Traceable.ai
@traceableai
Followers
2,836
Following
186
Media
337
Statuses
1,623
The Leader in API Security
San Francisco, CA
Joined December 2019
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
مدريد
• 1543229 Tweets
Madrid
• 522887 Tweets
Barca
• 232839 Tweets
#UFC308
• 187283 Tweets
#ElClásico
• 182902 Tweets
Mbappe
• 158448 Tweets
Lamine
• 106773 Tweets
#الهلال_التعاون
• 88286 Tweets
Bernabeu
• 85142 Tweets
Topuria
• 70765 Tweets
Lewandowski
• 70271 Tweets
Vini
• 61741 Tweets
Holloway
• 59727 Tweets
Khamzat
• 51451 Tweets
Raphinha
• 49553 Tweets
Whittaker
• 46642 Tweets
#كلاسيكو_الارض
• 41925 Tweets
Casadó
• 40566 Tweets
Bellingham
• 36537 Tweets
Pedri
• 34002 Tweets
Hansi Flick
• 32194 Tweets
Ancelotti
• 28991 Tweets
Olmo
• 27174 Tweets
Nebraska
• 23300 Tweets
الريال
• 22763 Tweets
Ohio State
• 21201 Tweets
Mendy
• 19790 Tweets
Balde
• 18544 Tweets
Camavinga
• 17980 Tweets
ليفا
• 14136 Tweets
Iñaki Peña
• 13413 Tweets
Lewy
• 11917 Tweets
Pinned Tweet
🚨 ICYMI: Bullish’s CISO Matt Presson shares how they secure their crypto exchange with
@TraceableAI
. Automated API testing, reduced manual work from weeks to hours, and boosted API visibility to protect sensitive data. Watch now!
0
0
1
-API TIP:26/31-
Looking for BOLA (IDOR) in APIs? got 401/403 errors?
AuthZ bypass tricks:
* Wrap ID with an array {“id”:111} --> {“id”:[111]}
* JSON wrap {“id”:111} --> {“id”:{“id”:111}}
* Send ID twice URL?id=<LEGIT>&id=<VICTIM>
* Send wildcard {"user_id":"*"}
#bugbountytips
3
134
280
-API TIP:3/31-
Remember how SQL Injections used to be extremely common 5-10 years ago, and you could break into almost every company?
BOLA (IDOR) is the new epidemic of API security.
As a pentester, if you understand how to exploit it, your glory is guaranteed.
#bugbountytips
1
28
58
-API TIP: 31/31-
Found a "limit" / "page" param? (e.g: /api/news?limit=100) It might be vulnerable to Layer 7 DoS. Try to send a long value (e.g: limit=999999999) and see what happens :)
#bugbountytips
1
14
49
-API TIP: 4/31-
Testing a Ruby on Rails App & noticed an HTTP parameter containing a URL?
Developers sometimes use "Kernel
#open
" function to access URLs == Game Over.
Just send a pipe as the first character and then a shell command (Command Injection by design)
#bugbountytips
2
21
48
Today, Traceable and
@InsiderPhD
are discussing how to test for vulnerabilities within your own
#APIs
– by hacking your own products.
Register now:
#APISecurity
0
17
46
Learn More About BOLA:
1
18
40
-API TIP: 13/31-
Use Mass Assignment to bypass security mechanisms.
E.g., "enter password" mechanism:
- `POST /api/rest_pass` requires old password.
- `PUT /api/update_user` is vulnerable to MA == can be used to update pass without sending the old one (For CSRF)
#bugbountytips
0
18
38
-API TIP:5/31-
Found SSRF? use it for:
- Internal port scanning
- Leverage cloud services(like 169.254.169.254)
-Use to reveal IP Address & HTTP Library
-Download a very large file (Layer 7 DoS)
-Reflective SSRF? disclose local mgmt consoles
#bugbountytips
0
15
35
-API TIP: 1/31-
Older APIs versions tend to be more vulnerable and they lack security mechanisms.
Leverage the predictable nature of REST APIs to find old versions.
Saw a call to 'api/v3/login'? Check if 'api/v1/login' exists as well. It might be more vulnerable.
#bugbountytips
0
18
36
-API TIP: 2/31-
Never assume there’s only one way to authenticate to an API!
