make a proxy for your iphone that blocks ads from youtube and spotify bonus points if you get vrv and crunchyroll. ive tried and fiddled around with similar mitm sniffing but gave up too early cuz never read any documentation or bothered to learn the fundamentals of networking
How to predict api result of live running website which has timestamp Its result is updating every 3 mins Can i have the result before the actual result time..?
API protection schemes aren't all that different from developer to developer since most APIs tend to follow a similar format when it comes to security: 1. The authorization token _(be it OAuth2, JWT, Spring, Keycloak, Passport, or Auth0)_ will likely contain information regarding what sort of access you have to the API itself. So for instance if you don't have permissions to access a certain endpoint then the resulting response can simply be an HTTP 401 _(Unauthorized)_ or even an HTTP 403 _(Forbidden)_ . *Note:* the difference between an HTTP 401 and HTTP 403 is that the HTTP 401 error is for when you provide invalid or no credentials. The HTTP 403 error is for when you lack the privileges to access the specified resource _(API endpoint in this case)_ . 2. The API server might have a rate limiter set up to limit the number of concurrent requests sent to any API endpoint within a set amount of time. This is used to prevent a single connected user from spamming the API server which uses up too many system resources for the server in question. A server that's set up to be publicly accessible will most likely have documentation on the rate limiter _(the size of the request buckets, the rate at which the request buckets are emptied, what response headers are sent whenever you are rate limited, the different types of rate limits, etc...)_ . Typically whenever we think about reverse-engineering APIs we are more-or-less thinking about something called *"fuzzing"* which can be defined as _an automated process that injects invalid, malformed, or unexpected inputs into a system to reveal defects and vulnerabilities_ . For instance if we know the URI formatting for the API server then we can simply try to find undocumented API endpoints based on common names for said endpoints. The thing about API developers taking inspiration from one-another is that sometimes they'll use similarly named endpoints for certain actions such as token invalidation, database searching, creating and deleting data, etc... If the developers didn't expect for you to find those undocumented API endpoints then maybe they also forgot to give them the same level of scrutiny when it comes to securing them versus their documented or public API endpoints. My apologies for going so deep into this topic, I am somewhat passionate about web exploitation and semantics. Good video though because it appears that so many mobile app developers don't tend to consider that a MITM could be able to intercept and manipulate API calls to exploit vulnerabilities and a ton of developers could benefit from learning this and applying it to their development process.
API is like a bridge linking one point to another using a specific language query that it understands which is in the server of the provider stored for the client on client server
Luckily it was this easy for this app, some apps implement certificate pinning, so even after you install your own certificate it just ignores it and doesnt accept the mitm requests.
One more note: what you demonstrated would work if someone steals your phone, installs mitmproxy on it, and starts using the application in question. This will definitely expose how to API works - all its endpoints, payload structure, tokens, and perhaps some integrations with other APIs. However, if the API is designed correctly, you would only be able to get the data this one client is allowed to see (aka, the user whose phone was stolen, assuming he/she only has one app account). Of course, much of the data the API provides could be shared, in which case one user could potentially get access to 90% or more of the data, e.g. an e-commerce catalog that was considered "private" with respect to the membership implied by this app.
Big companies that private their APIs are indeed annoying, but let's not generalize this Remember that when you take stuff from an API you're not supposed to have access to, you're essentially using the money and resources of the company behind it, without giving them anything in return. So let's avoid doing that to small companies & devs
Yes that's what he did, what he doesn't know is that token expires and without the ability to reverse engineer how that access token is generated he will have to do the same thing again once it does. The token is probably generated using a random string algorithm which is damn near impossible to predict. These types of web tokens don't carry any information like the olden days of the JWT tokens did. Their api is safe for another day. Can't decode it cause there's no hash so nothing to decode. What he needs is the mathematical algorithm they used to generate the token to begin with, that's what they are keeping safe. It's even harder to do with a login version since that token would be tied to your credentials in /their/ db.
@@crysiscontained4421 JWT tokens still do and will always carry public information... and the whole purpose of the JWT is for the API to be stateless so the token doesnt need to be stored on any DB. Some implementations do save the tokens tho but its not recommended, there are other ways to go around that problem.
