Hacking APIs: Fuzzing 101
Вставка
- Опубліковано 13 чер 2024
- 00:00 Intro
00:34 What is Fuzzing?
02:00 Hands-on lab
13:18 Outro
Pentests & Security Consulting: tcm-sec.com
Get Trained: academy.tcm-sec.com
Get Certified: certifications.tcm-sec.com
Merch: merch.tcm-sec.com
Sponsorship Inquiries: info@thecybermentor.com
📱Social Media📱
___________________________________________
Twitter: / thecybermentor
Twitch: / thecybermentor
Instagram: / thecybermentor
LinkedIn: / heathadams
TikTok: / thecybermentor
Discord: / discord
💸Donate💸
___________________________________________
Like the channel? Please consider supporting me on Patreon:
/ thecybermentor
Support the stream (one-time): streamlabs.com/thecybermentor
Hacker Books:
Penetration Testing: A Hands-On Introduction to Hacking: amzn.to/31GN7iX
The Hacker Playbook 3: amzn.to/34XkIY2
Hacking: The Art of Exploitation: amzn.to/2VchDyL
The Web Application Hacker's Handbook: amzn.to/30Fj21S
Real-World Bug Hunting: A Field Guide to Web Hacking: amzn.to/2V9srOe
Social Engineering: The Science of Human Hacking: amzn.to/31HAmVx
Linux Basics for Hackers: amzn.to/34WvcXP
Python Crash Course, 2nd Edition: amzn.to/30gINu0
Violent Python: amzn.to/2QoGoJn
Black Hat Python: amzn.to/2V9GpQk
My Build:
lg 32gk850g-b 32" Gaming Monitor:amzn.to/30C0qzV
darkFlash Phantom Black ATX Mid-Tower Case: amzn.to/30d1UW1
EVGA 2080TI: amzn.to/30d2lj7
MSI Z390 MotherBoard: amzn.to/30eu5TL
Intel 9700K: amzn.to/2M7hM2p
G.SKILL 32GB DDR4 RAM: amzn.to/2M638Zb
Razer Nommo Chroma Speakers: amzn.to/30bWjiK
Razer BlackWidow Chroma Keyboard: amzn.to/2V7A0or
CORSAIR Pro RBG Gaming Mouse: amzn.to/30hvg4P
Sennheiser RS 175 RF Wireless Headphones: amzn.to/31MOgpu
My Recording Equipment:
Panasonic G85 4K Camera: amzn.to/2Mk9vsf
Logitech C922x Pro Webcam: amzn.to/2LIRxAp
Aston Origin Microphone: amzn.to/2LFtNNE
Rode VideoMicro: amzn.to/309yLKH
Mackie PROFX8V2 Mixer: amzn.to/31HKOMB
Elgato Cam Link 4K: amzn.to/2QlicYx
Elgate Stream Deck: amzn.to/2OlchA5
*We are a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for us to earn fees by linking to Amazon.com and affiliated sites. - Наука та технологія
Oh wow! This is amazing and so quick. Thank you Alex, Heath and TCM!
Thanks for the content, really important and precise. TCM courses helped me a lot in my cybersec journey!
Never knew about this up until now. Good job bro.
Thank you
That was super informative. Thanks for thorough explanation.
Thanks for this videos, I just begin in the API pentest wave, and Its very interesting.
Much needed video 🤠📸
Great tutorial mate .Thanks
useful explanation - thank you!
Thanks for sharing this.
Super good! Thank you!
Great stuff
Nice video, sir, and thanks for sharing this valuable content with us.
please share moore videos about api enemuration and pentetst, with just basics
Great Content ...
Been in the coding game for the past 20 years and made a lot of mistakes and had my successes. But, what I don’t understand at all, is, who on Earth would code a Web-API and include direct file access like this, basically creating a reverse shell? (more or less). Do we really have such a significant amount of software out there, featuring this kind of flaw?
Yes, the main point is the methodology rather than the vulnerability. But, you'd be surprised, I've seen quite a few simple vulns like this in the past when carrying out pentests (granted, usually before the application is released - it's less likely you'll find this in the wild or during BB)
@@offsecprep a channel showing packet and pentesting of libre apps would be great and you sound like you could do it! To get started a unique and hugely popular video idea would be on hash /checksum app verification ON Android, FOR Android? Hash Droid is the only way I know of and I'm still not sure how to use it often (auto runs, zipped files, playstore vs Foxydroid or neostore) NOBODY has done this and it seems like THE most important thing to do!?...lots of.powershell vids on it but not everyone uses windows....also, is a chromebook really more secure than Linux as one tech (not cyber security) guy claims? He said cyber pros told him to use it or Linux in a virtual machine in windows
Amazing
IF THE LFI DIDNT WORK ON "ID param" could work on "author param" ? ( like the vulnb could work depend on the param right? ) or it also works on the other params?
(2:02, 5:21) Lab and Fuzz Parameter
(7:40) Wfuzz filter out 404
(11:33, 11:51) Wfuzz
I have the same chair, I was expecting more confort.
api endpoint give 404 error then what i do,
can anyone give me same tips?
how can i get api dictionary
I need wordlist txt
!!
:)
1st comment 😁
4th comment 😀
your volume is too low
🫡