I stumbled with your videos while searching for how to start with API hacking, I found you and all I can say your videos are GOLD!!! Thank you so much for sharing your time and knowledge with the Community.
Ok this was.....BY FAR the BEST video I've seen on YT, for "Introduction to APIs", "API Basics", & "API Recon & Pentesting"! It was extremely useful & clear/concise information that thoroughly explained all subject matter at hand. TY soo much!!!! I'm super happy I found your channel!
Wanted to point out a small mistake. At 5:02 you said name is menu and value is curly braces. Actually value for that menu is an object starting with a curly braces. Thanks for all your effort. You are doing great.
You are an amazing teacher Katie!! One can just watch your videos and start a career in Bug bounty hunting. Keep posting more videos. I love your content. You have helped me a lot. Thanks for everything.
I spent all my day with this video it's really great I tried hunting all day I didn't hunt :) anything but I'm happy because I collect a lot of knowledge thanks for your tips
Been bouncing around the channels not in order XD but I have to say i love this video and the way you taught it, they keep gettin better and better from what ive seen and super nice to take notes and follow along! Thanks again for the free knowledge !
The primary attack is using it to bypass any client-side WAF filters, but you should have a look at XSS write ups with APIs, I added one in the description but there are many others
Really informative video, thanks!!!!!! I have a doubt when I saw zomato api , it showed a list of many GET method , like GET restaurant name, GET location name etc , so should I type the resto name and city name and try to capture the request using burp and run the response. Is this the method like what you are trying to explain?????
Now in the description - Information Disclosure: User Information Disclosure via the REST API - /?_method=GET - hackerone.com/reports/384782 - Authorisation Issues: Wordpress.com REST API oauth bypass via Cross Site Flashing - hackerone.com/reports/176308 - Business Logic Errors: Items bought for free due to lacks of quantity controls - hackerone.com/reports/357929 - IDORs: IDOR and statistics leakage in Orders - hackerone.com/reports/544329 - XSS: Stored XSS in blog comments through Shopify API - hackerone.com/reports/192210
Hello is it possible that you can make some video about APIs and perform security tests on PostMan and script? Excellent work I've learned a lot from you.
Try to watch my finding your first bug series in order, but you do need to know a little about how the internet works first! Let me know what you’re struggling with specifically and I’ll try to make more videos on it
I don't provide my slides simply because I am not comfortable with other people presenting my work, I will see what I can in maybe sorting out some written notes in the future.
@rl1k Doe It's less because I don't want people to take credit for my work, but because I want to make sure that if my name is attached to something that it's presented correctly with all the facts!
can websites restrict you to use burpsuit to intercept the requests. I am dealing with a website which is restricting me to use it there and its making it really hard to enumerate the good stuff. any help?
I would love to see a sample of your spreadsheet. Would you be willing to share or post link below your video? Great video!! Great content! Thanks for taking the time! A final slide would be great at the end of the video while you are doing final comments as the screen going black, which is a little freaky.
Link to the spreadsheet :) docs.google.com/spreadsheets/d/1IJvTH6QpTlxWdy4Ss6I0G_f4csCYwBdgE88ya7XijnI/edit?usp=sharing will take your feedback into account for next time!
Next up: Q and A - midweek next week RCE bug in focus - 18th Jan CSRF finding your first bug - 25th Jan I often post in the channel community tab or on twitter when I know what my next video will be!
I’m really sorry I actually have midrolls turned off completely but UA-cam will actually add them back into the videos anyway! Feel free to use an adblocker it’s very annoying
Mate I did both h101 graphql labs. I gotta say, I understood f*ck all from that. Did both on my own, never interacted with graphql before that, had blackhat graphql open in a separate tab, just scrolled for something that looked similar to the task. I guess learning hands-on isn't for me
Keep an eye out for web apps which have mobile app counterparts, often they both use the same API, another option is to take a look at mobile apps (video coming soon!), but in the meantime, you can check out Spaceraccoon's recent iOS blog spaceraccoon.dev/low-hanging-apples-hunting-credentials-and-secrets-in-ios-apps or using Genymotion to set up an Android emulator
Now in the description - Information Disclosure: User Information Disclosure via the REST API - /?_method=GET - hackerone.com/reports/384782 - Authorisation Issues: Wordpress.com REST API oauth bypass via Cross Site Flashing - hackerone.com/reports/176308 - Business Logic Errors: Items bought for free due to lacks of quantity controls - hackerone.com/reports/357929 - IDORs: IDOR and statistics leakage in Orders - hackerone.com/reports/544329 - XSS: Stored XSS in blog comments through Shopify API - hackerone.com/reports/192210
you've improved the sound quality
I finally figured it out!
You are an outstanding educator, please keep doing it! I just wanted to learn about enumeration for a project but now I'll binge the whole channel.
Your videos are a gold mine! Thank you so much for making them free accessible and so understandable ❤️
You are so welcome!
I stumbled with your videos while searching for how to start with API hacking, I found you and all I can say your videos are GOLD!!!
Thank you so much for sharing your time and knowledge with the Community.
