1
00:00:00,570 --> 00:00:02,520
Instructor: Hi, within this lecture,

2
00:00:02,520 --> 00:00:03,570
we are gonna take a look

3
00:00:03,570 --> 00:00:06,300
at the API6 challenge.

4
00:00:06,300 --> 00:00:07,856
Now, we are at the

5
00:00:07,856 --> 00:00:09,060
API6.

6
00:00:09,060 --> 00:00:12,060
It says the Mass Assignment.

7
00:00:12,060 --> 00:00:13,830
And, uh, we have a clue.

8
00:00:13,830 --> 00:00:16,890
We have a hint again for the Mass Assignment.

9
00:00:16,890 --> 00:00:17,723
It says that,

10
00:00:17,723 --> 00:00:19,770
"Welcome to our store.

11
00:00:19,770 --> 00:00:21,390
We will give you credits

12
00:00:21,390 --> 00:00:23,250
if you behave nicely.

13
00:00:23,250 --> 00:00:26,310
Our credit management is super secure."

14
00:00:26,310 --> 00:00:27,390
Great.

15
00:00:27,390 --> 00:00:30,120
Now if we sign up for an account,

16
00:00:30,120 --> 00:00:33,810
like if we sign up with a username and a password,

17
00:00:33,810 --> 00:00:37,620
I believe we're gonna get something back

18
00:00:37,620 --> 00:00:38,970
like a credit back.

19
00:00:38,970 --> 00:00:40,110
And let's see.

20
00:00:40,110 --> 00:00:42,420
So we already have two endpoints over here.

21
00:00:42,420 --> 00:00:44,640
We're just gonna give the username and password,

22
00:00:44,640 --> 00:00:47,700
and address, and mobile number.

23
00:00:47,700 --> 00:00:50,520
Then we can just get the user's details

24
00:00:50,520 --> 00:00:51,990
in the next endpoint.

25
00:00:51,990 --> 00:00:53,970
So this is pretty standard.

26
00:00:53,970 --> 00:00:56,070
So I'm just gonna come over here

27
00:00:56,070 --> 00:00:59,070
to Create User and go to Body.

28
00:00:59,070 --> 00:01:00,840
And here you go.

29
00:01:00,840 --> 00:01:02,010
In the test again,

30
00:01:02,010 --> 00:01:05,520
we get an authentication key once we do that.

31
00:01:05,520 --> 00:01:07,860
So I'm just gonna go for the name,

32
00:01:07,860 --> 00:01:09,603
username, and password.

33
00:01:11,256 --> 00:01:12,720
And name, username,

34
00:01:12,720 --> 00:01:14,790
I'm just gonna write my own name.

35
00:01:14,790 --> 00:01:17,910
Password, I'm just gonna write atil123.

36
00:01:17,910 --> 00:01:21,720
If we do that, we get the name, username, and id.

37
00:01:21,720 --> 00:01:22,553
Okay.

38
00:01:22,553 --> 00:01:24,570
So if I go to Get User,

39
00:01:24,570 --> 00:01:27,090
if I just send this as a request,

40
00:01:27,090 --> 00:01:27,923
and by the way,

41
00:01:27,923 --> 00:01:31,260
over here we see something like "userme".

42
00:01:31,260 --> 00:01:32,550
So let's try to see

43
00:01:32,550 --> 00:01:34,170
if there's something like that.

44
00:01:34,170 --> 00:01:35,580
It asks for an id,

45
00:01:35,580 --> 00:01:38,220
but over here we see userme.

46
00:01:38,220 --> 00:01:40,740
Maybe it works with the authentication key.

47
00:01:40,740 --> 00:01:42,150
Yeah, here you go.

48
00:01:42,150 --> 00:01:43,830
So I believe the developer

49
00:01:43,830 --> 00:01:45,270
has changed this a little bit

50
00:01:45,270 --> 00:01:47,520
because we don't see any address or mobile.

51
00:01:47,520 --> 00:01:48,720
Nor over here.

52
00:01:48,720 --> 00:01:51,000
But we see id, name, username.

53
00:01:51,000 --> 00:01:52,050
Again, it doesn't matter

54
00:01:52,050 --> 00:01:54,240
because if I try to change

55
00:01:54,240 --> 00:01:57,540
this to one, or to something like that,

56
00:01:57,540 --> 00:01:59,400
as you can see we are not getting this.

57
00:01:59,400 --> 00:02:01,920
I believe we should stick to the latest version

58
00:02:01,920 --> 00:02:05,070
and just write it or run this as me.

59
00:02:05,070 --> 00:02:06,270
And here you go.

60
00:02:06,270 --> 00:02:07,590
The idea over here is

61
00:02:07,590 --> 00:02:10,560
that we have an extra parameter

62
00:02:10,560 --> 00:02:12,720
over here called "credit".

63
00:02:12,720 --> 00:02:13,553
Okay.

64
00:02:13,553 --> 00:02:17,340
And it gets it with my authentication key.

65
00:02:17,340 --> 00:02:19,680
And as far as the body is concerned,

66
00:02:19,680 --> 00:02:21,660
we are not sending anything back.

67
00:02:21,660 --> 00:02:24,660
We are getting the right ID, name, and username,

68
00:02:24,660 --> 00:02:27,900
but we are getting the credit as zero.

69
00:02:27,900 --> 00:02:28,950
Okay.

70
00:02:28,950 --> 00:02:31,140
So what can we do?

71
00:02:31,140 --> 00:02:33,090
We can try to send this name,

72
00:02:33,090 --> 00:02:34,890
username, and password,

73
00:02:34,890 --> 00:02:38,220
but maybe we can try to add the credit

74
00:02:38,220 --> 00:02:40,560
as a parameter to ourselves.