Modern apps have many API endpoints for AuthN: `/api/mobile/login` | `/api/v3/login` | `/api/magic_link`; etc..
Find and test all of them for AuthN problems.
#bugbountytips
0
13
34
-API TIP : 12/31-
Testing for BOLA (IDOR)?
Even if the ID is GUID or non-numeric, try to send a numeric value.
For example: "/?user_id=111" instead of "user_id=inon
@traceable
.ai"
Sometimes the AuthZ mechanism supports both and it's easier the brute force numbers.
#bugbountytips
0
12
34
Tomorrow,
@InsiderPhD
joins us for
#API
Hacking 101.
Rather than being a defender, we're going on the offensive showing how you can test your
#APIs
for vulnerabilities.
Save your spot:
0
11
34
-API TIP:19/31-
Which features do you find tend to be more vulnerable?
I'll start:
- Organization's user management
- Export to CSV/HTML/PDF
- Custom views of dashboards
- Sub user creation&management
- Object sharing (photos, posts,etc)
#bugbountytips
1
9
32
“Security is a business problem. It’s not just an IT problem. It’s not just a
#DevOps
problem. It’s an all of us problem.”
-
@AlissaKnight
, Hacker and
#CISO
She’s not wrong.
2
9
32
-API TIP:25/31-
Found an "export to PDF" feature?
There's a good chance the developers use an external library to convert HTML --> PDF behind the scenes.
Try to inject HTML elements and cause "Export Injection".
1
12
31
- API TIP: 9/31 -
Pentest for APIs? Trying to find BOLA (IDOR) vulnerabilities? IDs in the HTTP bodies/headers tend to be more vulnerable than IDs in URLs. Try to focus on them first.
#bugbountytips
#infosec
0
18
29
Today, join us for
@InsiderPhD
's
#API
Hacking Toolbox.
2pm ET / 11am PT
Register to join live or grab the recording:
0
5
29
It’s official, we have departed stealth mode! Check out our inaugural blog post from founders
@jyotibansalsf
and
@sanjaynsf
to learn how we're securing cloud-native apps and APIs with distributed tracing and machine learning.
#appsec
2
5
29
-API TIP:21/30-
Got stuck during an API pentest? Expand the attack surface!
Use , find old versions of the web-app and explore new API endpoints.
Can't use the client? scan the .js files for URLs. Some of them are API endpoints.
#bugbountytips
#infosec
0
7
24
-API TIP: 18/31-
Companies & developers tend to put more resources (including security) into the main APIs.
Always look for the most niche features that nobody uses to find interesting vulnerabilities.
"POST /api/profile/upload_christmas_voice_greeting"
#bugbountytips
#infosec
0
8
23
-API TIP: 10/31-
Exploiting BFLA (Broken Function Level Authorization)?
Leverage the predictable nature of REST to find admin API endpoints!
E.g: you saw the following API call `GET /api/v1/users/<id>`
Give it a chance and change to DELETE / POST to create/delete users.
0
14
24
-API TIP:30/31-
Got stuck during an API pentest? Expand your attack surface!
If the API has mobile clients, download old versions of the APK file to explore old/legacy functionality and discover new API endpoints.
#bugbountytips
2
5
22
-API TIP:24/31-
Got stuck during an API pentest? Expand your attack surface!
Remember: developers often disable security mechanisms in non-production environments (qa/staging/etc);
Leverage this fact to bypass AuthZ, AuthN, rate limiting & input validation.
#bugbountytips
0
6
22
-API TIP:17/31-
Mobile Certificate Pinning?
Before you start reverse engineering & patching the client app, check for both iOS & Android clients and older versions of them.
There's a decent chance that the pinning isn't enabled in one of them. Save time.
#bugbountytips
0
8
19
Learn more about Export Injection:
0
6
18
-API TIP: 6/31-
Mass Assignment is a real thing.
Modern frameworks encourage developers to use MA without understanding the security implications.
During exploitation, don't guess object's properties names, simply find a GET endpoint that returns all of them.
#bugbountytips
0
15
20
- API TIP: 8/31 -
Pentest for REST API? Give it a chance and check if the API supports SOAP also.
