How To Do Recon: API Enumeration

  • Published: 21 Aug 2024

Comments • 142

  • @InsiderPhD 4 years ago +29

    Hey everyone! The Top 10 API bugs referenced in this video will actually be coming out next week, so you could do some recon over this week, and start hacking next week :) If you want to learn more I can recommend this resource apisecurity.io/encyclopedia/content/owasp/owasp-api-security-top-10.htm but expect that video next week!

  • @mohittirkey7889 4 years ago +8

    Amazing video Katie on the API enumeration, we can also use cluster bomb settings in the Burp Intruder as follows:
    Payload Set-1 -> HTTP methods like OPTIONS, GET, HEAD, POST, TRACE, DELETE etc.
    Payload Set-2 -> our wordlists

    • @InsiderPhD 4 years ago +1

      Great suggestion! Especially with route api endpoints like /api/resource I think checking for additional HTTP methods is a great idea

  • @hemanth1260 4 years ago +20

    Really great content and I can understand how much effort you have put in to get this content out, thank you for helping the community

    • @InsiderPhD 4 years ago +6

      My pleasure! I love this community and I think it's my duty to give back to the community that helped me!

  • @PizzaParker-EAB3524 4 months ago

    Doc, thank you so much for these videos. As a newcomer to bug bounties your videos have been a lifeline.

  • @danielwilcock7007 4 years ago +1

    Amazing video Katie. Please, please keep this up. Your content is really helpful.
    For many months I have been a lurker watching guides and methodologies, then load up burp and impostor syndrome kicks in before I begin. Your content has actually allowed me to finally try to hack. Very simple and friendly!

    • @InsiderPhD 4 years ago

      Thank you so much! It's going to be hard but you can do it! Just keep trying!

  • @mid-julyenglish1782 4 years ago +1

    This is totally what I was looking for and here you just upload it. I am blessed. You blessed. Thank you and keep going.

    • @InsiderPhD 4 years ago +1

      You're very welcome! Happy hacking!

  • @arpeetrathi 4 years ago +4

    Amazing as usual. Keep posting once every week❤

    • @InsiderPhD 4 years ago +1

      Thank you! Will do! See you next week :)

  • @zoroatokpas8761 3 years ago +1

    Watched this video almost like 4 times, still learning things

  • @TheJDebski 4 years ago +1

    Your videos are so great! Thank you. Definitely my favourite channel about bug bounty

  • @jonoheath4221 4 years ago +1

    Thank you so much for your vids I am finally starting to get my head around APIs thanks to all your stuff. The hunt begins this weekend.

  • @LeonidasDAce 4 years ago

    I found an IDOR 4 days ago but I didn't know it was API based until seeing this video. Thank you so much Katie for this wonderful explanation. Learned a lot of things from it.

    • @InsiderPhD 4 years ago

      Congrats on finding an IDOR! Was it your first bug? Glad I could help

    • @LeonidasDAce 4 years ago

      @InsiderPhD It was my 3rd bug actually. But I got my 1st 4-digit bounty from this. Thank you so much Katie. Keep sharing things.

    • @InsiderPhD 4 years ago

      Leonidas D. Ace wow! That's incredible, fantastic job :)

    • @LeonidasDAce 4 years ago

      @InsiderPhD Thank you Katie. Will be waiting for your next video

  • @helalsadat2077 1 month ago

    I have watched the full video, thank you very much Katie, I am regularly following this playlist on API hacking

  • @paulojr1384 1 year ago

    38:33 remember to add -rate (the limit of requests/sec is always required by the rules when bug hunting the target)
    thanks for the content @InsiderPhD and have a blessed 2023
    💯

  • @PedroPerez-ii4dx 4 years ago

    Thanks for such amazing content.
    Trying to understand all this is like an old saying from where I grew up: "The hope of the one who grows coconuts" (meaning that sometimes things look like a never-ending goal).

  • @dukedud9743 1 month ago

    1- finding ur first bug
    2- firefox containers
    3- api top 10
    4- api enumeration

  • @juul216 3 years ago

    Thanks, the audio is very clear

  • @aaryansaharan127 4 years ago +1

    Really good content.
    You actually make videos with all dedication (I feel). Really you deserve a very big thank you!

    • @InsiderPhD 4 years ago +1

      Thank you so much 😀

  • @00eunderscore70 1 year ago

    Awesome! I'm a bit out of date on this one but appreciate these kinds of videos!

  • @Nothing-lh9hp 4 years ago +2

    great video, I have a little notice: you could also use the Param Miner extension in Burp Suite, it's also a great extension to find hidden parameters

    • @InsiderPhD 4 years ago +1

      Yeah for sure! I didn't mention it because I couldn't get it to work on my demo API for some reason, but you're absolutely correct, I'll add a note in the description!