Hey dude, good job with the video. You can also use the proxy to find out the endpoint used by your phone in order to get the access token, so you are going to be able to log in from your computer and get new access tokens ( Because they probably have a TTL). Another tip is to check if the app has also a website because if they have they are probably using the same private API, so u don't even need to proxy your phone.
hmm..not really hacking if using the public request string with a valid user token.... get restricted user data from other user without token would be hacking...
Auth calls don't carry any information, it's just a GET request with a couple headers and a cookie gen client-side, and oauth is a lot longer than that usually. I have used an oauth token for over 24 hours on most sites, shortest I have seen is 6 hours. token gens are done completely server-side and don't get sent over HTTP/S requests.
@@crysiscontained4421 What he is trying to say is that you can intercept oauth refresh token which is commonly used to generate new access tokens. And when you say "token gens" you're referring to the private key. Private keys may not get sent over http but refresh tokens and access tokens surely do.
So guys if you don't understand what he actually did is he intercepted his request from phone app into the his pc using mitmproxy and then he used access_token value to get the results without using the app and he got succeeded
@@brimmed use android, root it, install xposed framework, install SSLUnpinning module, now with SSlunpinning module you can select witch app u want to unpin. note: on well made apps like instagram or facebook this method doesen't work, in this case you need to sear a modded apk
Security (access codes) are often not important from an ISV's point of view. APIs are often "private" not because of any security concern but so that the ISV can change THEIR OWN APIs without needing backward compatibility and so on. They're not private for commercial reasons but technical ones. So, of course, if you write your app against private APIs then don't complain if they break in the next version. Public APIs require far greater support. By all means use private APIs, but why not also contact the ISV and ask them to make their API public? Or even (here's an idea) pay them to use their software, in the form of a support contract...
Let me get this straight: Security is a HUGE concern, but in your example, you ALREADY HAD THE ACCESS CODES, you ALREADY HAD THE KEY. So, that is entirely irrelevant that the API uses that key.... what you were arguing is to make private APIs public, and implying that they are private as some kind of security-through-obscurity, when that is not really the intent most of the time. As soon as you publish an API you have all sorts of forward and backward compatibility problems that are mitigated by having private, unsupported APIs. If you want the API to be supported, pay to support it.
Can anyone here help me identify my ex-girlfriend as my cyberstalker so I can put a stop the constant harassment??? She works in law enforcement and is abusing the resources available to her to harassment and anyone connected to me. This has been going on for 4 years now... PLEASE HELP ME BRING HER DOWN! I have no problem paying a fair price $$$ for SOLUTION BASED help!
@@mikechickenman Exactly, it is absurd to me people watch this and be impressed. This dude already has access to the API, he even has an api key to use. He just gained control over something he already had control over, how impressive lol.
Hey Chris, Thanks for making this video. I don't know much about api but I think this can help me with a project I'm working on. Good luck with your channel.
+Govind Prasanth thanks brother, and I know. Just open source the API and people will work on it and make it better for FREE! I don’t get it. It’s greedy
Is it posibble to manipulate request in middle? For example, think of an app, there is an integration of another app within it. Even if that integration in the other app receives the data from the main app, can the data be changed and sent before going to the servers of the integration app?
Heads up: Newest ios version needs you to go to "general", "info", "certificats... -settings" -> enable mitmproxy, as otherwise its only installed but not enabled! Otherwise (at least for me in 2024) your iphone wont be able to connect to the internet.
You'll get the same result with oauth the token itself is not important. the token expires, the gen method is what is important he talks about hashing but web tokens aren't hashed anymore as they carry no data. What he is likely referring to is the old JWT tokens which were hashed because they carried important info in them these new tokens use a random string gen so you can't decode them, you need the algorithm that was used to generate them. in fact you don't even need to do a MITM attack to get your token just open the developer inspect tool on your browser go to application tab and click on cookie, your auth token is in there
3:24 how you get the access token without the credentials. Are you using Postman for the POST req? 5:09 like I’m confused on how you got the access token, this is like magic. Like how Sway???
I thought that it's pretty standart that you think someone will try to use your API's. That's why you put a rate limit per authenticated users. Son a single user gets only x amount of request where they can't serve the API to 100s of people.
bro i want api of a web based parser called a-parser coz i develop one my own but it has cloudflare is that matter , that the website has cloudflare with this method?? thanksss
This guy is a Noob. You could simply use a short expiry time and that key becomes useless. If these guys wanted to protect their api he couldnt have seen that key unless he logged in.