Change the content-type to "application/xml", add a simple XML in the request body, and see how the API handles it.
1
11
19
- API TIP: 11/31 -
The API uses Authorization header? Forget about CSRF!
If the authentication mechanism doesn't support cookies, the API is protected against CSRF by design.
#bugbountytips
#infosec
0
5
15
- API TIP: 14/31 -
Got stuck during an API pentest? Expand your attack surface! Find sub/sibling domains using & .
Some of these domains might expose the same APIs with different configurations/versions.
#bugbountytips
0
5
15
“Traceable empowers security teams and engineers to see their attack surface, to better understand the traffic through some very powerful searching capabilities ... and attribute traffic..."
- Randy Gingeleski, Senior Security Engineer,
@Bullish
2
5
15
Join our 4-part webinar series covering the
@OWASP
API Top 10. This series will be led by
@InonShkedy
, co-author of the OWASP API Top 10 and Head of Security Research at Traceable. The first episode takes place this Thursday at 10AM PT, so register now!
0
5
15
-API TIP:27/31-
BE Servers no longer responsible for protecting against XSS.
APIs don't return HTML, but JSON instead.
If API returns XSS payload? -
E.g: {"name":"In<script>alert(21)</script>on}
That's fine! The protection always needs to be on the client side
#bugbountytips
0
8
13
-Tip 7/31-
#bugbountytips
SQLi --> SSRF
Use functions to trigger HTTP calls
Oracle: UTL_HTTP.request
MSSQL: master..xp_dirtree
More info:
0
5
15
BREAKING: Traceable has raised $60 million in our Series B round...
...led by
@IVP
with participation from
@BIGLabsSF
,
@Unusual_VC
, Tiger Global Management, and several angel investors
@Kyle_L_Wiggers
has the details in
@TechCrunch
:
0
5
14
-API TIP:29/30-
APIs expose the underlying implementation of the app.
Pentesters should leverage this fact to better understand users, roles, resources & correlations between them and find cool vulnerabilities & exploits.
Always be curious about the API responses.
#bugbountytips
0
6
12
-TIP 24/31-
#bugbountytips
Where I usually find IDOR (BOLA) in apps, is in features that allow extracting data as files.
* "download_report/org_id=11"
* "my_activity_as_pdf?user_id=22"
These are often developed by different teams that don't fully understand the Authz mechanism
0
3
13
-API TIP:23/31-
Found a way to download arbitrary files from a web server?
Shift the test from black-box to white-box.
Download the source code of the app (DLL files: use IL-spy; Compiled Java - use Luyten)
Read the code and find new issues!
#bugbountytips
#bugbounty
0
10
13
- API TIP: 7/31 -
A company exposes an API for developers?
This is not the same API which is used by mobile / web application. Always test them separately.
Don't assume they implement the same security mechanisms.
0
8
12
-API TIP: 16/31-
Even if you use another web proxy, always use Burp in the background.
The guys at
@PortSwigger
are doing a really good job at helping you manage your pentest.
Use the “tree view” (free version) feature to see all API endpoints you’ve accessed.
#bugbountytips
0
3
8
-API TIP:15/31-
Static resource==photo,video,..
Web Servers(IIS, Apache) treat static resources differently when it comes to authorization.
Even if developers implemented decent authorization, there's a good chance you can access static resources of other users.
#bugbountytips
0
6
10
Want to attend
#KubeCon
, but don't have a ticket?
We've got you covered. This week, we're giving away 5 virtual passes to the cloud-native conference.
Just follow Traceable and retweet this post to enter to win.
0
7
5
This month, join
@JKowall
,
@Janakiramm
,
@WuSheng1108
, and Traceable's own
@SanjayNSF
to discuss observability in modern
#cloud
-native applications:
0
4
7
Our co-founder and CTO
@SanjayNSF
recently discussed Traceable's meteoric growth with
@Pulse2News
.
Learn what sparked Sanjay and
@JyotiBansalSF
to create the leader in
#APIsecurity
– and how we've achieved 270% growth YoY.
0
3
9
Breaking: Traceable AI meets rising need for
#APISecurity
with new compliance certification and expanded advisory board
Traceable has received our SOC 2 Type 2 compliance certification and has welcomed
@AlissaKnight
to our
#CISO
Board of Advisors
0
3
8
-TIP 26/31-
#bugbountytips
API with JWT in AuthZ header?