    • @Nothing-lh9hp 4 years ago

      @InsiderPhD thanks so much man for doing awesome content

  • @zynnewton8687 3 years ago

    finally I saw an interesting video on YT... this channel is very interesting and knowledgeable, I keep watching your videos, hopefully you create more vids on YouTube that help beginners like me... I'm from the Philippines, I have a lot of questions in my mind and if it's okay to contact you it's an honor for me. :) your fan from the Philippines. God bless.

  • @freeguy37 3 years ago

    Really it's a very helpful video and yes, all your videos are a bunch of knowledge!

  • @3rdaaa 4 years ago

    Thank you so much for your video Katie! Still searching for my first bug here, hope to find it soon!

  • @GonzoRust 2 years ago

    you inspire the world. keep up the good work

  • @danyelvillalba7 4 years ago

    Thanks Katie!!!! I love your videos, please keep going with videos like this, Great content

  • @ricjhill 4 years ago

    I wish Intigriti sponsored a sports club. That logo would look good on a shirt.

  • @faysalahmed7251 3 years ago

    Your content is amazing. My request for you is to do some live bug bounty hunting on a live target in a stream, so that we can learn things from you in a more practical way.

    • @InsiderPhD 3 years ago

      I'd love to but there are a lot of confidentiality issues in doing that; if you check out the live API hacking and the teaching my mum to hack videos you can see me going over the process to assess a target!

  • @roberthorn6707 4 years ago

    Hi Katie! OMG! I don't know how I found your channel but I'm glad I did. My strengths lie in Cyber Security Analysis and this is a great piece for me to add. Your pre-req video though, did you change the name of it? Because I couldn't find it... thanks for all you do!

    • @InsiderPhD 4 years ago +1

      Due to popular demand on Twitter people wanted this video first so they could do some enumeration this week and bug hunt next :) it will be up on Saturday

    • @roberthorn6707 4 years ago

      @InsiderPhD Yes ma'am! Sounds good to me. I've subscribed and turned on my notifications. And I've put it on my Twitter page as well for the rest of the community to find and share!

  • @abhhibirdawade9657 4 years ago

    amazing Katie as always...

  • @kishorebolt3065 4 years ago

    You are doing great

  • @0x2shadow19 10 months ago

    This is a great video. I wish I could also get the slides that you are using.

  • @brunobeluco1187 4 years ago

    Very nice video, I learned so much from it, your explanation is amazing.
    I would like to ask you to increase the font in Burp because it was very small :)
    Thank you very much for the video Katie

    • @InsiderPhD 4 years ago +1

      Thank you for the feedback, definitely going to take that on board! I will make sure to make it a little bigger!

  • @IteLuis 4 years ago

    Awesome content, I hope you are doing great, keep up the great work, cheers!!

  • @souhaillepacifique7572 4 years ago

    hello woman, I've just discovered your channel, amazing content, thank you and keep it up

    • @InsiderPhD 4 years ago

      Welcome! Thank you for enjoying my content!

  • @DanielCamargo81 3 years ago

    thanks a lot for sharing your knowledge, that is amazing!

  • @ezri5021 4 years ago +1

    Could see you use LastPass there. I'm looking to use a password manager, do you recommend it? Can I trust that it's secure?

  • @hasnainabidkhanzada3754 3 years ago

    What's your suggestion regarding using a type of OS for low hanging fruits hunting; Windows or Linux? Which is better? Especially from a recon perspective?

  • @fahadfaisal2383 2 years ago

    Good work Katie.

  • @digitaldina 4 years ago

    This is so good!!! Pls pls pls do a GraphQL vid ❤️

    • @InsiderPhD 4 years ago +1

      I was planning to but then I got beaten to it! I highly recommend Farah's video ruclips.net/video/OQCgmftU-Og/видео.html

  • @jacoblessard8213 2 years ago +1

    I know this is a year old but can someone please explain what it means when you're getting all these false positives? I can enter a lot of these enumerations and it returns a 200, however the responses seem entirely unchanged. On another note, when I try certain queries like almost anything with .json at the end it gives me 423 firebase locked by database owner. Also the reason I tried appending .json to some of my requests is because when trying certain enums or when trying to execute JSON print commands in the body it prompted me to append .json to use the REST API. Someone please, if you have any more knowledge I'd love to hear it.

  • @sharaddahal 2 years ago

    Thank You Katie.

  • @saqibarif7144 4 years ago

    Hi great video, I know you are also the best researcher on HackerOne, it is better to disclose your solved report PoC videos and explain them, it's better for everyone, love from Pakistan

  • @cehdinh5132 4 years ago

    Hi Katie, thanks for the great content in the video. This is awesome, waiting for your next video 😍

    • @InsiderPhD 4 years ago

      Yay! Thank you! It's really nice to hear such kind feedback, thank you for taking the time to let me know what you thought!

