Weekly Pentest Tips & Tricks
- Buy now
- Learn more
A01 - Broken Access Control

0x02 - Broken Auth in 30 Seconds
0x19 - Account Takeover via Open Redirect
0x40 - Info Leak to Account Takeover
0x42 - Auth Bypass with 0-based UUIDs
0x64 - Pentesting Admin Accounts
0x77 - Another Way to Bypass 2FA
0x81 - Seven Ways to Bypass 403
0x117 - Email Assistant Account Takeover
0x122 - Finding Orphaned Privileges
0x123 - Deleted Page Gave Me Owner Access
A02 - Cryptographic Failures

0x06 - JWT Exfil from Source Page
0x29 - Automating JWT Pentests
0x49 - Cracking JWT Tokens
0x75 - Validating Leaked API Keys
0x96 - Token Randomness Analysis
0x130 - Bypass Encryption w/ JS Debugger
0x132 - Reset Token to Backdoor Trick
A03 - Injection Attacks

0x01 - XSS via Custom Named Tags
0x11 - Email Field Payload Injection
0x12 - XML Formatted XSS Payloads
0x15 - SSRF for Internal Network Scanning
0x18 - Burp Hackvertor for Advanced Injection
0x25 - OOB Template Injection via SMS
0x35 - HTML Injection for Phishing Emails
0x36 - File Read via Login Wallpapers
0x52 - XSS in SVG Images
0x76 - XSS via Phone Number Field
0x80 - Race Conditions with Turbo Intruder
0x89 - XSS via PostMessage
0x90 - XSS via HREF URLs
0x91 - Invading the DOM
0x115 - Real-World Reflected XSS
0x126 - Formatting XSS Payloads
A04 – Insecure Design

0x17 - Exploiting Race Conditions
0x22 - Phishing via Signup Forms
0x37 - Open Redirect via REGEX Bypass
0x44 - No Email Verification Abuse
0x62 - Location Spoofing Tricks
0x67 - Unlocking Premium for Free
0x72 - Stealing AI Chatbot Prompts
0x99 - Loop Denial of Service
0x100 - Infinite Trial Period
0x116 - $1000 Privacy Loophole Exploit
0x141 - Why Pentesters Love Blacklists
A05 – Security Misconfiguration

0x05 - DB Dump via Underscore Wildcards
0x28 - Azure Subdomain Takeover at Scale
0x32 - Command Injection in Azure Webapps
0x34 - File Upload Bypass in Firebase
0x38 - Dir Listing via Range Header Abuse
0x41 - Crashing Apps with Large Inputs
0x47 - CORS Misconfig Exploitation
0x85 - Escalating Debug Log Pages
0x121 - File Upload Bypass via ZIPs
A06 – Vulnerable Components

0x48 - Finding NPM Dependency Confusion
0x53 - Using Collaborator as Email Inbox
0x65 - Can't Find Dependency Confusion?
0x83 - Hacking GitHub CI/CD Workflows
0x88 - Attacking GWT-RPC Apps
0x102 - File Upload Bypasses for 2025
0x108 - Bypassing Geolocation Restrictions
0x111 - Leaking YouTube Emails for $10K
0x112 - $4,000 Bounty for Clickjacking?
0x118 - Exploiting Dangling JS Dependencies
0x127 - Denial of.. Wallet?!
0x138 - Vibe Coding -> More Hacking
A07 – Identification and Authentication Failures

0x07 - GraphQL Crash via Recursive Queries
0x23 - Private Email Leak via Google SSO
0x27 - Email Spoof via Client-Side Bypass
0x43 - Email Spoof via DMARC Policy Abuse
0x59 - File Access Bypass via Referer in CDN
0x95 - How the Microsoft MFA was Bypassed
0x133 - Authentication Bypasses for 2025
Recon & Attack Surface

0x04 - Reading Intercom Widget Messages
0x14 - Hidden Endpoints via Link Headers
0x30 - Hidden API Endpoints in WADL Files
0x39 - SSRF in PDF Generators
0x58 - Google Maps API Key Testing
0x66 - Attack Surface via Timing Attacks
0x69 - Finding CSRF through Methods Change
0x79 - Attack Paths in API Docs
0x84 - Finding Only Exploitable CVEs
0x86 - Email Enumeration with Slack
0x98 - Scanning OpenAPI with SOAPI
0x110 - Exploiting Typos in DNS Records
0x106 - Finding Backups From the Past
0x120 - Reverse Engineering APIs
0x135 - Secrets in GitHub Garbage
Tooling & Automation

