You are an outstanding educator, please keep doing it! I just wanted to learn about enumeration for a project but now I'll binge the whole channel.
@digitaldina 4 years ago
Your videos are a gold mine! Thank you so much for making them freely accessible and so understandable ❤️
@InsiderPhD 4 years ago
You are so welcome!
@gamlielhernandez974 4 years ago
I stumbled on your videos while searching for how to start with API hacking, I found you and all I can say is your videos are GOLD!!! Thank you so much for sharing your time and knowledge with the Community.
@mrtk-ph5sy 3 years ago
Really love your series 💖 I found my 1st paid bb this week after completing your series love you 😘
@MH-tw1qi 4 years ago
I spent all my day with this video, it's really great. I tried hunting all day, I didn't hunt :) anything but I'm happy because I collected a lot of knowledge, thanks for your tips
@medhasni6432 3 years ago
Did you get some now?
@jalapenohiway 3 years ago
Ok this was.....BY FAR the BEST video I've seen on YT, for "Introduction to APIs", "API Basics", & "API Recon & Pentesting"! It was extremely useful & clear/concise information that thoroughly explained all subject matter at hand. TY soo much!!!! I'm super happy I found your channel!
@InsiderPhD 3 years ago
Wow, thank you so much
@nirchoubey2011 5 years ago
Wanted to point out a small mistake. At 5:02 you said name is menu and value is curly braces. Actually value for that menu is an object starting with a curly brace. Thanks for all your effort. You are doing great.
@InsiderPhD 5 years ago
You're absolutely correct, thank you for pointing out my mistake, I will issue a correction in the description
@NanoCyberSec 4 years ago
I am OSCP/OSWE.. and I am starting to learn from you, thanks @InsiderPhD keep the great work up
@cyberwolf7385 4 years ago
You are an amazing teacher Katie!! One can just watch your videos and start a career in Bug bounty hunting. Keep posting more videos. I love your content. You have helped me a lot. Thanks for everything.
@InsiderPhD 4 years ago
Aww thank you for being a supporter of my work
@charvi444 4 years ago
Nobody: InsiderPhD: "Howevaaaaaaar...."
@reo4680 3 years ago
Bri ish
@forrest8304 3 years ago
@reo4680 in'it
@shivanshusahu6121 4 years ago
the way you explain things is just awesome.
@Creamy.Commander 4 years ago
Been bouncing around the channels not in order XD but I have to say i love this video and the way you taught it, they keep gettin better and better from what ive seen and super nice to take notes and follow along! Thanks again for the free knowledge !
@ploutosroman4206 5 years ago
Nice thank you! Been looking for a detailed api bug video.
@karim3741 2 years ago
a great teacher, amazing and detailed explanation, thank you for your efforts ❤️🔥
@kavishgour3267 5 years ago
My favourite youtuber at the moment :)
@InsiderPhD 5 years ago
:O I’m so honoured!
@Naha-ir9mi 2 years ago
This is still a well made presentation after 2 years.
@allan_bomb 3 years ago
thank you, thank you and thank you! Keep up the great work! Looking forward to seeing more of your videos.
@Shogunxd3-vp9jv 5 years ago
This is what I was going to learn about today too! This is amazing! Thank you so much!
@jacobpetrov4041 5 years ago
Great video, this series is really helping me out. Looking forward to the next one!
@AdnanDhinojwala 5 years ago
Was really waiting for something like this, Thank you so much
@h4kster182 4 years ago
really Great, thank you
@lifeofsq5653 1 year ago
Hello Katie, it's a wonderful explanation, can't wait to test APIs. Thank you for sharing valuable information :))
@satyaprakasha9356 4 years ago
Your voice gives me a motivation, thank you so much❤❤❤❤
@InsiderPhD 4 years ago
Hell yeah! Good luck on your hacking journey I’m glad I could inspire you
@Hackerone1444 2 months ago
thanks for your video my gurl
@sumitkhadka5123 4 years ago
was looking for information and what u are doing for the community and for all is very helpful thank u for ur beautiful content
@mashin4777 2 years ago
Thank u, it really feels like you have a talent for teaching people
@omnnnooy3267 2 years ago
I am so happy I found your channel 🤩
@JohnCiprian 4 years ago
Great content. Keep it coming!
@goldengreengrass 1 year ago
Thank you Katie for this wonderful lesson...😄😄
@RinkuVaghela 4 years ago
I really appreciated your hard work behind your videos .. I love all the videos and learn lots of things thanks a lot
@kandarpmishra6009 3 years ago
can you please elaborate what is "endpoint" at 33:52?
@eed5278 4 years ago
Wow! Good work, very clear.
@Socversity 5 years ago
It’s really Great, thank you for changing your mic 😁😁😁
@rohullahafzali1587 2 years ago
Thanks for your great contents.
@felipeolea8810 2 years ago
Fantastic video, where should we look if we can't access any ways to the APIs because we don't have the CSRF token or auth?
@meispi9457 5 years ago
If you could provide those slides, that would be very helpful. thanks, great video!!