  • @Stas1983ful 3 years ago

    Katie, will you create a video lesson on how you created your api-app.php?

  • @satyanarayansahoo693 3 years ago

    Simply Excellent!!!

  • @techlearner3270 4 years ago

    How to identify that the X-Forwarded-For header is supported, which allows you to spoof your IP address and bypass the IP-based brute-force protection, in Burp Suite on any domain???

  • @shuvamadhikari2662 2 years ago

    Thanks Katie 😍.

  • @velurubharath8929 4 years ago

    Great Video Katie.

    • @velurubharath8929 4 years ago

      Hi Katie, I came across an API where I can change the number in the request to send the OTP for verification to another number. Can I report this? I am currently logged into that account.

  • @josephnimsara3169 4 years ago

    awesome video content, best on YouTube, and can you please continue the next bug series ☺☺

    • @InsiderPhD 4 years ago +1

      Yup, right now I'm just moving between series that I find interesting!

    • @josephnimsara3169 4 years ago

      @InsiderPhD thanks a lot, is there any way to contact you? please give us a method

  • @Loveless9619 4 years ago

    My dear PhD, as already said in my last comment, I confirm the esteem I have for you, you are always inspirational.
    I know you've already talked in the past about "How to choose the company where to start bug hunting", however I would like to know from you what you think about the infinite (looong, very looong) hiring policies: what is in-scope, what attacks/checks are allowed and what is not. Honestly? It's a huge nuisance every time you have to read all that long text! Do you have any advice to cut this boring pre-phase short?
    Thank you! Your Italian Guy, G.R. :)

    • @InsiderPhD 4 years ago +1

      I'd love to tell you to just skip it! But it's super important as if you break those terms you're actually not protected legally and the company could report you to the police for breaking hacking rules. So I suggest you ALWAYS read it and make sure you NEVER go out of scope.

  • @ayoubaboutarbouch8683 4 years ago +1

    liked before watching

  • @p0nch4x24 4 years ago

    Excellent content as always, thanks for all your work and effort. A question: how can I avoid '429 too many requests' responses in ffuf?

    • @InsiderPhD 4 years ago +1

      Great question, you can limit the number of requests in ffuf using the -p argument (-p: seconds of `delay` between requests, or a range of random delay. For example "0.1" or "0.1-2.0")

    • @p0nch4x24 4 years ago

      @InsiderPhD Oh, great! Thank you, Katie

    • @madmatt112 2 years ago

      Following up a year later to share that newer versions of ffuf offer a “-limit” (or similar) flag to do the inverse - how many requests per second.

  • @ismailramzan8927 4 years ago

    Thanks for another Great Video :)

  • @karimdhrif6679 4 years ago

    Thank you Katie!

  • @ANKITPATEL-ju7ro 3 years ago

    Awesome video!!!

  • @nyengnathan517 3 years ago

    Wow. Thanks.
    Just one question, do you also use that Windows machine in your bug bounty hunting?

    • @InsiderPhD 3 years ago +1

      I use both! I am platform agnostic, I prefer the laptop for live events (lmao)! I prefer my Mac at the moment because it's easier to film/work on for various reasons.

    • @nyengnathan517 3 years ago

      @InsiderPhD Cool. Thanks for the response. Looking forward to more informative videos from you. Cheers.

  • @ricardotech 4 years ago +1

    On a scale of 1 to 10 you're 11, Katie

  • @StrmNb 4 years ago

    Great video!

  • @charlyzha3772 2 years ago

    nice tutorial

  • @adelaidemiguel9117 1 year ago

    How do I get the website that she used for the demo so that I can practice with it? Someone help.

  • @mackeman1356 1 year ago

    thank you

  • @maxmayr1477 4 years ago

    Hey I really like your video! But I have a little question. Am I allowed in bug bounty programs to send so many requests per second?

    • @InsiderPhD 4 years ago

      Usually there is a request to limit testing to so many requests a second - check the program page. If not, you should still be responsible but you are not limited (apart from maybe a firewall)

  • @green_quirk 4 years ago

    Lots of love.... ❤❤❤❤❤

  • @kevinnyawakira4600 4 years ago

    Amazing content

  • @maxicorbs 4 years ago

    Katie I've just looked for the video that you reference in the intro "Top 10 API bugs" but I can't find it?