0x08 - Better Folder Enumeration
0x13 - Optimizing Payload Lists
0x20 - Firebase Pentest with Artillery
0x21 - Auto-Finding Dangerous JS Functions
0x24 - GraphQL Voyager for Circular Refs
0x26 - Burp + Python for Pentest Automation
0x31 - Automating Pentests with Bamdas
0x33 - Hiding Uninteresting HTTP Headers
0x51 - Auto-Finding Injectable Parameters
0x55 - No Collaborator? No Problem!
0x57 - Missed Request Smuggling Vulns
0x60 - Burp Fuzzing Insertion Points
0x61 - Modifying Requests on the Fly
0x63 - Reviewing Scanner Payloads in Burp
0x73 - Websocket Pentesting Extension
0x74 - UUID Bruteforce with Custom Lists
0x78 - Blind XSS Hunting in Seconds
0x87 - SQLMap Command Generator
0x93 - Bypassing URL Validation
0x101 - So You Decided to Password Spray?
0x105 - The Offsec Toolkit
0x113 - What is Burp's Shadow Repeater
0x114 - Is Nuclei AI Worth It?
0x128 - What's a Model Context Protocol (MCP)
0x136 - API Scanning Automation FTW
0x137 - Optimizing Burp Scanner
Creative, Strategic, and Mindset

0x00 - Sandbox Escape in Point of Sale (POS)
0x03 - Maximizing Vulns Impact
0x97 - Is This in Scope?
0x09 - Bypassing CAPTCHA - Techniques
0x16 - Path Traversal - Techniques
0x45 - Exploiting Online Compilers
0x46 - Weaponizing XSS for Maximum Impact
0x50 - Payload Gen with SCAMMPERR
0x54 - Tracking Users with Image URLs
0x56 - Domain Blacklist Bypass w/ Azure DNS
0x68 - Top 10 AI Chatbot Attack Ideas
0x70 - Pentesting SIP Protocols
0x71 - RickRolling a Payment Terminal
0x82 - Exploiting Hop-by-Hop Headers
0x92 - Scanning Docs with NotebookLM
0x94 - When SQLmap Fails: 3 Tips
0x103 - What's Response Filter DoS
0x104 - Train Your (Hacker) Imagination
0x107 - Should We Avoid Burp Collaborator?
0x109 - How to Write Exploits
0x119 - Is Google Sabotaging Hackers?
0x124 - Find Your Crush on Dating Apps
0x125 - Unveiling the Web's Secrets
0x129 - Honey, I'm h̶o̶m̶e̶ payload!
0x131 - How to Exploit Slopsquatting
0x134 - Are Browsers Sabotaging Hackers?
0x139 - Look Where Others Haven’t
0x140 - Making Exploits More Reliable
0x142 - Github Issues for Inspiration
Latest Tips & Tricks

0x138 - Vibe Coding -> More Hacking
0x139 - Look Where Others Haven’t
0x140 - Making Exploits More Reliable
0x141 - Why Pentesters Love Blacklists
0x142 - Github Issues for Inspiration

0x14 - Hidden Endpoints via Link Headers

Did you know you can find additional API endpoints during the recon phase by checking the HTTP Link headers in the server response?

Finding undocumented API endpoints is a critical part of the pentest recon process.

They can reveal vulnerable functions or features that are disabled in the user-interface, making them a great target for unauthorized access attacks.

Based on how the app is configured, it may be easy to overlook empty responses or 204 No Content statuses.

One less-known place to discover new endpoints is in the Link HTTP response headers.

While this is not very common, during one of my pentests I was able to find 25+ API endpoints using this technique, which greatly increased the attack surface.

How to do it

Navigate the app
Apply the Bambda filter linked below
Check the Notes tab for new endpoints

API-endpoints-in-Link-Response-Headers.bambda.txt (644 Bytes)