Hacking/Reverse Engineering a PRIVATE api

Captions
Here's the deal, guys. I want to create an app, and this app that I want to make needs certain data to feed to it. I found another app that uses the same type of data, and I found out that the data that they use is from a private API, and what that means is that no other app can use that data. So the problem is I can't use that data, until we change that. Companies like this that protect their APIs and make them private, in my opinion, are ruining the tech industry and they're ruining their own companies. If you don't open-source your data, you don't have free developers working on your app making it better, and you also don't have third parties using your API, basically free marketing for your company. So I'm gonna use their data. We're gonna go get it and we're gonna hack the API. Don't try this at home.

So this is gonna be the plan, guys. How the app works right now, the other app I was talking about, let's call this "the other app": how this works is this makes the request to the private API, and this private API actually sends back the data when it makes that request. Well, here's where I come in. I need to play, basically, a man-in-the-middle. Yeah, that's me. I need to play the man in the middle, and basically I need to see how this other app is sending these requests. I need to intercept the request, touchdown, and I need to then make my own request so I can get back my own data from this private API. So that's the plan.

So I did some research on what I'm gonna use for the man-in-the-middle, and I found this really cool website that actually does exactly what I'm looking for. It is called mitmproxy. It's a free and open source interactive HTTP proxy. Features: intercept HTTP and HTTPS requests and responses and modify them on the fly, and it actually does that from your terminal. Let's do it. So I actually want to modify HTTP responses coming from an iPhone to my computer, and on my computer mitmproxy is gonna be the man in the middle. So I found an article I wanted to read on Medium; I just saved it for later: "Intercept iOS and Android network calls using mitmproxy." How it works: mitmproxy sits in the middle of a connection, classic man in the middle, between your phone, computer and the internet. I'm gonna go on my phone. In the settings of my phone you can go to the Wi-Fi settings and set up an HTTP proxy server. It's gonna connect to my computer, so all the data going from my iPhone to my computer will be caught by mitmproxy. Here is the IP address that I need.

So I actually am going on my phone right now. What you do is you go into the Wi-Fi network tab, you can scroll all the way down and configure a proxy. I go to manual, and the server is actually that number; you find this IP address right here on your Network tab in your System Preferences. Actually, the port is going to be mitmproxy's default port, 8080. This right here is what you're gonna type into this port. All you do is hit save, literally as easy as that. On your iPhone, launch Safari, in the address bar type mitm.it, and so what happens, okay, see if anything popped up in the terminal. Oh, we're actually already getting GET requests, so allow iPhone. So now that it is installed, it said I have to go to my profiles, so that's gonna be in General, right here, mitmproxy, okay, install, warning: authenticity cannot be verified, don't care, hopefully this works now. Okay, so basically now everything should work and I should have my man in the middle set up.

I'm gonna open up the app I want to use. Now I'm getting new requests popping in. Yep, there's the app. Okay, we're getting somewhere. There's literally an access token right here. Okay, so I'm just gonna search real quick a beer that I like, Dragon's Milk White, that's what I want right there. So this URL right here is what my phone's client is making to the server, so it's requesting data from that URL. Bingo, it responds back with all of this data, which is exactly what I want from their API. So really the only thing left is now I just have to generate a fake API key and I can use all the data I want, and hopefully nobody catches me.

So I was doing some thinking, and I saw that there was the access token that we saw earlier in one of the requests, and I'm pretty sure that if you're not using a Basic or a Bearer auth token, the OAuth 2.0 system, that you can just keep reusing this auth token that they're giving us, the access token, and we could just make as many requests as we want with the token we already have. We don't have to generate a new one, because we don't even need to find out what their hashing algorithm is. So that's what we're gonna try. Alright, so I'm on my phone. I'm gonna try trending beers, and I'm just gonna click anything, Solid Gold, and I'm gonna click find it. So let's see if we get that GET call. We scroll down, okay, here it is, GET find. So we see this access token right here. We're just gonna try to use this, that this call made, in Postman.

And what Postman is, is basically just an API development tool for developers so they don't have to go and make a new code file and call; instead Postman will just allow us to make a call right here inside of it. So we're just gonna make a new request, save collection, beer app, beer app, save to beer app, okay. So enter the request URL. Okay, so we have this access token, this is the request URL, but actually these are all the queries that are in that, so basically all we have to do is recreate this request URL and send it in Postman, and if it works I don't have to make another access token and we win. So I don't need all this because it starts at disp ref. Alright, we're gonna go up to the latitude right here, so if I hold ctrl I can copy this, then going to Postman, paste it. I'm gonna get rid of this longitude number because it's not fully done, into the terminal, get the latitude number, bring it over here, boom. What's next? We got the mode, and radius equals 10, and access_token equals, alright. This is the moment of truth: if this access token works, here we go. We bring it back into Postman and we just send it. Oh my gosh, code 200! I can't believe that actually just worked. I can literally reuse this access token. I can't believe a huge company like this would even have something so easy to get into. This is the sickest thing ever.

So what do we learn here today, guys? Well, class, let me tell you, we learned here today that you need to protect your APIs better, because they're too easy to hack into. Alright, that basically wraps it up for this video, guys. I got an app to make and I'm sure you guys got something much better to do, so if you enjoyed this video, I don't really care what you do, maybe share with your friends, whatever, comment, like, yeah, until next time.
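The weakness the video finds is a static access token carried as a URL query parameter that the server accepts again and again. As an added example (not the video's or mitmproxy's own code), here is a small audit helper a team could run against its own app's traffic through mitmproxy: it flags credential-like query parameters and counts how many requests reuse the same token value, logging only a hash so the secret never lands in the log. The parameter names, the sample URL and the `api.example.test` host are assumptions.

```python
"""Audit helper for mitmproxy: flag access tokens passed as URL query
parameters and count reuse of the same token value across requests.

Run as `mitmproxy -s token_audit.py`; the addon hook at the bottom is
only wired when mitmproxy is installed, the pure functions run alone.
"""
import hashlib
import logging
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Query parameter names that commonly carry credentials (assumed list).
SENSITIVE_PARAMS = {"access_token", "token", "api_key", "apikey", "auth"}

# Per-token request counts, keyed by hash so the raw value is not stored.
_seen = Counter()


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix that stands in for the raw token value."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def find_query_tokens(url: str) -> dict:
    """Return {param_name: fingerprint} for credential-like query params."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {k: fingerprint(v) for k, v in params
            if k.lower() in SENSITIVE_PARAMS and v}


def audit(url: str) -> list:
    """Record each token seen on this URL; return human-readable findings."""
    findings = []
    for name, fp in find_query_tokens(url).items():
        _seen[fp] += 1
        findings.append(f"{name} sent in URL (fp={fp}), seen {_seen[fp]}x")
    return findings


def reuse_count(secret: str) -> int:
    """How many audited requests carried this exact token value."""
    return _seen[fingerprint(secret)]


try:  # mitmproxy addon hook; skipped when mitmproxy is not installed
    from mitmproxy import http

    def request(flow: http.HTTPFlow) -> None:
        for line in audit(flow.request.pretty_url):
            logging.getLogger(__name__).warning("%s: %s", flow.request.host, line)
except ImportError:
    pass
```

A token that keeps showing up with a growing count across sessions is exactly the long-lived, replayable credential the video demonstrates; moving it to an Authorization header and giving it a short expiry are the usual fixes.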
Info
Channel: chriscodes
Views: 47,999
Rating: 4.7790399 out of 5
Keywords: hacking, reverse engineering, private api, api, devon crawford, devon, crawford, hacking/reverse engineering a private api, reverse engineering an api, hacking an api, hacking api, reverse engineering api, how to reverse engineer an api, how to hack an api, hacking private api, reverse engineer private api, reverse engineering a private api, hacking a private api, chriscodes, hack api, hack private api, reverse engineering private api, reverse engineer, hack, engineer api
Id: Fa1zlLEGPtw
Length: 6min 35sec (395 seconds)
Published: Thu May 09 2019