What other projects do you guys want to see made?

API protection schemes aren't all that different from developer to developer since most APIs tend to follow a similar format when it comes to security: 1. The authorization token _(be it OAuth2, JWT, Spring, Keycloak, Passport, or Auth0)_ will likely contain information regarding what sort of access you have to the API itself. So for instance if you don't have permissions to access a certain endpoint then the resulting response can simply be an HTTP 401 _(Unauthorized)_ or even an HTTP 403 _(Forbidden)_ . *Note:* the difference between an HTTP 401 and HTTP 403 is that the HTTP 401 error is for when you provide invalid or no credentials. The HTTP 403 error is for when you lack the privileges to access the specified resource _(API endpoint in this case)_ . 2. The API server might have a rate limiter set up to limit the number of concurrent requests sent to any API endpoint within a set amount of time. This is used to prevent a single connected user from spamming the API server which uses up too many system resources for the server in question. A server that's set up to be publicly accessible will most likely have documentation on the rate limiter _(the size of the request buckets, the rate at which the request buckets are emptied, what response headers are sent whenever you are rate limited, the different types of rate limits, etc...)_ . Typically whenever we think about reverse-engineering APIs we are more-or-less thinking about something called *"fuzzing"* which can be defined as _an automated process that injects invalid, malformed, or unexpected inputs into a system to reveal defects and vulnerabilities_ . For instance if we know the URI formatting for the API server then we can simply try to find undocumented API endpoints based on common names for said endpoints. The thing about API developers taking inspiration from one-another is that sometimes they'll use similarly named endpoints for certain actions such as token invalidation, database searching, creating and deleting data, etc... If the developers didn't expect for you to find those undocumented API endpoints then maybe they also forgot to give them the same level of scrutiny when it comes to securing them versus their documented or public API endpoints. My apologies for going so deep into this topic, I am somewhat passionate about web exploitation and semantics. Good video though because it appears that so many mobile app developers don't tend to consider that a MITM could be able to intercept and manipulate API calls to exploit vulnerabilities and a ton of developers could benefit from learning this and applying it to their development process.

It's such a rush when you gain access to things like this, great work. Think I'm going to have a lot of fun with mitmproxy. Subscribed.

Nice video. This really got me thinking about my api😂

Hey dude, good job with the video. You can also use the proxy to find out the endpoint used by your phone in order to get the access token, so you are going to be able to log in from your computer and get new access tokens ( Because they probably have a TTL). Another tip is to check if the app has also a website because if they have they are probably using the same private API, so u don't even need to proxy your phone.

Luckily it was this easy for this app, some apps implement certificate pinning, so even after you install your own certificate it just ignores it and doesnt accept the mitm requests.

hmm..not really hacking if using the public request string with a valid user token.... get restricted user data from other user without token would be hacking...

One more note: what you demonstrated would work if someone steals your phone, installs mitmproxy on it, and starts using the application in question. This will definitely expose how to API works - all its endpoints, payload structure, tokens, and perhaps some integrations with other APIs. However, if the API is designed correctly, you would only be able to get the data this one client is allowed to see (aka, the user whose phone was stolen, assuming he/she only has one app account). Of course, much of the data the API provides could be shared, in which case one user could potentially get access to 90% or more of the data, e.g. an e-commerce catalog that was considered "private" with respect to the membership implied by this app.

Big companies that private their APIs are indeed annoying, but let's not generalize this Remember that when you take stuff from an API you're not supposed to have access to, you're essentially using the money and resources of the company behind it, without giving them anything in return. So let's avoid doing that to small companies & devs

So guys if you don't understand what he actually did is he intercepted his request from phone app into the his pc using mitmproxy and then he used access_token value to get the results without using the app and he got succeeded

So what you actually did was get JSON response with the data you already have in your phone?

Intercept the authentication call to be able to generate tokens. In oauth2 a token is usually valid around 2 min depending on what was set by admins

Next video: Bypass ssl pinning.

This is amazing! Companies really need to start caring about their APIs

Hey Chris, Thanks for making this video. I don't know much about api but I think this can help me with a project I'm working on. Good luck with your channel.

WIth these looks, you should be an actor, man :). But seriously, thanks for the video. Thumbs up of course.

I totally agree, these api should have been open source to the public.

Thanks Chris..you blew me away with this video. Please I need to see another video on Hacking DNS and cloud servers

such a clean and top notch video ! earn my sub in the first 10 sec , thanks for sharing dude

Well done.. I was wondering how my coder was doing it. WE are using the exact process to set up a multiple API. Well done breaking it down!

Think I need to watch this a few times to follow what you did. Very interesting.

The reason they are private is to release stress on the api's..

it isn't an issue, it's normal behavior of API's. The problem would exists if You could access resources, which weren't destined to You.

Superb 👍 . The way you explained the stuff was very easy to understand. Keep it up bro 👍 👍 👍

Following this in 2024, on my iPhone the "Profile" where you install the mitmproxy has been relocated to the VPN & Device Management.