@@khalifarmili1256 so users have to log in every minute with your short expiry time? who wants to use an app that constantly wants you to log back in all the time dude
I have a doubt. I use a website and I know their http requests and response. Anyone can access their site. Can I use the requests in my app without telling them or just provide credits to their website?
but only debug app and web will be intercepted, when i open random apk what i've install from play store then mitm proxy doesn't work to intercept the request and the app return error ssl bla bla bla(ca-certificate had been installed), or infinite loading
thxxx it's amazing, but why do keep telling us not to try it, is it illegal ? i need to make an app that uses some banks data but their apis are private, is it legal or not to get them like this because i don't wanna get in troubles honestly
yes I did. you have to download the chrome pluging. I actualy dont remember how it works. I did that a long time ago. But what i can say is that i had a hard time with that because they dont have the tutorials on their site updated but you can also find tutorials from other ppl in the web. Once you do it once, it will look easyer to repeat.
What other projects do you guys want to see made?
Reverse a roblox exploit api and dm the api in discord C;#5561 its calls synapse the website x.synapse.to
make a proxy for your iphone that blocks ads from youtube and spotify bonus points if you get vrv and crunchyroll. ive tried and fiddled around with similar mitm sniffing but gave up too early cuz never read any documentation or bothered to learn the fundamentals of networking
bro you have twitter account?
How to predict api result of live running website which has timestamp
Its result is updating every 3 mins
Can i have the result before the actual result time..?
Will you do an app that requires login credentials to access the app and a passcode to perform an action? No 2FA.
API protection schemes aren't all that different from developer to developer since most APIs tend to follow a similar format when it comes to security:
1. The authorization token _(be it OAuth2, JWT, Spring, Keycloak, Passport, or Auth0)_ will likely contain information regarding what sort of access you have to the API itself. So for instance if you don't have permissions to access a certain endpoint then the resulting response can simply be an HTTP 401 _(Unauthorized)_ or even an HTTP 403 _(Forbidden)_ .
*Note:* the difference between an HTTP 401 and HTTP 403 is that the HTTP 401 error is for when you provide invalid or no credentials. The HTTP 403 error is for when you lack the privileges to access the specified resource _(API endpoint in this case)_ .
2. The API server might have a rate limiter set up to limit the number of concurrent requests sent to any API endpoint within a set amount of time. This is used to prevent a single connected user from spamming the API server which uses up too many system resources for the server in question. A server that's set up to be publicly accessible will most likely have documentation on the rate limiter _(the size of the request buckets, the rate at which the request buckets are emptied, what response headers are sent whenever you are rate limited, the different types of rate limits, etc...)_ .
Typically whenever we think about reverse-engineering APIs we are more-or-less thinking about something called *"fuzzing"* which can be defined as _an automated process that injects invalid, malformed, or unexpected inputs into a system to reveal defects and vulnerabilities_ . For instance if we know the URI formatting for the API server then we can simply try to find undocumented API endpoints based on common names for said endpoints.
The thing about API developers taking inspiration from one-another is that sometimes they'll use similarly named endpoints for certain actions such as token invalidation, database searching, creating and deleting data, etc...
If the developers didn't expect for you to find those undocumented API endpoints then maybe they also forgot to give them the same level of scrutiny when it comes to securing them versus their documented or public API endpoints.
My apologies for going so deep into this topic, I am somewhat passionate about web exploitation and semantics. Good video though because it appears that so many mobile app developers don't tend to consider that a MITM could be able to intercept and manipulate API calls to exploit vulnerabilities and a ton of developers could benefit from learning this and applying it to their development process.
The first time that I wanted a comment to be longer, thank you it‘s such a concise and useful read. Where are you learning from or do you teach?
this guy knows his stuff.
thank you for your comment
API is like a bridge linking one point to another using a specific language query that it understands which is in the server of the provider stored for the client on client server
liked & subscribed
It's such a rush when you gain access to things like this, great work. Think I'm going to have a lot of fun with mitmproxy. Subscribed.
+Cyris Cloete thanks brother!
