1
00:00:00,630 --> 00:00:01,590
Instructor: Hi.

2
00:00:01,590 --> 00:00:04,260
Within this challenge we're just gonna take a look

3
00:00:04,260 --> 00:00:06,420
at the API5.

4
00:00:06,420 --> 00:00:09,240
So we're already halfway over there.

5
00:00:09,240 --> 00:00:10,073
So let's see.

6
00:00:10,073 --> 00:00:13,710
This is about broken function level authorization.

7
00:00:13,710 --> 00:00:16,170
It sounds awfully like that.

8
00:00:16,170 --> 00:00:18,930
The first challenge that we have completed.

9
00:00:18,930 --> 00:00:19,763
Right?

10
00:00:19,763 --> 00:00:22,920
And it's technically something like that

11
00:00:22,920 --> 00:00:25,320
but we are gonna see the differences.

12
00:00:25,320 --> 00:00:29,790
It says that you can register yourself as a user.

13
00:00:29,790 --> 00:00:30,623
That's it.

14
00:00:30,623 --> 00:00:32,163
Or is there something more?

15
00:00:33,030 --> 00:00:38,030
So it says that I heard administrator logins often

16
00:00:38,220 --> 00:00:40,740
but uses a different route.

17
00:00:40,740 --> 00:00:41,820
Okay.

18
00:00:41,820 --> 00:00:46,650
So the key thing over here is that different route

19
00:00:46,650 --> 00:00:47,610
or different route,

20
00:00:47,610 --> 00:00:49,770
however you may want to pronounce it.

21
00:00:49,770 --> 00:00:51,180
And as you can see it says

22
00:00:51,180 --> 00:00:55,130
that you're gonna have to post to this, okay, the user.

23
00:00:55,130 --> 00:00:57,210
If we use a different route

24
00:00:57,210 --> 00:00:59,610
then we are gonna get something

25
00:00:59,610 --> 00:01:01,650
like an administrator, right.

26
00:01:01,650 --> 00:01:02,760
Or something like

27
00:01:02,760 --> 00:01:06,453
maybe moderator, coordinator, something like that.

28
00:01:07,500 --> 00:01:09,150
So over here in the get,

29
00:01:09,150 --> 00:01:14,150
we're just gonna send an API ID or a user ID.
30
00:01:14,280 --> 00:01:16,110
So this sounds like

31
00:01:16,110 --> 00:01:18,780
and it works like the first challenge

32
00:01:18,780 --> 00:01:20,280
that we have completed really.

33
00:01:20,280 --> 00:01:22,953
So I'm gonna just go over here and test this.

34
00:01:23,850 --> 00:01:26,640
So I'm gonna go to create user.

35
00:01:26,640 --> 00:01:29,130
For the headers we're not gonna change anything

36
00:01:29,130 --> 00:01:32,010
but for the username and password

37
00:01:32,010 --> 00:01:34,890
for the body we're gonna have to change something, right.

38
00:01:34,890 --> 00:01:38,700
So we have been given something like test user.

39
00:01:38,700 --> 00:01:42,450
Test 1, 2, 3 or you can just write it on your own.

40
00:01:42,450 --> 00:01:45,660
I'm just gonna go via test user three.

41
00:01:45,660 --> 00:01:48,540
Okay, I'm not gonna change the password.

42
00:01:48,540 --> 00:01:50,400
Name test, user address, mobile.

43
00:01:50,400 --> 00:01:52,440
No, I'm not gonna change any of this.

44
00:01:52,440 --> 00:01:54,180
I'm just gonna send this and here you go.

45
00:01:54,180 --> 00:01:56,370
We get an ID back.

46
00:01:56,370 --> 00:01:59,220
So this should be ID two.

47
00:01:59,220 --> 00:02:00,053
Great.

48
00:02:00,053 --> 00:02:01,470
Now in the get user

49
00:02:01,470 --> 00:02:04,770
in the next endpoint I can just try

50
00:02:04,770 --> 00:02:07,560
to get the user ID.

51
00:02:07,560 --> 00:02:10,560
Because I already have the authentication key

52
00:02:10,560 --> 00:02:12,480
as usual in the tests.

53
00:02:12,480 --> 00:02:16,830
So it should have been saved to the get user endpoint.

54
00:02:16,830 --> 00:02:19,890
If it's not you can just look at the logs.

55
00:02:19,890 --> 00:02:21,270
Okay, but here you go.

56
00:02:21,270 --> 00:02:23,610
It's saved in my case.
57
00:02:23,610 --> 00:02:28,610
So since I already have that, okay, I can open the logs

58
00:02:29,220 --> 00:02:31,770
and just compare it if you want.

59
00:02:31,770 --> 00:02:33,450
Okay, here you go.

60
00:02:33,450 --> 00:02:36,870
This is the API5 authentication key.

