# Improper Asset Management

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

Search for older API versions. The version can be selected in the path, in an `Accept` header, in a query parameter or in the request body:

```
api.target.com/v3
/api/v2/accounts
/api/v3/accounts
/v2/accounts

Accept: version=2.0
Accept: api-version=3

/api/accounts?ver=2
POST /api/accounts

{
"ver":1.0,
"user":"hapihacker"
}
```

Search for non-production versions of the API (test, UAT, beta, private and partner endpoints):

```
api.test.target.com
api.uat.target.com
beta.api.com
/api/private
/api/partner
/api/test
```

## IDOR

{% content-ref url="idor" %}
[idor](https://0xss0rz.gitbook.io/0xss0rz/pentest/api/idor)
{% endcontent-ref %}

```
GET v2/user/profile?clubname=123

GET v1.0/user/profile?clubname=321
```

## Postman

Postman Collection Runner

Open the collection options, choose Edit, and select the Tests tab. Add a test that marks every request answered with a 200 status:

```
pm.test("Status code is 200", function () { 
    pm.response.to.have.status(200); 
})
```

Run an unauthenticated baseline scan of the collection with the Collection Runner. Make sure that "Save Responses"

Next, use "Find and Replace" to turn the collection's current versions into a variable. Type the current version into "Find", update "Where" to the targeted collection, and update "Replace With" to a variable.

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FthjN8cYNPZtOYeokIfbF%2Fimage.png?alt=media&#x26;token=353204c5-8266-4d17-83ca-bc94c18382fe" alt=""><figcaption></figcaption></figure>

Open Postman and navigate to the environment variables (use the eye icon located at the top right of Postman as a shortcut). Add a variable named "ver" to your Postman environment and set the initial value to "v1".

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FWyuVJgbpxKmB7tfiLPxV%2Fimage.png?alt=media&#x26;token=f3e81214-9e3b-4da0-80c0-bb2934c05bba" alt=""><figcaption></figcaption></figure>

Use the Collection Runner again and investigate the results: any request to an older version that now returns 200 where the current version returned 401 or 403 points at a retired version that is still served without the current access controls.
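The version sweep that the Postman procedure above performs, as an added Python example that is not part of the original page. It builds one request variant per placement style from the cheat sheet (path, `Accept` header, query string, JSON body) and reports the retired versions that still answer an unauthenticated request the current version refuses, so they can be decommissioned or put behind the same gateway policy; `fake_send` is a constructed stand-in for a real HTTP client, and the paths and version numbers are assumed.

```python
from typing import Callable, Iterable

# Version placements listed in the cheat sheet above: path segment,
# Accept header, query string and JSON body.
def version_variants(path: str, current: str, candidates: Iterable[str]) -> list[dict]:
    """Build one request variant per placement style and candidate version.

    `path` is the current request path containing `current` as a segment,
    e.g. "/api/v3/accounts" with current="v3".
    """
    base = path.replace(f"/{current}/", "/")      # "/api/accounts"
    variants = []
    for ver in candidates:
        num = ver.lstrip("v")                     # "v2" -> "2"
        variants += [
            {"style": "path",   "version": ver, "path": path.replace(f"/{current}/", f"/{ver}/"),
             "headers": {}, "body": None},
            {"style": "header", "version": ver, "path": base,
             "headers": {"Accept": f"version={num}.0"}, "body": None},
            {"style": "query",  "version": ver, "path": f"{base}?ver={num}",
             "headers": {}, "body": None},
            {"style": "body",   "version": ver, "path": base,
             "headers": {}, "body": {"ver": float(num)}},
        ]
    return variants

def unguarded_versions(variants: list[dict], send: Callable[[dict], int],
                       baseline_status: int) -> list[tuple[str, str]]:
    """Return (style, version) pairs that answered 200 to the unauthenticated
    request although the current version refused it (baseline 401/403)."""
    if baseline_status not in (401, 403):
        return []   # the current version itself is open; nothing to compare against
    return [(v["style"], v["version"]) for v in variants if send(v) == 200]

# Constructed stand-in for a real HTTP client (assumed server behaviour): a
# retired v2 path and the header-selected v1.0 still serve the resource
# without authentication, while the current v3 correctly returns 401.
def fake_send(variant: dict) -> int:
    if variant["path"] == "/api/v2/accounts":
        return 200
    if variant["headers"].get("Accept") == "version=1.0":
        return 200
    if variant["path"].startswith("/api/v3/"):
        return 401
    return 404

if __name__ == "__main__":
    vs = version_variants("/api/v3/accounts", "v3", ["v1", "v2"])
    print(unguarded_versions(vs, fake_send, 401))   # [('header', 'v1'), ('path', 'v2')]
```

Replace `fake_send` with a function that issues the variant against your own API inventory without credentials; an empty result means every retired version is either gone or enforces the same authentication as the current one.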


## Interesting Books

{% content-ref url="../../interesting-books" %}
[interesting-books](https://0xss0rz.gitbook.io/0xss0rz/interesting-books)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**Hacking APIs: Breaking Web Application Programming Interfaces**](https://www.amazon.fr/dp/1718502443?tag=0xss0rz-21)\
  A crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.
* [**Black Hat GraphQL: Attacking Next Generation APIs**](https://www.amazon.fr/dp/B0B7Q8BYG1?tag=0xss0rz-21)\
  This hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)
