I stumbled with your videos while searching for how to start with API hacking, I found you and all I can say your videos are GOLD!!! Thank you so much for sharing your time and knowledge with the Community.
I spent all my day with this video it's really great I tried hunting all day I didn't hunt :) anything but I'm happy because I collect a lot of knowledge thanks for your tips
Wanted to point out a small mistake. At 5:02 you said name is menu and value is curly braces. Actually value for that menu is an object starting with a curly braces. Thanks for all your effort. You are doing great.
You are an amazing teacher Katie!! One can just watch your videos and start a career in Bug bounty hunting. Keep posting more videos. I love your content. You have helped me a lot. Thanks for everything.
Ok this was.....BY FAR the BEST video I've seen on YT, for "Introduction to APIs", "API Basics", & "API Recon & Pentesting"! It was extremely useful & clear/concise information that thoroughly explained all subject matter at hand. TY soo much!!!! I'm super happy I found your channel!
Been bouncing around the channels not in order XD but I have to say i love this video and the way you taught it, they keep gettin better and better from what ive seen and super nice to take notes and follow along! Thanks again for the free knowledge !
Really informative video, thanks!!!!!! I have a doubt when I saw zomato api , it showed a list of many GET method , like GET restaurant name, GET location name etc , so should I type the resto name and city name and try to capture the request using burp and run the response. Is this the method like what you are trying to explain?????
The primary attack is using it to bypass any client-side WAF filters, but you should have a look at XSS write ups with APIs, I added one in the description but there are many others
can websites restrict you to use burpsuit to intercept the requests. I am dealing with a website which is restricting me to use it there and its making it really hard to enumerate the good stuff. any help?
Hello is it possible that you can make some video about APIs and perform security tests on PostMan and script? Excellent work I've learned a lot from you.
Try to watch my finding your first bug series in order, but you do need to know a little about how the internet works first! Let me know what you’re struggling with specifically and I’ll try to make more videos on it
I don't provide my slides simply because I am not comfortable with other people presenting my work, I will see what I can in maybe sorting out some written notes in the future.
@rl1k Doe It's less because I don't want people to take credit for my work, but because I want to make sure that if my name is attached to something that it's presented correctly with all the facts!
Now in the description - Information Disclosure: User Information Disclosure via the REST API - /?_method=GET - hackerone.com/reports/384782 - Authorisation Issues: Wordpress.com REST API oauth bypass via Cross Site Flashing - hackerone.com/reports/176308 - Business Logic Errors: Items bought for free due to lacks of quantity controls - hackerone.com/reports/357929 - IDORs: IDOR and statistics leakage in Orders - hackerone.com/reports/544329 - XSS: Stored XSS in blog comments through Shopify API - hackerone.com/reports/192210
I would love to see a sample of your spreadsheet. Would you be willing to share or post link below your video? Great video!! Great content! Thanks for taking the time! A final slide would be great at the end of the video while you are doing final comments as the screen going black, which is a little freaky.
Link to the spreadsheet :) docs.google.com/spreadsheets/d/1IJvTH6QpTlxWdy4Ss6I0G_f4csCYwBdgE88ya7XijnI/edit?usp=sharing will take your feedback into account for next time!
I’m really sorry I actually have midrolls turned off completely but RUclips will actually add them back into the videos anyway! Feel free to use an adblocker it’s very annoying
Next up: Q and A - midweek next week RCE bug in focus - 18th Jan CSRF finding your first bug - 25th Jan I often post in the channel community tab or on twitter when I know what my next video will be!
Keep an eye out for web apps which have mobile app counterparts, often they both use the same API, another option is to take a look at mobile apps (video coming soon!), but in the meantime, you can check out Spaceraccoon's recent iOS blog spaceraccoon.dev/low-hanging-apples-hunting-credentials-and-secrets-in-ios-apps or using Genymotion to set up an Android emulator
Now in the description - Information Disclosure: User Information Disclosure via the REST API - /?_method=GET - hackerone.com/reports/384782 - Authorisation Issues: Wordpress.com REST API oauth bypass via Cross Site Flashing - hackerone.com/reports/176308 - Business Logic Errors: Items bought for free due to lacks of quantity controls - hackerone.com/reports/357929 - IDORs: IDOR and statistics leakage in Orders - hackerone.com/reports/544329 - XSS: Stored XSS in blog comments through Shopify API - hackerone.com/reports/192210
you've improved the sound quality
I finally figured it out!
Your videos are a gold mine! Thank you so much for making them free accessible and so understandable ❤️
You are so welcome!
Nobody:
InsiderPhD: "Howevaaaaaaar...."
Bri ish
@@reo4680 in'it
Really love your series 💖
I found my 1 st paid bb this week after completing your series love you 😘
I stumbled with your videos while searching for how to start with API hacking, I found you and all I can say your videos are GOLD!!!
