Search

Postman is an API platform for developers to design, build and test their APIs. The platform allows users to work in teams and organizations, giving users the option to share their workspace over the Internet. One of the features includes the ability to organize requests (GET, POST, PATCH, etc) on different ‘pages’, with the option to define request parameters, headers, authorization, body and tests. The issue at hand comes into play when request parameters are directly populated with values such as passwords, API tokens and secrets, combined with a workspace which has been shared publicly....

urlscan.io is a free and paid tool that is used to scan and analyse URLs. The tool is often used by Security Analysts and employees working in a SOC. It is also available as an integration add-on in several popular security toolings such as Splunk SOAR and Cortex XSOAR. This post will be focusing on the Search functionality in urlscan.io and how it can be abused to extract sensitive content due to tooling misconfigurations or accidental information leakage....