Been in the coding game for the past 20 years and made a lot of mistakes and had my successes. But, what I don’t understand at all, is, who on Earth would code a Web-API and include direct file access like this, basically creating a reverse shell? (more or less). Do we really have such a significant amount of software out there, featuring this kind of flaw?
Yes, the main point is the methodology rather than the vulnerability. But, you'd be surprised, I've seen quite a few simple vulns like this in the past when carrying out pentests (granted, usually before the application is released - it's less likely you'll find this in the wild or during BB)
@@offsecprep a channel showing packet and pentesting of libre apps would be great and you sound like you could do it! To get started a unique and hugely popular video idea would be on hash /checksum app verification ON Android, FOR Android? Hash Droid is the only way I know of and I'm still not sure how to use it often (auto runs, zipped files, playstore vs Foxydroid or neostore) NOBODY has done this and it seems like THE most important thing to do!?...lots of.powershell vids on it but not everyone uses windows....also, is a chromebook really more secure than Linux as one tech (not cyber security) guy claims? He said cyber pros told him to use it or Linux in a virtual machine in windows
IF THE LFI DIDNT WORK ON "ID param" could work on "author param" ? ( like the vulnb could work depend on the param right? ) or it also works on the other params?
![[Industry Webinar] Raspberry Pi CM4: Leveraging IoT in Medical Device Integration](http://i.ytimg.com/vi/foNu3B_R1FM/mqdefault.jpg)
![I.N "HALLUCINATION" | [Stray Kids : SKZ-PLAYER]](http://i.ytimg.com/vi/n5B5q1Hwt_U/mqdefault.jpg)
Oh wow! This is amazing and so quick. Thank you Alex, Heath and TCM!
(2:02, 5:21) Lab and Fuzz Parameter
(7:40) Wfuzz filter out 404
(11:33, 11:51) Wfuzz
Never knew about this up until now. Good job bro.
Thank you
Thanks for the content, really important and precise. TCM courses helped me a lot in my cybersec journey!
Much needed video 🤠📸
That was super informative. Thanks for thorough explanation.
Interesting video man thanks for your contribution
Thanks for this videos, I just begin in the API pentest wave, and Its very interesting.
Super good! Thank you!
Thanks for sharing this.
Great tutorial mate .Thanks
Been in the coding game for the past 20 years and made a lot of mistakes and had my successes. But, what I don’t understand at all, is, who on Earth would code a Web-API and include direct file access like this, basically creating a reverse shell? (more or less). Do we really have such a significant amount of software out there, featuring this kind of flaw?
Yes, the main point is the methodology rather than the vulnerability. But, you'd be surprised, I've seen quite a few simple vulns like this in the past when carrying out pentests (granted, usually before the application is released - it's less likely you'll find this in the wild or during BB)
@@offsecprep a channel showing packet and pentesting of libre apps would be great and you sound like you could do it! To get started a unique and hugely popular video idea would be on hash /checksum app verification ON Android, FOR Android? Hash Droid is the only way I know of and I'm still not sure how to use it often (auto runs, zipped files, playstore vs Foxydroid or neostore) NOBODY has done this and it seems like THE most important thing to do!?...lots of.powershell vids on it but not everyone uses windows....also, is a chromebook really more secure than Linux as one tech (not cyber security) guy claims? He said cyber pros told him to use it or Linux in a virtual machine in windows
useful explanation - thank you!
Great stuff
Nice video, sir, and thanks for sharing this valuable content with us.
please share moore videos about api enemuration and pentetst, with just basics
Great Content ...
IF THE LFI DIDNT WORK ON "ID param" could work on "author param" ? ( like the vulnb could work depend on the param right? ) or it also works on the other params?
how can i get api dictionary
how can i get the World list you used in this video
I have the same chair, I was expecting more confort.
api endpoint give 404 error then what i do,
can anyone give me same tips?
I need wordlist txt
!!
1st comment 😁
:)
4th comment 😀
your volume is too low
🫡