Live API Hacking Demo

Captions
Is that my wife? So what happened is YouTube wouldn't actually let me stream to the first link for some reason; it just full-on did not work. I have no idea why, I don't really know what happened with YouTube. But hey everyone, wow, it's nice to see you all, so many of you. Hi, welcome to my very first stream. We're gonna cover a mixture of stuff here: I'm gonna show a little bit of code analysis, I'm gonna show you some more API bugs, and it's really gonna build on what we were doing last time to look at different ways of hacking. My video this week is going to be all about what kind of bugs exist in APIs, but this stream, before you watch it, is gonna be way more about testing out those bugs. So hey everyone, welcome. There's going to be some audience participation, so be prepared to have a chat with me. Let me just get my notes up so I know which order I'm supposed to be doing things in.

Setup-wise, I'm going to be using the vulnerable application I showed in the previous API enumeration video, just because I already made that and it took me a long time to make. Yes, the stream is recorded; I'm recording it locally as well, not just relying on YouTube. Don't trust YouTube. So let's get started. I'm going to start here with Burp Suite Community Edition and Firefox. I use Firefox because it's actually one of the easiest ways to separate out your web browsing; it has quite good proxy control, and for me it's also because I usually use Chrome and Safari. Anybody who watched the last video will be familiar with Generic University ("lorem ipsum inspiring words") and with this setup.

So here's what we're gonna do. The first thing we're going to cover is a recap of API enumeration: you guys are gonna tell me how to enumerate this API, how we figure out what endpoints we have access to. Then I'm gonna show you some bugs: I'll show you some information disclosures, your IDORs, and then we're going to be talking about some authorization and authentication issues. I'm also gonna bring up the code and show you why this code causes some bugs, as a little bonus for showing up. This is likely gonna be less than an hour of content; after that you can go and watch my video on API enumeration, and then after that there's NahamCon.

So everybody, how do we enumerate APIs? What is the easiest way to enumerate an API? What kind of wordlist should we use? Let's get this side up with what we're looking at here. Using ffuf, yeah, that's a great way to do it, but if you've seen my API enumeration video you're probably already familiar with the endpoints in this API. Given that, do you think it might be better to use ffuf or Burp Intruder? What strikes your fancy? What I'm doing here is just showing you only in-scope items, to clear this up a little so you don't see all the random requests Firefox makes. It's a great question: how do you actually find an API in a website? The easiest way is to look for the word "api". APIs often have this kind of defined structure, so you'll have /api/v1/whatever; that's a really good way to tell there's an API. Yes, the stream is being saved, Jess. Oh, raise my voice, I'm a bit too quiet, sorry; I'm not very close to my microphone, because that means I can't see my screen, so hopefully this looks okay.

Right, so we could use ffuf, but because I haven't got that demo set up (this is quality educational material) we can just use Burp Intruder. Does anyone want to talk me through how you would set up Burp Intruder for this? You can see the ffuf demo in the API enumeration video, where I go into much more detail about how to use it, although there is an issue with that: I've messed up one of the commands, so I'm gonna have to do a redo of the ffuf demo with everybody's suggestions on how best to use it. Everyone likes doing it live. Where did I put it? Oh, it's in my API videos... it's in recon. Alright, you guys want to see some ffuf? Let's do ffuf. Points to somebody who can tell me what the command is for ffuf to enumerate the API. Yes, great, points for you. So we'll send this to Intruder, and I'm going to need a wordlist for both, so tell me what we should test. What API endpoints are we looking for? Excellent, who said that? Ignition Lab, someone's been watching my videos. So we're going to need a wordlist. I can see someone spamming chat; I don't want to give them attention, I'll give them a timeout. Right, users, yeah, we're going for /api/users. Can people please send what you think would be good API endpoints to test for? We know that this is Generic University and we can see "view our grades", so when we write our own wordlist we should be thinking, okay, what is this likely to have? Now we could go ahead and use something like SecLists; the problem with SecLists is that often API endpoints are specific to a target. So we are going to be looking for stuff like admin; however, our target might not have /admin, and that means we're at a disadvantage because we can't access that yet. Classes, great, great API endpoint. I'm actually going to do this in a little Notepad, not Notepad++, I want boring Notepad. Nouns are great, actually any kind of noun: class, classes, students, got students again. I will go admin here because admin is always something worth checking for, even if we don't find anything. Marks, love it. We'll go university as well. The best way to find a hidden API is going to be to hit every button and hopefully you hit one, or search for literally /api and see if there's anything in there. Subjects, teachers, gradebook. Okay, I'm gonna stop there.

So this is gonna be our enumeration. We'll go into Intruder: our target is our website here; in positions we put the little section sign around "users"; and then we've got payloads, which is where we put in whatever payloads we have. So we copy these and paste. Because I'm lazy, you can do this with SecLists as well: if you go to the SecLists raw file you can just copy and paste it and you don't need to download it, which is good especially when doing YouTube videos, because you might accidentally load up confidential files. We'll start the attack. Just checking this is visible, okay cool. We can see that Intruder is hitting all the API endpoints and we're getting a mixture of 404s and 200s. 404 means it doesn't exist, so we can safely say if we see a 404 it doesn't exist. I actually want to look at it without the 404s as well. What we're seeing here is that classes and grades exist, but actually none of these other ones do, and nothing exists other than our regular users. So we also want to test it with /1. To do that we clear that (well spotted by Neelix), we'll add a little section sign there, go to payloads, change our payload here to numbers, and we can do numbers from 1 to 20 with a step of one, and that will then run the attack testing for different IDs. We can also do another attack: go to positions, clear that, and do our first attack with just /api/users and nothing next to it. In RESTful API endpoints we see a slash, then the resource name, and the root of that, where it's not got a number at the end, often returns everything in that resource. So we'll do that as well: go to /api/users, go to payloads, go to our simple list at the top, and do this attack again. This is quite often what you end up doing with API enumeration: you end up doing a bunch of these different Intruder attacks, or using ffuf, as you learn more about how an application is built. Is there a chance that the website is showing a custom status code? Pretty rare. API paths, singular or plural? It can be either way; a lot of the paths for APIs specifically tend to be designed by a developer, so quite often it will be whatever the developer put in. I think I do mine plural because in Laravel you call them controllers, admin controller, class controller, dashboard controller, grade controller, and every time you reference one it's singular, so if you have multiple I'd use plural, but it's a style thing. Yes, you can use the cluster bomb attack as well, to answer that question, and yes, this is going to be saved on YouTube; maybe I should add a little thing on the bottom that says "yes, this will be saved to YouTube".

So we've got all of that. Now what we do after API enumeration is hunt for bugs, because just doing API enumeration is not necessarily going to find us bugs. Let's have a look at this list of users, this kind of email and name. Do you think returning that would count as information disclosure? Just your own opinion here: do you think that's worth reporting, or do you think we should wait until we find something more interesting? I'm gonna bring the chat up so you can actually see it; I worked so hard on this little layout... now it's even worse. No, you should wait. Yeah, so a lot of the time when you see emails, emails don't necessarily count as information disclosure if it's not disclosing any kind of personal information. An email address is often public nowadays, and we're not seeing anything in there that suggests a password, so we really should sit on this for the moment because we can find more impact. Vishal is completely correct: if we know that this API endpoint is not that protected, let's go deeper, what else can we find? Let's not stop at reporting a low-risk vulnerability; let's go deeper.

So what about this one? This is a list of grades, and we can see the user ID, class ID, the grade they got and some comments. Is that going to be information disclosure, do you think? Excellent observation, realizing "role" might be an endpoint: if we see role_id we should definitely also be checking for /role, and we can do that by sending that to Repeater. Okay, so I would say personally that if you see something like grades, that would be information disclosure, because knowing somebody else's grade is pretty bad, right? It's maybe not really, really bad, but there's a lot you can do with someone else's grade. But let's go deeper: what else can we do? As an API we can get the information out; what else can we do? If we look at CRUD functionality (create, read, update, delete) that APIs can do, we're on read at the moment, so what else can we do that's a bit more interesting? This is our endpoint again; I've just put it in Repeater to make it easier to see. When we think about bugs, it's good to use the bug class name, but actually it's better when we communicate, especially with the people running a bug bounty program, to talk in their language and say "this is an IDOR, but more importantly it allows us to do this to your business logic". Delete, yeah, Mohammed is completely correct, we could try and delete them. What might be a little bit more fun, though? Edit, yeah, let's try and change a grade.

So right here we've got /api/grades and we're just gonna set up editing a grade. What we don't necessarily know is how we need to set up editing a grade, because we don't know what it needs inside of it. I'm so used to using a Mac, I keep on pressing Alt on my Windows PC instead of Control to paste things. So, a PUT request instead of a GET request. Oh, that's a great idea, to use OPTIONS; Ignition Lab, PUT, definitely correct. We could sit here and put in a bunch of different payloads, we could use Arjun to find out what we have access to change, but actually it's quite straightforward to just say: it's sending us JSON, we'll send it JSON back. So we'll put in Content-Type: application/json. That's really important when you're interacting with a JSON-based API: you can't send JSON unless you tell it the content type is JSON, and it's really easy to miss, and I have lost bugs because I haven't done that. So we'll go to a specific ID, let's go ID 1, and all we want to put here is a very simple little JSON object, same format as they have it, but I'll set grade to 12, and then we'll send this and we can see we've got grade 12. Let's go 120, and we can see that the grade is being updated. Great, now we can edit a grade. Now what class of bug would this be? Does anyone want to tell me? Bonus points if you can give me the blue team name for it; I'll give you extra brownie points, I guess, I don't really have anything of value to give. And I'll show you what code actually causes this and why it happens, because one thing that's really cool, especially as you become a bit more experienced, is being able to read code and figure out you can do this without even deploying an application.

Yeah, Hammer is correct, it's an IDOR, and specifically it's an unauthenticated IDOR, because we haven't got an account on here. Neelix is correct, Mohammed you're also correct: this might also be considered mass assignment, because should grade be able to be edited by the API? We don't really know. So okay, why does this happen? The way my code is set up here is I have these controllers. If you're not really familiar with web development don't worry too much, because basically all these do is contain code. If we look in the grade controller and scroll down, we can see that we don't have any kind of if statement to check if the user has permission to access something; we have this default code. If we update, as long as the resource exists, then we don't have an if statement here, and to fix that bug all you'd need is an if statement. This is why IDORs are ridiculously silly, that they exist, because all we need to do is put an if statement on line 34 covering to line 39. This looks like a lot of default code, and when you deal with default code you really need to not do that; instead of using the default stuff, you need to be looking and checking what it does. So that's one kind of bug.

Now, one thing we did see from our earlier recon activities is /admin, and what we get if we go to /admin is the term "unauthenticated". Can anyone tell me what the difference between authentication and authorization is? If you know, please do share it with everybody else. You have to put in the content type, Mohammed, because if you don't, Laravel won't accept it; it won't accept any JSON data if the request doesn't include the content type header. I wrote this because I spent so long thinking this API didn't work and completely forgot to add the content type header, and no joke, it took me maybe four hours before I realized my API was actually working when I was developing this. I'm a bit of an idiot sometimes. Excellent answer, Nish, that's a great answer: authentication is who you are, authorization is what you can do. So if this says unauthenticated, we're gonna be looking at creating an account, because actually if we create an account we might have access to this resource; we're not unauthorized to do it, we're actually unauthenticated. So how do you think we can create an account, or access somebody else's account? I'm kind of curious; there's a few methods of how to do this, so what ideas do you folks have? If we go to login, that won't work because it's a saved thing from an earlier test. We have an email address and a password; the URL is /login; we've got login and forgot password. You guys have excellent answers. Yes, Ruth said it, I'm going for that, that is correct. The first thing we should be checking: just because we can't see a button that says register doesn't mean it doesn't exist. We can go /register, and would you look at that, no one actually hid it. Sans got another good one, which is account takeover. Does anyone have an idea of how you might do an account takeover with what we already have? I'll explain it anyway, but while I register an account, see if anyone has any ideas about how to do it. I'll make an account here. Yes, we'll make the password really secure, "PasSWoRT", no one will get that password. Great, so we have our account now, and we know that admin exists, so I'm just going to go back to users. Forgot password, absolutely. One of the main ways of doing an account takeover is to abuse the forgot password mechanic, because a lot of the time with APIs, if you change the password it might not actually put the password through the password algorithm. So really we could try one of these emails we know exist, put that in forgotten password and see if we can get it back; in other cases we can actually change their email address to our email address and then get their password back. That's a bunch of different ways you can do it; it's not necessarily always gonna be that particular account takeover, but this is a great way of thinking about how we might do this.

Right, so we have an account; let's see if we can access /admin now. Ah, Secretary, you want a role here; you're gonna get into my bit before I get to it. So if you press send, it will say unauthenticated. Why is this saying unauthenticated, what have we missed here? And you're absolutely correct, yeah, mass assignment: one of the big risks is going to be the fact that we know we can edit grade here; can we also edit all of these other ones? If we use something like Arjun we're gonna be capturing everything we can access, and I will share with the class here: this is a result from Arjun on this application. We can see on the users endpoint we've got email, method, name and password as legitimate parameters, so one approach would be to go change the email, then forgot password; you don't even need to be capturing tokens, you just change the password, get the change-password email and then change it. Okay, yes, the video will be available, don't worry about the video not being available, it's fine. I don't see anybody saying why this request didn't work; I don't know if that's just because I'm far behind, I think I might be. So the reason why this doesn't work is because we haven't actually changed the cookie here; all we've done is use the pre-existing cookie, and this is not the authenticated cookie. If we go to our proxy HTTP history, we can see the new cookie from when we registered. I don't tend to use the Target tab and the site map very often; I tend to mainly focus on using this because it goes by time rather than by how stuff is set up. So we'll go here, send to Repeater, and then go /api/admin. Yeah, validating the cookie, excellent job everybody, so we've got it. What we're looking at here is the difference between authorization and authentication: all we had to do was create an account to be able to see the admin. So what code really causes this? We go into the admin controller and we can see there's still no check for whether we have the right role. One of the big things we come across with bug hunting is that we can't actually see the code, but often code is written in a really lazy way. What this person has done to get the unauthenticated error... I know a lot of people aren't necessarily familiar with Laravel to fully appreciate how amazing my programming is, but here we can see that the admin routes have been given middleware, and it's not checking if we have permission, it's just checking that we have an account. So that's the code that causes this.

Now we can see this is giving us some documentation, and we should always be paying attention when a website or a target gives us information, because it's free information: we don't have to recon, we don't have to stress out, we've got it. So because we're fantastic people, we see the endpoint delete, so we're gonna go /delete and hit send, and it says "permission required". This is our authorization: now we have a role, but we don't have the correct role; we're a lower-level user and we don't have permission to access high-level functionality. A lot of people are saying role_id, that's what we need to change; if we want to access this we have to change our role ID. How do you think we do that? The cookies are the default Laravel ones, I haven't done anything to these; they might be base64 encoded, I'll check. Yes, they are base64 encoded, good spot, I didn't even know, so better eyes for bug hunting than I have, apparently. Alright, PUT, yeah, Mohammed's cracked it: we want to go into our users and see if we can edit our own user ID. So we'll do another request here, and we can see our ID is 8, so we'll go /users/8, and we know that this should already work because /users/6 worked, so /users/8 must also work. Now you can see it works. So again we're gonna do our PUT with Content-Type: application/json (I can't type it, so it's in my notes), and the same thing, we're just gonna set role_id. How do we know which role ID to change it to, would you folks think? How do we know role ID 1 is always going to be the admin account, how do we know it's not role ID 3, 4, 5, 6? Yeah, Junkie is correct, the best way to check this is just /api/roles and see what's in there. That's the idea of using a RESTful API: we actually learn a lot about what's inside the API just by asking for it. So we'll change to role_id 1, because that's telling us it's the administrator account; we don't see super admin, we don't see IT. Sometimes you won't necessarily see admin, but it's whatever role you want. If we change this, we can see that now ID 8 has role_id 1, which means we've gone from being a regular user to an administrator. That's great, right, we've got that kind of privilege escalation. So we go back to our original admin endpoint, here it is, this is our permission-required endpoint.

Can we delete everything? Does anyone want me to delete everything? What would you folks think? Do we ruin Mr... who's the IT guy, Devin Paris's lovely "under construction" GeoCities website? Do you think death to the website? I can name the tabs, trust me, this is exactly how I act normally, it's a lot of "tab 1 to 64". Yep, you're absolutely correct, Pyrrhic: if we're bug hunting we never want to do something like that, ever. One of the reasons why we don't is because that's really bad; we don't delete some poor sod's database, right? As much as the hacker instinct is "burn it to the ground, it's dead to me" (I love that energy), really what we want to be doing is reporting it at this point: "look, I can see this endpoint, don't touch it if it's going to destroy the website", because you won't get a bounty for that; you'll get someone on the other end with a really big sad face, especially as I think this endpoint says it's unrecoverable. But because we're not playing good hackers today, we're going to delete the entire database, because why not. So the database is gone; we can now go back to users, change that to GET (didn't put enough space after that), okay, and we can see that the only user that exists is us and everybody else is gone. Yeah, He Chan is completely correct: if we wanted to test functionality like that we'd really be looking not for the delete-all button but perhaps creating another account and deleting that second account. You never want to be pressing buttons that say "delete everything". And because we're also good people, with a regular restore to bring the database back from the dead we can see that we now have all these other users again.

So what have we actually demonstrated in this demo? The first thing we've demonstrated is information disclosure; we've also demonstrated IDORs; we've got a permission IDOR, where we're authenticated as a user but not authorized to do it; we're then looking at privilege escalation, taking our user account from a regular user to an administrator. And they're all kind of bundled together; we don't see distinct lines of "this is a bug and this is not a bug". So that's really the end of the demo. I'm just gonna answer the questions in the chat. Pyrrhic and Owl asked the same thing, which is how do we know that we can actually delete everything without trying it? You usually wouldn't delete everything. The reason why is because you would see that and panic; what you would do is report it by just saying "look, I can see that endpoint". If it doesn't do anything or it's turned off, you will usually just get asked to self-close it without any hit to your reputation on HackerOne or Bugcrowd, if you communicate directly with a program as well. If you see anything that says "delete all" and you're not sure what it does, don't press it; there's ways of proving the impact where you communicate with the team. Vishal asks about PUT methods: you are absolutely correct, it's very rare to see PUT used anywhere, because PUT requests tend to be defaults for a lot of APIs, and in fact the way Laravel implements them (if I could do this quickly for you... I don't think I have the example one, that's fine) is we can actually POST to /api/users, and as long as we have _method (sorry, it has to have the ID) on Laravel you can use _method to get a PUT request in, which is how you would do it on a web form. How would you test delete? That's a really good question: make a second account. If you're not sure about something, just make a second account; never test accounts you don't own. Do I have a pipeline for doing fuzzing techniques via Postman? Nothing about Postman, because I think Postman is a little bit complex for what I want to demonstrate on my YouTube channel. I do use it, but mainly for web development and hitting API endpoints when I can't actually see them. However, I do have a piece of research in the works about doing smart API enumeration, so don't tell anyone. Oh, there are 101 of you? Wow, that's a lot of you. Yes, it will be on YouTube, don't worry. There's some cool stuff coming; I'm hopefully gonna have it done in the next few weeks, but it's some machine learning stuff, it's gonna be really exciting. I'm looking forward to sharing it with everybody, especially because it'll be the first thing I release that's outside of the beginner fare and more towards experienced researchers, but I'm hopefully going to release it soon. Do I recommend Arjun or ParamMiner? You can use whichever one you like; I'm never gonna tell you what you can and can't do. If you use ParamMiner and you like it more, just use it; there's nothing that says one is better than the other. I used both and I decided that I preferred Arjun because it's written in Python, I know Python, I can change it, I can make adjustments to it, I'm happy with that. If you prefer ParamMiner, use that; try both, that's my recommendation. Is it this one? I think I have it on my main hacking laptop; I don't think I have ParamMiner... no, I don't. Oh, one really fun thing is that on this application, I didn't include it in this demo, but it's possible to do an SSRF on it as well. I'm not telling you anything about the tool; I'm not sure when it's gonna come out or how it's going to work 100% yet, but it will be doing some lovely API enumeration, especially for RESTful APIs where we don't necessarily know the endpoints. Thank you very much for your comment, Basil, I really appreciate it. It's really difficult to make YouTube videos, I'm going to be honest; if you want to make YouTube videos, go right ahead, but it's hard work. Hearing comments like "this was really useful, I really liked this" gives me the motivation to do this even though it's hard and it takes up a lot of my time, and it makes me feel like I'm actually contributing to this community. I will be watching NahamCon; keep an eye on me in chat, I'm gonna catch it as soon as it starts. I'm really looking forward to TomNomNom's talk on wordlists, and I'm also really excited for Sam's talk on hacking online games. If you see me in the chat do say hi, but please don't ask me any questions, it's not my conference. Oh yeah, I'm really happy that I was able to get spots with my video, because it means I've been able to invest in the audio setup, so I have a proper microphone now and the audio sounds so good. I couldn't listen to my own recordings when I was doing the USB microphone stuff because I just sounded so weird, but with the decent one it sounds pretty good. Yeah, one hour for NahamCon. The fix for the IDOR bugs, let me show you that: the real fix for it is in the controllers (app/Http/Controllers); if we look at the admin controller we can see it's literally just checking the authenticated user has the role_id of 1. I don't have time to do the SSRF at the moment, but there is an SSRF bug in this, so if you deploy my application and you find it and tell me how to do it, I will give you a prize, if you want to give it a go. So I'm gonna call it there, folks, because I want you to have time; my video is out in ten minutes, it's about the top ten API bugs, and we're going to go over some of the ones I went through on this but also some other ones, so please do watch that if you'd like to, and NahamCon is in an hour, do watch that as well; there's really good talks. I 100% advocate, even if you don't understand something, still watching it, not to fully appreciate what's happening but to be able to understand roughly what's happening and what you can do. So thank you very much for watching my stream. This went really well, so I'll probably do more of these; it'll be great to do some online labs with you guys and really do the kind of interaction where you can help me hack something. I'm also really hoping to do some actual live hacking, but I'm still trying to figure out how to do that without breaking confidentiality, whether that's full face cam all the time or a second screen
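The stream's explanation of the bugs is that the grade and admin controllers run the framework's default update code with no "if statement" checking who the caller is, and that the user update accepts role_id from the request body (IDOR plus mass assignment). The sketch below is an added example written from the defender's side; it is not code from the stream or from the Generic University project. It assumes Laravel-style controllers, Eloquent models named Grade and User, and the demo's convention that role_id 1 is the administrator role; all of those names are assumptions.

```php
<?php
// Added illustration, not Generic University's own code. Shows the missing
// authentication/authorization checks and the field allow-list that close the
// IDOR and mass-assignment paths discussed in the stream. Model names,
// field names and the "role_id 1 == admin" convention are assumptions.

namespace App\Http\Controllers;

use App\Models\Grade;   // assumed Eloquent model for /api/grades
use App\Models\User;    // assumed Eloquent model for /api/users
use Illuminate\Http\Request;

class GradeController extends Controller
{
    // BEFORE: the shape of the bug. Anyone who can reach PUT /api/grades/{id}
    // updates any grade, and every JSON field in the body is written.
    public function updateVulnerable(Request $request, int $id)
    {
        $grade = Grade::findOrFail($id);
        $grade->update($request->all());
        return response()->json($grade);
    }

    // AFTER: authenticate, authorize, then allow-list the writable fields.
    public function update(Request $request, int $id)
    {
        $user = $request->user();                        // null when not logged in
        abort_unless($user !== null, 401);               // the "unauthenticated" case

        // Authorization, not just authentication: only the admin role may edit grades.
        abort_unless((int) $user->role_id === 1, 403);   // the "permission required" case

        // Only the fields a grade edit is meant to carry; anything else is dropped.
        $data = $request->validate([
            'grade'   => 'required|integer|min:0|max:100',
            'comment' => 'nullable|string|max:500',
        ]);

        $grade = Grade::findOrFail($id);
        $grade->update($data);
        return response()->json($grade);
    }
}

class UserController extends Controller
{
    // A user may edit their own profile; only an admin may edit someone else's.
    // role_id is never taken from the request body, so PUT /api/users/8 with
    // {"role_id": 1} cannot promote the caller.
    public function update(Request $request, int $id)
    {
        $caller = $request->user();
        abort_unless($caller !== null, 401);
        abort_unless($caller->id === $id || (int) $caller->role_id === 1, 403);

        $data = $request->validate([
            'name'  => 'sometimes|string|max:255',
            'email' => 'sometimes|email|max:255',
        ]);

        $target = User::findOrFail($id);
        $target->update($data);
        return response()->json($target);
    }
}
```

Two things the example deliberately does: the 401 and 403 branches are separate so that the response matches the authentication-versus-authorization distinction the stream draws, and writable fields come from an explicit validation list rather than `$request->all()`, so that a field the client should not control (role_id here) is ignored even if a parameter-discovery tool reports it as accepted. A belt-and-braces addition on the model side is a `$fillable` list on User that omits role_id, so that a future controller that does call `update($request->all())` still cannot set it.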
Info
Channel: InsiderPhD
Views: 21,464
Id: cWSu2Ja65Z4
Length: 48min 10sec (2890 seconds)
Published: Sat Jun 13 2020