75
00:02:40,560 --> 00:02:43,320
Like, we can just send this credit

76
00:02:43,320 --> 00:02:46,770
even if it hasn't asked us to, right?

77
00:02:46,770 --> 00:02:48,540
We can't try that.

78
00:02:48,540 --> 00:02:51,190
We can try to create a new user with it

79
00:02:52,050 --> 00:02:54,510
and maybe it'll work, maybe it won't.

80
00:02:54,510 --> 00:02:55,530
Let's see.

81
00:02:55,530 --> 00:02:56,820
So what I'm going to do,

82
00:02:56,820 --> 00:02:58,770
I'm going to come over here.

83
00:02:58,770 --> 00:03:01,410
So aside from the name, username, and password,

84
00:03:01,410 --> 00:03:02,710
these are all

85
00:03:04,950 --> 00:03:06,540
required parameters.

86
00:03:06,540 --> 00:03:09,720
If we don't send them, it won't work.

87
00:03:09,720 --> 00:03:14,070
But maybe if we add some new parameter

88
00:03:14,070 --> 00:03:17,820
that we know exists in the database,

89
00:03:17,820 --> 00:03:19,650
maybe it'll work.

90
00:03:19,650 --> 00:03:21,780
So I'm gonna change the name and username.

91
00:03:21,780 --> 00:03:24,150
Okay, I'm gonna change it to Atlas.

92
00:03:24,150 --> 00:03:26,310
And I'm gonna add a new parameter.

93
00:03:26,310 --> 00:03:28,410
I'm gonna say credit.

94
00:03:28,410 --> 00:03:30,540
And for the credit I'm just gonna write

95
00:03:30,540 --> 00:03:33,930
some random number like 500,

96
00:03:33,930 --> 00:03:34,763
okay?

97
00:03:34,763 --> 00:03:36,870
It doesn't matter what you write,

98
00:03:36,870 --> 00:03:39,270
but don't forget about the commas

99
00:03:39,270 --> 00:03:41,010
and make sure that you

100
00:03:41,010 --> 00:03:43,320
have respected the JSON format.

101
00:03:43,320 --> 00:03:45,480
Otherwise it won't work.

102
00:03:45,480 --> 00:03:46,890
So if I send this,

103
00:03:46,890 --> 00:03:49,530
okay, I get an ID back, great.

104
00:03:49,530 --> 00:03:51,300
Maybe I can just go ahead

105
00:03:51,300 --> 00:03:52,800
and try to

106
00:03:52,800 --> 00:03:53,633
see

107
00:03:53,633 --> 00:03:55,620
if this authentication token has been renewed.

108
00:03:55,620 --> 00:03:56,520
Yep.

109
00:03:56,520 --> 00:03:58,680
Now I will send this

110
00:03:58,680 --> 00:03:59,730
and here you go.

111
00:03:59,730 --> 00:04:01,530
Now I have the credit.

112
00:04:01,530 --> 00:04:02,970
Okay, I have the Atlas,

113
00:04:02,970 --> 00:04:05,820
I have the credit, and I have the flag.

114
00:04:05,820 --> 00:04:06,810
Now what did I do?

115
00:04:06,810 --> 00:04:10,380
I have seen the credit parameter in the GET.

116
00:04:10,380 --> 00:04:11,760
So I have thought that,

117
00:04:11,760 --> 00:04:13,290
why not

118
00:04:13,290 --> 00:04:17,550
just add this as a parameter in the POST request as well?

119
00:04:17,550 --> 00:04:20,640
So, it should have checked against it,

120
00:04:20,640 --> 00:04:21,990
but it didn't.

121
00:04:21,990 --> 00:04:24,630
And, like, in real life

122
00:04:24,630 --> 00:04:26,580
there are a lot of APIs

123
00:04:26,580 --> 00:04:29,910
where you can find it like this: admin, true. Okay?

124
00:04:29,910 --> 00:04:31,650
Because they're all sending

125
00:04:31,650 --> 00:04:34,500
this by default: admin, false.

126
00:04:34,500 --> 00:04:37,020
Even if you don't see it,

127
00:04:37,020 --> 00:04:39,660
you can try to add this.

128
00:04:39,660 --> 00:04:42,480
So I believe this was a great example

129
00:04:42,480 --> 00:04:45,900
of the Mass Assignment vulnerability.

130
00:04:45,900 --> 00:04:47,610
So rather than the admin,

131
00:04:47,610 --> 00:04:49,920
of course we are sending credit 500.

132
00:04:49,920 --> 00:04:51,090
But again,

133
00:04:51,090 --> 00:04:52,980
if you don't wanna do it in Postman

134
00:04:52,980 --> 00:04:55,860
you can also send this to Burp Suite, okay?

135
00:04:55,860 --> 00:04:58,230
You can see the thing over here.

136
00:04:58,230 --> 00:05:00,360
You can just send this to Repeater

137
00:05:00,360 --> 00:05:03,510
and try and repeat the process over there

138
00:05:03,510 --> 00:05:05,550
so that you can see it yourself.

139
00:05:05,550 --> 00:05:07,410
So I'm gonna turn this off

140
00:05:07,410 --> 00:05:10,113
because we already have seen that.

141
00:05:11,010 --> 00:05:11,843
Great.

142
00:05:11,843 --> 00:05:12,676
Now

143
00:05:12,676 --> 00:05:14,700
we are good to go

144
00:05:14,700 --> 00:05:16,290
with the API6.

145
00:05:16,290 --> 00:05:17,370
Now I'm gonna stop here

146
00:05:17,370 --> 00:05:19,173
and continue within the next one.