Thank you so much for sharing your time and knowledge with the Community.
I spent all my day with this video it's really great I tried hunting all day I didn't hunt :) anything but I'm happy because I collect a lot of knowledge thanks for your tips
Did you got some now?
You are an outstanding educator, please keep doing it! I just wanted to learn about enumeration for a project but now I'll binge the whole channel.
Wanted to point out a small mistake. At 5:02 you said name is menu and value is curly braces. Actually value for that menu is an object starting with a curly braces.
Thanks for all your effort. You are doing great.
You're absolutely correct, thank you for pointing out my mistake, I will issue a correction in the description
You are an amazing teacher Katie!! One can just watch your videos and start a career in Bug bounty hunting. Keep posting more videos. I love your content. You have helped me a lot. Thanks for everything.
Aww thank you for being a supporter of my work
Ok this was.....BY FAR the BEST video I've seen on YT, for "Introduction to APIs", "API Basics", & "API Recon & Pentesting"! It was extremely useful & clear/concise information that thoroughly explained all subject matter at hand. TY soo much!!!! I'm super happy I found your channel!
Wow, thank you so much
a great teacher, amazing and detailed explanation, thank you for your efforts ❤️🔥
Been bouncing around the channels not in order XD but I have to say i love this video and the way you taught it, they keep gettin better and better from what ive seen and super nice to take notes and follow along! Thanks again for the free knowledge !
I am OSCP/OSWE.. and i am starting to learn from you thanks @InsiderPhD keep the greater work up
Nice thank you! Been looking for a detailed api bug video.
This is what I was going to learn about today too! This is amazing! Thank you so much!
the way you explain things is just awesome.
This is still a well made presentation after 2 years.
Great video, this series is really helping me out. Looking forward to the next one!
My favourite youtuber at the moment :)
:O I’m so honoured!
thank you, thank you and thank you! Keep up the great work! Looking forward seeing more of your videos.
Your voice gives me a motivation, thank you so much❤❤❤❤
Hell yeah! Good luck on your hacking journey I’m glad I could inspire you
can you please elaborate what is "endpoint" at 33:52?
Was really waiting for something like this, Thank you so much
was looking for information and what u are doing for the community and for all is very helpful thank u for ur beautiful content
Hello Katie Its wonderful explanation can't wait to test APIs. Thankyou for sharing valuable information :))
love the comments on your notes "seems sus come back"
Really informative video, thanks!!!!!!
I have a doubt when I saw zomato api , it showed a list of many GET method , like GET restaurant name, GET location name etc , so should I type the resto name and city name and try to capture the request using burp and run the response. Is this the method like what you are trying to explain?????
Fantastic video, where shoould we look if we cant acces any ways to the apis becauser we dont have the crfs token or auth?
Thank u, it's really feels like, you have a talent of teaching people
How do you find xss in API? API responses are json content type is xss possible?
The primary attack is using it to bypass any client-side WAF filters, but you should have a look at XSS write ups with APIs, I added one in the description but there are many others
I really apricated your hard work behind your videos .. I love all the videos and learn lots of things thanks a lot
can websites restrict you to use burpsuit to intercept the requests. I am dealing with a website which is restricting me to use it there and its making it really hard to enumerate the good stuff. any help?
It’s really Great, thank you for changing your mic 😁😁😁
Great content. Keep it coming!
I am so happy I find your channel 🤩
you used mouse to write, that's awesome xD
Awesome 👍
Thank you Katie for this wonderful lesson...😄😄
This is brilliant, thank you! Any suggestions on where I can find CTFs to practice these techniques?
PortSwigger’s Web Security Academy, PentesterLab
Xcellent Video for Developers trying to start Hacking
Starting TOday Lets rock and roll :))
Hello is it possible that you can make some video about APIs and perform security tests on PostMan and script? Excellent work I've learned a lot from you.
This is coming soon :) I’m going to do a video on more API testing tools!
Really helpful video keep it up!
Thanks for your great contents.
Wow! Good work, very clear.
Is there something i should know about before starting to learn this?? As i find this quite difficult in some parts
Try to watch my finding your first bug series in order, but you do need to know a little about how the internet works first! Let me know what you’re struggling with specifically and I’ll try to make more videos on it
@@InsiderPhD thanks!
Really help full thank you
Microwave Oven, doo Doo Doo Doo Doo doo
Hey You made a great job , Thanks a lot
If you could provide those slides, that would be very helpful.
thanks, great video!!
I don't provide my slides simply because I am not comfortable with other people presenting my work, I will see what I can in maybe sorting out some written notes in the future.
@@InsiderPhD Valid point.
@rl1k Doe It's less because I don't want people to take credit for my work, but because I want to make sure that if my name is attached to something that it's presented correctly with all the facts!
The reports you use in your examples, in the future could you give us the url for them so we can look them up? Thanks!
