What other projects do you guys want to see made?

API protection schemes aren't all that different from developer to developer since most APIs tend to follow a similar format when it comes to security: 1. The authorization token _(be it OAuth2, JWT, Spring, Keycloak, Passport, or Auth0)_ will likely contain information regarding what sort of access you have to the API itself. So for instance if you don't have permissions to access a certain endpoint then the resulting response can simply be an HTTP 401 _(Unauthorized)_ or even an HTTP 403 _(Forbidden)_ . *Note:* the difference between an HTTP 401 and HTTP 403 is that the HTTP 401 error is for when you provide invalid or no credentials. The HTTP 403 error is for when you lack the privileges to access the specified resource _(API endpoint in this case)_ . 2. The API server might have a rate limiter set up to limit the number of concurrent requests sent to any API endpoint within a set amount of time. This is used to prevent a single connected user from spamming the API server which uses up too many system resources for the server in question. A server that's set up to be publicly accessible will most likely have documentation on the rate limiter _(the size of the request buckets, the rate at which the request buckets are emptied, what response headers are sent whenever you are rate limited, the different types of rate limits, etc...)_ . Typically whenever we think about reverse-engineering APIs we are more-or-less thinking about something called *"fuzzing"* which can be defined as _an automated process that injects invalid, malformed, or unexpected inputs into a system to reveal defects and vulnerabilities_ . For instance if we know the URI formatting for the API server then we can simply try to find undocumented API endpoints based on common names for said endpoints. The thing about API developers taking inspiration from one-another is that sometimes they'll use similarly named endpoints for certain actions such as token invalidation, database searching, creating and deleting data, etc... If the developers didn't expect for you to find those undocumented API endpoints then maybe they also forgot to give them the same level of scrutiny when it comes to securing them versus their documented or public API endpoints. My apologies for going so deep into this topic, I am somewhat passionate about web exploitation and semantics. Good video though because it appears that so many mobile app developers don't tend to consider that a MITM could be able to intercept and manipulate API calls to exploit vulnerabilities and a ton of developers could benefit from learning this and applying it to their development process.

It's such a rush when you gain access to things like this, great work. Think I'm going to have a lot of fun with mitmproxy. Subscribed.

Hey dude, good job with the video. You can also use the proxy to find out the endpoint used by your phone in order to get the access token, so you are going to be able to log in from your computer and get new access tokens ( Because they probably have a TTL). Another tip is to check if the app has also a website because if they have they are probably using the same private API, so u don't even need to proxy your phone.

Dang bruh, if you want that data you gotta go out and get it, loved the vid. Just getting into trying to reverse engineer some APIs

Big companies that private their APIs are indeed annoying, but let's not generalize this Remember that when you take stuff from an API you're not supposed to have access to, you're essentially using the money and resources of the company behind it, without giving them anything in return. So let's avoid doing that to small companies & devs

Luckily it was this easy for this app, some apps implement certificate pinning, so even after you install your own certificate it just ignores it and doesnt accept the mitm requests.

Nice video. This really got me thinking about my api😂

One more note: what you demonstrated would work if someone steals your phone, installs mitmproxy on it, and starts using the application in question. This will definitely expose how to API works - all its endpoints, payload structure, tokens, and perhaps some integrations with other APIs. However, if the API is designed correctly, you would only be able to get the data this one client is allowed to see (aka, the user whose phone was stolen, assuming he/she only has one app account). Of course, much of the data the API provides could be shared, in which case one user could potentially get access to 90% or more of the data, e.g. an e-commerce catalog that was considered "private" with respect to the membership implied by this app.

first time seeing you, good luck bro , dont stop, subs done

So guys if you don't understand what he actually did is he intercepted his request from phone app into the his pc using mitmproxy and then he used access_token value to get the results without using the app and he got succeeded

hmm..not really hacking if using the public request string with a valid user token.... get restricted user data from other user without token would be hacking...

So what you actually did was get JSON response with the data you already have in your phone?

Next video: Bypass ssl pinning.

Intercept the authentication call to be able to generate tokens. In oauth2 a token is usually valid around 2 min depending on what was set by admins

Hey Chris, Thanks for making this video. I don't know much about api but I think this can help me with a project I'm working on. Good luck with your channel.

WIth these looks, you should be an actor, man :). But seriously, thanks for the video. Thumbs up of course.

Careful, 5:20 is you coordinates..

This is amazing! Companies really need to start caring about their APIs

Security (access codes) are often not important from an ISV's point of view. APIs are often "private" not because of any security concern but so that the ISV can change THEIR OWN APIs without needing backward compatibility and so on. They're not private for commercial reasons but technical ones. So, of course, if you write your app against private APIs then don't complain if they break in the next version. Public APIs require far greater support. By all means use private APIs, but why not also contact the ISV and ask them to make their API public? Or even (here's an idea) pay them to use their software, in the form of a support contract...

Wonderful video, man

I totally agree, these api should have been open source to the public.

such a clean and top notch video ! earn my sub in the first 10 sec , thanks for sharing dude

it isn't an issue, it's normal behavior of API's. The problem would exists if You could access resources, which weren't destined to You.

