Real Bugs - API Information Disclosure

Captions
What's up everybody, TCM here, back with another video, and today we're going to be talking about API pen testing. So a couple of weeks ago I was working with a student in a one-on-one session. We were talking about API bug hunting and how to find bugs. We were looking at a pretty popular program that most of you would know if I said the name, and we found a bug very, very easily, actually, and I kind of wanted to show the methodology that I was teaching: how we uncovered that bug, what the bug kind of disclosed, etc., so you can see what is out there and get a glimpse into hunting these. At the end I'll also provide some resources for you to kind of look at and take this knowledge further if you're looking to do so.

With that being said, this is a free channel, so please do hit like, subscribe, comment down below. Help us out, help us grow. You can see behind me we just got our 100,000 subscriber plaque, so thank you so much for that. And with this being a free channel we also have a sponsor for this video, which we're going to get into in a second, so please do consider watching the sponsor video, as it does help pay for this channel and helps keep this channel free. With that being said, let's go ahead and cut to the sponsor video and then I'll see you as soon as that's done.

So today's video is sponsored by glassesusa.com, and while this is a sponsored video, I am actually a customer of glassesusa.com. A couple of months ago, when we were going through the whole COVID thing (and we still are), I really didn't feel like going into a doctor's office; I didn't feel like it was necessarily safe or necessary. So I started looking online for places to do shopping for glasses. I actually wanted a pair of glasses and some sunglasses, and I found GlassesUSA. Super awesome product. They can take your order, they can take your prescription: you can email it in, send it in, you can email it later even after you order your glasses. They also have an app, which I'll tell you about, but you can just upload your prescription. They have all different kinds of lenses and coatings. So here's a look at some of the glasses I got, but the different lens options they have: they've got near vision, single vision, progressive, bifocal, and they've also got the anti-scratch, UV protection, blue light blocking. They've got mirrored and polarized sunglasses. The blue light blocking actually comes on non-prescription as well, and if you're like me, you've got the peepers in front of a screen all day (I'm always in front of my phone or a computer), you've got to get the blue light, so it's really awesome that they have that.

Now in terms of ordering, it's super straightforward. You just come in here, you place your order, and that's really it. The glasses are delivered right to your doorstep and they all come with a 14-day guarantee. So you see the 100% money-back guarantee, a 14-day guarantee, free shipping on everything, and you can get a refund, product exchange, store credit, no questions asked. The cool thing too is when you come in here and you click on the website, you can say, hey, I want to do a quick look at this, and you can see somebody much more attractive than you are, probably, in the glasses. You can also look at male, female. The other thing too: I was having issues with my prescription. I could not get a hold of my doctor's office, I was having issues, so I said, you know, I ordered this but I can't get it, and they said, why don't you just use the app? And I said, the app? What's the app? You just come in here and you scan your current glasses and it gives you a readout of your prescription. So easy, it's crazy. So with that being said, if you are interested in getting any of these lenses, you want to check out the ones I've got on or any of the ones I showed in this video, go check out the description down below. There's also a discount there for 65% off; see the details below. You can see all different kinds of lenses. There's about four or five links I'm providing in the description; all do lead to a
discount, so please do check that out if you are interested.

All right, now on to the API testing. So when we talk about API testing we're talking about potentially a few different things, but really we're talking about what's likely to be a REST API, or GraphQL, which is like the newer thing here. And we're going to take a look today at Udemy. So udemy.com I'm very familiar with, and it's part of a HackerOne program on and off, but this is a good example just to kind of show how to look at an API, and we're not really being malicious, so this is okay. But I just wanted you to take this in for educational purposes. Don't go out there trying to hack Udemy; make sure that they're in a public bug bounty program, because they do pause from time to time.

So with that being said, I've gone out to udemy.com and all I've done is add Udemy to my scope in Burp Suite. So in Burp Suite you can see here in my scope I've got udemy and www.udemy.com. When we come to udemy.com, this is the basic login. After we log in we can see that we have a few different items here. You can actually see the GraphQL; you can see api-2.0. So when you see an architecture like this, where there's a forward slash api-2.0 forward slash contacts, blah blah blah, this right here is an indicator of a REST or RESTful API, and you can see they're actually moving to GraphQL. There could be a version 1.0 of this, possibly. Like, we could send this, for example, to Repeater (and this is getting a little ahead of ourselves), but you could say, okay, I want to send this request and see what it's saying. Okay, and is there maybe a 1.0 here? We'll send that off and see. It says 404 Not Found. Doesn't mean it's not there; it's just a quick glance, but you could go check for APIs.

When we're talking APIs, you only get what you see in front of you unless there is some sort of documentation they're providing: Swagger docs, or they're giving you Postman. And you're really not going to see that a ton, I don't think, in a public bug bounty program, although you will definitely get Swagger docs and Postman files or whatever when you're doing web application testing as a pen tester, and if you're in some private programs I've seen this come across too. It's pretty rare they give you full-on API documentation unless it's a website that has that.

Now if we were going out to Udemy and we wanted to do some research on Udemy, we could go to Google and we could say, Google, I want to know about the Udemy API, something along these lines. We come in here and there's API documentation for Udemy. Now they've got an affiliate and an instructor API. You can come in here and say, okay, well, I'm an affiliate, or what does the instructor get to see, and they have a little bit of documentation in here. I will tell you it's not that great. Having built out some bots for the instructor side just for myself, being an instructor, the instructions are not the best on how to utilize this or any of that, but it does give you some ideas, some requests. You can actually click in here, like "get course reviews list", and see how to use the documentation. So we know already that, hey, api-2.0, courses, course ID, reviews: if we do a GET request for this it will tell us the reviews for this. So we need a client ID, client secret, authorization header, course ID, page. It looks like this is the only one required; the authorization header may be required for some of these. And you can see if we come back into here we would have an authorization in here, so we've got the Authorization: Bearer header right here. Through some testing on this website, the rest of these really don't matter. Udemy has their own headers in here, but the only one that really matters is just having this; you can pretty much strip all this down. But anyway, so we're coming through here and we can take a look at this. Okay, so we know there's courses. What about public curriculum? Let's see here; that still uses courses. What about on the instructor side? If we go to GET here, this one is instructor API v1, so this would be one that's interesting as well,
and they also have courses. So we're seeing a little theme where it says, okay, there's API, there's courses, but it's not really telling us much. It looks like maybe there's a user one, and they don't tell us anything about the user either. So what we need to do is we need to figure out what's all here. Like, okay, we know courses exist, we know context exists and users exist, shopping cart, but there's probably more hiding underneath the hood than what we're seeing, and there's a few different ways that we can try to attack this, or try to enumerate this, to see if there's more endpoints than they're putting out or giving us.

One way to do that would be to brute force this, and that's really what we're going to do here today. Another thing that you could start thinking about would be something like Wayback, or if you could find the API version 1.0 and find anything on Wayback for that. waybackurls is a great resource by tomnomnom. There are plenty of different options out there, and this is only scratching the surface of what you can do with APIs. I'm going to give you a channel when we're done here that you should go look at, follow, subscribe, everything, because I think it's great, and it goes into a lot more detail than I've ever gone on API pen testing.

But with this here, okay, let's say let's send this to Repeater, and actually let's send this to Intruder. What we can do is we can take a list, and if we come into Intruder here, I just say, hey, I'm going to clear this out, and then I want to fuzz on just this context right here. Okay, so I'm going to just add that. The rest I really don't care about, just cookies and headers, whatever. And then we come into Payloads and I'm just going to provide it a simple list; we're going to Sniper this and just see what happens. Now there are a ton of different options online. I just Googled "SecLists API endpoints". This is one that you can use; this is a smallish list, it's 174 lines, but there are lists out there that are like tens of thousands.

Now I am showing you this on Burp Community and not Burp Pro so that I can just kind of give you an example. It will go a lot faster if you use either Burp Pro or Turbo Intruder. I know some of you like ZAP. This is just merely an example; we're not going to get through all this. But what it's going to do is it's going to go in here, and it's going to slowly (because we're on Community) come through and do checks, and you can see that it's looking for something to happen here. If you've ever seen a video you kind of understand what we're looking for, but if this is kind of your first time to the channel: what ideally we're looking for is a status change. So you're seeing 404s. I'm also looking for some sort of length change here, so I see a little bit of differences; this is probably just from the payload size in the length. If there was something significant, that would be ideal, but for now we're just looking to see any sort of status change, either a 200 or even a 301, like a redirect, anything along those lines to say, hey, this actually exists. But what's happening here is it's coming out and saying, hey, does api-2.0/access exist, or account, or admin, or api even. It's going to come through here and search. We're only through the A's; we're going through a little bit of requests here, so I'm just going to let this run.

But this leads to a bug that I just uncovered in the wild, and that's kind of where the story is going. So it was not much, okay. I was just doing some basic fuzzing, just in a session kind of like this, just chatting about how you can fuzz an API, and I sorted by the status codes and noticed something came up. So let's take a look at that. Okay, let's take a look at this example, very similar in layout to what you were just seeing, where we were doing GET requests to an API. All I have here is a Host, an Authorization header and a Connection; everything else I've cleared out. I don't want any indicator as to who this was or what this program was. But so you have api, and then I was just brute forcing, and we saw sms come through. Okay, so sms came through, and reviewing the response in the JSON, you can see 25,000 results came back on sms for the api 2.0 sms, and you got user, user IDs, IDs of the SMS itself, and then you got title, name, display name, phone number. So we had personal information for 25,000 people who I'm guessing had enrolled in this program for SMS. So it was doing quite a big disclosure here, and I immediately reported this the second I saw it, reported this to the program, and did not hear back, but went and checked the program again and it's completely patched. So, you're welcome, I guess. Thanks for, you know, not acknowledging or doing anything. If you're a program like that, please don't be that way. I wasn't in it for money, but just saying, hey, we saw your bug, thank you so much, we're going to patch that right away, because this was just completely accidental, stumbling across this.

Anyway, so with that gripe out of the way, this is a great example of how even the most basic enumeration turns up something that can just easily be overlooked, because where would sms show up, you know? Maybe there's API documentation, but chances are there isn't, so unless you're registered for some sort of text messaging or alerting through this program, then you're just not going to even know this exists. So a basic brute force list, 174 characters; it was over and done in two seconds, and within the span of starting to finishing, in five minutes of looking at these endpoints, just a random brute force, we had a bug in front of us.

You can see now with the free edition we are getting very slow results. We're at 112, although organizations did come back as a 400. Now 400 is Bad Request, meaning we probably didn't do... okay, we have a malformed request. So that tells me that organizations, because it's not a 404, that's telling me that this is valid; we just don't have the right parameters to request here. So we need to change our request in order to make this work, but we found a valid endpoint here in Udemy's API, organizations being one of them. So this list will finish out. This is really just the point I wanted to get across: that you could utilize this and easily find new endpoints, new things to test, different ways to attack an API, and this is, again, just scratching the surface. I just want to show you, though, how basic enumeration can lead to a bug, and do so quite easily.

All right, with that out of the way, now on to the resources that I promised. I want you to go to Google, I want you to type in InsiderPhD, and I want you to go to this channel. This is Katie Paxton-Fear, and she has a lot of great videos on bug hunting, APIs, all this. Her channel is completely geared towards web app testing. If you're interested in this I definitely recommend checking it out. I don't know if she has playlists; you can come in here and see. She does have all different kinds of playlists. You come in here and check this out: look, there's actually an "Everything API Hacking" playlist. You come in here, and what she can do for you: she could show you, hey, finding your first bug, there's API hacking, how to do recon, etc. So I have seen a few videos on her channel; it has been top quality. I would imagine the rest of these are fantastic as well, so definitely something to check out, something to look into, and to beef up your game, especially if you're wanting to learn more about what you just saw and how you could take it further. I think it's a fantastic resource, I think she's a great resource, and she's going to be one of the next up-and-coming content creators and bug bounty hunters that we have. So definitely check out InsiderPhD on YouTube.

With that being said, that is it for this video. I'm going to go ahead and check out the results, see if we got anything else. Still 404. So as always, if you like this video please do hit like, do hit that bell to get notifications for when we do drop another video, of course subscribe, comment down below if you have any questions or concerns, you want to tell me you love me or hate me, it's all the same. And also, of course, this video was sponsored by glassesusa.com. Thank you for sitting through the ad if you did, and if you want to check out the description down below to see up to 65% off of your first pair of glasses, please do check that out. Until next time, my name is The Cyber Mentor and I do thank you for joining me.
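The Intruder run the video walks through, as an added example that is not part of the video and not TCM's own code: a small Python script that brute forces words under an API prefix, takes a 404 baseline first, keeps only responses that differ from it (a status change, or a 404 whose body length differs), labels a 400 as "exists but needs parameters" the way the video reads the organizations result, and for any 200 summarizes the record count and field names so a disclosure like the sms one shows up without reading every record. The base URL, the /api-2.0 prefix, the wordlist, the header set and the in-memory target are all assumptions; the in-memory target is constructed here so the script runs offline. Point the urllib transport only at a target you are authorized to test.

```python
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A transport is just "path -> (status, body)". The real one wraps urllib; the
# constructed one below answers from a dict so the logic runs without a live target.
Fetch = Callable[[str], Tuple[int, bytes]]

# Constructed wordlist (assumption); a real run would load a SecLists-style file.
WORDLIST = ["access", "account", "admin", "api", "courses",
            "organizations", "sms", "users"]


@dataclass
class Hit:
    path: str
    status: int
    length: int
    note: str


def http_fetch(base_url: str, token: Optional[str] = None) -> Fetch:
    """Real transport: GET with only the header the video found to matter,
    Authorization: Bearer (urllib sets Host and Connection itself)."""
    def fetch(path: str) -> Tuple[int, bytes]:
        req = urllib.request.Request(base_url + path, method="GET")
        if token:
            req.add_header("Authorization", f"Bearer {token}")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()  # 4xx/5xx responses still carry a body
    return fetch


def enumerate_endpoints(fetch: Fetch, prefix: str, words: List[str]) -> List[Hit]:
    """Request prefix/<word>/ for each word. A baseline 404 is taken first so a
    404 with a different body length is still reported; a 404 matching the
    baseline is the boring case and is dropped."""
    _, base_body = fetch(f"{prefix}/definitely-not-an-endpoint-xyz/")
    base_len = len(base_body)
    hits: List[Hit] = []
    for word in words:
        path = f"{prefix}/{word}/"
        status, body = fetch(path)
        if status == 404 and len(body) == base_len:
            continue
        if status in (200, 301, 302):
            note = "exists"
        elif status == 400:
            note = "exists, request malformed (needs parameters)"  # the organizations case
        elif status in (401, 403):
            note = "exists, access denied"
        elif status == 404:
            note = "404 but body length differs from baseline"
        else:
            note = f"unexpected status {status}"
        hits.append(Hit(path, status, len(body), note))
    return hits


def summarize_disclosure(body: bytes) -> Tuple[int, List[str]]:
    """For a 200 JSON list, return the advertised record count and the field
    names seen across results (nested user.* included), so PII such as
    phone_number is visible without reading 25,000 records."""
    data = json.loads(body)
    results = data.get("results", [])
    fields = set()
    for rec in results:
        fields.update(rec.keys())
        if isinstance(rec.get("user"), dict):
            fields.update("user." + k for k in rec["user"])
    return int(data.get("count", len(results))), sorted(fields)


def constructed_fetch() -> Fetch:
    """In-memory stand-in target, constructed for this example: a 200 on sms
    carrying phone numbers, a 400 on organizations, a 403 on admin, and a
    uniform 404 body for everything else."""
    sms = [{"id": i, "phone_number": f"+1555000{i:04d}",
            "user": {"id": 1000 + i, "title": "Student", "name": f"user{i}",
                     "display_name": f"User {i}"}} for i in range(3)]
    routes: Dict[str, Tuple[int, bytes]] = {
        "/api-2.0/courses/": (200, json.dumps({"count": 1, "results": [{"id": 1, "title": "Course"}]}).encode()),
        "/api-2.0/sms/": (200, json.dumps({"count": 25000, "results": sms}).encode()),
        "/api-2.0/organizations/": (400, b'{"detail": "missing required parameter"}'),
        "/api-2.0/admin/": (403, b'{"detail": "forbidden"}'),
    }
    not_found = (404, b'{"detail": "Not found."}')
    return lambda path: routes.get(path, not_found)


def run_demo(fetch: Optional[Fetch] = None) -> List[Hit]:
    """Enumerate, print one line per interesting result, and return the hits."""
    fetch = fetch or constructed_fetch()  # use http_fetch(base_url, token) for a real, in-scope target
    hits = enumerate_endpoints(fetch, "/api-2.0", WORDLIST)
    for hit in hits:
        line = f"{hit.status} {hit.length:>5} {hit.path}  {hit.note}"
        if hit.status == 200:
            count, fields = summarize_disclosure(fetch(hit.path)[1])
            line += f"  [{count} records; fields: {', '.join(fields)}]"
        print(line)
    return hits


if __name__ == "__main__":
    run_demo()
```

Against the constructed target this prints four lines (admin 403, courses 200, organizations 400, sms 200) and drops the remaining words as plain 404s; the sms line lists 25000 records with a phone_number field, which is the signal the video sorted by status code to find. Swapping `constructed_fetch()` for `http_fetch("https://<in-scope host>", token)` runs the same logic against a real program.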
Info
Channel: The Cyber Mentor
Views: 22,053
Id: X_JTdIkfKow
Length: 17min 31sec (1051 seconds)
Published: Tue Jul 14 2020