61
00:02:36,870 --> 00:02:39,240
If it's not saved in your case

62
00:02:39,240 --> 00:02:42,480
then you can just automatically override it

63
00:02:42,480 --> 00:02:44,700
by copying and pasting over here.

64
00:02:44,700 --> 00:02:45,630
And here you go.

65
00:02:45,630 --> 00:02:47,190
In the body we don't have anything.

66
00:02:47,190 --> 00:02:51,540
If I send this, I can get this ID's details back.

67
00:02:51,540 --> 00:02:52,470
Great.

68
00:02:52,470 --> 00:02:55,560
Now in the first challenge, we already

69
00:02:55,560 --> 00:02:57,720
have seen something like that.

70
00:02:57,720 --> 00:03:00,240
So maybe we can try to change the ID

71
00:03:00,240 --> 00:03:01,830
over here like this.

72
00:03:01,830 --> 00:03:06,480
Okay, like if we change it to one, we don't get the details.

73
00:03:06,480 --> 00:03:09,150
So they have fixed that issue.

74
00:03:09,150 --> 00:03:12,450
So it says that username or password is incorrect.

75
00:03:12,450 --> 00:03:16,200
So the API at the backend is checking to see

76
00:03:16,200 --> 00:03:19,740
if the authentication token matches with the ID.

77
00:03:19,740 --> 00:03:21,510
So far so good.

78
00:03:21,510 --> 00:03:23,400
Now if I change the ID

79
00:03:23,400 --> 00:03:26,580
to something else I don't get it either.

80
00:03:26,580 --> 00:03:30,180
Like minus 1, 0, 1, 2, 3.

81
00:03:30,180 --> 00:03:32,820
But if I do the two then I can get this

82
00:03:32,820 --> 00:03:36,120
because the authentication key actually matches

83
00:03:36,120 --> 00:03:37,710
with the ID two.
84
00:03:37,710 --> 00:03:39,510
But if you remember the clue,

85
00:03:39,510 --> 00:03:40,920
if you remember the hint,

86
00:03:40,920 --> 00:03:42,720
it says something about routes.

87
00:03:42,720 --> 00:03:45,063
So I'm just gonna change this to admin.

88
00:03:46,110 --> 00:03:48,420
As you can see, we're still not getting it.

89
00:03:48,420 --> 00:03:51,090
I'm just gonna change the ID one more time.

90
00:03:51,090 --> 00:03:52,560
We're not getting it.

91
00:03:52,560 --> 00:03:54,570
Maybe just admin.

92
00:03:54,570 --> 00:03:56,310
Nope, we're not getting it.

93
00:03:56,310 --> 00:03:57,900
So we're gonna have to try this

94
00:03:57,900 --> 00:04:01,440
because we know we ought to change the route.

95
00:04:01,440 --> 00:04:04,050
Right, so I'm just going to send this to Burp Suite.

96
00:04:04,050 --> 00:04:06,090
I'm gonna give some proxy.

97
00:04:06,090 --> 00:04:08,490
Yeah, it's already been edited over here.

98
00:04:08,490 --> 00:04:10,410
So I'm gonna open the Burp Suite.

99
00:04:10,410 --> 00:04:12,570
I'm gonna turn the intercept on

100
00:04:12,570 --> 00:04:17,310
and I'm just gonna send this, okay, in a regular way.

101
00:04:17,310 --> 00:04:19,560
And in the Burp Suite I'm just gonna send this

102
00:04:19,560 --> 00:04:22,050
to repeater as usual because we are gonna repeat

103
00:04:22,050 --> 00:04:24,030
this process a little bit.

104
00:04:24,030 --> 00:04:28,800
And if I send this, I can get the second ID.

105
00:04:28,800 --> 00:04:30,780
But if I change the route,

106
00:04:30,780 --> 00:04:35,460
if I change this user to something else

107
00:04:35,460 --> 00:04:36,510
then we should get it.

108
00:04:36,510 --> 00:04:38,160
This should be the vulnerability

109
00:04:38,160 --> 00:04:42,420
as long as we consider the documentation a reliable source.

110
00:04:42,420 --> 00:04:46,170
So I'm just gonna delete this and say admin, for example.
111
00:04:46,170 --> 00:04:48,840
We're not getting it, as you can see.

112
00:04:48,840 --> 00:04:50,880
Maybe users.

113
00:04:50,880 --> 00:04:52,350
Yeah, here you go.

114
00:04:52,350 --> 00:04:55,800
In the second trial I found it, okay.

115
00:04:55,800 --> 00:05:00,570
If I change this to users, if I change this route to users

116
00:05:00,570 --> 00:05:05,570
then I can get the other users' details as well.

117
00:05:05,820 --> 00:05:09,330
So this happens by the way in real life as well

118
00:05:09,330 --> 00:05:12,840
because they think that, yeah, nobody knows

119
00:05:12,840 --> 00:05:15,240
this users route exists.

