How To Do Recon: API Enumeration 

InsiderPhD
80K subscribers
59K views

This week we cover how to do API enumeration / API recon. I show you how to find new API endpoints using tools like Burp Intruder and ffuf, as well as how to find hidden parameters using Arjun, including how to act on this data and use it to find bugs!
Did you know this episode was sponsored by Intigriti? Sign up with my link go.intigriti.com/katie. I'm so pleased with everyone's positive response to the Intigriti sponsorship and I'm so pleased you folks are finding bugs and even finding your first bugs! Thank you for being awesome!
This episode was due to come out next week, but due to popular demand I have released it early for you folks; hopefully you'll have some good data this week that you can hack on next week! Sorry for the references to next week's video! In this video we go through some theory first and do a little refresh on what an API is and how they work, then we go into the theory of recon before I do some live demos hacking on a fake API. I'd love to have done this video on a real bug bounty target, but with recon there's a lot I could miss or disclose by accident!
Do you want to support me? Why not buy me a coffee? ko-fi.com/insiderphd
Got questions? I have answers, Tweet at me / insiderphd
Timestamps
0:00 Introduction to the video & catchup
7:29 Introduction to API enumeration
16:15 Easy API Enumeration
20:01 Creating Wordlists
25:05 DEMO: Burp Intruder
35:07 DEMO: Ffuf
41:38 DEMO: Arjun
48:27 Analysing Arjun results
50:07 DEMO: Practical bug hunting
Commands I run
- Ffuf: ffuf -w wordlist.txt -u 192.168.1.11:8000/api/FUZZ/6 -o output.txt -x 127.0.0.1:8080
- Arjun (-x parameter sends to burp, ignore if you do not want to send requests to burp or you use the original version): python arjun.py -u 192.168.1.11:8000/api/users --post -o data/result.json -x 127.0.0.1:8080
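The ffuf command above writes its results to output.txt, which ffuf emits as JSON by default, and the video's later chapters are about acting on that data. The script below is an added example (not from the video, the channel, or the ffuf project) of the first triage step a practitioner does on such output: group hits by response shape (status, length, word count) and set aside the dominant cluster, which on many APIs is a catch-all route that answers 200 with the same body for any unknown path. The JSON structure follows the shape of ffuf's output as I know it; the endpoints, sizes and counts are constructed for this example.

```python
import json
from collections import Counter

# Constructed sample in the shape of ffuf's JSON output (-o output.txt);
# the endpoints, lengths and word counts are made up for this example.
SAMPLE_FFUF_OUTPUT = json.dumps({
    "commandline": "ffuf -w wordlist.txt -u http://192.168.1.11:8000/api/FUZZ/6 -o output.txt",
    "results": [
        {"input": {"FUZZ": w}, "status": s, "length": l, "words": wd,
         "url": f"http://192.168.1.11:8000/api/{w}/6"}
        for w, s, l, wd in [
            ("users", 200, 512, 40),
            ("posts", 200, 1024, 88),
            ("admin", 401, 37, 4),
            ("foo", 200, 128, 12),
            ("bar", 200, 128, 12),
            ("baz", 200, 128, 12),
            ("qux", 200, 128, 12),
            ("login", 405, 45, 6),
        ]
    ],
})


def load_results(raw: str) -> list[dict]:
    """Parse ffuf JSON output and return its results list."""
    return json.loads(raw).get("results", [])


def signature(r: dict) -> tuple:
    """(status, length, words) identifies a response shape; the same shape
    across many unrelated words usually means one catch-all route."""
    return (r["status"], r["length"], r["words"])


def triage(results: list[dict], min_cluster: int = 3) -> dict:
    """Split results into a probable catch-all baseline and the outliers.

    The most common signature, if at least min_cluster hits share it, is
    treated as the server's default answer for unknown paths (the "200 but
    the body never changes" case); everything else deserves a manual look.
    """
    counts = Counter(signature(r) for r in results)
    baseline, n = counts.most_common(1)[0] if counts else (None, 0)
    if n < min_cluster:
        baseline = None  # no dominant cluster, so nothing is filtered out
    interesting = [r for r in results if signature(r) != baseline]
    noise = [r["input"]["FUZZ"] for r in results if signature(r) == baseline]
    return {
        "baseline": baseline,
        "noise": noise,
        "interesting": sorted(interesting, key=lambda r: (r["status"], r["input"]["FUZZ"])),
    }


def interesting_endpoints(raw: str) -> list[tuple[str, int]]:
    """Convenience wrapper: (word, status) pairs left after the baseline is removed."""
    return [(r["input"]["FUZZ"], r["status"]) for r in triage(load_results(raw))["interesting"]]


if __name__ == "__main__":
    report = triage(load_results(SAMPLE_FFUF_OUTPUT))
    print("catch-all signature:", report["baseline"], "dropped:", report["noise"])
    for r in report["interesting"]:
        print(r["status"], r["length"], r["url"])
```

Once the baseline size is known, the same filtering can be pushed into ffuf itself with its `-fs` (filter by response size) option, so the next run only reports the outliers; the script is useful when the catch-all response is not known in advance.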
Links to the stuff I talk about
Example APIs
- My Fake API: github.com/InsiderPhD/example...
- Twitter: / api-reference
- Facebook: / graph-api
- Yahoo: developer.yahoo.com/api/
Tools
- Ffuf github.com/ffuf/ffuf
- Arjun (my version) github.com/InsiderPhD/Arjun
- Arjun (original) github.com/s0md3v/Arjun
- Arjun dockerfile gist.github.com/InsiderPhD/f1...
Videos
- Finding Your First Bug: Finding Bugs in APIs • Finding Your First Bug...
- API Hacking for the Actually Pretty Inexperienced Hacker • API hacking for the Ac...
- Finding Your First Bug: Manual IDOR Hunting • Finding Your First Bug...
- IDOR Hunting With Firefox Containers • How to Use Firefox Con...
- (Nahamsec) Creating Wordlists for Hacking, Pentesting & Bug Bounty Hunting Using Seclists, Bigquery, and More! • Creating Wordlists for...
Wordlists
- SecLists: github.com/danielmiessler/Sec... & github.com/danielmiessler/Sec...
- Fuzzdb: github.com/fuzzdb-project/fuz...
- SecLists Raft Words: github.com/danielmiessler/Sec...

Published: 8 Aug 2024

Comments: 142
@InsiderPhD 4 years ago
Hey everyone! The Top 10 API bugs referenced in this video will actually be coming out next week, so you could do some recon over this week, and start hacking next week :) If you want to learn more I can recommend this resource apisecurity.io/encyclopedia/content/owasp/owasp-api-security-top-10.htm but expect that video next week!
@hemanth1260 4 years ago
Really great content and I can understand how much effort you have put in to get this content out. Thank you for helping the community
@InsiderPhD 4 years ago
My pleasure! I love this community and I think it's my duty to give back to the community that helped me!
@danielwilcock7007 4 years ago
Amazing video Katie. Please, please keep this up. Your content is really helpful. For many months I have been a lurker watching guides and methodologies, then load up Burp and impostor syndrome kicks in before I begin. Your content has actually allowed me to finally try to hack. Very simple and friendly!
@InsiderPhD 4 years ago
Thank you so much! It's going to be hard but you can do it! Just keep trying!
@mid-julyenglish1782 4 years ago
This is totally what I was looking for and here you just upload it. I am blessed. You blessed. Thank you and keep going.
@InsiderPhD 4 years ago
You're very welcome! Happy hacking!
@mohittirkey7889 4 years ago
Amazing video Katie on the API enumeration. We can also use cluster bomb settings in Burp Intruder as follows: Payload Set 1 -> HTTP methods like OPTIONS, GET, HEAD, POST, TRACE, DELETE etc. Payload Set 2 -> our wordlists
@InsiderPhD 4 years ago
Great suggestion! Especially with route API endpoints like /api/resource I think checking for additional HTTP methods is a great idea
@TheJDebski 4 years ago
Your videos are so great! Thank you. Definitely my favourite channel about bug bounty
@jonoheath4221 4 years ago
Thank you so much for your vids, I am finally starting to get my head around APIs thanks to all your stuff. The hunt begins this weekend.
@PizzaParker-EAB3524 3 months ago
Doc, thank you so much for these videos. As a newcomer to bug bounties your videos have been a lifeline.
@arpeetrathi 4 years ago
Amazing as usual. Keep posting once every week❤
@InsiderPhD 4 years ago
Thank you! Will do! See you next week :)
@zoroatokpas8761 3 years ago
Watched this video almost like 4 times, still learning things
@aaryansaharan127 4 years ago
Really good content. You actually make videos with all dedication (I feel). Really you deserve a very big thank you!
@InsiderPhD 4 years ago
Thank you so much 😀
@PedroPerez-ii4dx 3 years ago
Thanks for such amazing content. Trying to understand all this is like an old saying from where I grew up, "The hope of the one who grows coconuts" (meaning that sometimes things look like a never ending goal)
@LeonidasDAce 4 years ago
I found an IDOR 4 days ago but I didn't know it was API based until seeing this video. Thank you so much Katie for this wonderful explanation. Learned a lot of things from it.
@InsiderPhD 4 years ago
Congrats on finding an IDOR! Was it your first bug? Glad I could help
@LeonidasDAce 4 years ago
@InsiderPhD It was my 3rd bug actually. But I got my 1st 4-digit bounty from this. Thank you so much Katie. Keep sharing things.
@InsiderPhD 4 years ago
Leonidas D. Ace wow! That's incredible, fantastic job :)
@LeonidasDAce 4 years ago
@InsiderPhD Thank you Katie. Will be waiting for your next video
@freeguy37 3 years ago
Really it's a very helpful video and yes, all your videos are a bunch of knowledge!
@danyelvillalba7 4 years ago
Thanks Katie!!!! I love your videos, please keep going with videos like this. Great content
@InsiderPhD 4 years ago
Thank you! Will do!
@00eunderscore70 1 year ago
Awesome! I'm a bit out of date on this one but appreciate these kinds of videos!
@helalsadat2077 28 days ago
I have watched the full video. Thank you very much Katie, I am regularly following this playlist on API hacking
@IteLuis 4 years ago
Awesome content, I hope you are doing great, keep up the great work, cheers!!
@juul216 3 years ago
Thanks, the audio is very clear
@DanielCamargo81 3 years ago
Thanks a lot for sharing your knowledge, that is amazing!
@kishorebolt3065 4 years ago
You are doing great
@InsiderPhD 4 years ago
You're so welcome!
@3rdaaa 4 years ago
Thank you so much for your video Katie! Still searching for my first bug here, hope to find it soon!
@InsiderPhD 4 years ago
Good luck! Finding your first is all about persevering!
@emmanuelchinedum6998 2 years ago
Did you find it yet?
@zynnewton8687 3 years ago
Finally I saw an interesting video on YT... this channel is very interesting and knowledgeable, I keep watching your videos, hopefully you create more vids on YouTube that help beginners like me... I'm from the Philippines, I have a lot of questions in my mind and if it's okay to contact you it's an honor for me. :) Your fan from the Philippines. God bless.
@GonzoRust 1 year ago
You inspire the world. Keep up the good work
@souhaillepacifique7572 4 years ago
Hello woman, I've just discovered your channel, amazing content, thank you and keep it up
@InsiderPhD 4 years ago
Welcome! Thank you for enjoying my content!
@abhhibirdawade9657 4 years ago
Amazing Katie as always............
@cehdinh5132 4 years ago
Hi Katie, thanks for the great content in the video. This is awesome, waiting for your next video 😍
@InsiderPhD 4 years ago
Yay! Thank you! It's really nice to hear such kind feedback, thank you for taking the time to let me know what you thought!
@0x2shadow19 10 months ago
This is a great video. I wish I could also get the slides that you are using.
@Nothing-lh9hp 4 years ago
Great video. I have a little note: you could also use the Param Miner extension in Burp Suite, it's also a great extension to find hidden parameters
@InsiderPhD 4 years ago
Yeah for sure! I didn't mention it because I couldn't get it to work on my demo API for some reason, but you're absolutely correct, I'll add a note in the description!
@Nothing-lh9hp 4 years ago
@InsiderPhD thanks so much man for doing awesome content
@roberthorn6707 4 years ago
Hi Katie! OMG! I don't know how I found your channel but I'm glad I did. My strengths lie in cyber security analysis and this is a great piece for me to add. Your pre-req video though, did you change the name of it because I couldn't find it....... thanks for all you do!
@InsiderPhD 4 years ago
Due to popular demand on Twitter people wanted this video first so they could do some enumeration this week and bug hunt next :) it will be up on Saturday
@roberthorn6707 4 years ago
@InsiderPhD Yes ma'am! Sounds good to me. I've subscribed and turned on my notifications. And I've put it on my Twitter page as well for the rest of the community to find and share!
@brunobeluco1187 4 years ago
Very nice video, I learned so much with it, your explanation is amazing. I would like to ask you to increase the font in Burp because it was very small :) Thank you very much for the video Katie
@InsiderPhD 4 years ago
Thank you for the feedback, definitely going to take that on board! I will make sure to make it a little bigger!
@fahadfaisal2383 2 years ago
Good work Katie.
@satyanarayansahoo693 3 years ago
Simply excellent!!!
@digitaldina 4 years ago
This is so good!!! Pls pls pls do a GraphQL vid ❤️
@InsiderPhD 4 years ago
I was planning to but then I got beaten to it! I highly recommend Farah's video ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-OQCgmftU-Og.html
@ezri5021 4 years ago
Could see you use LastPass there. I'm looking to use a password manager, do you recommend it? Can I trust that it's secure?
@sharaddahal 2 years ago
Thank You Katie.
@shuvamadhikari2662 2 years ago
Thanks Katie 😍.
@ismailramzan8927 4 years ago
Thanks for another great video :)
@InsiderPhD 4 years ago
My pleasure!
@karimdhrif6679 4 years ago
Thank you Katie!
@faysalahmed7251 3 years ago
Your content is amazing. My request for you is to do some live bug bounty hunting on a live target in a stream, so that we can learn things from you in a more practical way.
@InsiderPhD 3 years ago
I'd love to but there are a lot of confidentiality issues in doing that. If you check out the live API hacking and the teaching my mum to hack videos you can see me going over the process to assess a target!
@ANKITPATEL-ju7ro 3 years ago
Awesome video!!!
@Stas1983ful 3 years ago
Katie, will you create a video lesson on how you created your api-app.php?
@hasnainabidkhanzada3754 3 years ago
What's your suggestion regarding the type of OS to use for low hanging fruit hunting, Windows or Linux? Which is better? Especially from a recon perspective?
@velurubharath8929 4 years ago
Great video Katie.
@velurubharath8929 4 years ago
Hi Katie, I came across an API where I can change the number in the request to send the OTP for verification to another number. Can I report this? I am currently logged into that account.
@josephnimsara3169 4 years ago
Awesome video content, best on YouTube. And can you please continue the next bug series ☺☺
@InsiderPhD 4 years ago
Yup, right now I'm just moving between series that I find interesting!
@josephnimsara3169 4 years ago
@InsiderPhD thanks a lot, is there any way to contact you? Please give us a method
@p0nch4x24 4 years ago
Excellent content as always, thanks for all your work and effort. A question: how can I avoid '429 too many requests' responses in ffuf?
@InsiderPhD 4 years ago
Great question, you can limit the number of requests in ffuf using the -p argument (-p: seconds of `delay` between requests, or a range of random delay. For example "0.1" or "0.1-2.0")
@p0nch4x24 4 years ago
@InsiderPhD Oh, great! Thank you, Katie
@madmatt112 2 years ago
Following up a year later to share that newer versions of ffuf offer a "-limit" (or similar) flag to do the inverse - how many requests per second.
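The exchange above about 429 responses and ffuf's delay and rate options is the tester's side of rate limiting. The script below is the defender's side, added here as an example that is not from the video or the comments: it parses constructed access-log lines in Common Log Format and flags any client whose busiest ten-second window looks like wordlist enumeration (many requests, almost all to distinct paths, mostly 4xx), which is the pattern a 429 threshold or an alert should key on. The IPs, paths and timestamps are made up; the /api/<resource>/<id> path shape follows the demo API in the video.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in Common Log Format; IPs, paths and
# timestamps are made up for this example. 10.0.0.5 is a fuzzing burst,
# 10.0.0.9 is an ordinary client.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Aug/2024:10:00:00 +0000] "GET /api/users/6 HTTP/1.1" 200 512
10.0.0.5 - - [08/Aug/2024:10:00:00 +0000] "GET /api/admin/6 HTTP/1.1" 404 128
10.0.0.5 - - [08/Aug/2024:10:00:00 +0000] "GET /api/foo/6 HTTP/1.1" 404 128
10.0.0.5 - - [08/Aug/2024:10:00:01 +0000] "GET /api/bar/6 HTTP/1.1" 404 128
10.0.0.5 - - [08/Aug/2024:10:00:01 +0000] "GET /api/baz/6 HTTP/1.1" 404 128
10.0.0.5 - - [08/Aug/2024:10:00:01 +0000] "GET /api/qux/6 HTTP/1.1" 404 128
10.0.0.5 - - [08/Aug/2024:10:00:02 +0000] "GET /api/posts/6 HTTP/1.1" 200 1024
10.0.0.5 - - [08/Aug/2024:10:00:02 +0000] "GET /api/login/6 HTTP/1.1" 404 128
10.0.0.9 - - [08/Aug/2024:10:00:00 +0000] "GET /api/users/6 HTTP/1.1" 200 512
10.0.0.9 - - [08/Aug/2024:10:00:30 +0000] "GET /api/posts/6 HTTP/1.1" 200 1024
10.0.0.9 - - [08/Aug/2024:10:01:05 +0000] "GET /api/users/7 HTTP/1.1" 200 510
"""

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FORMAT),
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def detect_enumeration(events, window=timedelta(seconds=10),
                       min_requests=5, min_distinct=5, min_miss_ratio=0.5):
    """Return {ip: summary} for clients whose busiest window looks like fuzzing.

    A window qualifies when it holds at least min_requests requests, at least
    min_distinct different paths, and at least min_miss_ratio of them got a 4xx.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            distinct = len({e["path"] for e in win})
            misses = sum(1 for e in win if 400 <= e["status"] < 500)
            summary = {"requests": len(win), "distinct_paths": distinct,
                       "miss_ratio": misses / len(win)}
            if best is None or summary["requests"] > best["requests"]:
                best = summary
        if (best["requests"] >= min_requests
                and best["distinct_paths"] >= min_distinct
                and best["miss_ratio"] >= min_miss_ratio):
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_enumeration(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {summary}")
```

The three thresholds are the tunable part: a catch-all route that answers 200 to everything (the false-positive case discussed elsewhere on this page) defeats the 4xx ratio, so on such an API the distinct-path count per window is the signal to rely on.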
@techlearner3270 4 years ago
How do I identify that the X-Forwarded-For header is supported, which allows you to spoof your IP address and bypass the IP-based brute-force protection, in Burp Suite on any domain???
@StrmNb 4 years ago
Great video!
@adelaidemiguel9117 1 year ago
How do I get the website that she used for the demo so that I can practice with it? Someone help.
@maxicorbs 4 years ago
Katie, I've just looked for the video that you reference in the intro, "Top 10 API bugs", but I can't find it?
@InsiderPhD 4 years ago
Due to popular demand this video came out first (I address it in the description) so the videos' release schedules were swapped (so you could do recon this week, and hack next week). I can really recommend this as a great resource apisecurity.io/encyclopedia/content/owasp/owasp-api-security-top-10.htm
@nyengnathan517 3 years ago
Wow. Thanks. Just one question, do you also use that Windows machine in your bug bounty hunting?
@InsiderPhD 3 years ago
I use both! I am platform agnostic, I prefer the laptop for live events (lmao)! I prefer my Mac at the moment because it's easier to film/work on for various reasons.
@nyengnathan517 3 years ago
@InsiderPhD Cool. Thanks for the response. Looking forward to more informative videos from you. Cheers.
@saqibarif7144 4 years ago
Hi, great video. I know you are also one of the best researchers on HackerOne; it would be better to disclose your solved reports as PoC videos and explain them, it's better for everyone. Love from Pakistan
@ricjhill 4 years ago
I wish Intigriti sponsored a sports club. That logo would look good on a shirt.
@green_quirk 4 years ago
Lots of love.... ❤❤❤❤❤
@kevinnyawakira4600 4 years ago
Amazing content
@mackeman1356 1 year ago
Thank you
@Loveless9619 4 years ago
My dear PhD, as already said in my last comment, I confirm the esteem I have for you, you are always inspirational. I know you've already talked in the past about "How to choose the company where to start bug hunting", however I would like to know from you what you think about the infinite (looong, very looong) hiring policies: what is in-scope, what attacks/checks are allowed and what is not. Honestly? It's a huge nuisance every time you have to read all that long text! Do you have any advice to cut off quickly this boring pre-phase? Thank you! Your Italian guy, G.R. :)
@InsiderPhD 4 years ago
I'd love to tell you to just skip it! But it's super important, as if you break those terms you're actually not protected legally and the company could report you to the police for breaking hacking rules. So I suggest you ALWAYS read it and make sure you NEVER go out of scope.
@charlyzha3772 2 years ago
Nice tutorial
@maxmayr1477 4 years ago
Hey, I really like your video! But I have a little question. Am I allowed in bug bounty programs to send so many requests per second?
@InsiderPhD 4 years ago
Usually there is a request to limit tests to so many requests a second - check the program page. If not you should still be responsible but you are not limited (apart from maybe a firewall)
@FraidoonFarrukh1 4 years ago
Hello, sorry, I can't find Top 10 API bugs on your channel. Can you post the link please? Thanks
@InsiderPhD 4 years ago
It will be out on Saturday :)
@ayoubaboutarbouch8683 4 years ago
Liked before watching
@InsiderPhD 4 years ago
Awww :) thank you!
@InfoSecIntel 4 years ago
What's the one command to enumerate GraphQL? I don't remember it from the previous videos.
@InsiderPhD 4 years ago
Here you go: github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.md
@InfoSecIntel 4 years ago
InsiderPhD thank you for being so helpful! So the "one command" you were talking about, is it the section that says "URL encoded query to dump the database schema"? We can literally just copy and paste that and it's usable? Again thank you so much
@InsiderPhD 4 years ago
Yup that's the one
@InfoSecIntel 4 years ago
InsiderPhD amazing, thank you!
@jacoblessard8213 2 years ago
I know this is a year old but can someone please explain what it means when you're getting all these false positives? I can enter a lot of these enumerations and it returns a 200, however the responses seem entirely unchanged. On another note, when I try certain queries like almost anything with .json at the end it gives me "423 firebase locked by database owner". Also the reason I tried appending .json to some of my requests is because when trying certain enums or when trying to execute JSON print commands in the body it prompted me to append .json to use the REST API. Someone please, if you have any more knowledge I'd love to hear it.
@TheConstantLearnerGuy 2 years ago
Why did you discontinue the series?
@lowtoe8030 4 years ago
I can personally attest that Arjun is great. It's played a part in nearly all my XSS, redirect, and injection bounties. However I can't get the --headers option to work with it. Anyone else have luck with it?
@ricardotech 4 years ago
On a scale of 1 to 10 you're an 11, Katie
@thimothy2461 4 years ago
Hi.. my name is Thimothy.. I have been following you for the last 2 weeks, you really did a great job and I would like to follow you on Instagram but I can't find an Instagram link in the description.. Will you provide a link?
@InsiderPhD 4 years ago
Sorry, I don't use Instagram, only Twitter I'm afraid!
@StephenOgu 4 years ago
Interesting
@paulojr1384 1 year ago
Is IDOR a CSRF? Thanks
@Safvanviber-xm3pn 7 months ago
Wtf
@ravirajsinhzala9535 2 years ago
Not able to set up generic uni API, can anyone help?
@InsiderPhD 2 years ago
You no longer need to! You can head to bughuntr.io and it's completely accessible in the browser
@paulojr1384 1 year ago
38:33 remember to add -rate (and the limit of requests/sec always required in the rules of the bug hunting target). Thanks for the content @InsiderPhD and have a blessed 2023 💯
@jayu4348 3 years ago
Katie. You're awesome!!!! And you're cute❤️
@Anonymous-wb8ke 4 years ago
I learned so many things, and also I'm from India. Arjun is awesome, it's my best friend's name 😂
@sachinmaurya3259 4 years ago
Hey, when will you upload the video on Burp Suite :)
@InsiderPhD 4 years ago
Very soon, not 100% on timescales, but how to use Intruder/Repeater are next on my list
@sachinmaurya3259 4 years ago
@InsiderPhD Thank you :D Waiting for your video
@dukedud9743 1 month ago
1. Finding your first bug 2. Firefox containers 3. API top 10 4. API enumeration
@AjayKumar-xl4jc 3 years ago
Ma'am, tutorial video please
@InsiderPhD 3 years ago
Sure! What would you like me to cover? I love getting suggestions!
@RAVIJATAV007 4 years ago
🦋
@ca7986 4 years ago
♥️
@netbin 4 years ago
How is it fine to use the Community Edition, when it works slow AF
@InsiderPhD 4 years ago
Because it's a great way to get started and be more selective about your payloads, plus for a lot of people the cost is really too much; you can also use ffuf to fill in the gaps :)
@maxicorbs 4 years ago
Wooo
@doge1931 10 months ago
Lots of IoT devices use SOAP
@helalsadat2077 28 days ago
For those who want to make a wordlist or get a good wordlist, I would recommend Assetnote's API routes wordlist, it's really big and gives really good results. Happy API hacking
@user-hp8ih3dc8x 4 years ago
Hi, I'm a big fan of your voice and content. I have a question, could you guide me? I'm not familiar with Docker, so I don't know the instructions. Now I have installed Docker on Kali, but I don't know the next steps (I'm trying to install the file you deployed (gist.github.com/InsiderPhD/f1eaa95b8479b54e8849beb596d669f5)). Could you guide me? Thanks.
@InsiderPhD 4 years ago
I believe Kali ships with Python, you can check with: python -V. If not you should install Python via the package manager: apt-get install python36. Then you need to do: pip install requests. And finally you can do: python arjun.py ...
@sachinmaurya3259 4 years ago
1 Comment
@realNAKAMI 4 years ago
Putting dollars around user like $users$ for the URL to iterate over a wordlist is kind of misleading. Should've used a suitable variable name like $word$.
@encodedguy9182 4 years ago
Who disliked your video? Give me the names of these people, I will hack them..... :) :) :)
@dagobert6420 4 years ago
I wish there were shorter videos for "more advanced" people... a version of the key points that lasts maybe 15 minutes...
@InsiderPhD 4 years ago
I think it's really important to get all the info, but I have added chapters so people who are familiar can skip through videos easily!
@surferbum618 4 years ago
Interesting