Security (access codes) are often not important from an ISV's point of view. APIs are often "private" not because of any security concern but so that the ISV can change THEIR OWN APIs without needing backward compatibility and so on. They're not private for commercial reasons but technical ones. So, of course, if you write your app against private APIs then don't complain if they break in the next version. Public APIs require far greater support. By all means use private APIs, but why not also contact the ISV and ask them to make their API public? Or even (here's an idea) pay them to use their software, in the form of a support contract...

Is it posibble to manipulate request in middle? For example, think of an app, there is an integration of another app within it. Even if that integration in the other app receives the data from the main app, can the data be changed and sent before going to the servers of the integration app?

Thanks so much! This was a really, really, really big help!

You straight look like Jesse Williams lmao. Besides that, nice job very interesting video!

Heads up: Newest ios version needs you to go to "general", "info", "certificats... -settings" -> enable mitmproxy, as otherwise its only installed but not enabled! Otherwise (at least for me in 2024) your iphone wont be able to connect to the internet.

nah bro chill not trying at my home,instead at my friend!

this is why you use cors

I thought that it's pretty standart that you think someone will try to use your API's. That's why you put a rate limit per authenticated users. Son a single user gets only x amount of request where they can't serve the API to 100s of people.

bruh u killed this video i had to rewatch video too lit !!

Wonderful video, man

Bit lame without figuring out the hashing

I'm just gonna pretend I understood

Cool coordinates.

Man in the Middle 101

did you put eye liner and mascara to your eyes?

3:24 how you get the access token without the credentials. Are you using Postman for the POST req? 5:09 like I’m confused on how you got the access token, this is like magic. Like how Sway???

Great video 🤘🔥🔥🔥

pretty cool, engaging work. thumbs up!

so basically, this is not hacking

Only 1.1k subscribers? You need more bro

he pulled a devon crawford

bro i want api of a web based parser called a-parser coz i develop one my own but it has cloudflare is that matter , that the website has cloudflare with this method?? thanksss

As a result, do u recommend to developers to secure the api with Oauth2 ?

it's impossible to do that on Android phones so companies are not worried so much but of course, there is a certain ways to hack them

brother why did you stop posting videos? Does anyone have his social media? urgent !!! does anyone know how to find api?

Thank's chriscodes keep up the good work ^_^

How would you generate fake api Key when you already have a demo Key? is It posible to reverse Engineer a Key?

That was great.. How much per hour for a personal tutoring?

Awesome video!

Holy crap I was looking for a way to find the person that hacked my gmail and i find this gem for my personal project

How to protect own api on server from apps like packet tracers on android. My users catches data and make from postman. Any help on this

I don't even know how i manage to understand all that.

hello what did you use to send the request at minute 5:33 did you use burpsuite?

Uh didn't you dox yourself on this one? I'm seeing coords that lead to a house. Might wanna look into that.

Respect the hustle

I have a doubt. I use a website and I know their http requests and response. Anyone can access their site. Can I use the requests in my app without telling them or just provide credits to their website?

Can you make a tutorial about API for beginners 🙏🏾

Great video :)

Did I miss something? Why are you using your phone. What aren't you using your PC to do this?

this is not exactly private, a private api should have a signature then you would need to work on their algo, which requires reversing their app. lol

that was awesome!!!

Can you use this method to post data to their server?

Well looks like i won't be using rest API's lol... what about gRPC? is that easy to hack?

terrible idea not scrubbing that geo location data

Do it for Leetcode

but only debug app and web will be intercepted, when i open random apk what i've install from play store then mitm proxy doesn't work to intercept the request and the app return error ssl bla bla bla(ca-certificate had been installed), or infinite loading

you could do that with post man also. it have a tool for reverse engeneer an api

Can you another video explaining more about this installation

Hey, I'm not able to capture https requests.

thxxx it's amazing, but why do keep telling us not to try it, is it illegal ? i need to make an app that uses some banks data but their apis are private, is it legal or not to get them like this because i don't wanna get in troubles honestly

Reverse engineer an android app.

Api means fire in indonesia

Scrapping pls. Now big companies are investing on anti-scrapping methods

Careful, 5:20 is you coordinates..

Reverse Engineering an API? You just used a simple proxy. Where is the hacking? Do you talk about using a valid access token? They probably hacked you by making you visit their page, would be awesome to hide some object prototype security 'flaws' within a reverse proxy. Did you install nodejs as admin? Good luck with security if you don't have the basic knowledge..

what a shame they are not using ssl pinning

Hack a bank app

Is it possible to hack firebase database ? Can we delete or change all firebase data of a android application

NICE

Wtf you look like the android from Detroit become human

Can you this for Snapchat app?

How can I connect with you bro

do you put eyeliner

Use burosuite

BRO THANK YOU

hi dear can you do reverse engineering api tiktok i will pay you

u could have just used burp

Can't you just use chrome to intercept?

how can contact with YOU

they will catch you you posted it hhh

Mac os is super good as compared window 🔥🔥🔥

You look like John Cena

This is basically Session hijacking right?!!!

Bro can we hack online ludo games with reverse engineering