@InsiderPhD 5 years ago
I don't provide my slides simply because I am not comfortable with other people presenting my work, I will see what I can do in maybe sorting out some written notes in the future.
@meispi9457 5 years ago
@InsiderPhD Valid point.
@InsiderPhD 5 years ago
@rl1k Doe It's less because I don't want people to take credit for my work, but because I want to make sure that if my name is attached to something that it's presented correctly with all the facts!
@shift3y 4 years ago
This is brilliant, thank you! Any suggestions on where I can find CTFs to practice these techniques?
@TalsonHacks 3 years ago
PortSwigger’s Web Security Academy, PentesterLab
@champagnepete3386 4 years ago
Awesome resource!
@neoXXquick 4 years ago
Amazing video.. thx for contribution...
@WaheedIqbal-gb3yt 1 year ago
Hey, you did a great job, thanks a lot
@IteLuis 4 years ago
Awesome talk, thank you very much!!
@InsiderPhD 4 years ago
Glad you liked it! More API videos coming really soon!
@selimeneskaraduman6935 5 years ago
How do you find XSS in an API? API responses are JSON content type, is XSS possible?
@InsiderPhD 5 years ago
The primary attack is using it to bypass any client-side WAF filters, but you should have a look at XSS write ups with APIs, I added one in the description but there are many others
@kabirsuda 4 years ago
Really helpful video keep it up!
@albonycal 4 years ago
I'm a little bit confused @ 30:29 that means if we remove the cookies and the API accepts it... Does this bypass authorization... I'm confused
@InsiderPhD 4 years ago
By removing cookies we are basically “logged out” which is why it works, there are many different types of IDORs but it’s a quick litmus test to check!
@shrirangkahale 4 years ago
Got it..
@starkeduplatform2320 4 years ago
Thanks for this...really useful for me
@nicholasxyz8880 5 years ago
The reports you use in your examples, in the future could you give us the url for them so we can look them up? Thanks!
@InsiderPhD 5 years ago
Now in the description
- Information Disclosure: User Information Disclosure via the REST API - /?_method=GET - hackerone.com/reports/384782
- Authorisation Issues: Wordpress.com REST API oauth bypass via Cross Site Flashing - hackerone.com/reports/176308
- Business Logic Errors: Items bought for free due to lacks of quantity controls - hackerone.com/reports/357929
- IDORs: IDOR and statistics leakage in Orders - hackerone.com/reports/544329
- XSS: Stored XSS in blog comments through Shopify API - hackerone.com/reports/192210
@ramsekargnanasekar9384 4 years ago
Really informative video, thanks!!!!!! I have a doubt: when I saw the Zomato API, it showed a list of many GET methods, like GET restaurant name, GET location name etc., so should I type the resto name and city name and try to capture the request using Burp and run the response? Is this the method like what you are trying to explain?????
@shekharwagh4982 3 years ago
Xcellent Video for Developers trying to start Hacking
@pankajprasad9179 5 years ago
Really helpful, thank you
@JuanBotes 2 years ago
great training video, thanks for content \o/
@noblesix6525 5 years ago
Thank you so much!! Very useful
@optional6719 3 years ago
Can websites restrict you from using Burp Suite to intercept the requests? I am dealing with a website which is restricting me from using it there and it's making it really hard to enumerate the good stuff. Any help?
@hasnainabidkhanzada3754 4 years ago
Enumeration is a part of a larger recon process. Right?
@InsiderPhD 4 years ago
Yup but sometimes not! API recon is often discovering endpoints while larger recon is usually exploring a scope in depth
@hasnainabidkhanzada3754 4 years ago
@InsiderPhD Exploring a scope could be finding the hidden endpoints. Isn't this also enumeration?
@cyber__hawk5555 3 years ago
Awesome 👍
@thecast9864 2 years ago
love the comments on your notes "seems sus come back"
@hardwork3196 4 years ago
thanks a lot for awesome information.
@buricobain23 4 years ago
Hello, is it possible that you can make some video about APIs and perform security tests on Postman and script? Excellent work, I've learned a lot from you.
@InsiderPhD 4 years ago
This is coming soon :) I’m going to do a video on more API testing tools!
@aksharpatel1097 4 years ago
Is there something I should know about before starting to learn this?? As I find this quite difficult in some parts
@InsiderPhD 4 years ago
Try to watch my finding your first bug series in order, but you do need to know a little about how the internet works first! Let me know what you’re struggling with specifically and I’ll try to make more videos on it
@aksharpatel1097 4 years ago
@InsiderPhD thanks!
@dipakpardesi4661 2 years ago
thanks for the video 👍
@xx2125 4 years ago
Hi Katie, thanks for this superb video. Do you have somewhere the presentation for download?
@InsiderPhD 4 years ago
No, sorry, unless it's mentioned specifically in the video descriptions I don't make slides freely available, usually I do for conference talks!
@xx2125 4 years ago
@InsiderPhD Ok, so I will take notes from your videos. :)
@sayturestorver4334 2 years ago
Thank you so much !!