Ok this was.....BY FAR the BEST video I've seen on YT, for "Introduction to APIs", "API Basics", & "API Recon & Pentesting"! It was extremely useful & clear/concise information that thoroughly explained all subject matter at hand. TY soo much!!!! I'm super happy I found your channel!
Wow, thank you so much
Wanted to point out a small mistake. At 5:02 you said name is menu and value is curly braces. Actually value for that menu is an object starting with a curly braces.
Thanks for all your effort. You are doing great.
You're absolutely correct, thank you for pointing out my mistake, I will issue a correction in the description
Really love your series 💖
I found my 1 st paid bb this week after completing your series love you 😘
Nobody:
InsiderPhD: "Howevaaaaaaar...."
Bri ish
@@reo4680 in'it
You are an amazing teacher Katie!! One can just watch your videos and start a career in Bug bounty hunting. Keep posting more videos. I love your content. You have helped me a lot. Thanks for everything.
Aww thank you for being a supporter of my work
I spent all my day with this video it's really great I tried hunting all day I didn't hunt :) anything but I'm happy because I collect a lot of knowledge thanks for your tips
Did you got some now?
Been bouncing around the channels not in order XD but I have to say i love this video and the way you taught it, they keep gettin better and better from what ive seen and super nice to take notes and follow along! Thanks again for the free knowledge !
a great teacher, amazing and detailed explanation, thank you for your efforts ❤️🔥
I am OSCP/OSWE.. and i am starting to learn from you thanks @InsiderPhD keep the greater work up
the way you explain things is just awesome.
Nice thank you! Been looking for a detailed api bug video.
thanks for your video my gurl
My favourite youtuber at the moment :)
:O I’m so honoured!
can you please elaborate what is "endpoint" at 33:52?
This is still a well made presentation after 2 years.
thank you, thank you and thank you! Keep up the great work! Looking forward seeing more of your videos.
Hello Katie Its wonderful explanation can't wait to test APIs. Thankyou for sharing valuable information :))
Great video, this series is really helping me out. Looking forward to the next one!
This is what I was going to learn about today too! This is amazing! Thank you so much!
Your voice gives me a motivation, thank you so much❤❤❤❤
Hell yeah! Good luck on your hacking journey I’m glad I could inspire you
was looking for information and what u are doing for the community and for all is very helpful thank u for ur beautiful content
Was really waiting for something like this, Thank you so much
I am so happy I find your channel 🤩
I'm little bit confused @ 30:29 that means if we remove the cookies and the api accepts it... Does this bypasses Authorization... I'm confused
By removing cookies we are basically “logged out” which is why it works, there are many different type of IDORs but it’s a quick litmus test to check!
Got it..
Thank u, it's really feels like, you have a talent of teaching people
Thank you Katie for this wonderful lesson...😄😄
How do you find xss in API? API responses are json content type is xss possible?
The primary attack is using it to bypass any client-side WAF filters, but you should have a look at XSS write ups with APIs, I added one in the description but there are many others
Fantastic video, where shoould we look if we cant acces any ways to the apis becauser we dont have the crfs token or auth?
This is brilliant, thank you! Any suggestions on where I can find CTFs to practice these techniques?
PortSwigger’s Web Security Academy, PentesterLab
I really apricated your hard work behind your videos .. I love all the videos and learn lots of things thanks a lot
Great content. Keep it coming!
Really informative video, thanks!!!!!!
I have a doubt when I saw zomato api , it showed a list of many GET method , like GET restaurant name, GET location name etc , so should I type the resto name and city name and try to capture the request using burp and run the response. Is this the method like what you are trying to explain?????
It’s really Great, thank you for changing your mic 😁😁😁
Xcellent Video for Developers trying to start Hacking
Thanks for your great contents.
Wow! Good work, very clear.
The reports you use in your examples, in the future could you give us the url for them so we can look them up? Thanks!
Now in the description
- Information Disclosure: User Information Disclosure via the REST API - /?_method=GET
- hackerone.com/reports/384782
- Authorisation Issues: Wordpress.com REST API oauth bypass via Cross Site Flashing - hackerone.com/reports/176308
- Business Logic Errors: Items bought for free due to lacks of quantity controls - hackerone.com/reports/357929
- IDORs: IDOR and statistics leakage in Orders - hackerone.com/reports/544329
- XSS: Stored XSS in blog comments through Shopify API - hackerone.com/reports/192210
Hello is it possible that you can make some video about APIs and perform security tests on PostMan and script? Excellent work I've learned a lot from you.
This is coming soon :) I’m going to do a video on more API testing tools!
Hey You made a great job , Thanks a lot
Is there something i should know about before starting to learn this?? As i find this quite difficult in some parts
Try to watch my finding your first bug series in order, but you do need to know a little about how the internet works first! Let me know what you’re struggling with specifically and I’ll try to make more videos on it
@@InsiderPhD thanks!
For Web Developers start at 14:30
Amazing video.. thx for contribution...
Really helpful video keep it up!
Hi Katie, thanks for this superb video. Do you have somewhere the presentation for download?
