API hacking for the Actually Pretty Inexperienced hacker with Katie Paxton-Fear - OWASP DevSlop

Captions
Hello everyone, welcome to the OWASP DevSlop show. Thank you for being here today. Our guest is Katie Paxton-Fear; she's a PhD student in cybersecurity and machine learning. Hi Katie!

Hi, it's nice to be here. Thank you for having me.

My pleasure. And before we start, I want to introduce my co-hosts: Tanya Janca.

Hey. Sorry, don't forget me at the end.

Yes I will, thank you. I'm Nicole Becker, hey everyone.

And I'm Nancy Gariché. Thank you.

So, yes, what do you have prepared for us today? I think everyone's really excited to talk about API hacking, so go ahead, Katie.

So hey everyone. I see a lot of familiar faces, people I see on my YouTube channel, so thank you very much for coming over to DevSlop, obviously, and thank you very much to DevSlop for inviting me, and thanks to the people watching who are watching just because they want to see some cool talks. So today I'm going to be talking about API hacking for the Actually Pretty Inexperienced hacker. As you can see I am a comedic genius, because the letters make up API. So with my evidently extreme knowledge of comedy out of the way, I am going to basically give a talk about how I, as a bug bounty hunter, approach APIs, and how you can kind of do that too. I know some people here are going to be interested in bug bounties, in which case I hope from this you take away the "I want to look at APIs now", and that would be really interesting. I know some people are actually coming from the other side, perhaps AppSec or maybe penetration testing, and this might be way more new info, especially when dealing with the difference between being an internal actor, so knowing what exists behind a firewall, and the external, where as bug bounty hunters we don't really know what's on the other side; we just keep poking it and be like, something must happen. So I have some slides. Cool, great. So I'm going to... so I can't see
the chat when I open the slides, so I'm going to ask if someone could read out any particularly relevant questions in the moment.

We'll try to add them on the screen as well.

Cool, and you'll be able to see them. Nice. So if you have more questions that haven't been answered, or you maybe don't feel comfortable bringing it up in this context, you're of course always welcome to contact me privately; you can do so on Twitter. You could wait till the end; the presentation will be more quiet and you can ask questions there. Don't feel like this is your one and only opportunity to ask questions and feel pressured. Anyway, so with that all done, let's get into it.

Great. So a little bit about me. I know some people come from my YouTube channel who know who I am. So my name is Katie, I am @InsiderPhD, and this is a lovely photo of me taken at a HackerOne live event. See, very on-brand stickers all over the laptop; that's how you know I know what I'm talking about. My day job is really a PhD student, but I think I'm probably more well known for what I do in my free time, which is being a bug bounty hunter. I also make YouTube videos for beginners who are really interested in learning about bug bounties, and my videos are really focused on teaching bug bounty hunting to new people. Not a lot of people focus on bug bounties in particular; you tend to get a lot more of the penetration testing, OSCP, that kind of level. You don't tend to get a lot on bug bounty hunting. So I sometimes talk about specific bugs and about the kind of "here's how you find something", but actually I also talk about a lot of what you might think of as professional skills, like how to choose a target, how to create goals, how to take notes, that kind of skill as well. So in terms of my educational and professional background, I have a bachelor's in computer science, and my former job, when I had a real job and wasn't just a student again, was as a developer, but specifically as a data scientist. So
I really approached security from an outside perspective. I'm completely self-taught; I've had no courses, no training. Everything I've learned, I've learned on my own, through YouTube, through articles, through everything.

So what am I going to talk about? As a summary: APIs. Now APIs are wonderful things for a bug bounty hunter, and of course any kind of malicious actor, not just the good actors. They power everything, from your fridge to your phone to your favourite apps to your laptop; whatever it is, it's powered by APIs. They power all things, and they are full of security vulnerabilities, and this is fantastic for a bug bounty hunter, because all we hear when we hear "full of security vulnerabilities" is the sound of a cash register going ching ching ching. So obviously we quite like APIs, and this talk is going to be about how I, as a bug bounty hunter, approach APIs, and I'm going to do a demo to show you what we've learned. So we're really going to be answering questions like: how do I get started? How do hackers approach targets? What are they looking for? How do they know they're on the right track? My demo is going to be a bit about my approach and key vulnerabilities, how we exploit them, and I'm hopefully going to have some time to show what the code responsible is and how developers can actually quite easily fix these issues.

So first we need to learn, before you start any of this, the basics: what is an API? I know a lot of people might already be familiar with what an API does, what it looks like, etc., so those people just sit back and get settled in, but for everybody else, what is an API? So API stands for application programming interface, and as with a lot of acronyms that you'll see in this slideshow and in bug bounty hunting and security in general, it means nothing; it doesn't really explain what it is. It basically provides a computer-friendly method of interacting with a data source or back-end logic. They exist in
mobile, web and IoT; they exist everywhere. The benefit of that is really that developers can be lazy, because if you have a web app and a mobile app and you don't really want to make both, you make an API and then both can get the data from the API. That's the real benefit there: you keep the API up to date and then the mobile app and web app will update accordingly. A lot of the examples that we'll see go directly to a database; it doesn't always have to be directly to a database or data source.

So the basics: what do they look like? Now I've pulled out on the slides here two types of APIs. The first is a RESTful API, which is what we're going to focus on today, and the second is a GraphQL API. Now GraphQL is a lot rarer; it's definitely becoming more common, especially as it provides a different way of interacting with an API or data source, which is quite liked, but we're only going to focus on RESTful APIs today. So APIs return plain text, and commonly this is JSON or XML. Now XML is very old-school, okay, that's what the generation before did; all the cool cats now use JSON, right? So JSON's far more common nowadays. There are many different types; I've shown you GraphQL and RESTful, but that's not the only kind. You have SOAP, old-school again. RESTful API JSON is primarily what you see on the internet; it's not the only thing you see, but it's the one you will see most of. So these often return data directly from the database or some back-end logic. So if we look at our example up here (let me just change my pointer to be a laser pointer, here we go), if we look at our example up here we've got GET /employee/1. Now that's our endpoint there, and that's the type of request we're making, so we're making a request to the /employee/1 endpoint. Now what this is really doing is returning a database record, our employee, and related records. So this is kind of the equivalent of doing a SELECT from employee, or SELECT * FROM employee WHERE
id = 1. That's it, that's very simple. And then here you can see with items we're kind of iterating through another related record, if you like. So very straightforward; this is how it works.

Now, about JSON, because it's really important: if you want to get into API testing, you need to know JSON like the back of your hand. You should be able to identify JSON in a few seconds. So what is JSON? It's a way to represent data in a text format, and like we said before, APIs are really about making it easy for the machine to understand what we're trying to send it, and how JSON really achieves that is by using this idea of objects. Now we always hit objects in the form of object-oriented programming; same deal. When we deal with OOP we're looking at objects or classes, an object from a class, and then objects have objects that have objects that have objects, and it's objects all the way down. So JSON is a way to take that kind of structure and put it onto plain text. So they always start with a curly brace and end with one, and then inside we have objects, which are our curly braces, and arrays or lists, which are square brackets. So here menu is our object and it contains everything from this one here to this one here, and here menuitem is an array which contains three objects. So within those you have these key-value pairs which are storing the data, and those can also store arrays and objects, right, the same way we think about it in object-oriented programming. It's important to become familiar with reading JSON; if you're not already familiar with it, take the time to learn it, because understanding how this works is key for understanding how to approach API hacking.

So we know what APIs are, and we know the data they're giving us back. Well, what else can we say about RESTful API endpoints? Now this is really
important: when we talk about API types we're really talking about structures, and developers love APIs that have structures, right, because structures mean that you can quite easily predict where you should go next. So developers are familiar with this idea called CRUD. If you're maybe not from a developer background, CRUD stands for create, read, update, delete, which refers to every kind of operation we can do on a thing: we can create a new thing, we can read it, we can update it with new data, or we can delete it completely. So RESTful APIs are actually really easy to spot, because they have this quite defined structure which relates to that CRUD functionality. So our first one here, we've got create, and that will always be a POST request to the resource name, in this case /posts. If we're reading it, it will always be GET /posts and then slash the ID. If we're updating it, then we start to have a little bit of a difference, and that's usually due to the fact that not everything will support the verb PUT or DELETE, so you might see it as POST or you might see it as PUT, and for delete you might see it as DELETE and you might also see it as POST. So what's the benefit of that? Well, you can quite easily predict new endpoints by simply knowing an application; you can start to use some logical inferences. If you see an API endpoint like GET /videos/1, you can assume that maybe delete also exists, that it has videos, maybe it has comments. They are widely used, but some of the endpoints may be more custom, especially when you start to deal with back-end logic; you start to get developers going a little bit off script and trying out new things. So that is the very basics of APIs, and the more you start to interact with APIs, especially as a security person, you'll start to really have a better understanding of how they work. And especially if you're a developer, hell, if you're a developer and you're already listening to this presentation going "oh, I wish I
could do that", you have a major advantage. Just go and get started, because a developer looking at an API will be able to look at that and go, yes, I see every mistake I've ever made in this API.

So let's start the fun stuff: hacking APIs. How do we actually test an API for security vulnerabilities? Wait a second. Before we test the APIs we need to understand our attack surface. We need to understand what we can actually see from the outside; we don't really know every endpoint. Someone who's internal, who's doing an internal penetration test, might have a list of resources; they might be able to ask somebody, hey, can I have a copy of the database please, where I can check all the API endpoints. But actually from the outside we don't have access to that information, so we need to know what it does, why it exists, and what arguments it needs to actually work. So we need to figure this out, and this is our recon stage, or as I'm calling it, enumerating APIs. So how do we actually test an API for security vulnerabilities? We can't; we need to enumerate it first so we know what we need to test. So, not hacking: enumerating APIs. Why do we actually do it? Well, enumerating an API is the first step for an API test; it's very important for API testing. Enumerating an API allows you to know that you know everything within the API. Now it's really easy when you're dealing with a thousand requests to get bogged down in the details, but actually what you need to know is: what does this one, this one, this one, this one do, what arguments does it need, etc. So our goal is really to use our knowledge of how endpoints are constructed to find more resources. We want to be finding every single path we can take and what it needs. No, we don't want to just sit there and go, well, /users/1/edit exists, guess we don't need to test anything else, we're done. No, we're going to look for /orders/1/edit. So it works a little differently for RESTful and Graph
QL, but I'm only going to focus on RESTful APIs, and why is that? Well, they're the hardest to enumerate. We need to get the resource name, so as you saw before with the CRUD, we need to know that /api/1/posts exists; we need to be able to figure out what else might exist. Now there's kind of two ways of doing this (I'll give you a third, which I'll talk about in a second). The first one is to find common resource names. Now this is a list of common RESTful endpoints, or a wordlist; for some targets, especially in bug bounty, the community tends to just figure out some and they'll post their wordlist. The next one is by customising it to the functionality of the app; you can guess at some likely endpoints. Does the app power a forum? Try post, reply. If you're looking at an e-commerce website, I think you'd be very hard-pressed to find one that doesn't include orders or products, etc. And the third way is kind of a combination of the two. There's a very good video that NahamSec did about building wordlists, which includes doing both approaches and how to use BigQuery, I think it's BigQuery, to produce them. And for any of these approaches it's the same: send a valid RESTful endpoint to Burp's Intruder, import the wordlist, replace the resource name. Now I realise if you're maybe not familiar with Burp you probably don't know what that means, but that's fine, because I'm going to cover it in the demo, so don't worry, don't panic.

So that's RESTful APIs. Let's talk about API versioning. Now this is another really important step, and actually you'll see this come into play a little bit later, but sometimes bugs get fixed in later versions of APIs, but the devs keep the old API around with the vulnerability in it. So sometimes they get deleted, but sometimes they're still accessible but just not used; maybe they're there because another thing has a dependency on them and they just
can't roll out an update to it, so it can just use this one. So, thanks, developers. So if we see an endpoint like /api/v3/users/1/edit, we're going to look for version 1, because you can guarantee they fixed something in version 1 that made version 3 necessary, and so what we're going to do is check for it anyway.

So right, we have our endpoints, we have everything we can see. What are we actually looking for? Why do I stop? What am I doing? What day is it? I've been in quarantine for a while now. So that gives us our attack surface; that tells us everything we can look at. Now we have to take that and figure out what on earth we are looking for. Now something that's come out kind of recently is the OWASP API Security Top 10. If you've heard of the OWASP Top 10, this is the API version of that, created by the OWASP API Security Project. They define these top 10 vulnerabilities; they're not all necessarily useful for bug bounties, but I'm going to translate them.

So the first one is broken object level authorization. Now in bug bounties we call that an IDOR, which stands for insecure direct object reference, and I'll be honest, both of them are very unhelpful for humans. They both mean that you can access something you probably shouldn't be able to access, because you don't have permission, or you shouldn't have permission but it's just not enforced, right; there's no if statement on there. Number two is broken user authentication; that's about tokens. Number three is excessive data exposure, which is what we call information disclosure, which will be one of the ones we cover in detail because that's a lovely bug. Four is lack of resources and rate limiting; now rate limiting is often clearly out of scope for a lot of bug bounty programs, and sometimes you'll see it, but usually it's out of scope. Five is another type of IDOR, which is broken function level authorization, which is kind of related and talks about how privileges differ. So if you have a regular
user versus an admin, the regular user should not be able to do admin stuff, right; they should just be able to do their regular stuff. Then we have mass assignment, which would probably also be seen as an IDOR by most bug bounty hunters, but it's about being able to put in, if you're editing your username, maybe it shouldn't accept a parameter called password and then also change your password; maybe it should just change your username. And we'll actually see that in the demo as well. Seven here is security misconfiguration, which gets reported a lot for bug bounty programs, sometimes out of scope, sometimes in scope; the big one is going to be CORS, and that relates to XSS. If you want to know more about that, I have a video on XSS which goes into way more detail about what that means and what's happening with how CORS is working. Then we have injection, which is our SQL injection, rarely seen in bug bounty hunting anymore; don't bother looking for it, developers know how to use MySQLi and strip tags. Number nine is improper asset management, which is our API versioning, so keeping version 1 around even if it has massive security flaws in it; just delete it, you don't need it. And then ten is really about logging and monitoring, which is a them problem, not an us problem.

So of these we're going to focus on numbers one, three and five. So we'll start with one, which is our IDOR, insecure direct object reference. Then we'll look at information disclosure, or excessive data exposure, which is all about working as intended but with unintended security risks. And then five, we'll go with broken function level authorization, which is a different type of IDOR. Now why am I focusing on these? Well, one, they're really easy to demo and explain, and number two is that they are also really common, like shockingly common. This is an example here of an IDOR in PayPal that was worth 10k; very common, kind of worth a lot of money as well. And for the most part
these are issues that can be fixed with maybe a single line of code; in some cases it's a little bit more complex, but for quite a lot of these it's really straightforward.

So are you ready to look at specific bugs? So the way this is going to work is I'm going to talk about these two types of bugs, the IDOR and information disclosure, and then we'll see them working in practice. So we're going to get all the theory out of the way and then go into the practical. So, information disclosure: I like to think about it as working as intended with unintended security issues. I once found a bug that was completely intended, but whoever made it just didn't take the next step to go, hmm, that would be a bit risky. They just didn't do it; they were just like, hmm, I'm having a good time programming this, leave me alone. So what is it? It's when an API returns too much information. For example, if you're going to be booking a hotel room, should the API really be returning the names of all the other guests of the hotel, or just the number of rooms available? That's really extreme, but actually this happens, right? There are some bugs where they just didn't think about either the consequences of adding an API endpoint, or they didn't think through what security issues it actually causes. I'm being quite hard about this; they have a very difficult job. And here we have this example on the right, where you were just able to let the API act as if it was a RESTful endpoint, just act as whatever, a GET request or a POST request. Weird.

So what's the recipe for finding one of these? Step one is to call the API. Step two is to look at the response. Step three, you sit back and ask yourself: is this disclosing too much information? And you might be thinking, wow, that seems pretty easy, and you'd be right, that does seem very easy. The unfortunate thing is that they're not necessarily always hiding in plain view; some API endpoints might be hidden, some you might have to find by looking for
parameters, to find different responses for different types of parameters. This one is all about getting recon done, and there are so many resources on recon, so many really good resources on recon, if you really want to learn more about this. But actually, quite a lot of the time you can find this bug by just hacking, just playing around and seeing. It doesn't require a lot of technical complexity; you don't need to be a super genius to find it. It's pretty much a case of stumbling upon it. So there's a bit there missing where I call the API and look at the response: what are the clues, right? I need to get the magnifying glass out and figure this out. So we're really looking for an API that returns back too much info. Some of the clues we look for might be returning a lot of info but actually never displaying it, or only displaying some of it. So if we're looking at a mobile app and we're looking at the physical interface in front of us, we might see, oh yeah, there's some kind of title and content and a picture, but actually on the API, if we see it return back also notes and comments and tons of stuff that is not being displayed, we might then start to follow our nose a little bit and see where it leads us. Sometimes you'll see it has a lot of parameters; that can suggest that sometimes querying is being done. So if we think about a standard database query, right, how much of that is a developer who has just gone, well, I'll write an easy way to have queries in there, instead of it being a developer who's like, I'll design this API properly for developers. These are the clues that an API might be vulnerable. They're not necessarily always surefire information disclosure; you really have to ask yourself what the security impact is.

So on that note, what kind of skills do you need? Nothing technical. You do not need to be a super genius or a computer science whiz, or be able to exploit them successfully, to be able to find this
bug. First one is you've just got to keep an eye out for it. As you start to get into API testing and you do some recon, just keep an eye out; don't forget that this can be a bug. Think about the security risk of what information is being returned, right; don't just go, oh yeah, that's fine I guess. You've got to make a judgment call: is it a security risk? Could it be used to help in a larger attack? Does the target really want this public? And that can be really dependent on the target. If you're dealing with a hotel, like in my very first example of sending out the names of everyone in every room, maybe for some things a name isn't really a big deal, because everyone has their name public, like LinkedIn; not a big deal if you can see everyone's name. But actually being able to see the names of guests at a hotel is a huge security risk for them, like a physical security risk. Does it return a large amount of data? If you come back and you can see the scroll wheel at the side, sometimes you just go sit and read it, but that's always a good sign: if it's returning back a lot of things, that could just be a great sign that something juicy is in there. And just because it's working as intended doesn't mean there are no security risks, you know; just because it works great, works fine, oh, it just returns somebody else's credit card information. Very extreme, but sometimes you have to think through the business logic as well, like what is this app doing, why is it doing it, and putting those pieces together.

So that's that. Now, IDORs: how do we find IDORs? Now IDORs are more technically complex; information disclosure is like your mum could find it having never hacked before. And I will say I go to a knit club, and I was telling some of the older ladies there about hacking and they were getting very into the idea of being bug bounty hunters; that'd be the bug I'd recommend for them. They're amazing people; they would have been hackers. It's like I
get them all black hoodies for Christmas. So what is an IDOR? Now IDOR is a really fancy term; it's really complex, quite frankly. If you want to get into bug bounty hunting you'd better start making your own little bloody dictionary and writing down, you know, IDOR equals insecure direct object reference; it doesn't mean anything, but it's a thing. So okay, right, so it's a really fancy term, but essentially it means you can access stuff you shouldn't be able to access. So here we have this user, dark blue man, who asks for his document, which is number 1000. Now that goes into the database via the API and returns back document 1000, which belongs to dark blue background guy. And we scroll down here, and then he asks for document number 1002. Now this doesn't belong to dark blue background man, it belongs to light green background man, and it returns it anyway. That is the core of what an IDOR is, essentially. Putting it another way: if your account ID is number 4, you should be able to delete your own account, right; DELETE account ID 4 should work. DELETE account ID 3 shouldn't work; it's not your account, it's somebody else's account. Now that's our number one, I think it was; that's the best visual of what an IDOR is. Now we have number two, so the other example is that you're a guest. View post ID 4 should work; you only have a few permissions, like you're a guest, you can't edit anything, you can only view it. Edit post ID 4 shouldn't work; you don't have permission to edit it, because you only have guest permissions. So these are both called an IDOR; the API Security Top 10 separates them. You can think of them as the same or separate them; the testing is mostly the same. In this case we're really just testing whether or not there's an if statement, or whether or not there's an if statement but with a slightly different thing in the middle.

So how do we test these? It's slightly different for each one. So step
one is to find an endpoint with IDs in the request. Change the ID, and I must stress this, to another account you own. Do not test on accounts you don't own; that is not okay in bug bounty, and that would be breaking the law in most countries. In the UK it's the Computer Misuse Act; if you're in the States, I'm not certain what the US law is, but don't do it, don't do it, don't do it.

Computer Fraud and Abuse Act.

Computer Fraud and Abuse Act, thank you. So we change the ID to an account that we own, and then if it works, we've found an IDOR. That's our three-step process. Now if we want to test permissions, we then have two accounts: we have an admin permission account and a guest permission account, and we basically see if the guest account can hit the admin endpoints, essentially, and if it works it's an IDOR. A lot of these are very simple recipes, and that's because actually security vulnerabilities in bug bounty are not about an RCE with 30 different steps hitting several endpoints, CVEs everywhere; it is the very simple "change an ID, does it work?" And I wish more people knew that about bug bounty in general, because people get quite intimidated by it, but actually it's simple in the sense that the steps are simple. What makes it complex is the fact that you need to figure out a way to keep yourself organised and do that for several hours.

So that's how we find them. Let's look at some real IDORs in the wild to see how this plays out in reality; these are bugs that have actually paid out. So this is a report that's been submitted, and this app has functionality where you can make tasks. So in simple terms what they've done is: create a task with user A, log in with user B, create a task with user B, delete user B's task, and then change the ID from user B's task to user A's task. So straightforward; that's just create two users and try and do something to the other account. Very straightforward bug, and you know what, this paid out. And all of these paid out, even
though they seem, if you like, deceptively simple. Actually you don't need loads of technical knowledge to be able to perform these attacks. I mean, APIs, these are everywhere, right? This is like two types of bugs, but actually there are many other bugs; these are by far the easiest to find. So this is another example IDOR bug: to see hidden polls of any user even when you don't have access, right? And in this one, this is our permission-based IDOR. We have two accounts, admin and guest. Use the admin account to create the poll, change the visibility settings; the guest account can still view the poll by ID via the API. Users can see hidden polls. Is that a huge impact? No. Is that going to make you $10,000? Probably not. But is that your first bounty? Of course it is; it's very straightforward. What really makes it more complex, and the reason why these reports tend to be so difficult to read, is that there's a lot of business logic that goes into these; it's understanding why that might be a problem, for example. And I've included this bonus one here as a little extra. So in this one, this hunter was able to find an API, and the app actually had two internal APIs with different versions. Now they found an API endpoint on version 3, but it actually also existed on version 1, except they'd kept version 1 up without fixing any of the bugs and just made a version 3. So what they were able to do is just take every single bug they found and do it on a version 1 endpoint instead of the version 3 endpoint, and that's it. So this is a mix of improper asset management, being able to access version 1 still, and version 1 of the API having our IDOR again. So really being able to find a bunch. And I really recommend, I'll post this in the chat, but this is a great report to read if you are interested in API hacking.

So we know the bugs, we know what we're doing, hopefully. Probably not; I don't know what I'm doing. So let's try and see if we can
do it. So this is not a real application; I made this, and that's because I think it's one of the easiest ways to demo these kinds of bugs, where I can actually show you them working in practice. So you will need Burp Suite Community Edition. You don't have to pay for it, I promise, you really don't need to pay for it. If you really do want to pay for it, I recommend: step one, get your first bounty; step two, then buy Burp, if you really want to. You don't have to. So we're using the free version here, and all we do is a temporary project in Burp, then we'll be ready to go. Why have you gone on the other screen? Cool. So I'm going to do a quick overview of what Burp looks like in case you haven't seen it before. So this is our first screen here, here we have our dashboard, and this is the very first thing that gets kind of launched as we start playing with it. You can safely ignore this part here because this is all Pro features only. Now the only thing you should really care about in this tab is this one here, because this tells you when Burp isn't working, and then you can take that to Google and figure out why Burp isn't working. I'd love to say that I could diagnose it and be like, oh yes, I psychically communicated with the software and I know how to make it work. Hmm. So the next one here is Target. Now we don't see anything here, and that's because we haven't actually loaded up our pages yet. And if I go in here you'll notice the Proxy tab is just lit up. Now if you've ever used APIs, sorry, used Burp and you're not even familiar with it, I use the Proxy tab for one thing, or for two things: one is set up, two is to turn intercept off. As we can see, my lovely website that I spent many hours making has now appeared, with some quality under-construction GeoCities decor. So if we go back to Target we can see it's hitting a bunch of stuff here. Now some of these are going to be CDNs, because that's how I'm actually making the software work, but
actually we only need to look at localhost. So what we're going to do is we're going to go here, add to scope. Now this just makes it easier, because we can go in here, show only in-scope items. Don't press 'show and hide all', it looks so tempting, it looks like a button and you need to press it, just click off it, it's fine. So this just helps cut down on the clutter. Now I've got one domain I'm using; when you look at bug bounties you might be looking at ten, if you look at Yahoo you're looking at twenty or thirty, you might have loads of stuff in there. So I'm just doing this to help clear out all the CDN stuff, because we're not testing that. So then we have the cool stuff, right? This is the hacker vibe, get your black hoodies out, ready for it. So the first thing here is Repeater. Now what does Repeater let us do? Repeat requests again while changing them. So I go into Target, and I go here, and send it to Repeater, and you can see this is the request that my browser is sending to the web server. So we press send and then we get the response back. When we deal with APIs, primarily what we're doing is this: we are going into the request, we're changing something, and then we're seeing what the response is, and then we do it again and again and again and again. Oh, I've already seen people who've figured out what I'm doing. Okay, increase the font? Yeah, I actually don't know, I think you'd have to zoom in on the Mac. I think it's option, two-finger scroll up on the trackpad. That's not anything I should be... alright, because I should be able to just change the display. Usually on my Mac I just put my fingers on the thing and then I just literally go like this, like the pinch, and it sounds so simple. But usually if you have a Mac, I believe you taught me that, Nicky, yeah, it should work, but I think Burp might not support that, you might need to turn on accessibility and
then be able to do that gesture. It's not readable? Yeah, that's much better. Right, so sorry, I don't know what it's like, of course, I know my own computer, um, other people definitely know theirs much better than I do. So what we're really doing in Burp here is we're just repeating requests; we might change something. This is a very simple GET request, very, very simple, but all we're doing is changing stuff and then seeing what it does. So that's Repeater. We then have Intruder, and what Intruder does is allow us to do kind of a brute force; we'll do that in a second, okay, but essentially it's a brute-forcing tool. And these are, no joke, the only things you need to find these bugs. You don't need to mess about with any of the other tabs, just these first ones. And people see hacking as a really complex thing, um, but actually the difficulty comes in the kind of knowledge of exploitation, if you like, more than the technical experience, so you really don't need to be a genius to be able to do this. So, cool, um, let's get hacking, right? Step one, we said, was to figure out what our attack surface is, and as somebody, Shubham, is very sharp and has said it, yes, Shubham was very good and realised we're already seeing an API endpoint here. So we can see here we've got /api, we've got users, we've got 6. So we can scroll down to the response here and see what's inside, and we can see their name, their email, their role ID; we don't necessarily know what that means just yet. Now we could say this might be a good case for information disclosure. Now the question is, depending on the target, do we really care, right? So we go to this software, we can see that it's Generic University, view your grades, so we know it's some kind of university grade system. Do we think names are going to be, or emails are going to be, super sensitive? Maybe not. But the question we've got now is, well, we need to work out what our attack surface is. We've got users; let's try some brute-forcing. So we'll go here
and we'll go to send to Intruder. So all that's going to do is pop it in the glowing tab up here, Intruder, and you'll see this has already loaded up everything. We go to our positions and we kind of have these squiggly lines; I got told they were paragraph symbols, I can't unsee them as the Simoleons from The Sims, so we have our Simoleon symbols. And you can see we've got like CSRF tokens and session IDs, so we'll clear that, because we're not interested in testing for those kinds of bugs, we're interested in testing the API. So we want to test what else exists apart from users. So we might go in here and we might change that and add a little Simoleon symbol there, and what that will do is it will say, add our brute-forcing payload here. So if we then go to payloads and we have our list, these will be our brute-forcing payloads. Now I'm going to ask chat, that's right, interaction. If we're testing a web app that has something to do with grades, a university, kind of that 'university, view your grades' idea, what kind of endpoint do you think we're going to be looking for? Just give me ideas here, just throw them out. What payloads do we want in that? So admin is in that, what else are we looking at? Student, students, yeah, professors, faculty. Somebody suggested we use the common privilege level wordlist; we're going to focus on stuff relating to the target at the moment. Okay, profile is good, class is good as well. Remember that this is grades. Good, report cards, report cards. I like transcripts, yeah, very, transcript, year, yeah. Alright, I'm going to add classes as well. So yeah, we can see here how just knowing what a web app might do really does kind of change the way we might approach this. Now we could use a common resources list, we totally could, there's loads of them, but this is about doing stuff that won't take three hours. So we'll have our list here and then we press start attack and
here you'll see this list of endpoints will just get hit. Now, in the free version this is quite limited, but you just have to wait, you just wait. So from our list here we can sort them by status or by the endpoint, but let's look at statuses. So we've got a 200 on GET users/1, which we expected, because we know that's the one that works. We've then got grades, which is another 200, so we know that exists. So what's in here? Well, what do we have? People's grades. Now this person didn't seem to do very well, because in the UK 40 is a barely passing grade, and we can see some comments about the grade, and then we've got the user ID and then the uni class ID. And if we go down to classes we can see, well, maybe that's not an endpoint. Oh, I know where this is, the class does exist, that's fine. So if we go into classes we might find, if we do a GET request for class ID 5, that we'll see a class as well, right? You can use wfuzz, you can use many different fuzzing techniques, there's so many. If you wanted, there's a really good, um, video by Shubham that goes into wordlists; there's a very good post by rez0 about how he used fuzzing to hit like a bunch of bug bounty stuff. Um, so we've got grades. Now out of interest, do you think this could be information disclosure? Do you feel like this is a security risk? Because I think there'd be a very good case for this. I agree, grades, yeah. Yeah, grades is for sure, especially because we can get the user ID and the class ID, so we can essentially get the grades of every single user. Now here's the other thing: we're going to go to Repeater to see the request here and we'll just send it again, so we kind of get an idea of what it looks like. So on this side over here we have GET grades/6. Now we talked about in our API the kind of CRUD functionality. Now some of bug bounty hunting is just following your nose. If we remove 6, are we just going to get every single grade? Come on. The answer, of course, is yes, you could get every
single grade, and quite a lot of security, especially bug bounty hunting, is about following your nose. You know, you see a 6 as an ID, what happens if you don't... look at it. So okay, we can now get every single grade, but as a typical student, getting our C grades, wouldn't it be much more interesting if we could maybe change them? So we know that grade 6 exists, I know that this exists, so let's try here and see if we can get a PUT request to work. So we go in here and we change GET to PUT, and because you're about to put JSON in, and I can't stress this enough, you've got to add the content type application/json, and you'll be very upset because an hour before your demo, something that was working stops working. And then we'll go in here and we just add a little JSON. I don't know, grade: now in the UK 40% is our passing grade, um, so let's make that grade, I don't know, a passing grade in the UK, how about an 80. As you can see, we've now managed to change the grade. This is a standard IDOR; this is kind of the typical, you know, 'this shouldn't work' kind of IDOR, because you shouldn't be able to edit somebody's grade. You might be able to if you're the professor, but not if you're not the professor, right? You should only be able to, you agree. Now, what's the next problem with our web app? We can't really do anything with this. There's a login but we don't have a valid username and password, and we can't see a registration. Now we could try fuzzing for every single possible registration thing, we could do that, or what we can do is we can go in here and we can see if just the API endpoint exists for that. Okay, we'll send to Repeater again, and we're hitting users, no sorry, not users/6, we'll change the ID, it's not there, so then we'll POST instead. And what we'll do then is we might put in content type in here, because otherwise it will break if we don't; always worth playing with content type, by the way, if you're ever doing this and it's not working. So this is one I prepared earlier, so I
happen to know what all of the endpoints are, and also what all the parameters are. Now if you don't know what the parameters are, you can go in here and remove one, and then it will yell at you and tell you what you're missing, in my app's case, but that's not necessarily always going to be the case. So, um, I have a new name here, and we'll call it, call it 'test', an email, whatever, and now we've made this new user. Does anyone want to say what the problem might be? The app is open source, it's on GitHub somewhere. Does anyone want to say what the problem might be with adding a user in this way that you wouldn't get if you weren't using the API? Some developers might be able to guess why this might not work; I'm not sure if anybody else might click onto it. 'Because your ID number might not be the next ID'? So the ID will always be an auto-increment. 'You could just blast away with no rate limiting'? You can as well, you would basically fill up their hard drive. 'We can't actually log on with this user because our password was never encrypted'? Yeah, yeah, sorry, because we don't know their password encryption algorithm, and also if they're salting it then it gets mish-mashed before it gets put into the database. So our password will be the word 'test', but that would be after encryption. I get it, so it wouldn't work, we would make the record but it wouldn't work. Yes, exactly, pretty much. And yeah, Shubham is correct, absolutely, you can do an account takeover with this. What you can do is you can try and reset the password, right? You can go into our little app and see if 'forgotten your password' works, and because we know what email address we've used, we can then try and reset the password and then get it to generate a password for us. That's one approach. Now sometimes if you've actually got an API that does actually register, this will work fine, even though it's a bit kind of... if the encryption
happens at the API, or if it happens kind of... if the API just automatically generates it, like mine does. So yes, completely correct, everyone's saying the password. You're perfect, we're doing great. So for the fuzzers, if you see /login, what else are you going to look for? Because there's no button that says registration. Oh, I know what it is, it's register, isn't it? Because just because you can't see it doesn't mean it doesn't exist. So okay, we can now make an account. So even if we did then make a restriction in the code, we can then make an account to gain kind of higher permissions, from no permissions to some permissions. If you want to do an account takeover, you can reset the password. Another fun thing we can do: so we know that we exist, we know that a POST request works, we can make a new resource. We can also sit here and go, well, maybe we can change a user; sitting here and looking at kind of 'create a new user', we could change the password of an admin and do it that way. Or, you know, maybe we're sitting here thinking, actually, I'd really like to cover my tracks and not get caught, and we can sit and delete our user. And it's all down to an IDOR, like these are all IDORs and information disclosure. And when we look at bug bounty hunting, we look at kind of what we're doing, we're really going, okay, now what if I tried this, and this, and does it matter if I'm logged in versus not logged in, etc., etc. So okay, I'm going to have a very quick look and show you the code that powers this and show you how simple some of these issues are to fix. Okay, so if you're not familiar with PHP, this is PHP; I know you haven't seen it since 2008, don't worry, it still exists, some of us still use it. This is Laravel, it's a very popular PHP framework that's used by quite a lot of web apps, and this is the code that powers all of those API endpoints. Now one of the really easy ways that we can do this is, if we go to web, this is our routes, we can create these exceptions in
the routes. So if we say we didn't want to have, you know, the route, I don't know, to edit a user, we can just put it in the except here, and there's the list of which ones go to which. We could do that. We can go in here and we can add middleware, auth, and now we've solved some key IDORs. Not joking, this literally solved some of the IDORs. If we go now, it will now tell us unauthenticated. Done, that's it, that's some of them; as small a change as that is what you need to make. Now, I've also done another issue; anyone might notice, I don't know if you're really familiar with Laravel, they might not, but the default middleware here will apply to any logged-in user. So if I could make an account, or do an account takeover, I could then perform the IDOR again and I wouldn't have really fixed anything. So then you write your own middleware, and I haven't done that because it's a lot of effort. So what can we do here as programmers? We can do, one, we can add middleware, you can write a role middleware; two, we can stop some API endpoints being visible; three, we can go into each of the controllers and then just do a quick kind of, if role ID equals teacher, then don't let them update someone's grades. So we have a question in the chat. Yes, sorry. Oh no, no, I thought you were on a roll, I didn't want to interrupt you. Okay, so, question: if you have the UUID, or the GUID, in the API endpoints, how can we do IDOR if we don't know the victim's UUID? So all you can do in that sense is you can try and delete the cookies and see if it will still work. So I'm not logged in, and my app doesn't really support it, but essentially if you were to delete, in this case, the Authorization section, that's not a cookie, um. And actually, that was also... yeah, if you just delete the whole cookie you can still get it to fire. You can also figure out a way to generate UUIDs, like quite often there might be an API endpoint to try and like hit it for you. Yeah, essentially, like, in our case maybe, if we was like, this one
gives us the user ID and the uni class ID, even if we don't need them or use them; if those were UUIDs, we could then use that to then enumerate through those APIs. He has a follow-up question, and I'm not sure if I get it, so he says: yeah, but while doing IDOR and we get unauthorized, then still can we bypass it with some... Yeah, so in this sense, all I've done to this code is add middleware, auth. Now if we log into an account here, we register an account, welcome to it, oh my god, one two three four one two. Okay, so now we're logged in as a user, we can then go back to this and delete user ID... sorry, oh, I've got the wrong cookies, it's like a fishery, so I'm just trying not to mess this up. Okay, copy the cookie, and now we've managed to bypass that just by logging in as any user. So even if we get unauthorized when we're not logged in, that doesn't mean that's actually set up correctly for our role; it just means that they haven't programmed it correctly. So step one, if we get unauthenticated, is going to be just to log into any account. Cool. There are more comments in the chat, but I'm not sure if it's more like they're just chatting amongst themselves or if they have a specific question for you. Let me have a look. So to answer some of the questions about the WAFs for the app: the WAF, the Web Application Firewall, kind of comes built in to the app for some. If they use a third-party one you really should report that to the third party, but if they've built their own, like in this sense where they just haven't set up the authentication middleware correctly, that is absolutely something you report to the target. Yes, Sunol is completely correct, you can also use XSS to get UUIDs as well, by putting on like a poisoned whatever, being able to hit an API endpoint and then bypass CORS; it's quite complex, but yes, you can do that, he is correct. Are there any other tools if you want to do this? ZAP, ffuf, Burp are all great ones to do it. Honestly, just use Burp, like if
you can become a master at Burp, you'll be able to find any bug. Some of them you might need to be able to start writing your own tools; you will know when you reach that point. LFI and XSS will also work, yes, and all of that, of course, yeah. I can't forget, you don't have to... people think you can only use one or the other; you can use those, it's fine. Oh, that was quite a nice one: some of the features that you have to pay Burp for, ZAP provides for free. Automated tools for API testing? I suggest no automated tools when you're learning. Don't automate it, because you will not understand how the actual bug works if you're just running a script. It's far better to understand what you're reading, and understand it, and then figure out, well, actually, I can do this, I could do that, because I understand this, and then the bypasses are far more important. If you really want an automated tool, you can use a thing called Autorize, which allows you to do the IDOR stuff automatically. If you want to ask me specifically about bugs you found and want an in-depth explanation, I recommend you go tweet at me and then I will answer it within the context, because then you have to worry a bit less about sharing bugs in public. I think I've caught up on all the questions; if I've not answered your question, please do ask. I think a lot of it was like people answering each other's questions, which is always totally awesome. Oh yeah, I've got to say, my community is amazing, because I've never seen more people willing to answer each other's questions, just so kind. And I have a Discord channel, I've been kind of AWOL on it, but I just see people tag me and then other people from my community will just answer in it. Great. There's a good question about possibly integrating Postman with Burp; I don't have the answer to that question because I've not used it in that way. I've heard of that before too, and I also have not done it. Same here. More
wordlists: I recommend creating your own wordlist whenever possible, because you'll very quickly have this kind of little favourite wordlist that you'll have, um, so I really recommend doing that. Awesome, I feel like you answered all the questions successfully. Yes, that was great. You're so fun, you're such a fun presenter, I love the way you explain things and you make me giggle the whole time. Yeah, I can't tell if everyone's laughing, so I just got to keep making the jokes, and if nobody laughs it's okay, because I know they're fun. That was such a great demo, I felt like you broke that down in such an easy-to-understand way, thank you so much. Yeah, thank you so much Katie, it's great. We didn't mention it during the show, but in the chat I sent the link for a giveaway: PentesterLab offered us a subscription for a month to give away to our people that are listening to the show. So we got quite a few entries here, so I'll share my screen and show you how we'll pick a winner, and you can email us after. Were you done? Sorry, we just like started. I could sit here and explain how my terrible web app that I made in a day is vulnerable to all kinds of things; I had to turn off some of the CSRF stuff to get the demo working, so it's very vulnerable to CSRF, it's vulnerable to so much. I could sit here and play around with it. Oh, exciting, I love it, it's cute. Okay, so can you pronounce that for me? I can't even recognise names, I can't pronounce it, yeah. Perfect. So Yang, if you could email us at OWASP dot DevSlop at gmail.com with the email you registered with, we'll send you the link to register. I'll put that in the chat, so don't worry about it, but that's our winner for today. Right, thank you Tanya. What if we wanted to know more about you and follow you and see your other talks and all your cool lessons? Why do I have the thing in my clipboard? I'm going to stick all of my social media etc. links in the chat right now, so if you do want to follow me, I'm on Twitter, I'm
on YouTube, I have LinkedIn, and I have CuriousCat as well if you want to ask me a question. And I don't have my DMs turned on on Twitter; that's because I get abuse if I do. So if you do want to follow me and ask me a question and you kind of don't want it to be public, just, uh... Well, there are too many things. It's sad that people can be mean on social media, like they forget that we are humans and that we're nice people, and we're looking in our inbox and we're hoping to see messages like, hey, that talk was cool, where are your slides, I liked this, thanks, and then there's... I did used to get it, and then I started making YouTube videos and I get it all the time. So my DMs are turned off. If you want to DM me something that's kind of private, not private, but like it might be a bit sensitive, um, just send me a tweet that says please DM me and I will totally DM you, it's fine. I am accepting DMs, I just don't like it when people send me abusive ones. So I have just put all of my kind of social media in chat; I don't know if that worked, so don't read under it, but if you want to add me, totally fine. Yeah, I'll add everything I have in the show notes maybe a few hours from now, so you can come back to the video and see. A few people have been asking for your slides, is that something that you... I don't share my slides, and that's basically because I don't want someone to present this and get information wrong and it had my name on it. So I don't make my slides public, but you can always come back and watch this video. I am looking at ways of making my slides as notes and then being able to share the notes version of them rather than the full slides. It's literally because I don't want somebody to tell me, 'I watched your slides and I think you'll find that you're wrong', but actually someone is presenting my slides and gave incorrect information with my name on it, which I just can't tell, like, the person
presenting is not kidding, you know. People wish... not cool to be out, because I sit behind a purple background the entire time. I actually, I love the little comic, thank you. I got it, I paid someone to do it. No, it's like, can you make it look like me as much as you can? Like, you can try, and I'm just like, it looks like me, really? Yeah, yeah. Okay, everybody, there are a lot of great comments in the chat, everybody's thanking you for your presentation and they really enjoyed it, so thank you very much, Katie, you've been a great, great guest. Well, thank you very much for having me, I love doing stuff like this, and I love the compliments, so please do keep them coming. Yes, and all the compliments: go follow Katie on her YouTube channel and on Twitter, she already said where you can follow her. So who won the giveaway? We said that a bit earlier, it was Yang. Yeah, so again, Yang, if you're here, email us at OWASP dot DevSlop at gmail.com with the email you registered with and we'll send you a link to your subscription. Awesome, so let's wrap this up. Thank you everyone, thank you for being here, thank you Katie again, that was great, and thank you, see you next time.
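The fix Katie sketches at the end of the demo (authentication middleware on the API routes, plus a per-controller role check so a logged-in student still cannot PUT someone else's grade) written out as a complete Laravel example. This is an added example, not code from Katie's demo app or from this page, and it makes assumptions the transcript does not state: the app uses Laravel with Sanctum (`auth:sanctum`), a `users.role` column holding `'student'` or `'teacher'`, a `grades` table with `user_id`, `class_id`, `grade` and `comment`, a `UniClass` model for the classes table with a `teacher_id` column, and model names `App\Models\Grade`, `App\Models\User`, `App\Models\UniClass`. Three files are shown in one block, separated by comment headers; policy auto-discovery maps `GradePolicy` to the `Grade` model without any extra registration.

```php
<?php
// ---- routes/api.php ----
// Added example (not the demo app's code). Assumes Laravel 8+ with Sanctum.
use App\Http\Controllers\GradeController;
use App\Http\Controllers\RegisterController;
use App\Http\Controllers\UserController;
use Illuminate\Support\Facades\Route;

// Registration stays public but is rate limited (5 requests/minute per client)
// so the "blast away with no rate limiting" concern from the chat is covered.
Route::post('register', [RegisterController::class, 'store'])->middleware('throttle:5,1');

// Every other API route needs a valid token. Without this group the demo's
// unauthenticated GET /api/grades and PUT /api/grades/6 both succeeded.
Route::middleware('auth:sanctum')->group(function () {
    // No store/update/destroy on users at all: nobody creates admins or deletes
    // users through the API, which removes those IDORs rather than guarding them.
    Route::apiResource('users', UserController::class)->only(['index', 'show']);
    Route::apiResource('grades', GradeController::class)->only(['index', 'show', 'update']);
});

// ---- app/Policies/GradePolicy.php ----
namespace App\Policies;

use App\Models\Grade;
use App\Models\User;

class GradePolicy
{
    // A student may read only their own grade; a teacher only grades in classes they teach.
    public function view(User $user, Grade $grade): bool
    {
        if ($user->role === 'student') {
            return $grade->user_id === $user->id;
        }
        return $this->teaches($user, $grade);
    }

    // Only the teacher of that class may change a grade. Being logged in is not
    // enough, which is the gap the plain auth middleware left open in the demo.
    public function update(User $user, Grade $grade): bool
    {
        return $this->teaches($user, $grade);
    }

    private function teaches(User $user, Grade $grade): bool
    {
        return $user->role === 'teacher'
            && $grade->uniClass !== null               // assumed belongsTo relation on class_id
            && $grade->uniClass->teacher_id === $user->id;
    }
}

// ---- app/Http/Controllers/GradeController.php ----
namespace App\Http\Controllers;

use App\Models\Grade;
use Illuminate\Http\Request;

class GradeController extends Controller
{
    // GET /api/grades no longer dumps every grade: scope the query to the caller.
    public function index(Request $request)
    {
        $user = $request->user();
        $query = $user->role === 'teacher'
            ? Grade::whereHas('uniClass', fn ($q) => $q->where('teacher_id', $user->id))
            : Grade::where('user_id', $user->id);
        return $query->get();
    }

    // GET /api/grades/{grade}: 403 unless GradePolicy::view passes.
    public function show(Request $request, Grade $grade)
    {
        $this->authorize('view', $grade);
        return $grade;
    }

    // PUT /api/grades/{grade}: the demo's "grade": 80 request now needs the
    // class teacher's token, and the value is validated instead of mass-assigned.
    public function update(Request $request, Grade $grade)
    {
        $this->authorize('update', $grade);
        $data = $request->validate([
            'grade'   => ['required', 'integer', 'between:0,100'],
            'comment' => ['nullable', 'string', 'max:1000'],
        ]);
        $grade->update($data);
        return $grade;
    }
}
```

To check the fix the way the demo found the bug, replay the same Burp Repeater requests three times: with no token (expect 401), with a freshly registered student's token against another student's grade ID (expect 403 on GET and PUT), and with the class teacher's token (expect 200). The registration controller assumed above should hash the password with `Hash::make()` and set `role` to `'student'` itself rather than reading it from the request body, so the "make an admin through the API" path is closed too.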
Info
Channel: OWASP DevSlop
Views: 24,948
Rating: 4.9504504 out of 5
Keywords: api, hacking, bug bounty, owasp zap, burp, katie paxton-fear, tanya janca, nancy gariche, nicole becher, devslop, owasp api top 10, hackerone, pentesterlabs, hacking api, penetration testing, finding your first bug, web app hacking, web bug bounty, api penetration testing, how to get started bug hunting, how to get started bug bounty, how to start bug hunting, how to learn bug bounties, how to get into bug hunting, how to become a bug hunter, apis for beginners, burp suite pro
Id: qqmyAxfGV9c
Length: 76min 54sec (4614 seconds)
Published: Sun May 03 2020