@ariyankhan2847 3 years ago
You should add a link to your video in the I button or in the description when you are talking about some of your other videos
@InsiderPhD 3 years ago
Excellent idea, thank you I will do this!
@helalsadat2077 5 months ago
Starting today, let's rock and roll :))
@wingwing2683 2 years ago
Thanks so much!
@TheHammertownhead 5 years ago
I would love to see a sample of your spreadsheet. Would you be willing to share or post a link below your video? Great video!! Great content! Thanks for taking the time! A final slide would be great at the end of the video while you are doing final comments as the screen goes black, which is a little freaky.
@InsiderPhD 5 years ago
Link to the spreadsheet :) docs.google.com/spreadsheets/d/1IJvTH6QpTlxWdy4Ss6I0G_f4csCYwBdgE88ya7XijnI/edit?usp=sharing will take your feedback into account for next time!
@TheHammertownhead 5 years ago
@InsiderPhD keep up the great work on these great videos!!! Very informative!! It's greatly appreciated!
@cyrilbeyo8731 4 years ago
Thank you This was helpful
@Samlikes_ham 9 days ago
Soooo… where do I click to find the api, I’m honestly so confused rn
@digitalcynicism 1 year ago
Microwave Oven, doo Doo Doo Doo Doo doo
@renganathanofficial 3 years ago
you used mouse to write, that's awesome xD
@2012mrmoh 2 years ago
Great, however, how can I concentrate with an ad every minute. Thank you for your hard work.
@InsiderPhD 2 years ago
I’m really sorry I actually have midrolls turned off completely but KZbin will actually add them back into the videos anyway! Feel free to use an adblocker it’s very annoying
@nishikanttayade7446 4 years ago
For Web Developers start at 14:30
@vishalpatidar2737 5 years ago
Great video, please make a video on CSRF
@InsiderPhD 5 years ago
Coming next week :)
@shiftlock452 1 year ago
lovely voice🤩
@yogteacherdilipmotkar8801 5 years ago
Plz tell which lecture are coming at what time means future schedule plz
@InsiderPhD 5 years ago
Next up:
- Q and A - midweek next week
- RCE bug in focus - 18th Jan
- CSRF finding your first bug - 25th Jan
I often post in the channel community tab or on twitter when I know what my next video will be!
@thehackerish 5 years ago
1337 video! Is it just a chance or am I the 3337th person to view the video? :D
@salv032gaming 1 month ago
where can i practice api hacking?
@ThePeople-vf7st 1 month ago
Burp Suite Academy, TryHackMe, apisec university
@emreru5687 5 years ago
Thank you so much
@yethu7682 4 years ago
can you share the slide of this video?
@Weaver0x00 1 month ago
Mate I did both h101 graphql labs. I gotta say, I understood f*ck all from that. Did both on my own, never interacted with graphql before that, had blackhat graphql open in a separate tab, just scrolled for something that looked similar to the task. I guess learning hands-on isn't for me
@RahulYadav-qg9ms 5 years ago
please bring some practical beside theory
@hannanjamil1060 5 years ago
Can you please share slides? BTW thank you so much. ❤🌹
@isfk 4 years ago
Reusing code by creating a web API is not being lazy, it's being smart.
@InsiderPhD 4 years ago
Of course! It’s just a joke :)! Using an API can also reduce development time when you’re managing a desktop, web and mobile app for example
@MrTiger-eg1gr 4 years ago
This was great. But, if you don't mind, can you please slow down a lil bit while talking?
@InsiderPhD 4 years ago
Of course! Thank you for your feedback! I will definitely try to talk slower and pace myself better!
@yassindaboussi2570 4 years ago
thank You
@bugsbunny6286 4 years ago
Can you make a good video on XSS explaining all of them briefly and ways to find it out easily
@InsiderPhD 4 years ago
Great idea I will make this video!
@goooooo9197 5 years ago
How to find that api plz tell that
@InsiderPhD 5 years ago
Keep an eye out for web apps which have mobile app counterparts, often they both use the same API, another option is to take a look at mobile apps (video coming soon!), but in the meantime, you can check out Spaceraccoon's recent iOS blog spaceraccoon.dev/low-hanging-apples-hunting-credentials-and-secrets-in-ios-apps or using Genymotion to set up an Android emulator
@probeing9418 5 years ago
it will be gud if u give reports link in description
@InsiderPhD 5 years ago
Now in the description
- Information Disclosure: User Information Disclosure via the REST API - /?_method=GET - hackerone.com/reports/384782
- Authorisation Issues: Wordpress.com REST API oauth bypass via Cross Site Flashing - hackerone.com/reports/176308
- Business Logic Errors: Items bought for free due to lacks of quantity controls - hackerone.com/reports/357929
- IDORs: IDOR and statistics leakage in Orders - hackerone.com/reports/544329
- XSS: Stored XSS in blog comments through Shopify API - hackerone.com/reports/192210
@hanko1 4 years ago
I have watched 'All' of your videos but never found a bug
@InsiderPhD 3 years ago
Keep an eye out I’m posting a video just for you soon!