Day #27 of #100DaysOfCyber | Pratique : Reverse Engineering d'API avec Postman Hier, on a vu la théorie sur le Reverse Engineering d'API lorsque la documentation est absente. Aujourd'hui, je suis passé à la pratique J'ai cherché les outils les plus simples et efficaces pour automatiser tout ça, et j'ai lancé mes tests sur crAPI (l'environnement volontairement vulnérable d'APIsec University) en utilisant Postman. Au lieu de capturer et de copier les liens un par un manuellement, j'ai configuré l'extension Postman Interceptor. C'est un outil ultra puissant qui fait office de proxy et qui permet d'automatiser complètement la phase de collecte. Le déroulement : ➖ 1. La configuration de l'environnement : J'ai d'abord créé un Workspace dédié sur mon application Postman pour bien organiser mes futures requêtes. ➖ 2. Le filtrage du trafic : J'ai démarré le proxy via l'extension du navigateur. Pour éviter d'être pollué par les requêtes de mes autres onglets (YouTube, recherches, etc.), j'ai spécifié uniquement le domaine cible de crAPI dans les filtres de l'extension. Seul le trafic qui m'intéresse est intercepté. ➖ 3. La collecte (Sniffing) : Une fois le proxy actif, j'ai simplement navigué sur l'application crAPI et manipulé toutes ses fonctionnalités (connexion, profil, boutique, etc.). En arrière-plan, Postman Interceptor a capturé chaque appel HTTP de manière transparente. ➖ 4. L'organisation : Quelques instants plus tard, je suis retourné sur Postman. Toutes les requêtes y étaient enregistrées automatiquement ! Il ne me restait plus qu'à les trier et les organiser pour reconstruire proprement la structure des endpoints du backend. Avec cette méthode, on obtient en quelques minutes une copie conforme de l'API (routes, headers, structures JSON). C'est la base parfaite pour commencer à chercher des vulnérabilités logiques ou des IDOR.. #Un dev qui comprend la sécurité. #Un pentester qui comprend le code. @_makh0u #Cybersecurity #WebSecurity #APISecurity #Postman #APIsecUniversity #crAPI #ReverseEngineering #Backend #FullStack linkedin.com/posts/mahmoudba…

We've been building something new 👨‍💻 Tomorrow we are ready to share it.  Follow us and see you tomorrow.  #Reflectiz #Cybersecurity #WebSecurity

Understanding Client-Server Architecture — the foundation of every web app. Here's what every developer and security researcher should know: When you type a URL and hit Enter, a lot happens in milliseconds: → DNS resolves the domain to an IP → TCP handshake establishes a connection → Browser sends an HTTP request → Server processes it and returns a response → Browser renders HTML, builds the DOM, executes JS Frontend handles what you see (HTML, CSS, JS). Backend handles the logic — auth, databases, APIs. Both sides have to work together on every single request. On the infrastructure side: → Nginx/Apache serve HTTP requests → Reverse proxies sit in front of backends, handle SSL, and often host WAFs → Load balancers distribute traffic so no single server breaks under pressure From a security perspective, every one of these layers can be misconfigured: - Reverse proxies introduce SSRF and header injection risks - Load balancers can leak server info in response headers - DOM manipulation is where XSS starts Understanding the full request lifecycle isn't just dev knowledge — it's the baseline for web pentesting and bug bounty hunting. Still learning and sharing as I go. #BugBounty #WebSecurity #CyberSecurity #Infosec #LearnInPublic #WebDevelopment

🛡️ Speaker Spotlight: Scott Galloway, an engineer who builds systems that actually ship ,at #TrailBlazor2026
💬 Session: Advanced Bot Detection For Everyone
🎟️ Register now: trailblazor.net/#register
#BotDetection #OpenSource #WebSecurity #dotnet #Devessence

Session hijacking doesn't need your password. Just your session token. Steal the token → bypass authentication → access everything. How it works and how to stop it: ssldragon.com/blog/what-is-s… #CyberSecurity #WebSecurity

Bug Bounty & Web Security Course 🐞💥 Learn reconnaissance, Burp Suite, SQLi, XSS, SSRF, CORS, File Inclusion, Security Misconfigurations, VAPT Automation, and Vulnerability Reporting. 📥 Drive Folder: drive.google.com/drive/mobil… #BugBounty #WebSecurity #Pentesting #EthicalHacking #BurpSuite #SQLi #XSS #SSRF #VAPT #CyberSecurity