The reason they are private is to release stress on the api's..

Bit lame without figuring out the hashing

You straight look like Jesse Williams lmao. Besides that, nice job very interesting video!

Thanks Chris..you blew me away with this video. Please I need to see another video on Hacking DNS and cloud servers

Think I need to watch this a few times to follow what you did. Very interesting.

nah bro chill not trying at my home,instead at my friend!

Superb 👍 . The way you explained the stuff was very easy to understand. Keep it up bro 👍 👍 👍

Thanks so much! This was a really, really, really big help!

3:24 how you get the access token without the credentials. Are you using Postman for the POST req? 5:09 like I’m confused on how you got the access token, this is like magic. Like how Sway???

Great video 🤘🔥🔥🔥

bruh u killed this video i had to rewatch video too lit !!

this is why you use cors

Following this in 2024, on my iPhone the "Profile" where you install the mitmproxy has been relocated to the VPN & Device Management.

Is it posibble to manipulate request in middle? For example, think of an app, there is an integration of another app within it. Even if that integration in the other app receives the data from the main app, can the data be changed and sent before going to the servers of the integration app?

hello what did you use to send the request at minute 5:33 did you use burpsuite?

Only 1.1k subscribers? You need more bro

I'm just gonna pretend I understood

Well done.. I was wondering how my coder was doing it. WE are using the exact process to set up a multiple API. Well done breaking it down!

As a result, do u recommend to developers to secure the api with Oauth2 ?

Heads up: Newest ios version needs you to go to "general", "info", "certificats... -settings" -> enable mitmproxy, as otherwise its only installed but not enabled! Otherwise (at least for me in 2024) your iphone wont be able to connect to the internet.

I thought that it's pretty standart that you think someone will try to use your API's. That's why you put a rate limit per authenticated users. Son a single user gets only x amount of request where they can't serve the API to 100s of people.

he pulled a devon crawford

That was great.. How much per hour for a personal tutoring?

bro i want api of a web based parser called a-parser coz i develop one my own but it has cloudflare is that matter , that the website has cloudflare with this method?? thanksss

it's impossible to do that on Android phones so companies are not worried so much but of course, there is a certain ways to hack them

so basically, this is not hacking

Holy crap I was looking for a way to find the person that hacked my gmail and i find this gem for my personal project

Can you use this method to post data to their server?

I don't even know how i manage to understand all that.

brother why did you stop posting videos? Does anyone have his social media? urgent !!! does anyone know how to find api?

did you put eye liner and mascara to your eyes?

Awesome video!

pretty cool, engaging work. thumbs up!

How would you generate fake api Key when you already have a demo Key? is It posible to reverse Engineer a Key?

How to protect own api on server from apps like packet tracers on android. My users catches data and make from postman. Any help on this

I have a doubt. I use a website and I know their http requests and response. Anyone can access their site. Can I use the requests in my app without telling them or just provide credits to their website?

but only debug app and web will be intercepted, when i open random apk what i've install from play store then mitm proxy doesn't work to intercept the request and the app return error ssl bla bla bla(ca-certificate had been installed), or infinite loading

thxxx it's amazing, but why do keep telling us not to try it, is it illegal ? i need to make an app that uses some banks data but their apis are private, is it legal or not to get them like this because i don't wanna get in troubles honestly

Thank's chriscodes keep up the good work ^_^

terrible idea not scrubbing that geo location data

Cool coordinates.

Can you make a tutorial about API for beginners 🙏🏾

Well looks like i won't be using rest API's lol... what about gRPC? is that easy to hack?

Uh didn't you dox yourself on this one? I'm seeing coords that lead to a house. Might wanna look into that.

Man in the Middle 101

Can you another video explaining more about this installation

Great video thanks

Did I miss something? Why are you using your phone. What aren't you using your PC to do this?

Scrapping pls. Now big companies are investing on anti-scrapping methods

this is not exactly private, a private api should have a signature then you would need to work on their algo, which requires reversing their app. lol

Is it possible to hack firebase database ? Can we delete or change all firebase data of a android application

Hey, I'm not able to capture https requests.

you could do that with post man also. it have a tool for reverse engeneer an api

what a shame they are not using ssl pinning

Great video :)

that was awesome!!!

Respect the hustle

This is basically Session hijacking right?!!!

do you put eyeliner

How can I connect with you bro

Do it for Leetcode

u could have just used burp

Reverse engineer an android app.

Can you this for Snapchat app?

Wtf you look like the android from Detroit become human

Api means fire in indonesia

Reverse Engineering an API? You just used a simple proxy. Where is the hacking? Do you talk about using a valid access token? They probably hacked you by making you visit their page, would be awesome to hide some object prototype security 'flaws' within a reverse proxy. Did you install nodejs as admin? Good luck with security if you don't have the basic knowledge..

Can't you just use chrome to intercept?

how can contact with YOU

You look like John Cena

Hack a bank app

hi dear can you do reverse engineering api tiktok i will pay you

Can u modify games like pubg mobile

they will catch you you posted it hhh

BRO THANK YOU

Can I hack ROBLOX accounts using thisv