120
00:05:15,240 --> 00:05:17,040
Only the developer knows.

121
00:05:17,040 --> 00:05:17,873
So why not?

122
00:05:17,873 --> 00:05:20,040
We just put everything over there.

123
00:05:20,040 --> 00:05:23,280
And for development purposes we can just use this.

124
00:05:23,280 --> 00:05:24,540
But the idea over here

125
00:05:24,540 --> 00:05:28,350
is that we're still using the same authorization token

126
00:05:28,350 --> 00:05:30,750
and it should have checked that.

127
00:05:30,750 --> 00:05:32,460
But it doesn't.

128
00:05:32,460 --> 00:05:35,940
Okay, and we are getting this.

129
00:05:35,940 --> 00:05:40,140
We're getting all the details about all users.

130
00:05:40,140 --> 00:05:44,790
And of course if we send this to intruder, okay.

131
00:05:44,790 --> 00:05:46,740
If we send this to intruder.

132
00:05:46,740 --> 00:05:49,350
If we just change the route

133
00:05:49,350 --> 00:05:51,330
with a payload with a list

134
00:05:51,330 --> 00:05:54,570
then we can just do it like we have gotten

135
00:05:54,570 --> 00:05:56,580
this user out of luck.

136
00:05:56,580 --> 00:05:58,947
Right, I have just tried this

137
00:05:58,947 --> 00:06:00,360
and it happened.
138
00:06:00,360 --> 00:06:02,340
But if I add this as a parameter

139
00:06:02,340 --> 00:06:04,590
using this sniper attack type,

140
00:06:04,590 --> 00:06:07,560
I can come over here and I can use a word list

141
00:06:07,560 --> 00:06:09,660
or I can add one by one.

142
00:06:09,660 --> 00:06:10,800
Let's do an example.

143
00:06:10,800 --> 00:06:14,340
Like I can just add anything that comes to my mind.

144
00:06:14,340 --> 00:06:16,860
Admin, administrator, user,

145
00:06:16,860 --> 00:06:19,830
users, passwords, something like that.

146
00:06:19,830 --> 00:06:24,360
Or you can just try to search for wordlists in Kali Linux.

147
00:06:24,360 --> 00:06:27,543
You can find them and just use them as well.

148
00:06:28,620 --> 00:06:33,620
Like maybe we can try password or something like that.

149
00:06:33,960 --> 00:06:36,900
Just use whatever you want like

150
00:06:36,900 --> 00:06:39,840
all users, admin, administrator.

151
00:06:39,840 --> 00:06:44,010
If you start this attack, okay, it will just try them.

152
00:06:44,010 --> 00:06:48,210
And as you can see, we got the users over here.

153
00:06:48,210 --> 00:06:50,430
This is not luck right now.

154
00:06:50,430 --> 00:06:52,890
We have gotten users out of luck.

155
00:06:52,890 --> 00:06:56,280
I accept it but this is not luck.

156
00:06:56,280 --> 00:07:00,390
This is just trying other wordlists, other payloads,

157
00:07:00,390 --> 00:07:05,390
or other routes that can be embedded in the API.

158
00:07:06,540 --> 00:07:07,500
And here you go.

159
00:07:07,500 --> 00:07:10,260
We found it and we got the flag.
160
00:07:10,260 --> 00:07:12,930
So this is different than the first challenge

161
00:07:12,930 --> 00:07:14,610
because in the first challenge we have

162
00:07:14,610 --> 00:07:16,560
just changed one parameter

163
00:07:16,560 --> 00:07:19,290
but over here we are changing the route

164
00:07:19,290 --> 00:07:23,370
and using the same authorization token to get the details

165
00:07:23,370 --> 00:07:27,240
of every user in the database.

166
00:07:27,240 --> 00:07:28,073
Great.

167
00:07:28,073 --> 00:07:31,290
Now if you remember this

168
00:07:31,290 --> 00:07:32,880
then it's going to be okay

169
00:07:32,880 --> 00:07:36,480
because you can just use this technique

170
00:07:36,480 --> 00:07:41,480
to pen test against every possible API that's out there.

171
00:07:41,760 --> 00:07:43,920
If you think that there is a slight chance

172
00:07:43,920 --> 00:07:46,110
that you can find something like that

173
00:07:46,110 --> 00:07:49,770
it would be worth a lot of bug bounty money.

174
00:07:49,770 --> 00:07:50,603
Great.

175
00:07:50,603 --> 00:07:52,650
Now we are gonna stop here

176
00:07:52,650 --> 00:07:57,030
and I'm not even going to just delete the proxy

177
00:07:57,030 --> 00:07:59,280
because we need it as far as I see

178
00:07:59,280 --> 00:08:00,873
in the next challenge as well.