Live API Hacking Demo

  • Published: 28 Aug 2024
  • If you missed this live demo last weekend where I showed a bunch of API bugs, you can watch it again live; there will be some interaction!

Comments • 70

  • @887310954
    @887310954 3 years ago +6

    I tested a complete API collection after learning from you.

  • @phxsisko
    @phxsisko 1 year ago

    I just downloaded the Linux Docker for GU and I was able to find the users/1,2,3 on my own before watching any of this. Of course, I'm glad this exists as an explanation of what can be found. Thanks Katie.

  • @johnsnow1062
    @johnsnow1062 4 years ago +2

    Very appreciable content Katie. Please keep making these. Best wishes.

    • @InsiderPhD
      @InsiderPhD 4 years ago

      Thank you! Will do! I'm hoping to do some more live sessions but they require a lot of prep work so soon I promise!

  • @patsmith8404
    @patsmith8404 3 years ago +4

    16:00 should most definitely be considered information disclosure. Even if emails are considered public, the full name associated is returned, and other internal information is exposed which can further future attacks.
    There is no reason ID, verified status, or creation time should be returned, even if you consider name and email public. These values can be used to further future attacks; for example, a lot of password functionalities compute reset strings based on the epoch time of registration concatenated with the ID, maybe a substring of the PW hash, then hashed. Knowing this info can reduce the entropy. Exposing the IDs, which are often used as unique identifiers, can also aid in targeted broken access control attacks, such as pulling someone's specific details down with a unique identifier which otherwise wouldn't be known by the attacker.
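    As an added defender-side illustration of the point in the comment above (this is not code from the video or from the app being tested): a default-deny serializer that emits only allowlisted fields per audience, plus a check that walks a decoded JSON response and reports any of the internal fields mentioned (id, verified, created_at). The sample record, field names and audience labels are assumptions constructed for the example.

```python
import json

# Constructed sample record modelled on the user object discussed above
# (id, name, email, verified flag, creation time); not taken from the video.
SAMPLE_USER = {
    "id": 1,
    "name": "Example User",
    "email": "user1@example.invalid",
    "verified": True,
    "created_at": 1598623200,
    "role_id": 2,
    "password_hash": "$2y$10$placeholderhashvalue",
}

# Explicit per-audience allowlists: anything not listed is never serialized.
# Audience names and field names are assumptions for illustration.
FIELD_ALLOWLIST = {
    "public": {"name"},
    "self": {"id", "name", "email", "verified", "created_at"},
}

# Fields that must never appear in a response shown to another user.
INTERNAL_FIELDS = {"id", "verified", "created_at", "role_id", "password_hash"}


def serialize_user(record: dict, audience: str) -> dict:
    """Return only the fields allowed for this audience (default deny)."""
    allowed = FIELD_ALLOWLIST.get(audience, set())
    return {k: v for k, v in record.items() if k in allowed}


def find_leaked_fields(payload, forbidden=INTERNAL_FIELDS, path="") -> list:
    """Walk a decoded JSON response and list forbidden keys with their path."""
    leaks = []
    if isinstance(payload, dict):
        for k, v in payload.items():
            here = f"{path}.{k}" if path else k
            if k in forbidden:
                leaks.append(here)
            leaks.extend(find_leaked_fields(v, forbidden, here))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            leaks.extend(find_leaked_fields(item, forbidden, f"{path}[{i}]"))
    return leaks


if __name__ == "__main__":
    # Raw record as a naive endpoint would return it, versus the allowlisted view.
    raw = json.dumps({"users": [SAMPLE_USER]})
    print(find_leaked_fields(json.loads(raw)))  # every internal field is exposed
    public = json.dumps({"users": [serialize_user(SAMPLE_USER, "public")]})
    print(find_leaked_fields(json.loads(public)))  # []
```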

  • @TheKlyner
    @TheKlyner 3 years ago

    Your content is reaaaally great, I enjoy a lot learning from you, it's so instructive. Looking forward to finding my first bug with all this great help! Thanks from Belgium!

  • @allan_bomb
    @allan_bomb 3 years ago +1

    Fantastic content as always! Very informative and well presented. Keep up the wonderful work.

  • @wardellcastles
    @wardellcastles 4 years ago

    Loved the Live Interactive Demo. Please, more of these! I joined Intigriti and I just bought you a coffee!!!!

    • @InsiderPhD
      @InsiderPhD 4 years ago +1

      Thank you for watching, interacting and donating ❤️ have fun with Intigriti! I’m definitely going to do some more of these!

  • @2ndchancenomad212
    @2ndchancenomad212 3 years ago

    You are awesome Katie. This video helped me so much in understanding api. Thank you for all your hard work.

  • @x7331x
    @x7331x 1 month ago

    Great content, congratulations!

  • @Hari-888
    @Hari-888 2 years ago

    I just want to say your voice is so soothing

  • @computerauditor
    @computerauditor 2 years ago +1

    Awesome tutorial! I learnt so much!! Thank you

  • @Nick_Carter007
    @Nick_Carter007 6 months ago

    This is top tier content

  • @ghninoumehdi9516
    @ghninoumehdi9516 2 years ago

    Always cool and fresh! Thank you for this amazing content

  • @starlox0
    @starlox0 6 months ago

    Awesome Explanation ❤

  • @Socversity
    @Socversity 4 years ago +1

    Most fantastic video I have ever seen, great work 😉😉

  • @winklerrr
    @winklerrr 3 years ago +1

    So this API looks pretty simple... How about APIs that are behind 2FA and proper IDPs like Google Auth?

  • @karenmaria6395
    @karenmaria6395 4 years ago +2

    Thanks, I have been waiting for this

  • @Sam-nw1qe
    @Sam-nw1qe 4 years ago

    Content like this is worth paying for internet. Thanks!

    • @InsiderPhD
      @InsiderPhD 4 years ago

      Aww, that's so kind of you, thank you!

  • @dephy2003
    @dephy2003 3 years ago

    We’re doing it live! 😂😂 Cyber mentor recommended you and he was right, you’re awesome!

    • @cletusmugane
      @cletusmugane 2 years ago

      hehe..the cyber mentor is Awesome too!

  • @tanercoder1915
    @tanercoder1915 4 years ago

    Thanks Katie for this demo! For hacking APIs, do you also use Postman to interact with an API? Or again, is Burp there to rule 'em all?

    • @InsiderPhD
      @InsiderPhD 4 years ago +1

      You can definitely use Postman! I focus on doing things with as little tooling as possible in videos to show that you can get comfortable with something before trying a new tool. I personally don't use Postman a ton but I do use it! It's really useful as it's more purpose-built for interacting with APIs, but Burp works great with APIs; it's certainly not a necessity.

  • @filipesimoes5398
    @filipesimoes5398 3 years ago

    Hi, great live video to see it in practice! What does endpoint mean?

    • @InsiderPhD
      @InsiderPhD 3 years ago +1

      Endpoint just means a URL that does something, so youtube.com/watch doesn't do anything, so it's not an endpoint, but add the video ID and you're taken to the video page; that is an endpoint because it does something.

  • @budirangkuti
    @budirangkuti 4 years ago

    Thank you very much

  • @abrahamnunez902
    @abrahamnunez902 4 years ago

    Excellent content. Could be great if at the end you could provide more further reading.

    • @InsiderPhD
      @InsiderPhD 4 years ago +1

      Good idea! This piece of software is entirely my own work but a good place to learn API security is apisecurity.io

  • @surferbum618
    @surferbum618 4 years ago

    Awesome video!

  • @jaseem4483
    @jaseem4483 4 years ago

    Very good content, and I started bug bounty by watching your videos. Can you tell me how it will be if the API is using GraphQL?

    • @InsiderPhD
      @InsiderPhD 4 years ago

      GraphQL works really differently to RESTful APIs but it's really just the syntax, the bugs are all the same, I'm working on a video right now for GraphQL :)

  • @azaruddinshaik7265
    @azaruddinshaik7265 3 years ago

    How did you set up the lab?

  • @wardellcastles
    @wardellcastles 4 years ago

    Katie, you mentioned one way to find APIs is to manually walk through the app, pressing every button and link. How is this different or better than doing a scan against the root of the application?

    • @InsiderPhD
      @InsiderPhD 4 years ago +1

      It's not really! But RESTful APIs can be really difficult to enumerate since you need the correct words in your word list, and they can be really target-specific. Check out TomNomNom's recent talk from NahamCon about them for more info!

  • @suryaasurya2350
    @suryaasurya2350 4 years ago

    Awesome content.

  • @Tekionemission
    @Tekionemission 2 years ago

    (17:07) - Where do you see roleid in the JSON output?
    (20:55) - Edit

  • @coocs192
    @coocs192 3 years ago

    So I found an API, and found a root user with its API key. And in their website they explain we can access the API with /api/v1/submit/. I substitute the but I get a status: unauthorized. Any suggestions of what's going on here? (I can't seem to log in to any user)

  • @badpixelproductions8437
    @badpixelproductions8437 3 years ago

    Is it viable to spider out a list of subdomains with gospider/waybackurls and then grep the file for any line that contains /api/? Or are you likely to miss things by doing that?

    • @InsiderPhD
      @InsiderPhD 3 years ago

      That would definitely work; this is actually something I'm going to be covering soon on the channel, particularly how to get the most out of subdomain enum.

  • @MommyExplains
    @MommyExplains 3 years ago

    Well done! :)

  • @Nothing-lh9hp
    @Nothing-lh9hp 4 years ago

    thanks man so so so so much

  • @LetsGoTech
    @LetsGoTech 2 years ago

    Maybe due to the live video and asking the audience questions, I feel bored watching the pre-recorded ones 😂

  • @samuraijack5919
    @samuraijack5919 4 years ago +1

    Nobody:
    RUclips: HACK APIS

  • @johnphiri9418
    @johnphiri9418 4 years ago

    Thanks Katti3

  • @playforpassion7111
    @playforpassion7111 4 years ago +2

    I ended up sleeping through my alarm but would robots.txt be a good one to add to the list?

    • @InsiderPhD
      @InsiderPhD 4 years ago +2

      Yeah for sure, you can see SecLists for a list of common API endpoints (I didn’t due to time+usefulness constraints on this application)

  • @vip3.r
    @vip3.r 3 years ago

    10:44 what about using CeWL to generate a custom wordlist?

    • @InsiderPhD
      @InsiderPhD 3 years ago

      Definitely an option; for this particular API it would be quite difficult to create a custom word list as not much of the API is exposed via source files.

    • @vip3.r
      @vip3.r 3 years ago

      @@InsiderPhD Thank you!

  • @AnuragKumar-hv1df
    @AnuragKumar-hv1df 4 years ago

    Very helpful

  • @joshgordon7299
    @joshgordon7299 4 years ago

    Awesome

  • @subscriber6571
    @subscriber6571 3 years ago

    Unable to perform edit; the response is the same even after I perform the edit.

    • @shift3y
      @shift3y 3 years ago

      Same for me. Using "PUT /api/grades/1" with content type set to application/json and the new grade in the body, the update doesn't work; the grade stays the same with a 200 response. Any ideas?

  • @Stas1983ful
    @Stas1983ful 3 years ago

    Do you have a video on how to install this vulnerable local PHP app?

    • @InsiderPhD
      @InsiderPhD 3 years ago +1

      Not yet, but I'm working on something at the moment :D

    • @Stas1983ful
      @Stas1983ful 3 years ago

      @@InsiderPhD ok, Katie, and how long does a standard pentest of one target (for example Yahoo) take? One day, two, or maybe one week?

  • @GauravSharma-ks9eq
    @GauravSharma-ks9eq 4 months ago

    Can I become your apprentice 🙌🏻

  • @ricardotech
    @ricardotech 4 years ago

    Great

  • @cyrilbeyo8731
    @cyrilbeyo8731 4 years ago

  • @shrirangkahale
    @shrirangkahale 4 years ago

    Nyce

  • @TheCyberWarriorGuy
    @TheCyberWarriorGuy 1 year ago

    :)

  • @robinhood3841
    @robinhood3841 4 years ago

    You are so sweet 😂😂

  • @SanjoAntony-sx3bu
    @SanjoAntony-sx3bu 5 months ago

    Can you pin your GitHub link?