This week we cover how to do API enumeration/API Recon. I show you how to find new API endpoints using tools like Burp Intruder and Ffuf, as well as how to find hidden parameters using Arjun. Including how to act on this data and use it to find bugs!
Did you know this episode was sponsored by Intigriti? Sign up with my link go.intigriti.com/katie I'm so pleased with everyone's positive response to the Intigriti sponsorship and I'm so pleased you folks are finding bugs and even finding your first bugs! Thank you for being awesome!
This episode was due to come out next week, but due to popular demand I have released it early for you folks; hopefully you'll have some good data this week that you can hack on next week! Sorry for the references to next week's video! In this video we go through some theory first and do a little refresh on what an API is and how they work, then we go into the theory of recon before I do some live demos hacking on a fake API. I'd love to have done this video on a real bug bounty target, but with recon there's a lot I could miss or disclose by accident!
Do you want to support me? Why not buy me a coffee? ko-fi.com/insiderphd
Got questions? I have answers, Tweet at me / insiderphd
Timestamps
0:00 Introduction to the video & catchup
7:29 Introduction to API enumeration
16:15 Easy API Enumeration
20:01 Creating Wordlists
25:05 DEMO: Burp Intruder
35:07 DEMO: Ffuf
41:38 DEMO: Arjun
48:27 Analysing Arjun results
50:07 DEMO: Practical bug hunting
Commands I run
- Ffuf (-x sends every request through the Burp proxy; both the target and proxy need the http:// scheme or ffuf rejects them): ffuf -w wordlist.txt -u http://192.168.1.11:8000/api/FUZZ/6 -o output.txt -x http://127.0.0.1:8080
- Arjun (-x parameter sends to burp, ignore if you do not want to send requests to burp or you use the original version): python arjun.py -u http://192.168.1.11:8000/api/users --post -o data/result.json -x http://127.0.0.1:8080
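As an added example (not from the video, and not part of ffuf), a short Python script for the "act on this data" step: it reads the JSON report ffuf writes with -o, treats the most common status/length pair as the server's catch-all response, and lists only the outliers as endpoints worth checking by hand. The report below is constructed against the fake API URL from the commands above; the field names are assumed to match ffuf's JSON output.

```python
import json
from collections import Counter

# Constructed sample in the shape of ffuf's JSON report (the file written by -o);
# only the fields this script reads are included. Five junk words all get the
# same 200/57-byte "not found" body, which is the wildcard baseline to filter out.
def _entry(word, status, length):
    return {"input": {"FUZZ": word}, "status": status, "length": length,
            "url": f"http://192.168.1.11:8000/api/{word}/6"}

SAMPLE_REPORT = json.dumps({
    "commandline": "ffuf -w wordlist.txt -u http://192.168.1.11:8000/api/FUZZ/6 -o output.txt",
    "results": [
        _entry("users", 200, 184),
        _entry("posts", 200, 412),
        _entry("admin", 403, 31),
    ] + [_entry(w, 200, 57) for w in ("foo", "bar", "baz", "qux", "test")],
})

def load_results(report_text):
    """Parse an ffuf JSON report and return its results list."""
    return json.loads(report_text)["results"]

def find_baseline(results, min_repeat=3):
    """Return the (status, length) pair seen most often, if it repeats at
    least min_repeat times; that pair is the server's catch-all response."""
    sigs = Counter((r["status"], r["length"]) for r in results)
    if not sigs:
        return None
    sig, count = sigs.most_common(1)[0]
    return sig if count >= min_repeat else None

def triage(report_text, min_repeat=3):
    """List results whose status/length differ from the baseline: these are
    the words worth checking by hand. Without a baseline everything is kept."""
    results = load_results(report_text)
    baseline = find_baseline(results, min_repeat)
    candidates = []
    for r in results:
        if (r["status"], r["length"]) == baseline:
            continue
        candidates.append({"word": r["input"]["FUZZ"], "status": r["status"],
                           "length": r["length"], "url": r["url"]})
    return candidates

if __name__ == "__main__":
    print(f"baseline: {find_baseline(load_results(SAMPLE_REPORT))}")
    for c in triage(SAMPLE_REPORT):
        print(f"{c['status']} {c['length']:>6}  {c['url']}")
```

Against a real report, pass the file contents to triage(); a length-only baseline is a useful first cut, but a 403 outlier like admin above is only interesting if the same word is not also 403 for every other path on the host.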
Links to the stuff I talk about
Example APIs
- My Fake API: github.com/InsiderPhD/example...
- Twitter: / api-reference
- Facebook: / graph-api
- Yahoo: developer.yahoo.com/api/
Tools
- Ffuf github.com/ffuf/ffuf
- Arjun (my version) github.com/InsiderPhD/Arjun
- Arjun (original) github.com/s0md3v/Arjun
- Arjun dockerfile gist.github.com/InsiderPhD/f1...
Videos
- Finding Your First Bug: Finding Bugs in APIs • Finding Your First Bug...
- API Hacking for the Actually Pretty Inexperienced Hacker • API hacking for the Ac...
- Finding Your First Bug: Manual IDOR Hunting • Finding Your First Bug...
- IDOR Hunting With Firefox Containers • How to Use Firefox Con...
- (Nahamsec) Creating Wordlists for Hacking, Pentesting & Bug Bounty Hunting Using Seclists, Bigquery, and More! • Creating Wordlists for...
Wordlists
- SecLists: github.com/danielmiessler/Sec... & github.com/danielmiessler/Sec...
- Fuzzdb: github.com/fuzzdb-project/fuz...
- SecLists Raft Words: github.com/danielmiessler/Sec...