Finding Your First Bug: Reading JSON and XML for Information Disclosure

In this video we cover how to read JSON and XML specifically to find information disclosure vulnerabilities. We cover how to approach a target when a URL returns JSON or XML, how to know if you've found an info disclosure - and how to exploit it! I want to really demystify JSON/XML and make you feel more at ease with how JSON/XML works and how you can read it. We also cover other vulnerabilities that might exist when a URL returns JSON or XML.

Did you know this episode was sponsored by Intigriti? Sign up with my link http://go.intigriti.com/katie

I'm so pleased with everyone's positive response to the Intigriti sponsorship and I'm so pleased you folks are finding bugs and even finding your first bugs! Thank you for being awesome!

Further reading:
JSON Formatter: https://jsonformatter.org
JSON serialization of any Project model results in all Runner tokens being exposed through Quick Actions: https://hackerone.com/reports/509924
An invite-only's program submission state is accessible to users no longer part of the program: https://hackerone.com/reports/800109
latest_activity_id and latest_activity_at may disclose information about internal activities to unauthorized users: https://hackerone.com/reports/724944
Team member with Program permission only can escalate to Admin permission: https://hackerone.com/reports/605720
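The core skill the video describes is reading a JSON or XML response field by field and asking whether each value should really be visible to the caller. The script below is an added example (not code from the video or from any of the linked reports) that automates the first pass of that review: it parses a response body as JSON or XML, walks every object, array, element and attribute, and lists the paths whose key names look like things an API should not hand out (tokens, secrets, e-mail addresses, internal activity fields of the kind the linked reports describe). The pattern list and the two sample responses are constructed for this example, and the token and e-mail values in them are placeholders.

```python
import json
import re
import xml.etree.ElementTree as ET

# Key names that commonly carry data an unauthenticated or low-privilege
# caller should not see. This list is an assumption for the example; extend
# it with whatever fields matter for the application you are reviewing.
SENSITIVE_KEY_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"token", r"secret", r"password", r"api_?key",
              r"email", r"latest_activity", r"internal", r"^is_admin$")
]


def _is_sensitive(key: str) -> bool:
    return any(p.search(key) for p in SENSITIVE_KEY_PATTERNS)


def walk_json(node, path="$"):
    """Return [(json_path, value)] for every scalar stored under a sensitive key."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if _is_sensitive(key) and not isinstance(value, (dict, list)):
                findings.append((child, value))
            findings.extend(walk_json(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(walk_json(item, f"{path}[{i}]"))
    return findings


def walk_xml(element, path=""):
    """Return [(xpath_like, value)] for sensitive attributes and leaf elements."""
    findings = []
    current = f"{path}/{element.tag}"
    for attr, value in element.attrib.items():
        if _is_sensitive(attr):
            findings.append((f"{current}@{attr}", value))
    text = (element.text or "").strip()
    if _is_sensitive(element.tag) and text and len(element) == 0:
        findings.append((current, text))
    for child in element:
        findings.extend(walk_xml(child, current))
    return findings


def scan_response(body: str):
    """Sniff whether body is JSON or XML, parse it, and return flagged fields."""
    stripped = body.lstrip()
    if stripped.startswith(("{", "[")):
        return walk_json(json.loads(body))
    if stripped.startswith("<"):
        # For XML you did not produce yourself, parse with defusedxml instead of
        # the stdlib parser; the stdlib one is used here so the example has no
        # third-party dependency.
        return walk_xml(ET.fromstring(body))
    raise ValueError("body is neither JSON nor XML")


# Constructed sample responses modelled on the kind of over-serialised
# project object the linked reports describe. Values are placeholders.
SAMPLE_JSON = """{"id": 42, "name": "demo-project", "public": true,
 "runners": [{"id": 7, "token": "TOKEN-PLACEHOLDER"}],
 "latest_activity_at": "2020-01-01T00:00:00Z",
 "owner": {"username": "alice", "email": "alice@example.com"}}"""

SAMPLE_XML = ("<project id=\"42\"><name>demo-project</name>"
              "<runner id=\"7\"><token>TOKEN-PLACEHOLDER</token></runner>"
              "<latest_activity_at>2020-01-01T00:00:00Z</latest_activity_at>"
              "<owner email=\"alice@example.com\">alice</owner></project>")


if __name__ == "__main__":
    for label, body in (("JSON", SAMPLE_JSON), ("XML", SAMPLE_XML)):
        print(f"--- {label} ---")
        for path, value in scan_response(body):
            print(f"{path}: {value!r}")
```

A hit from this script is a lead, not a bug: the next step is exactly the one the video describes, checking whether the same URL returns that field to a user who should not have it (a logged-out visitor, a member of another team, a user removed from the program). Fields that are fine for the owner but appear in responses to everyone else are the ones worth reporting.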