1. Copy JWT b64 value
2. Add new cookies - "auth_token", "jwt_token", "jwt", paste b64 as value
3. Duplicate previous API call, add cookies, remove header.
4. Works? AuthN supports cookies
5. API is 90% vulnerable to CSRF
1
2
8
What tools do hackers use to test your
#APIs
from the outside?
Next week, join
@InsiderPhD
for
#API
Testing Methodology to learn this and more:
0
2
8
Join
@JyotiBansalSF
and
@AlissaKnight
as the brightest minds in the
#cybersecurity
industry converge at
#APISecure2022
.
Explore APIs through the eyes of an attacker and learn to weaponize what you find.
Register for this groundbreaking event at
0
1
8
BREAKING: Our
#APISecurity
Testing solution is now generally available.
It enables any
#API
in pre-production to be tested for vulnerabilities, accuracy, reliability, and overall security.
Learn more:
1
3
7
"This is the golden moment for software engineering."
-
@JyotiBansalSF
Join Jyoti,
@Kuthiala
, and
@AlissaKnight
:
1
2
7
Join us for Episode II in our OWASP API Top 10 webinar series Thur Aug 27, 2020 10AM PT.
@InonShkedy
,
@owasp
API co-author & Traceable Head of Security Research will cover: Broken User Auth, Excessive Data Exposure, Broken Function Level Auth, & more!
0
6
7
"It's the best first conference ever."
-
@medjawii
, Founder Apidays
We agree! Thank you to all who attended and to
@APIdaysGlobal
and
@knightinkmedia
for working together to bring
#APISecurity
into mainstream
#cybersecurity
.
We're already looking forward to
#APISecure
2023!
0
1
7
-TIP 23/31-
#bugbountytips
API allows sending a private message?
Try to change the "receiver_id" to an array instead of a single string/int. Might be used as a way to spam the system.
0
0
7
There are two types of shadow APIs…
1️⃣ Those you don’t know exist
2️⃣ Those you know exist BUT do more than you think.
Both create risk. Our Co-Founder and CEO
@JyotiBansalSF
discusses how discovery helps you mitigate that risk.
#cybersecurity
#APISecurity
0
4
7
Effective
#APISecurity
starts with knowing what APIs you have and what they do. We're excited to take discovery to ever greater depths.
#cybersecurity
Most businesses don't have an accurate account and up-to-date inventory of their APIs.
I'm very proud to announce that
@TraceableAI
is launching its enhanced API Catalog to help businesses discover all of their APIs – known and unknown!
0
2
11
0
4
6
-Tip 18/31-
#bugbountytips
Before a pentest, I always:
1. Use Burp to catch browser traffic
2. Use the target app legitimately, trying to use all buttons, views, dashboards, etc
3. Use Burp Tree View to understand the app better
0
2
7
-API TIP:22/31-
APIs tend to leak PII by design.
BE engineers return raw JSON objects and rely on FE engineers to filter out sensitive data.
Found a sensitive resource (e.g, "receipt")? Find all the EPs that return it: "/download_receipt","/export_receipt", etc..
#bugbountytips
1
7
6
To celebrate
#BHUSA
, we're giving away $100 Amazon gift cards every day this week, Monday through Friday.
Follow
@TraceableAI
and retweet this tweet for your chance to win.
Then, catch up with the Traceable team in person at
#BlackHat
Booth EC15.
0
23
7
-Tip 25/31-
#bugbountytip
App allows uploading .zip/rar archives?
There's a good chance it's vulnerable to Zip Slip.
Put the malicious file inside a zip, edit zip using HexEditor, use directory traversal to change final dest.
* Try both 1st&2nd occurrences separately
0
1
7
Join Team Traceable at
#BlackHat
Booth 973 for a live demo of our leading
#APISecurity
, a chat with our experts to see how you can improve your API security posture...
...and, of course, a free t-shirt!
#BHUSA
#BlackHat2022
0
1
6
Welcome to the team!
I'm onto the next phase of my career. Happy to announce that I've joined the UI team at .
