docker, OpenAPI Documentations and Burp to automate the scanning process.

The pipeline looks like this:

Run Nuclei in Docker -> Use Nuclei -input-mode to scan endpoints parsed from OpenAPI Document -> Proxy the requests through Burp -> Inject the Authorization/Cookies on the fly -> Combine with Burp Extensions -> Review results in Nuclei console & Burp History

How to do it

Obtain the OpenAPI documentation of your target - either the API provides this on their documentation website, or you can search for it on SwaggerHub, or you can use a "API reverse engineering" tool like Burp2API or Postman Interceptor. I suggest using OpenAPI version 3 because Nuclei will look for the "servers" tag within the documentation, and version 2 don't have it
Set up Burp listening interfaces - if we want to proxy traffic from Nuclei Docker through the Burp instance that runs on our host OS we have to make sure that Burp listens to all interfaces as shown below

Pull Nuclei Docker image and run the container - for this I use DockerDesktop on Windows and run the command within its terminal. The host.docker.internal in the -proxy is how we tell Docker to use the Host as a proxy. If you use Windows/Linux you won't have to change it
```
docker run --rm -v "C:\path\to\openapi.json:/openapi.json" projectdiscovery/nuclei -l /openapi.json -im openapi -V "Authorization=123" -skip-format-validation -proxy http://host.docker.internal:8080
```
Update the API Servers - open the OpenAPI Documentation and search for the servers tag -> make sure to set the domain where the API is hosted:
```
"servers":[{"url":"https://api.example.com"},{"url":"https://api.us-east-2.test.example.cloud"},{"url":"http://localhost:8000"}]
```
Update the volume path - -v "C:\path\to\openapi.json:/openapi.json") to match the place where you saved the OpenAPI documentation on the host OS
Update the variables values - add/remove the variables (-V "Authorization=123") based on your OpenAPI requirements. Additionally you can add the -skip-format-validation flag. Nuclei will throw an error if it can't find a mandatory variable
Match & Replace in Burp - Add a match & replace rule in Burp to inject your Authorization tokens, CSRF tokens and any other HTTP header that may be required. For whatever reason the -V "Authorization=123" didn't do that, but we can use Burp -> Automodifying Requests on the Fly
Enable Burp Extensions - before you proceed with the Nuclei scan, you can also enable Collaborator Everywhere and Autorize to increase chances of finding SSRF and Broken Authorization/Authentication vulnerabilities

Now you should have all the endpoints documented in the OpenAPI file automatically tested by Nuclei & Burp Extensions