Now in the description
- Information Disclosure: User Information Disclosure via the REST API - /?_method=GET
- hackerone.com/reports/384782
- Authorisation Issues: Wordpress.com REST API oauth bypass via Cross Site Flashing - hackerone.com/reports/176308
- Business Logic Errors: Items bought for free due to lacks of quantity controls - hackerone.com/reports/357929
- IDORs: IDOR and statistics leakage in Orders - hackerone.com/reports/544329
- XSS: Stored XSS in blog comments through Shopify API - hackerone.com/reports/192210
Awesome resource!
I would love to see a sample of your spreadsheet. Would you be willing to share or post link below your video? Great video!! Great content! Thanks for taking the time! A final slide would be great at the end of the video while you are doing final comments as the screen going black, which is a little freaky.
Link to the spreadsheet :) docs.google.com/spreadsheets/d/1IJvTH6QpTlxWdy4Ss6I0G_f4csCYwBdgE88ya7XijnI/edit?usp=sharing will take your feedback into account for next time!
@@InsiderPhD keep up the great work on these great videos!!! Very informative!! Its greatly appreciated!
you should add link of your video in I button or in this description when you are talking about you some other videos
Excellent idea, thank you I will do this!
Thanks for this...really useful for me
Amazing video.. thx for contribution...
great training video, thanks for content \o/
Thank you so much !!
Thank you so much!! Very useful
thanks for the video 👍
thanks a lot for awesome information.
Great, however, how can I concentrate with an ad every minute. Thank you for your hard work .
I’m really sorry I actually have midrolls turned off completely but RUclips will actually add them back into the videos anyway! Feel free to use an adblocker it’s very annoying
I'm little bit confused @ 30:29 that means if we remove the cookies and the api accepts it... Does this bypasses Authorization... I'm confused
By removing cookies we are basically “logged out” which is why it works, there are many different type of IDORs but it’s a quick litmus test to check!
Got it..
Thanks so much!
1337 video! Is it just a chance or I am the 3337th person to view the video? :D
Awesome talk, thank you very much!!
Glad you liked it! More API videos coming really soon!
lovely voice🤩
Enumeration is a part of a larger recon process. Right?
Yup but sometimes not! API recon is often discovering endpoints while larger recon is usually exploring a scope in depth
@@InsiderPhD Exploring a scope could be finding the hidden endpoints. Isn't this also enumeration?
Hi Katie, thanks for this superb video. Do you have somewhere the presentation for download?
No, sorry, unless it's mentioned specifically in the video descriptions I don't make slides freely available, usually I do for conference talks!
@@InsiderPhD Ok, so I will take notes from your videos. :)
For Web Developers start at 14:30
really Great, thank you
Thank you
This was helpful
Plz tell which lecture are coming at what time means future schedule plz
Next up:
Q and A - midweek next week
RCE bug in focus - 18th Jan
CSRF finding your first bug - 25th Jan
I often post in the channel community tab or on twitter when I know what my next video will be!
Great video, please make a video on CSRF
Coming next week :)
Thank you so much
can you share the slide of this video?
Can you please share slides? BTW thank you so much. ❤🌹
please bring some practical beside theory
This was great. But, if you don't mind, can you please slow down a lil bit while talking?
Of course! Thank you for your feedback! I will definitely try to talk slower and pace myself better!
thank You
Reusing code by creating a web API is not being lazy, its being smart.
Of course! It’s just a joke :)! Using an API can also reduce development time when you’re managing a desktop, web and mobile app for example
can i get your PPT?
Thank
Can you make a good video on XSS explaining all of them briefly and ways to find it out easily
Great idea I will make this video!
How to find that api plz tell that
Keep an eye out for web apps which have mobile app counterparts, often they both use the same API, another option is to take a look at mobile apps (video coming soon!), but in the meantime, you can check out Spaceraccoon's recent iOS blog spaceraccoon.dev/low-hanging-apples-hunting-credentials-and-secrets-in-ios-apps or using Genymotion to set up an Android emulator
i have watched 'All' of your videos but never fined a bug
Keep an eye out I’m posting a video just for you soon!
@@InsiderPhD I would be so happy
it will be gud if u give reports link is description
Now in the description
- Information Disclosure: User Information Disclosure via the REST API - /?_method=GET
- hackerone.com/reports/384782
- Authorisation Issues: Wordpress.com REST API oauth bypass via Cross Site Flashing - hackerone.com/reports/176308
- Business Logic Errors: Items bought for free due to lacks of quantity controls - hackerone.com/reports/357929
- IDORs: IDOR and statistics leakage in Orders - hackerone.com/reports/544329
- XSS: Stored XSS in blog comments through Shopify API - hackerone.com/reports/192210
mam your voice is very beautiful
huh
sorry for bad comment
You british?
Yup! From Surrey live in Manchester