HTTP status codes every web security beginner should know: ✅ 200 OK — Request worked successfully 🆕 201 Created — New resource was created 🔁 301 Moved Permanently — Page moved forever ➡️ 302 Found — Temporary redirect 🚫 400 Bad Request — Client sent a bad request 🔐 401 Unauthorized — Login/authentication required ⛔ 403 Forbidden — Access denied 🔎 404 Not Found — Resource does not exist ⚔️ 405 Method Not Allowed — HTTP method blocked 💥 500 Internal Server Error — Server-side error 🛠️ 502 Bad Gateway — Bad response from upstream server ⏳ 503 Service Unavailable — Server is down/overloaded 🌐 504 Gateway Timeout — Server took too long to respond Web hacking starts with understanding responses. #WebSecurity #CyberSecurity

Auth bugs pay the most in bug bounty. Most hunters never touch them, because they never actually understood how auth works. In this video, I break down web auth the way the developer who built it sees it. Sessions, JWTs, OAuth 2.0, the Authorisation Code Flow, PKCE, and OpenID Connect. Why each protection exists, what it defends, and the exact bug that shows up when it's missing. Auth For Hackers youtu.be/csKveMxn8rA #BugBounty #WebSecurity #EthicalHacking #AmrSec #OAuth #JWT #OIDC

See what security teams say about PCI DSS compliance with Reflectiz 👉 hubs.ly/Q04k_DNR0 #Reflectiz #Cybersecurity #PCI #G2 #WebSecurity #Compliance

🚨 Weekly Content Drop 🚨 This week’s drop brings fresh content across OSINT, threat hunting, Windows, and web. 🦊 KitsuneHook — New Sherlock Difficulty: Easy Creator: 0iQ Tech: Google Knowledge domains: Threat Intelligence, Threat Hunting, OSINT Investigate a multi-stage campaign targeting a Japan-based manufacturing subsidiary. What begins with SQL injection on an ERP system escalates into web shell deployment, advanced malware, MSP compromise, and suspected links to Winnti activity against Japanese manufacturing, materials, and energy sectors. Your mission: investigate the “RevivalStone” campaign, identify the threat actors, and dissect their toolchain. Also dropping this week: 🖥️ Checkpoint — New Machine Windows | 30 points | Releases 13 Jun 2026 🍽️ Bobby’s Bistro — New Challenge Easy | Web New week. New intelligence. New trails to follow. #HackTheBox #HTB #WeeklyContentDrop #Sherlock #ThreatIntelligence #ThreatHunting #OSINT #DFIR #Windows #WebSecurity #CyberSecurity

After a few days of learning and grinding through previous labs, it's time for a new challenge. Starting the Authentication labs on PortSwigger today. Let's see what lessons, mistakes, and discoveries are waiting ahead. 😁 #WebSecurity #Authentication #BugBounty #PortSwigger

XVWA: A Deliberately Vulnerable Web Application for Learning Offensive Web Security 🛡️💀 🔗 github.com/s4n7h0/xvwa #WebSecurity #CyberSecurity #BugBounty #Pentest #OWASP #XVWA #AppSec

youtube.com/watch?v=8tlsopDC… #CyberSecurity #AccessControl #BugBounty #WebSecurity #OWASP #PortSwiggerlabs #EthicalHacking #PenetrationTesting #WebAppSecurity #BrokenAccessControl #BugBountyHunter #Appsec #infosec #informationsecurity #bugbountytips #applicationsecurity

The internet's biggest secret? HTTP forgets. Cookies remember. That's why you log in once instead of 100 times. #WebSecurity #HTTP #CyberSecurity

