I tested a complete API collection after learning from you.
So this API looks pretty simple... How about APIs that are behind 2FA and proper IDPs like Google Auth?
16:00 should most definitely be considered information disclosure. Even if emails are considered public, the associated full name is returned, and other internal information is exposed which can further future attacks.
No reason for ID, verified status, or creation time should be returned, even if you consider name and email public. These values can be used to further future attacks; for example, a lot of password functionalities compute reset strings based on the epoch time of registration concatenated with the ID, maybe a substring of the PW hash, then hashed. Knowing this info can reduce the entropy. Exposing the IDs, which are often used as unique identifiers, can also aid in targeted broken access control attacks, such as pulling someone's specific details down with a unique identifier which otherwise wouldn't be known by the attacker.
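The two mitigations for the point made in the comment above, as an added example that is not part of the video, the lab application or the thread: serialize user records through a field allowlist so internal values such as `id`, `verified` and `created_at` never reach an unauthenticated caller, and generate password-reset tokens from the OS CSPRNG so that knowing registration time or user ID gives no head start. The record, field names and the `requester_id` parameter are assumptions for illustration.

```python
"""Added example: field allowlisting for API responses plus CSPRNG-based
password-reset tokens. Not code from the video or the lab app; the user
record below is constructed sample data."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Fields anyone may see. Everything else is internal by default, so a new
# database column can never leak just because it exists on the record.
PUBLIC_USER_FIELDS = ("name", "email")
# Extra fields a user may see about their own account only.
OWNER_USER_FIELDS = PUBLIC_USER_FIELDS + ("verified", "created_at")


def serialize_user(record: Dict, requester_id: Optional[int] = None) -> Dict:
    """Return only allowlisted fields (assumed schema: record['id'] is the owner).

    Internal keys such as id, role_id and password_hash are dropped rather
    than copied through, whichever view is selected."""
    is_owner = requester_id is not None and requester_id == record["id"]
    allowed = OWNER_USER_FIELDS if is_owner else PUBLIC_USER_FIELDS
    return {key: record[key] for key in allowed if key in record}


def new_reset_token() -> Tuple[str, str]:
    """Return (token_to_email, digest_to_store).

    32 bytes from the OS CSPRNG: nothing about the account (ID, creation
    time, hash fragments) feeds into it, so those values carry no
    information about the token. Only the SHA-256 digest is persisted, so
    a database read does not yield usable tokens."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    return token, digest


def verify_reset_token(presented: str, stored_digest: str) -> bool:
    """Constant-time comparison of the presented token's digest."""
    candidate = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored_digest)


# Constructed sample record, shaped like a /api/users/<id> row with the
# internal fields the comment objects to.
SAMPLE_USER = {
    "id": 1,
    "name": "Alice Example",
    "email": "alice@example.com",
    "verified": True,
    "created_at": 1600000000,
    "role_id": 3,
    "password_hash": "$2b$12$constructed-placeholder-hash",
}

if __name__ == "__main__":
    print(serialize_user(SAMPLE_USER))                  # public: name + email only
    print(serialize_user(SAMPLE_USER, requester_id=1))  # owner: adds verified, created_at
    token, digest = new_reset_token()
    print(verify_reset_token(token, digest), verify_reset_token("wrong", digest))
```

The allowlist is the important half: a denylist of "sensitive" keys silently fails the first time someone adds a column, whereas an allowlist fails closed.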
Maybe due to the live video and answering the audience's questions. I feel bored watching the pre-recorded ones 😂
(17:07) - Where do you see roleid in the JSON output?
(20:55) - Edit
awesome tutorial! I learnt so much!! thank you
Can i become your apprentice 🙌🏻
Great content, congratulations!
Awesome Explanation ❤
thanks, I have been waiting for this
can you pin your github link
Fantastic video ever i have seen, great work 😉😉
So I found an API, and found a root user with its API key. And on their website they explain we can access the API with /api/v1/submit/. I substitute the but I get a status: unauthorized. Any suggestions of what's going on here? (I can't seem to log in to any user.)
Fantastic content as always! Very informative and well presented. Keep up the wonderful work.
Very appreciable content Katie. Please keep making these . Best wishes.
Thank you! Will do! I'm hoping to do some more live sessions but they require a lot of prep work so soon I promise!
This is top tier content
I ended up sleeping through my alarm but would robots.txt be a good one to add to the list?
Yeah for sure, you can see SecLists for a list of common API endpoints (I didn’t due to time+usefulness constraints on this application)
Nobody:
YouTube: HACK APIS
I just downloaded the Linux Docker for GU and I was able to find the users/1,2,3 on my own before watching any of this. Of course, I'm glad this exists as an explanation of what can be found. Thanks Katie.
:)
Do you have a video on how to install this vulnerable local PHP app?
Not yet, but I'm working on something at the moment :D
@InsiderPhD OK, Katie, and how long does a standard pentest of one target (for example Yahoo) take? One day, two, or maybe one week?
Always cool and fresh ! thank you for this amazing content
Is it viable to spider out a list of subdomains with gospider/waybackurls and then grep the file for any line that contains /api/? Or are you likely to miss things by doing that
That would definitely work, this is actually something I'm going to be covering soon on the channel, particularly how to get the most out of subdomain enum.
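What the grep-for-`/api/` approach from the question above produces once the crawler output is normalized, as an added example that is not part of the video or the thread: URLs from a spider or archive dump are filtered on the `/api/` marker, query strings are dropped, and numeric or UUID-like path segments are collapsed into templates so that `/api/v1/users/1` and `/api/v1/users/2` count as one endpoint. The URL list is constructed sample data and the `marker` parameter and template placeholders are assumptions.

```python
"""Added example: build an API endpoint inventory from crawled URL lines
(the kind of list gospider or waybackurls would emit). Not the video's or
any tool's own code; SAMPLE_URLS is constructed."""
import re
from collections import Counter
from typing import Dict, Iterable
from urllib.parse import urlsplit

NUMERIC_SEGMENT = re.compile(r"^\d+$")
# Heuristic for hex/UUID-style identifiers (assumption, not a standard).
TOKEN_SEGMENT = re.compile(r"^[0-9a-f]{8,}(-[0-9a-f]{4,}){0,4}$", re.IGNORECASE)


def path_template(path: str) -> str:
    """Replace identifier-looking segments with placeholders.

    '/api/v1/users/1/grades' -> '/api/v1/users/{id}/grades'
    Version segments like 'v1' are kept because they are not purely numeric."""
    parts = []
    for segment in path.split("/"):
        if NUMERIC_SEGMENT.match(segment):
            parts.append("{id}")
        elif TOKEN_SEGMENT.match(segment):
            parts.append("{token}")
        else:
            parts.append(segment)
    return "/".join(parts)


def api_inventory(lines: Iterable[str], marker: str = "/api/") -> Dict[str, Counter]:
    """Map host -> Counter of endpoint templates seen, for paths containing marker.

    Query strings are ignored (they are not part of the endpoint) and
    scheme-less lines are tolerated by assuming https."""
    inventory: Dict[str, Counter] = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if "://" not in line:
            line = "https://" + line
        url = urlsplit(line)
        if marker not in url.path:
            continue
        host = url.netloc.lower()
        inventory.setdefault(host, Counter())[path_template(url.path)] += 1
    return inventory


# Constructed sample crawler output. Note the blog URL: 'api-security' in a
# path is not '/api/', so it is correctly excluded.
SAMPLE_URLS = [
    "https://app.example.com/api/v1/users/1",
    "https://app.example.com/api/v1/users/2?fields=name",
    "https://app.example.com/api/v1/users/1/grades",
    "https://app.example.com/api/v1/grades/17",
    "https://app.example.com/api/v1/tokens/3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "https://app.example.com/static/app.js",
    "https://blog.example.com/2020/05/api-security",
    "https://app.example.com/api/v1/users/1",
    "app.example.com/api/v2/search?q=test",
]

if __name__ == "__main__":
    for host, templates in api_inventory(SAMPLE_URLS).items():
        for template, seen in sorted(templates.items()):
            print(f"{host}\t{template}\t{seen}")
```

The caveat the question raises is real: this only inventories what the crawler or archive actually saw. Endpoints that are reached only through POST bodies, built by JavaScript at runtime, or never archived will not appear, which is why the manual walk-through of every button and link discussed elsewhere in the thread complements it rather than being replaced by it.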
I just want to say your voice is so soothing
Katie, you mentioned one way to find APIs is to manually walk through the app, pressing every button and link. How is this different or better than doing a scan against the root of the application?
It's not really! But RESTful APIs can be really difficult to enumerate since you need the correct words in your word list, and they can be really target specific. Check out TomNomNom's recent talk from NahamCon about them for more info!
Very good content and I started bug bounty by watching your videos. Can you tell me how it will be if the API is using GraphQL?
GraphQL works really differently to RESTful APIs but it's really just the syntax, the bugs are all the same, I'm working on a video right now for GraphQL :)
You are awesome Katie. This video helped me so much in understanding api. Thank you for all your hard work.
thanks Katie for this demo! for hacking APIs do you also use Postman to interact with an API? or again Burp is there to rule 'em all?
You can definitely use Postman! I focus on doing things with as little tooling as possible in videos to show that you can get comfortable with something before trying a new tool. I personally don't use Postman a ton but I do use it! It's really useful as it's more purpose built for interacting with APIs, but Burp works great with APIs, it's certainly not a necessity.
How did you set up the lab
Your content is reaaaally great, I enjoy learning from you a lot, it's so instructive. Looking forward to finding my first bug with all this great help! Thanks from Belgium!
Well done! :)
We’re doing it live! 😂😂 Cyber mentor recommended you and he was right, you’re awesome!
hehe..the cyber mentor is Awesome too!
Hi, great live video to see it in practice! What does endpoint mean?
Endpoint just means URL that does something, so youtube.com/watch doesn't do anything so it's not an endpoint but add the video ID and you're taken to the video page, that is an endpoint because it does something
Thank you very much
Unable to perform edit; the response is the same even after I perform the edit.
Same for me. Using "PUT /api/grades/1" with content type set to application/json and the new grade in the body - the update doesn't work, the grade stays the same with a 200 response. Any ideas?
You are so sweet 😂😂
Genial
thanks man so so so so much
Loved the Live Interactive Demo. Please, more of these! I joined Intigriti and I just bought you a coffee!!!!
Thank you for watching, interacting and donating ❤️ have fun with Intigriti! I’m definitely going to do some more of these!
10:44 what about using CeWL to generate a custom wordlist?
Definitely an option, for this particular API it would be quite difficult to create a custom word list as not much of the API is exposed via source files
@InsiderPhD Thank you!
Awesome video!
Nyce
Awesome
very helpful
Content like this is worth paying for internet. Thanks!
Aww, that's so kind of you, thank you!
Thanks Katti3
Awesome content.
Excellent content. Could be great if at the end you could provide more further reading.
Good idea! This piece of software is entirely my own work but a good place to learn API security is apisecurity.io