Luckily it was this easy for this app, some apps implement certificate pinning, so even after you install your own certificate it just ignores it and doesnt accept the mitm requests.
One more note: what you demonstrated would work if someone steals your phone, installs mitmproxy on it, and starts using the application in question. This will definitely expose how to API works - all its endpoints, payload structure, tokens, and perhaps some integrations with other APIs. However, if the API is designed correctly, you would only be able to get the data this one client is allowed to see (aka, the user whose phone was stolen, assuming he/she only has one app account). Of course, much of the data the API provides could be shared, in which case one user could potentially get access to 90% or more of the data, e.g. an e-commerce catalog that was considered "private" with respect to the membership implied by this app.
Big companies that private their APIs are indeed annoying, but let's not generalize this
Remember that when you take stuff from an API you're not supposed to have access to, you're essentially using the money and resources of the company behind it, without giving them anything in return.
So let's avoid doing that to small companies & devs
So what you actually did was get JSON response with the data you already have in your phone?
Yes that's what he did, what he doesn't know is that token expires and without the ability to reverse engineer how that access token is generated he will have to do the same thing again once it does. The token is probably generated using a random string algorithm which is damn near impossible to predict. These types of web tokens don't carry any information like the olden days of the JWT tokens did. Their api is safe for another day. Can't decode it cause there's no hash so nothing to decode. What he needs is the mathematical algorithm they used to generate the token to begin with, that's what they are keeping safe. It's even harder to do with a login version since that token would be tied to your credentials in /their/ db.
@@crysiscontained4421 JWT tokens still do and will always carry public information... and the whole purpose of the JWT is for the API to be stateless so the token doesnt need to be stored on any DB. Some implementations do save the tokens tho but its not recommended, there are other ways to go around that problem.
Hey dude, good job with the video. You can also use the proxy to find out the endpoint used by your phone in order to get the access token, so you are going to be able to log in from your computer and get new access tokens ( Because they probably have a TTL). Another tip is to check if the app has also a website because if they have they are probably using the same private API, so u don't even need to proxy your phone.
hmm..not really hacking if using the public request string with a valid user token.... get restricted user data from other user without token would be hacking...
exactly
Intercept the authentication call to be able to generate tokens. In oauth2 a token is usually valid around 2 min depending on what was set by admins
Auth calls don't carry any information, it's just a GET request with a couple headers and a cookie gen client-side, and oauth is a lot longer than that usually. I have used an oauth token for over 24 hours on most sites, shortest I have seen is 6 hours. token gens are done completely server-side and don't get sent over HTTP/S requests.
@@crysiscontained4421 What he is trying to say is that you can intercept oauth refresh token which is commonly used to generate new access tokens. And when you say "token gens" you're referring to the private key. Private keys may not get sent over http but refresh tokens and access tokens surely do.
So guys if you don't understand what he actually did is he intercepted his request from phone app into the his pc using mitmproxy and then he used access_token value to get the results without using the app and he got succeeded
Dang bruh, if you want that data you gotta go out and get it, loved the vid. Just getting into trying to reverse engineer some APIs
Next video: Bypass ssl pinning.
is that possible? i've been playing around with man in the middle for last few months and ran into this issue with ssl pinning the other day
@@brimmed Yes, Frida + hooking to specific functions.
Ssl kill switch 2
@@brimmed use android, root it, install xposed framework, install SSLUnpinning module, now with SSlunpinning module you can select witch app u want to unpin.
note: on well made apps like instagram or facebook this method doesen't work, in this case you need to sear a modded apk
@@obywonimaccheroni-5750 can I do this with an emulator or need an actual device
I totally agree, these api should have been open source to the public.
first time seeing you, good luck bro , dont stop, subs done
Nice video. This really got me thinking about my api😂
Security (access codes) are often not important from an ISV's point of view. APIs are often "private" not because of any security concern but so that the ISV can change THEIR OWN APIs without needing backward compatibility and so on. They're not private for commercial reasons but technical ones. So, of course, if you write your app against private APIs then don't complain if they break in the next version. Public APIs require far greater support. By all means use private APIs, but why not also contact the ISV and ask them to make their API public? Or even (here's an idea) pay them to use their software, in the form of a support contract...
