Hacking an API endpoint is the web request sibling of SQL injection. It is a place where SQL Injection best practices – parameterization and sanitization of input can be bypassed by directly interacting with a server in JSON or XML (or whatever vernacular your endpoint may spit out)
This would have interested me also…partner.steamgames.com/partnercdkeys/assignkeys/
This (and another more ~classic~ SQL injection attack) were discovered by a HackerOne guy who received bounties for his efforts and the full disclosure to the Steam company.
https://www.zdnet.com/article/steam-bug-could-have-given-you-access-to-all-the-cd-keys-of-any-game/
https://hackerone.com/reports/383127
https://partner.steamgames.com/
https://partner.steampowered.com/login/?goto=%2F
Leave a Reply
You must be logged in to post a comment.