    • @InsiderPhD 4 years ago

      Due to popular demand this video came out first (I address it in the description), so the videos' release schedules were swapped (so you could do recon this week, and hack next week). I can really recommend this as a great resource: apisecurity.io/encyclopedia/content/owasp/owasp-api-security-top-10.htm

  • @Anonymous-wb8ke 4 years ago +1

    I learned so many things and also I'm from India, Arjun is awesome, it's my best friend's name 😂

  • @FraidoonFarrukh1 4 years ago

    Hello, sorry I can't find Top 10 API bugs on your channel. Can you post the link please? Thanks

    • @InsiderPhD 4 years ago

      It will be out on Saturday :)

  • @TheConstantLearnerGuy 2 years ago

    Why did you discontinue the series?

  • @helalsadat2077 1 month ago

    For those who want to make a word list or get a good word list, I would recommend Assetnote's API routes word list, it's really big and gives really good results. Happy API Hacking

  • @lowtoe8030 4 years ago

    I can personally attest that Arjun is great. It's played a part in nearly all my XSS, redirect, and injection bounties. However I can't get the --headers option to work with it. Anyone else have luck with it?

  • @InfoSecIntel 4 years ago

    What's the one command to enumerate GraphQL? I don't remember it from the previous videos.

    • @InsiderPhD 4 years ago

      Here you go: github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.md

    • @InfoSecIntel 4 years ago

      InsiderPhD thank you for being so helpful! So the "one command" you were talking about, is it the section that says "URL encoded query to dump the database schema"? We can literally just copy and paste that and it's usable? Again thank you so much

    • @InsiderPhD 4 years ago

      Yup that's the one

    • @InfoSecIntel 4 years ago

      InsiderPhD amazing thank you!

  • @surferbum618 4 years ago

    Interesting

  • @ravirajsinhzala9535 2 years ago

    Not able to set up the generic uni API, can anyone help?

    • @InsiderPhD 2 years ago

      You no longer need to! You can head to bughuntr.io and it's completely accessible in the browser

  • @paulojr1384 1 year ago

    Is IDOR a CSRF?
    thanks

  • @thimothy2461 4 years ago

    Hi.. my name is Thimothy.. I have been following you for the last 2 weeks, you really did a great job and I would like to follow you on Instagram but I can't find an Instagram link in the description.. Will you provide a link?

    • @InsiderPhD 4 years ago +1

      Sorry I don't use Instagram, only Twitter I'm afraid!

  • @RAVIJATAV007 4 years ago

    🦋

  • @jayu4348 3 years ago

    Katie. You're awesome!!!! And you're cute ❤️

  • @ca7986 4 years ago

    ♥️

  • @doge1931 11 months ago

    lotta IoT devices use SOAP

  • @netbin 4 years ago

    How is it fine to use the community edition, when it works slow AF?

    • @InsiderPhD 4 years ago

      Because it's a great way to get started and be more selective about your payloads, plus for a lot of people the cost is really too much, you can also use ffuf to fill in the gaps :)

  • @sachinmaurya3259 4 years ago

    Hey, when will you upload the video on Burp Suite :)

    • @InsiderPhD 4 years ago +1

      Very soon, not 100% sure on timescales, but how to use Intruder/Repeater are next on my list

    • @sachinmaurya3259 4 years ago

      @InsiderPhD Thank you :D Waiting for your video

  • @maxicorbs 4 years ago

    Wooo

  • @AjayKumar-xl4jc 4 years ago

    Ma'am, tutorial video please

    • @InsiderPhD 4 years ago

      Sure! What would you like me to cover? I love getting suggestions!

  • @sachinmaurya3259 4 years ago

    1 Comment

  • @realNAKAMI 4 years ago

    Putting dollars around user like $users$ in the URL to iterate over a word list is kind of misleading. Should've used a suitable variable name like $word$.

  • @encodedguy9182 4 years ago

    Who disliked your video? Give me the names of these people, I will hack them.....
    :) :) :)

  • @user-hp8ih3dc8x 4 years ago

    Hi,
    I'm a big fan of your voice and content.
    I have a question. Could you guide me?
    I'm not familiar with Docker, so I don't know the instructions.
    Now I have installed Docker on Kali, but I don't know the next steps. (I'm trying to install the file you deployed: gist.github.com/InsiderPhD/f1eaa95b8479b54e8849beb596d669f5)
    Could you guide me? Thanks.

    • @InsiderPhD 4 years ago

      I believe Kali ships with Python, you can check with: python -V
      If not you should install Python via the package manager: apt-get install python3
      Then you need to do: pip install requests
      And finally you can do: python arjun.py ...

  • @dagobert6420 4 years ago

    I wish there were shorter videos for "more advanced" people... a version of the key points that lasts maybe 15 minutes...

    • @InsiderPhD 4 years ago

      I think it's really important to get all the info, but I have added chapters so people who are familiar can skip through videos easily!

  • @StephenOgu 4 years ago

    Interesting