Let me get this straight: Security is a HUGE concern, but in your example, you ALREADY HAD THE ACCESS CODES, you ALREADY HAD THE KEY. So, that is entirely irrelevant that the API uses that key.... what you were arguing is to make private APIs public, and implying that they are private as some kind of security-through-obscurity, when that is not really the intent most of the time. As soon as you publish an API you have all sorts of forward and backward compatibility problems that are mitigated by having private, unsupported APIs. If you want the API to be supported, pay to support it.
Can anyone here help me identify my ex-girlfriend as my cyberstalker so I can put a stop the constant harassment??? She works in law enforcement and is abusing the resources available to her to harassment and anyone connected to me. This has been going on for 4 years now... PLEASE HELP ME BRING HER DOWN! I have no problem paying a fair price $$$ for SOLUTION BASED help!
@@mikechickenman Exactly, it is absurd to me people watch this and be impressed. This dude already has access to the API, he even has an api key to use. He just gained control over something he already had control over, how impressive lol.
it isn't an issue, it's normal behavior of API's. The problem would exists if You could access resources, which weren't destined to You.
Bit lame without figuring out the hashing
The reason they are private is to release stress on the api's..
Hey Chris, Thanks for making this video. I don't know much about api but I think this can help me with a project I'm working on. Good luck with your channel.
///.####&64%//3nkwwww
nah bro chill not trying at my home,instead at my friend!
WIth these looks, you should be an actor, man :). But seriously, thanks for the video. Thumbs up of course.
This is amazing! Companies really need to start caring about their APIs
+Govind Prasanth thanks brother, and I know. Just open source the API and people will work on it and make it better for FREE! I don’t get it. It’s greedy
F12 ... Companies steal all the time.
this is why you use cors
Is it posibble to manipulate request in middle? For example, think of an app, there is an integration of another app within it. Even if that integration in the other app receives the data from the main app, can the data be changed and sent before going to the servers of the integration app?
Following this in 2024, on my iPhone the "Profile" where you install the mitmproxy has been relocated to the VPN & Device Management.
Heads up: Newest ios version needs you to go to "general", "info", "certificats... -settings" -> enable mitmproxy, as otherwise its only installed but not enabled! Otherwise (at least for me in 2024) your iphone wont be able to connect to the internet.
I'm just gonna pretend I understood
@Paul : I know this is a little late but I'd suggest looking at ruclips.net/video/BxV14h0kFs0/видео.html by Tom Scott
so basically, this is not hacking
This is reverse engineering .
As a result, do u recommend to developers to secure the api with Oauth2 ?
You'll get the same result with oauth the token itself is not important. the token expires, the gen method is what is important he talks about hashing but web tokens aren't hashed anymore as they carry no data. What he is likely referring to is the old JWT tokens which were hashed because they carried important info in them these new tokens use a random string gen so you can't decode them, you need the algorithm that was used to generate them. in fact you don't even need to do a MITM attack to get your token just open the developer inspect tool on your browser go to application tab and click on cookie, your auth token is in there
3:24 how you get the access token without the credentials. Are you using Postman for the POST req? 5:09 like I’m confused on how you got the access token, this is like magic. Like how Sway???
For that only he had created a proxy...which logs all the data flowing through it.
he pulled a devon crawford
Think I need to watch this a few times to follow what you did. Very interesting.
Drone Kings in Darwin thanks for the comment brother!
brother why did you stop posting videos? Does anyone have his social media? urgent !!! does anyone know how to find api?
I thought that it's pretty standart that you think someone will try to use your API's. That's why you put a rate limit per authenticated users. Son a single user gets only x amount of request where they can't serve the API to 100s of people.
Can you make a tutorial about API for beginners 🙏🏾
Holy crap I was looking for a way to find the person that hacked my gmail and i find this gem for my personal project
bro i want api of a web based parser called a-parser coz i develop one my own but it has cloudflare is that matter , that the website has cloudflare with this method?? thanksss
Thanks Chris..you blew me away with this video. Please I need to see another video on Hacking DNS and cloud servers
hello what did you use to send the request at minute 5:33 did you use burpsuite?
That was great.. How much per hour for a personal tutoring?
Wonderful video, man
Can you another video explaining more about this installation
There's a medium post
did you put eye liner and mascara to your eyes?