No, sorry, unless it's mentioned specifically in the video descriptions I don't make slides freely available, usually I do for conference talks!
@@InsiderPhD Ok, so I will take notes from your videos. :)
Enumeration is a part of a larger recon process. Right?
Yup but sometimes not! API recon is often discovering endpoints while larger recon is usually exploring a scope in depth
@@InsiderPhD Exploring a scope could be finding the hidden endpoints. Isn't this also enumeration?
If you could provide those slides, that would be very helpful.
thanks, great video!!
I don't provide my slides simply because I am not comfortable with other people presenting my work, I will see what I can in maybe sorting out some written notes in the future.
@@InsiderPhD Valid point.
@rl1k Doe It's less because I don't want people to take credit for my work, but because I want to make sure that if my name is attached to something that it's presented correctly with all the facts!
Awesome talk, thank you very much!!
Glad you liked it! More API videos coming really soon!
Thanks for this...really useful for me
Awesome 👍
love the comments on your notes "seems sus come back"
can websites restrict you to use burpsuit to intercept the requests. I am dealing with a website which is restricting me to use it there and its making it really hard to enumerate the good stuff. any help?
great training video, thanks for content \o/
Starting TOday Lets rock and roll :))
thanks for the video 👍
I would love to see a sample of your spreadsheet. Would you be willing to share or post link below your video? Great video!! Great content! Thanks for taking the time! A final slide would be great at the end of the video while you are doing final comments as the screen going black, which is a little freaky.
Link to the spreadsheet :) docs.google.com/spreadsheets/d/1IJvTH6QpTlxWdy4Ss6I0G_f4csCYwBdgE88ya7XijnI/edit?usp=sharing will take your feedback into account for next time!
@@InsiderPhD keep up the great work on these great videos!!! Very informative!! Its greatly appreciated!
thanks a lot for awesome information.
Really help full thank you
you should add link of your video in I button or in this description when you are talking about you some other videos
Excellent idea, thank you I will do this!
Thank you so much!! Very useful
you used mouse to write, that's awesome xD
Awesome resource!
Great video, please make a video on CSRF
Coming next week :)
Plz tell which lecture are coming at what time means future schedule plz
Next up:
Q and A - midweek next week
RCE bug in focus - 18th Jan
CSRF finding your first bug - 25th Jan
I often post in the channel community tab or on twitter when I know what my next video will be!
Thank you
This was helpful
really Great, thank you
lovely voice🤩
Thank you so much !!
Thanks so much!
Microwave Oven, doo Doo Doo Doo Doo doo
where can i practice api hacking?
Burp Suite Academy ,TryHackMe, apisec university
Soooo… where do I click to find the api, I’m honestly so confused rn
Great, however, how can I concentrate with an ad every minute. Thank you for your hard work .
I’m really sorry I actually have midrolls turned off completely but UA-cam will actually add them back into the videos anyway! Feel free to use an adblocker it’s very annoying
1337 video! Is it just a chance or I am the 3337th person to view the video? :D
Mate I did both h101 graphql labs. I gotta say, I understood f*ck all from that. Did both on my own, never interacted with graphql before that, had blackhat graphql open in a separate tab, just scrolled for something that looked similar to the task. I guess learning hands-on isn't for me
Thank you so much
Can you please share slides? BTW thank you so much. ❤🌹
can you share the slide of this video?
Can you make a good video on XSS explaining all of them briefly and ways to find it out easily
Great idea I will make this video!
Reusing code by creating a web API is not being lazy, its being smart.
Of course! It’s just a joke :)! Using an API can also reduce development time when you’re managing a desktop, web and mobile app for example
please bring some practical beside theory
How to find that api plz tell that
Keep an eye out for web apps which have mobile app counterparts, often they both use the same API, another option is to take a look at mobile apps (video coming soon!), but in the meantime, you can check out Spaceraccoon's recent iOS blog spaceraccoon.dev/low-hanging-apples-hunting-credentials-and-secrets-in-ios-apps or using Genymotion to set up an Android emulator
This was great. But, if you don't mind, can you please slow down a lil bit while talking?
Of course! Thank you for your feedback! I will definitely try to talk slower and pace myself better!
it will be gud if u give reports link is description
Now in the description
- Information Disclosure: User Information Disclosure via the REST API - /?_method=GET
- hackerone.com/reports/384782
- Authorisation Issues: Wordpress.com REST API oauth bypass via Cross Site Flashing - hackerone.com/reports/176308
- Business Logic Errors: Items bought for free due to lacks of quantity controls - hackerone.com/reports/357929
- IDORs: IDOR and statistics leakage in Orders - hackerone.com/reports/544329
- XSS: Stored XSS in blog comments through Shopify API - hackerone.com/reports/192210
thank You
i have watched 'All' of your videos but never fined a bug
Keep an eye out I’m posting a video just for you soon!
@@InsiderPhD I would be so happy
can i get your PPT?
Thank
thx
mam your voice is very beautiful
sorry for bad comment
huh
You british?
Yup! From Surrey live in Manchester