@traceableai
Thanks for all the support
@anandtiwary21
. Looking forward to working with you.
13
1
43
0
0
7
-Tip 9/31-
#bugbountytips
My favorite XXE --> RCE finding:
[1]XML Parser supports "gopher://" - SSRF on steroids!
[2]Java debugger running locally and supports "Telnet Debugging"🤨
[4]Read debugger doc
[5]Malicious payload uses gopher to call debugger and run raw Java code🤠
0
2
7
"Zero trust is based on the premise that location isn’t relevant and users and devices can’t be trusted until they are authenticated and authorized."
What
#ZeroTrust
is – and why it urgently needs to be extended to
#APISecurity
:
via
@JyotiBansalSF
0
6
6
Traceable's Unusual Journey
Co-Founder
@SanjayNSF
discusses the importance of building a solid team.
via
@Unusual_VC
0
1
5
185% YoY Growth! 🎉
Traceable continues to be one of the fastest-growing
#APIsecurity
platforms in the world.
(Huge thanks to our valued customers and hard-working team.)
0
3
6
Join us on Thursday and learn about:
- Mass Assignment
- Security Misconfiguration
- Injections (and why they are less common in APIs)
- Improper Assets Management
- Insufficient Logging & Monitoring
- Bonus: SSRF
0
1
6
The first and only. 👊
Today, Traceable introduces the world’s first
#ZeroTrust
API Access solution.
See how ZTAA will better protect sensitive data, stop API abuse, and align data security programs with broader innovation and business objectives:
0
5
6
-TIP 27/31-
#bugbountytips
Find detailed errors:
[1]Send array instead of primitive (age=[21] instead of age=21)
[2]Send a Unicode char in HTTP method (G✔️T)
[3] Send long Unicode string (age=✔️x100)
[4] If the API receives a URL, remove semicolon(http// instead of
http://)
0
2
6
🚨 World's First
#APISecurity
Management Conference 🚨
Register for
#APIsecure
to hear from thought leaders like:
👉
@NicolePerlroth
👉
@RinkiSethi
👉
@InonShkedy
👉
@JyotiBansalSF
👉
@AlissaKnight
0
3
6
-TIP 20/31-
#bugbountytips
B2B apps often have an "invite user to your org" feature.
1. Invite an existing user to your org
2.Learn how the API call "accept_invite" looks using a dummy user
3. Accept the invite on behalf of the victim
4. Once victim in your org - game over
0
1
6
"API security has often been a blind spot for enterprises. In fact, it’s very common to see unauthenticated APIs."
Traceable co-founder
@SanjayNSF
discusses the future of
#AI
,
#ML
, and APIs with
@CISOMag
:
0
2
6
Read our latest blog post about
#TraceAI
and
#MachineLearning
-driven
#appsec
authored by Traceable's Data Science expert Ravi Guntur and co-founder/CTO
@SanjayNSF
0
4
6
Heading to Gartner Security & Risk Management Summit?
Grab a Traceable t-shirt, enter to win a Holy Stone HS720G drone, and check out a demo – all at booth 421.
0
5
6
-Tip 8/31-
#bugbountytips
White-box Pentst?
Learn the dangerous functions of the tested language.
Java:
.NET:
PHP:
Ruby:
(Or simply Google: [language] + security best practices)
0
1
6
-TIP 14/31-
#bugbountytips
Found a SQLI? DB doesn't have interesting data?
Find tables that store website content, and leverage it to cause stored XSS.
0
0
6
The FTC is warning of legal actions for organizations that fail to secure their customer data against
#Log4Shell
.
Now is the time to protect your business – and with Traceable, you can get started today for free.
#Log4j
0
1
6
- API TIP:20/31-
Testing AuthN APIs?
If you test in production, there's a good chance that AuthN endpoints have anti brute-force protection.
Anyhow, DevOps engineers tend to disable rate limiting in non-production environments. Don't forget to test them :)
#bugbountytips
1
5
6
Microservices,
#APIs
, and cloud-native architectures have created new potential vulnerabilities.
Traceable and
@HarnessIO
CEO and Founder
@JyotiBansalSF
will explain how to close the gaps.