Well done.. I was wondering how my coder was doing it. WE are using the exact process to set up a multiple API. Well done breaking it down!
This guy is a Noob. You could simply use a short expiry time and that key becomes useless. If these guys wanted to protect their api he couldnt have seen that key unless he logged in.
@@khalifarmili1256 so users have to log in every minute with your short expiry time? who wants to use an app that constantly wants you to log back in all the time dude
such a clean and top notch video ! earn my sub in the first 10 sec , thanks for sharing dude
I don't even know how i manage to understand all that.
it's impossible to do that on Android phones so companies are not worried so much but of course, there is a certain ways to hack them
Funny and naive
@@LiEnby Yep you're right. I was naive at that time and actually it's fairly easy to do on android
Man in the Middle 101
Cool coordinates.
Superb 👍 . The way you explained the stuff was very easy to understand. Keep it up bro 👍 👍 👍
terrible idea not scrubbing that geo location data
I have a doubt. I use a website and I know their http requests and response. Anyone can access their site. Can I use the requests in my app without telling them or just provide credits to their website?
How would you generate fake api Key when you already have a demo Key? is It posible to reverse Engineer a Key?
You straight look like Jesse Williams lmao. Besides that, nice job very interesting video!
Great video 🤘🔥🔥🔥
but only debug app and web will be intercepted, when i open random apk what i've install from play store then mitm proxy doesn't work to intercept the request and the app return error ssl bla bla bla(ca-certificate had been installed), or infinite loading
you need to bypass ssl pining
thxxx it's amazing, but why do keep telling us not to try it, is it illegal ? i need to make an app that uses some banks data but their apis are private, is it legal or not to get them like this because i don't wanna get in troubles honestly
pretty sure its illegal
Can you use this method to post data to their server?
How to protect own api on server from apps like packet tracers on android.
My users catches data and make from postman.
Any help on this
Thanks so much! This was a really, really, really big help!
Uh didn't you dox yourself on this one? I'm seeing coords that lead to a house. Might wanna look into that.
Well looks like i won't be using rest API's lol... what about gRPC? is that easy to hack?
Careful, 5:20 is you coordinates..
Did I miss something? Why are you using your phone. What aren't you using your PC to do this?
Because the app runs on his phone.
@@LiEnby Yes, but the website is an app also.
@@didyouknowamazingfacts2790 Maybe the app doesn't have a website?
bruh u killed this video i had to rewatch video too lit !!
you could do that with post man also. it have a tool for reverse engeneer an api
did you manage to get it to work?
yes I did. you have to download the chrome pluging. I actualy dont remember how it works. I did that a long time ago. But what i can say is that i had a hard time with that because they dont have the tutorials on their site updated but you can also find tutorials from other ppl in the web. Once you do it once, it will look easyer to repeat.
Scrapping pls. Now big companies are investing on anti-scrapping methods
Respect the hustle
Hey, I'm not able to capture https requests.
Do it for Leetcode
Only 1.1k subscribers? You need more bro
pretty cool, engaging work. thumbs up!
what a shame they are not using ssl pinning
Literally pointless 😭
this is not exactly private, a private api should have a signature then you would need to work on their algo, which requires reversing their app. lol
Awesome video!
do you put eyeliner
Is it possible to hack firebase database ?
Can we delete or change all firebase data of a android application
now dan im not deletd folow mw
This is basically Session hijacking right?!!!
if the api key expires in a given time (session) then yes but otherwise not really it's just bad programming by the company lol
Thank's chriscodes
keep up the good work ^_^
+Malik Dernawi thanks brother!
u could have just used burp
I actually prefer this
that was awesome!!!
Api means fire in indonesia
How can I connect with you bro
Can you this for Snapchat app?
hi dear can you do reverse engineering api tiktok i will pay you
NICE
Great video :)
how can contact with YOU
Can't you just use chrome to intercept?
Umm, on a mobile app?
Wtf you look like the android from Detroit become human
BRO THANK YOU
no like actually thank you
legend
Hack a bank app
Reverse engineer an android app.
Yeh
What's the benefit?
This is quite simple depending on what you want to do.
Can I hack ROBLOX accounts using thisv
You look like John Cena
Use burosuite
Mac os is super good as compared window 🔥🔥🔥