Day #26 of #100DaysOfCyber | Sécurité Dev : Le Reverse Engineering d’API Hier, on a vu comment une documentation d'API oubliée en prod pouvait détruire la sécurité d'un site. Mais en situation réelle, la doc est souvent désactivée. Alors, comment fait un pentester pour attaquer une API s'il n'a pas le mode d'emploi ? C'est là qu'intervient le #Reverse #Engineering d'API. Le concept est simple : on va observer passivement comment l'application frontend discute avec son backend pour deviner et reconstruire la structure de l'API, ses routes et ses paramètres cachés. 3 étapes pour Reverse Engineering d'API : ➖ 1. L'analyse du trafic : On utilise un proxy comme Burp Suite pour intercepter toutes les requêtes HTTP/HTTPS générées lorsqu'on clique sur le site. On note la structure des URLs (ex: /api/v2/products/10) et le format des données (JSON, XML). ➖ 2. Deviner la structure : Les développeurs suivent souvent des conventions de nommage (REST). Si on voit une route GET /api/v1/users/42, on peut légitimement tester l'existence de : - GET /api/v1/users (pour lister) - POST /api/v1/users (pour créer) - DELETE /api/v1/users/42 (pour supprimer) ➖ 3. Le Fuzzing de paramètres : Même sans doc, on peut deviner les variables acceptées par le backend. Si une mise à jour de profil envoie {"name": "Mahmoud"}, on va tenter d'injecter des clés cachées comme {"role": "admin"} ou {"is_premium": true} (le Mass Assignment) pour voir comment le serveur réagit. Pourquoi c'est crucial pour un Dev ? Beaucoup de devs pensent encore que si une route d'API n'est pas écrite sur le site ou dans une doc publique, personne ne la trouvera. Un attaquant motivé mettra quelques mn surtout avec les outils à cartographier vos endpoints backend juste en regardant les requêtes réseau de son navigateur. C'est pourquoi il faut un contrôle d'accès strict sur chaque route, documentée ou non #Un dev qui comprend la sécurité. #Un pentester qui comprend le code. @_makh0u #Cybersecurity #WebSecurity #APISecurity #ReverseEngineering #PortSwigger #Backend #FullStack

XVWA: A Deliberately Vulnerable Web Application for Learning Offensive Web Security 🛡️💀 XVWA provides a hands-on lab packed with vulnerabilities like SQLi, XSS, SSRF, CSRF, File Upload flaws, SSTI, IDOR, and more for safe security practice. 🔗 github.com/s4n7h0/xvwa #WebSecurity #CyberSecurity #BugBounty #Pentest #OWASP #XVWA #AppSec

no-obligation website demo webabcdesign.com #SmallBusinessWebDesign #WebsiteTrust #CustomerExperience #WebSecurity #Testimonials webabcdesign.com

🕷️ Open-Source Burp Suite Alternative: Caido Caido is a modern open-source platform for auditing web applications, built for security researchers, developers, and bug bounty enthusiasts. 🔹 Key Features: ▪️ Fast HTTP traffic inspection ▪️ Request & response analysis ▪️ Replay and workflow automation ▪️ Organized interface for web testing ▪️ Designed for efficient web application auditing Perfect for professionals and learners who want a modern and lightweight alternative for understanding web application behavior. ⚠️ For educational purposes and authorized security testing only. 💬 Comment CAIDO and I’ll send it to you. #CyberSecurity #WebSecurity #BugBounty #Infosec #OpenSource

Inside the CEH Curriculum — What You Will Actually Learn 🔐 Want to know what CEH training covers before you join? From footprinting and scanning to system hacking, web attacks, and wireless security, CEH helps you understand the core skills used in cybersecurity. At Hacker School, you will learn with practical training, real-time examples, and expert guidance to build strong ethical hacking skills. Get ready for the upcoming 15 June CEH Batch and start your cybersecurity journey with confidence. Connect with us to know more 📞 91 9599638639 📩 inquiry@hackerschool.in 🌐 hackerschool.in/ Follow us on:- 1. Facebook:- facebook.com/profile.php?id=… 2. Instagram:- instagram.com/hackerschoolin… 3. Youtube:- youtube.com/@HackerSchool-fm… 4. Linkdin:- linkedin.com/company/hackers… 5. Twitter:- x.com/hackerschoolin #CEH #CertifiedEthicalHacker #EthicalHacking #CyberSecurity #HackerSchool #CyberSecurityTraining #CEHTraining #InformationSecurity #WebSecurity #NetworkSecurity #SystemHacking #CyberCareer #EthicalHacker #CyberJobs #Hyderabad #Bangalore #OnlineTraining

That 🔒 padlock in your browser = SSL. No SSL → your site's data is a postcard anyone can read. SSL → a sealed, private letter. Browsers flag sites without it. Google ranks them lower. Check yours: does it say https://? #SSL #WebSecurity