Register:
0
0
6
-Tip 4/31-
#bugbountytip
File Upload --> RCE
[1] Windows: Malicious file to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
[2] IIS: web-shell to C:\inetpub\wwwroot[3] Apache: web-shell to /var/www/html/
0
1
6
"We need to stop relying on 20th century technologies to fight 21st century problems.”
#Traceable
CEO and Co-Founder
@JyotiBansalSF
explains the importance of adaptive techniques like
#API
#observability
in preventing hacks like the
#UberBreach
.
0
1
6
The
#API
Reckoning is Here
Last Thursday,
#TMobile
disclosed their latest
#DataBreach
had affected 37 million customers.
And
#APIs
were the attack vector.
@ATraceableBird
discusses:
0
2
6
-TIP 13/31-
#bugbountytips
How to find detailed errors in APIs?
1. Send a string instead of a number (age=ddd)
2. Remove necessary params (e.g, send a PM and remove "receiver_name" param)
3. Break JSON structure (remove '}')
4. Remove necessary headers/cookies
0
2
6
Check out our new article and explore 31 tips on API Security & API Pentesting
==API TIPS==
To welcome the new year, we published a daily tip on API Security & API Pentesting during the month of January 2020.
Check out my new article and explore 31 tips + interesting insights about them.
#bugbountytips
3
174
385
0
1
5
-Tip 3/31-
#bugbountytips
-2nd part-
[3] download JS and look for strings like "create_user"/"register"; you might find AuthN API EPs and use them to register directly.
[4] use or to find credentials
0
0
5
Traceable founder/CEO
@JyotiBansalSF
joins CSO
@ATraceableBird
and Fraud Prevention Advisor Michael O'Connor on Sept. 15th for "Digital Fraud Prevention: Stopping Fraud Before It Happens."
Register to save your spot:
#APIsecurity
#cybersecurity
0
1
5
Join Traceable's
@SanjayNSF
,
@InonShkedy
, and Santosh Sahu to learn about the extended Berkeley Packet Filter.
✅ What eBPF is
✅ How eBPF works for observability
✅ What eBPF observability means for
#APISecurity
Register:
0
2
5
Dr. Jisheng Wang has joined us as Head of Artificial Intelligence & Machine Learning and VP of Engineering
"Our strategic move in adding Dr. Jisheng Wang to our leadership team enables Traceable to dive deeper into AI/ML."
- CEO/Co-Founder
@JyotiBansalSF
0
1
5
Our
#APISecurity
Testing offering is now generally available, enabling any
#API
in pre-production to be tested for vulnerabilities, accuracy, reliability, and overall security.
Check out
@DuncanRiley
's coverage in
@SiliconANGLE
:
0
1
5
🎟 Grab your free expo pass to
@RSAConference
next week with promo code 52ETRACEXP.
Stop by the Traceable booth for your chance to win one of two FLSUN Super Racer 3D Printers:
#RSAC
0
1
4
Few organizations have the right tools and the right people to protect
themselves from bad actors. 🥷
...And our recent research at
#RSAC2023
demonstrates that
#APIsecurity
itself is critically underprioritized.
0
1
5
-TIP 19/31-
#bugbountytips
B2B apps often have a "manage your organization" feature - fertile ground for vulns!
[1] Create 2 users belong to different orgs
[2] Login as user2 from org2
[3] Add user1 from org1 to your org
[3] Find "get/export org users" API
[4] leak user1 info
0
2
5
If you rely on WAFs to secure your applications built on APIs,
@AlissaKnight
can breach your APIs.
In fact, she may have already done so, writes
@JessicaHrdcstle
for
@SDxCentral
:
0
1
5
Connect, collaborate, and learn about
#APISecurity
and
#observability
with your peers at API Security India.
Join us on Sept. 24th for a free event with experts from:
👉
@HarnessIo
👉
@unSkript
👉
@Netskope
👉
@Easebuzz
👉
@ForcepointSec
Register:
0
0
5
DDoS API attacks focus on the server your API is running on and each endpoint of your
#API
service.
The damage a successful attack can do is extensive, so mitigation is key.
This resource provides multiple approaches to mitigation.
#cybersecurity
0
3
5
"Everything is an
#API
or soon will be."
- Upendra Mardikar, Chief Security Officer at
@MySnapFinance
0
1
4