How To Do Recon: API Enumeration


InsiderPhD


This week we cover how to do API enumeration/API Recon. I show you how to find new API endpoints using tools like Burp Intruder and Ffuf, as well as how to find hidden parameters using Arjun. Including how to act on this data and use it to find bugs!
Did you know this episode was sponsored by Intigriti? Sign up with my link: go.intigriti.com/katie. I'm so pleased with everyone's positive response to the Intigriti sponsorship and I'm so pleased you folks are finding bugs and even finding your first bugs! Thank you for being awesome!
This episode was due to come out next week, but due to popular demand I have released it early for you folks, hopefully, you'll have some good data this week that you can hack on next week! Sorry for the references to next week's video! In this video we go through some theory first and do a little refresh on what an API is and how they work, then we go into the theory of recon before I do some live demos hacking on a fake API. I'd love to have done this video on a real bug bounty target, but with recon there's a lot I could miss or disclose on accident!
Do you want to support me? Why not buy me a coffee? ko-fi.com/insiderphd
Got questions? I have answers, Tweet at me / insiderphd
Timestamps
0:00 Introduction to the video & catchup
7:29 Introduction to API enumeration
16:15 Easy API Enumeration
20:01 Creating Wordlists
25:05 DEMO: Burp Intruder
35:07 DEMO: Ffuf
41:38 DEMO: Arjun
48:27 Analysing Arjun results
50:07 DEMO: Practical bug hunting
Commands I run
- Ffuf: ffuf -w wordlist.txt -u http://192.168.1.11:8000/api/FUZZ/6 -o output.txt -x http://127.0.0.1:8080
- Arjun (the -x parameter sends requests to Burp; leave it out if you do not want to send requests to Burp or you use the original version): python arjun.py -u http://192.168.1.11:8000/api/users --post -o data/result.json -x 127.0.0.1:8080
Links to the stuff I talk about
Example APIs
- My Fake API: github.com/InsiderPhD/example...
- Twitter: / api-reference
- Facebook: / graph-api
- Yahoo: developer.yahoo.com/api/
Tools
- Ffuf github.com/ffuf/ffuf
- Arjun (my version) github.com/InsiderPhD/Arjun
- Arjun (original) github.com/s0md3v/Arjun
- Arjun dockerfile gist.github.com/InsiderPhD/f1...
Videos
- Finding Your First Bug: Finding Bugs in APIs • Finding Your First Bug...
- API Hacking for the Actually Pretty Inexperienced Hacker • API hacking for the Ac...
- Finding Your First Bug: Manual IDOR Hunting • Finding Your First Bug...
- IDOR Hunting With Firefox Containers • How to Use Firefox Con...
- (Nahamsec) Creating Wordlists for Hacking, Pentesting & Bug Bounty Hunting Using Seclists, Bigquery, and More! • Creating Wordlists for...
Wordlists
- SecLists: github.com/danielmiessler/Sec... & github.com/danielmiessler/Sec...
- Fuzzdb: github.com/fuzzdb-project/fuz...
- SecLists Raft Words: github.com/danielmiessler/Sec...
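
What a wordlist run like the ffuf command above looks like in the API's own access log, as an added example (not from the video or its description): it flags a client that requests many different /api/<name>/... paths in a short window and mostly gets 404, and lists which names answered. The log format, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: Common Log Format. Adjust the regex for your server.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "path": m["path"].split("?", 1)[0],   # ignore the query string
        "status": int(m["status"]),
    }


def detect_enumeration(lines, prefix="/api/", window=timedelta(seconds=10),
                       min_distinct=8, min_miss_ratio=0.7):
    """Flag clients that probe many different names under `prefix` and mostly get 404.

    Lines are assumed to be in chronological order per client. Thresholds are
    illustrative defaults, not tuned values.
    """
    recent = defaultdict(deque)   # ip -> (timestamp, name, status) inside the window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["path"].startswith(prefix):
            continue
        # The path segment right after the prefix is what a wordlist run varies.
        name = ev["path"][len(prefix):].split("/", 1)[0]
        q = recent[ev["ip"]]
        q.append((ev["ts"], name, ev["status"]))
        while ev["ts"] - q[0][0] > window:
            q.popleft()
        names = {n for _, n, _ in q}
        miss_ratio = sum(1 for _, _, s in q if s == 404) / len(q)
        if len(names) < min_distinct or miss_ratio < min_miss_ratio:
            continue
        best = flagged.get(ev["ip"])
        if best is None or len(names) > best["distinct_names"]:
            flagged[ev["ip"]] = {
                "distinct_names": len(names),
                "miss_ratio": round(miss_ratio, 2),
                # Names that answered without an error: what the scan found.
                "discovered": sorted({n for _, n, s in q if s < 400}),
            }
    return flagged


def build_sample_log():
    """Constructed sample: one wordlist run and one ordinary API client."""
    words = ["admin", "users", "login", "config", "backup", "courses",
             "debug", "export", "internal", "v2", "tokens", "health"]
    live = {"users", "courses"}
    lines = []
    for i, word in enumerate(words):   # 12 requests in 4 seconds
        status = 200 if word in live else 404
        lines.append(f'203.0.113.50 - - [12/Mar/2024:10:00:{i // 3:02d} +0000] '
                     f'"GET /api/{word}/6 HTTP/1.1" {status} 120')
    for i in range(6):                 # one request a minute to a real endpoint
        lines.append(f'198.51.100.7 - - [12/Mar/2024:10:0{i}:30 +0000] '
                     f'"GET /api/users/6 HTTP/1.1" 200 512')
    return lines


if __name__ == "__main__":
    for ip, info in detect_enumeration(build_sample_log()).items():
        print(ip, info)
```

The "discovered" list is the part worth acting on after an alert: those are the endpoints whose authorization checks deserve a review.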

Comments: 142
@InsiderPhD 4 years ago
Hey everyone! The Top 10 API bugs referenced in this video will actually be coming out next week, so you could do some recon over this week, and start hacking next week :) If you want to learn more I can recommend this resource apisecurity.io/encyclopedia/content/owasp/owasp-api-security-top-10.htm but expect that video next week!
@TheJDebski 4 years ago
Your videos are so great! Thank you. Definitely my favourite channel about bug bounty
@mid-julyenglish1782 4 years ago
This is totally what I was looking for and here you just upload it. I am blessed. You blessed. Thank you and keep going.
@InsiderPhD 4 years ago
You're very welcome! Happy hacking!
@jonoheath4221 4 years ago
Thank you so much for your vids I am finally starting to get my head around APIs thanks to all your stuff. The hunt begins this weekend.
@mohittirkey7889 4 years ago
Amazing video Katie on the API enumeration, we can also use cluster bomb settings in the burp intruder as follows: Payload Set-1 -> HTTP Methods like OPTIONS, GET, HEAD, POST, TRACE, DELETE etc. Payload Set-2 -> our wordlists
@InsiderPhD 4 years ago
Great suggestion! Especially with route api endpoints like /api/resource I think checking for additional HTTP methods is a great idea
@arpeetrathi 4 years ago
Amazing as usual. Keep posting once every week❤
@InsiderPhD 4 years ago
Thank you! Will do! See you next week :)
@danielwilcock7007 4 years ago
Amazing video Katie. Please, please keep this up. Your content is really helpful. For many months I have been a lurker watching guides and methodologies, then load up burp and impostor syndrome kicks in before I begin. Your content has actually allowed me to finally try to hack. Very simple and friendly!
@InsiderPhD 4 years ago
Thank you so much! It's going to be hard but you can do it! Just keep trying!
@hemanth1260 4 years ago
Really great content and I can understand how much effort you have put in to get this content out. Thank you for helping the community
@InsiderPhD 4 years ago
My pleasure! I love this community and I think it's my duty to give back to the community that helped me!
@aaryansaharan127 4 years ago
Really good content. You actually make videos with all dedication (I feel). Really you deserve very big thank you!
@InsiderPhD 4 years ago
Thank you so much 😀
@zoroatokpas8761 3 years ago
Watched this video almost like 4 times still learning things
@PizzaParker-EAB3524 2 months ago
Doc, thank you so much for these videos. As a newcomer to bug bounties your videos have been a lifeline.
@danyelvillalba7 4 years ago
Thanks Katie!!!! I love your videos, please keep going with videos like this, Great content
@InsiderPhD 4 years ago
Thank you! Will do!
@PedroPerez-ii4dx 3 years ago
Thanks for such amazing content. Trying to understand all this it's like an old saying from where I grew up "The hope of the one who grows coconuts". (meaning that sometimes it looks like a never ending goal)
@freeguy37 3 years ago
Really it's a very helpful video and yes, your all videos are a bunch of knowledge!
@00eunderscore70 1 year ago
Awesome! I'm a bit out of date of this one but appreciate these kind of videos!
@kishorebolt3065 4 years ago
You are doing great
@InsiderPhD 4 years ago
You're so welcome!
@juul216 2 years ago
Thanks, the audio is very clear
@DanielCamargo81 3 years ago
thanks a lot for sharing your knowledge, that is amazing!
@3rdaaa 4 years ago
Thank you so much for your video katie! still searching for my first bug here, hope to find it soon!
@InsiderPhD 4 years ago
Good luck! Finding your first is all about persevering!
@emmanuelchinedum6998 2 years ago
Did you find yet?
@IteLuis 3 years ago
Awesome content, I hope you are doing great, keep it up the great work, cheers!!
@GonzoRust 1 year ago
you inspire the world. keep up the good work
@LeonidasDAce 4 years ago
I have found an IDOR 4 days ago but I didn't know it was API based until seeing this video. Thank you so much Katie for this wonderful explanation. Learned a lot of things from it.
@InsiderPhD 4 years ago
Congrats on finding an IDOR! Was it your first bug? Glad I could help
@LeonidasDAce 4 years ago
@InsiderPhD It was my 3rd bug actually. But I got my 1st 4digit bounty from this. Thank you so much Katie. Keep sharing things.
@InsiderPhD 4 years ago
Leonidas D. Ace wow! That’s incredible fantastic job :)
@LeonidasDAce 4 years ago
@InsiderPhD Thank you Katie. Will be waiting for your next video
@zynnewton8687 3 years ago
Finally I saw an interesting video on YT... this channel is very interesting and knowledgeable. I keep watching your videos, hopefully you create more vids on YouTube that help beginners like me... I'm from the Philippines. I have a lot of questions in my mind and if that's okay to contact you it's an honor for me. :) Your fan from the Philippines. God bless.
@helalsadat2077 16 hours ago
I have watched the Full video, Thank you very much Katie, I am Regularly following this playlist of API Hacking
@abhhibirdawade9657 4 years ago
amazing katie as always............
@souhaillepacifique7572 4 years ago
hello woman, I've just discovered your channel amazing content thank you and keep it up
@InsiderPhD 4 years ago
Welcome! Thank you for enjoying my content!
@digitaldina 4 years ago
This is so good!!! Pls pls pls do a graphql vid ❤️
@InsiderPhD 3 years ago
I was planning to but then I got beaten to it! I highly recommend Farah's video kzbin.info/www/bejne/hYKmmKCcqbpghck
@brunobeluco1187 4 years ago
Very nice video I learned so much with it, your explanation is amazing I would you like to ask you to increase the font on burp because it was very small :) Thank you very much for the video Katie
@InsiderPhD 4 years ago
Thank you for the feedback, definitely going to take that on board! I will make sure to make it a little bigger!
@cehdinh5132 4 years ago
Hi katie, thanks for great content in video. This asw, wait next your video 😍
@InsiderPhD 4 years ago
Yay! Thank you! It's really nice to hear such kind feedback, thank you for taking the time to let me know what you thought!
@roberthorn6707 4 years ago
Hi Katie! OMG! I don't know how I found your channel but I'm glad I did. My strengths lie in Cyber Security Analysis and this is a great piece for me to add. Your Pre-req video tho, did you change the name of it because I couldn't find it.......thanks for all you do!
@InsiderPhD 4 years ago
Due to popular demand on twitter people wanted this video first so they could do some enumeration this week and bug hunt next :) it will be up on Saturday
@roberthorn6707 4 years ago
@InsiderPhD Yes ma'am! Sounds good to me. I've subscribed and turned on my notifications. And I've put it on my twitter page as well for the rest of the community to find and share!
@satyanarayansahoo693 3 years ago
Simply Excellent!!!
@faysalahmed7251 3 years ago
Your content is amazing. My request for you to do some live bug bounty hunting on live target in streaming. So that we can learn things from you in more practical way.
@InsiderPhD 3 years ago
I’d love to but there’s a lot of confidentiality issues in doing that if you check out the live API hacking and the teaching my mum to hack you can see me going over the process to assess a target!
@0x2shadow19 9 months ago
This is a great video. I wish I could also get the slides that you are using.
@ismailramzan8927 4 years ago
Thanks for another Great Video :)
@InsiderPhD 4 years ago
My pleasure!
@fahadfaisal2383 2 years ago
Good work katie.
@Nothing-lh9hp 4 years ago
great video I have a little bit notice you could also use Param Miner extension on burpsuite it's also great extension to find the hidden parameter
@InsiderPhD 4 years ago
Yeah for sure! I didn't mention it because I couldn't get it to work on my demo API for some reason, but you're absolutely correct, I'll add a note in the description !
@Nothing-lh9hp 4 years ago
@InsiderPhD thanks man so much for doing awesome content
@sharaddahal 2 years ago
Thank You Katie.
@karimdhrif6679 4 years ago
Thank you Katie!
@velurubharath8929 4 years ago
Great Video Katie.
@velurubharath8929 4 years ago
Hi Katie, I came across an api where I can change number in request to send otp for verification to other number. Can I report this? I am currently logged into that account.
@saqibarif7144 4 years ago
Hi great video I know you are also best researcher on hackerone it is better to disclose your solve report poc videos and define it's better for everyone love from Pakistan
@shuvamadhikari2662 2 years ago
Thanks Katie 😍 .
@josephnimsara3169 4 years ago
awesome video content best on youtube .and can you please continue Next bug series ☺☺
@InsiderPhD 4 years ago
Yup, right now I'm just moving between series that I find interesting!
@josephnimsara3169 4 years ago
@InsiderPhD thank a lot are there any way to contact you please give us a method
@ezri5021 4 years ago
could see you use LastPass there. I'm looking to use a password manager, do you recommend it? Can I trust that it’s secure?
@StrmNb 4 years ago
Great Video !
@ANKITPATEL-ju7ro 3 years ago
Awesome video!!!
@p0nch4x24 4 years ago
Excellent content as always, thanks for all your work and effort ,a question, how can I avoid '429 too many requests' responses in FFUF?
@InsiderPhD 4 years ago
Great question, you can limit the number of requests in ffuf using the -p argument ( -p Seconds of `delay` between requests, or a range of random delay. For example "0.1" or "0.1-2.0")
@p0nch4x24 4 years ago
@InsiderPhD Oh, great!, thank you, Katie
@madmatt112 2 years ago
Following up a year later to share that newer versions of ffuf offer a “-limit” (or similar) flag to do the inverse - how many requests per second.
@green_quirk 4 years ago
A lots of love.... ❤❤❤❤❤
@kevinnyawakira4600 4 years ago
Amazing content
@hasnainabidkhanzada3754 3 years ago
What's your suggestion regarding using a type of OS for low hanging fruits hunting; Windows or Linux? Which is better? Especially from a recon perspective?
@ricjhill 3 years ago
I wish Intigriti sponsored a sports club. That logo would look good on a shirt.
@nyengnathan517 3 years ago
Wow. Thanks. Just one question, do you also use that windows machine in your bug bounty hunting?
@InsiderPhD 3 years ago
I use both! I am platform agnostic, I prefer the laptop for live events (lmao)! I prefer my Mac at the moment because it’s easier to film/work on for various reasons.
@nyengnathan517 3 years ago
@InsiderPhD Cool. Thanks for the response. Looking forward for more informative videos from you. Cheers.
@ayoubaboutarbouch8683 4 years ago
liked before watching
@InsiderPhD 4 years ago
Awww :) thank you!
@charlyzha3772 2 years ago
nice tutorial
@Stas1983ful 3 years ago
Katie will you create video-lesson, how you created your api-app.php?
@Loveless9619 4 years ago
My dear PhD, as already said in my last comment, I confirm the esteem I have for you you are always inspirational. I know you've already talked in the past about "How to choose the company where to start bug hunting" however I would like to know from you what you think about the infinite (looong very looong) hiring policies: what is in-scope, what attacks/checks are allowed and what is not . Honestly? It's a huge nuisance every time you have to read all that long text! Do you have any advice to cut off quickly this boring pre-phase? Thank you! Your Italian Guy, G.R. :)
@InsiderPhD 4 years ago
I'd love to tell you to just skip it! But it's super important as if you break those terms you're actually not protected legally and the company could report you to the police for breaking hacking rules. So I suggest you ALWAYS read it and make sure you NEVER go out of scope.
@mackeman1356 11 months ago
thank you
@maxicorbs 4 years ago
Katie I've just looked for the video that you reference in the intro "Top 10 API bugs" but I can't find it?
@InsiderPhD 4 years ago
Due to popular demand this video came out first (I address it in the description) so the videos release schedules were swapped (so you could do recon this week, and hack next week), I can really recommend this for a great resource apisecurity.io/encyclopedia/content/owasp/owasp-api-security-top-10.htm
@techlearner3270 3 years ago
how to Identify that the X-Forwarded-For header is supported, which allows you to spoof your IP address and bypass the IP-based brute-force protection in burp suite in any domain ???
@dukedud9743 5 days ago
1- finding ur first bug 2- firefox containers 3- api top 10 4- api enumeration
@maxmayr1477 4 years ago
Hey I really like your video! But I have a little question. Am I allowed in bug bounty programs to send so many requests per second?
@InsiderPhD 4 years ago
Usually there is a request to limit test to so many requests a second - check the program page. If not you should still be responsible but you are not limited (apart from maybe a firewall)
@jayu4348 3 years ago
Katie. You're awesome!!!! And ur cute❤️
@adelaidemiguel9117 1 year ago
How do i get website that she used for demo so that i can practice with it? Someone help.
@ricardotech 4 years ago
In 1 to 10 you're 11 katie
@jacoblessard8213 2 years ago
I know this is year old but can someone please explain what it means when you're getting all these fake positives? I can enter a lot of these enumerations and it returns with a 200, however the responses seem entirely unchanged. On another note, when I try certain queries like anything almost with .json at the end it gives me 423 firebase locked by database owner. Also the reason I tried appending .json to some of my requests is because when trying certain enums or when trying to execute json print commands in the body it prompted me to append .json to use the REST api. Someone please if you have any more knowledge I'd love to hear it.
@FraidoonFarrukh1 4 years ago
Hello, Sorry I can't find Top 10 API bugs in your channel. Can you post the link please? Thanks
@InsiderPhD 4 years ago
It will be out on Saturday :)
@Anonymous-wb8ke 4 years ago
I learn so many thing and also I'm from india Arjun is awesome it's my best frnd name 😂
@paulojr1384 1 year ago
38:33 remember to add -rate (and the limit of requests/sec always required on the rules to bug hunting the target) thanks for the content @InsiderPhD and have a blessed 2023 💯
@InfoSecIntel 4 years ago
What’s the one command to enumerate graphql? I don’t remember it from the previous videos.
@InsiderPhD 4 years ago
Here you go : github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.md
@InfoSecIntel 4 years ago
InsiderPhD thank you for being so helpful! So the “one command” you were talking about, is it section that says “URL encoded query to dump the database schema.” We can literally just copy and paste that and its useable? Again thank you so much
@InsiderPhD 4 years ago
Yup that’s the one
@InfoSecIntel 4 years ago
InsiderPhD amazing thank you!
@StephenOgu 4 years ago
Interesting
@lowtoe8030 4 years ago
I can personally attest that Arjun is great. It's played a part in nearly all my xss, redirect, and injection bounties. However I can't get the --headers option to work with it. Anyone else have luck with it?
@thimothy2461 4 years ago
Hii.. my name is Thimothy.. i am following you from last 2 weeks ur really did a great job and i would like to follow you in Instagram but i cant found a instagram link in the description.. Will u provide a link?
@InsiderPhD 4 years ago
Sorry I don't use instagram, only twitter I'm afraid!
@ca7986 4 years ago
♥️
@RAVIJATAV007 4 years ago
🦋
@maxicorbs 4 years ago
Wooo
@TheConstantLearnerGuy 2 years ago
Why you discontinued the series ?
@sachinmaurya3259 4 years ago
Hey when will you upload the video on BurpSuite :)
@InsiderPhD 4 years ago
Very soon, not 100% on timescales, but how to use intruder/repeater are next on my lists
@sachinmaurya3259 4 years ago
@InsiderPhD Thank you :D Waiting for your video
@paulojr1384 1 year ago
IDOR is a CSRF? thanks
@Safvanviber-xm3pn 6 months ago
Wtf
@ravirajsinhzala9535 2 years ago
Not able to setup generic uni api can anyone help?
@InsiderPhD 2 years ago
You no longer need to! You can head to bughuntr.io and it's completely accessible in the browser
@helalsadat2077 16 hours ago
For those who want to make a word list or get a good word list I would recommend asset notes API routes word list, it's really big and gives really good results. Happy API Hacking
@AjayKumar-xl4jc 3 years ago
Mam tutorial video plsz
@InsiderPhD 3 years ago
Sure! What would you like me to cover, I love getting suggestions!
@sachinmaurya3259 4 years ago
1 Comment
@netbin 4 years ago
how its fine to use community edition, when it works slow AF
@InsiderPhD 4 years ago
Because it's a great way to get started and be more selective about your payloads, plus for a lot of people the cost is really too much, you can also use ffuf to fill in the gaps :)
@doge1931 9 months ago
lotta IoT devices use SOAP
@user-hp8ih3dc8x 4 years ago
Hi, I'm big fan of your voice and contents. I have question. could you guide me? I'm not familiar with docker, so I don't know instructions. Now I have installed docker on kali, but I don't know next steps.(I'm trying to install the file you deployed (gist.github.com/InsiderPhD/f1eaa95b8479b54e8849beb596d669f5) Could you guide me? Thanks.
@InsiderPhD 4 years ago
I believe Kali ships with Python, you can check with: python -V If not you should install Python via the package manager: apt-get install python36 Then you need to do: pip install requests And finally you can do: python arjun.py ...
@realNAKAMI 4 years ago
putting dollars around user like $users$ for the url to iterate over a word list is kinda misleading. should've used a suitable variable name like $word$.
@encodedguy9182 4 years ago
Who disliked your video, give me the name of these people i will hack them..... :) :) :)
@dagobert6420 4 years ago
I wish there were shorter videos for „more advanced“ people... a version of the key points that last maybe 15 minutes...
@InsiderPhD 4 years ago
I think it's really important to get all the info, but I have added chapters so people who are familiar can skip through videos easily!
@surferbum618 4 years ago
Interesting