1 00:00:00,480 --> 00:00:01,320 Instructor: Hi.
2 00:00:01,320 --> 00:00:06,120 Within this section we are gonna focus on API security.
3 00:00:06,120 --> 00:00:08,820 So we're gonna see what kind of vulnerabilities
4 00:00:08,820 --> 00:00:11,670 that we can find inside of APIs
5 00:00:11,670 --> 00:00:14,280 and also how to exploit them,
6 00:00:14,280 --> 00:00:16,680 and also how to secure them as well.
7 00:00:16,680 --> 00:00:20,580 So you can gain bug bounties out of those vulnerabilities
8 00:00:20,580 --> 00:00:24,120 and also protect your own APIs as well.
9 00:00:24,120 --> 00:00:28,140 So we're gonna use a real life example for that by the way
10 00:00:28,140 --> 00:00:33,140 it's called vAPI or V API, Vulnerability Vulnerable API.
11 00:00:34,650 --> 00:00:36,360 I'm gonna tell you all about it
12 00:00:36,360 --> 00:00:38,340 and I'm gonna show you how to set it up,
13 00:00:38,340 --> 00:00:39,870 don't worry about it.
14 00:00:39,870 --> 00:00:41,910 But right now before we start
15 00:00:41,910 --> 00:00:44,400 you have to know what an API is.
16 00:00:44,400 --> 00:00:48,030 So API stands for Application Programming Interface.
17 00:00:48,030 --> 00:00:51,600 It's kind of a programmer, it's kind of a software.
18 00:00:51,600 --> 00:00:55,110 When we do a request, when we send some parameters
19 00:00:55,110 --> 00:00:58,260 or send some request to it, we get a response back
20 00:00:58,260 --> 00:01:02,670 and we can use it inside of both the web applications
21 00:01:02,670 --> 00:01:06,960 or websites, and also mobile applications as well.
22 00:01:06,960 --> 00:01:11,460 So, when we have a vulnerability inside of our API
23 00:01:11,460 --> 00:01:14,250 it actually affects the web website
24 00:01:14,250 --> 00:01:17,220 or the web application, mobile application.
25 00:01:17,220 --> 00:01:19,080 It affects everything.
26 00:01:19,080 --> 00:01:21,600 So it's a very crucial step
27 00:01:21,600 --> 00:01:24,780 or it's a very crucial thing to secure the APIs
28 00:01:24,780 --> 00:01:26,910 and that's what we are going to focus on
29 00:01:26,910 --> 00:01:28,860 during this section.
30 00:01:28,860 --> 00:01:31,560 In order to let you imagine
31 00:01:31,560 --> 00:01:34,710 or in order to let you show what an API is,
32 00:01:34,710 --> 00:01:37,470 I'm going to demonstrate a few examples.
33 00:01:37,470 --> 00:01:39,150 But just so you know
34 00:01:39,150 --> 00:01:42,780 that this section will be available both
35 00:01:42,780 --> 00:01:46,530 on web application Pentesting course of mine,
36 00:01:46,530 --> 00:01:50,040 and also mobile Pentesting course as well
37 00:01:50,040 --> 00:01:53,940 because it actually affects both of them.
38 00:01:53,940 --> 00:01:56,670 So let me talk about this
39 00:01:56,670 --> 00:02:01,260 V API or vulnerable API, or vAPI thingy.
40 00:02:01,260 --> 00:02:04,590 So this is a GitHub repository as you can see
41 00:02:04,590 --> 00:02:09,343 and somebody named roottusk created this vAPI or V API
42 00:02:11,070 --> 00:02:15,300 in order for us to understand the vulnerabilities inside
43 00:02:15,300 --> 00:02:17,580 of the API and practice them.
44 00:02:17,580 --> 00:02:20,443 So we are thankful to roottusk.
45 00:02:20,443 --> 00:02:22,650 So this is an open source project
46 00:02:22,650 --> 00:02:26,280 and we are going to actually install this on a real server
47 00:02:26,280 --> 00:02:28,710 and we are going to do a real web pen testing
48 00:02:28,710 --> 00:02:33,710 or real API pen testing in a real life example.
49 00:02:33,930 --> 00:02:37,260 Yeah, so I found out this roottusk guy
50 00:02:37,260 --> 00:02:41,147 has created this very magnificent API CTF
51 00:02:42,690 --> 00:02:44,640 that I tried to solve it
52 00:02:44,640 --> 00:02:47,010 and I just decided to show it to you guys
53 00:02:47,010 --> 00:02:49,653 so that you can understand it in a better way.
54 00:02:50,700 --> 00:02:54,270 So let me show you what a JSON format is.
55 00:02:54,270 --> 00:02:58,170 So if you are a developer, you probably know this, okay?
56 00:02:58,170 --> 00:03:00,660 You don't have to open Google or something like that.
57 00:03:00,660 --> 00:03:02,610 I'm just showing you this.
58 00:03:02,610 --> 00:03:07,610 So this JSON format thing is some kind of format
59 00:03:08,400 --> 00:03:12,570 that we get the information back from the API.
60 00:03:12,570 --> 00:03:15,060 It doesn't have to be necessarily JSON,
61 00:03:15,060 --> 00:03:19,620 it can be XML and stuff like that, but it generally is.
62 00:03:19,620 --> 00:03:22,380 So maybe you should know what a JSON is.
63 00:03:22,380 --> 00:03:25,440 It's just JavaScript Object Notation.
64 00:03:25,440 --> 00:03:28,860 So it's kind of a notation, it's kind of a syntax.
65 00:03:28,860 --> 00:03:31,197 And as you can see, this is an example JSON
66 00:03:31,197 --> 00:03:36,197 where we see the ID, name, picture, and stuff like that.
67 00:03:36,210 --> 00:03:38,670 So when we send a request to the API
68 00:03:38,670 --> 00:03:41,550 that we are going to be installing on our server,
69 00:03:41,550 --> 00:03:43,530 we will get a response like this
70 00:03:43,530 --> 00:03:46,680 when we do a request to that server.
71 00:03:46,680 --> 00:03:51,240 So maybe we can do a request to get back to users
72 00:03:51,240 --> 00:03:53,640 maybe we can just do a request to get back
73 00:03:53,640 --> 00:03:56,280 to products of an e-commerce website.
74 00:03:56,280 --> 00:03:58,110 It doesn't matter.
75 00:03:58,110 --> 00:04:01,590 And I believe you are going to understand perfectly
76 00:04:01,590 --> 00:04:05,070 why we are doing this section once we get started.
77 00:04:05,070 --> 00:04:06,720 But before we start,
78 00:04:06,720 --> 00:04:11,490 I believe I should show you some real API example
79 00:04:11,490 --> 00:04:14,669 from a real world example so that you can understand it
80 00:04:14,669 --> 00:04:18,750 in a much better way because they are very critical, okay?
81 00:04:18,750 --> 00:04:22,290 They're very critical so before we install the vAPI,
82 00:04:22,290 --> 00:04:25,560 I'm going to show you something from udemy.com
83 00:04:25,560 --> 00:04:29,220 and you can actually see this from any website
84 00:04:29,220 --> 00:04:33,330 but I'm just going to show it to you from udemy.com.
85 00:04:33,330 --> 00:04:36,207 And in order to do that, I just opened the udemy.com
86 00:04:36,207 --> 00:04:38,730 and I can see my own courses over here,
87 00:04:38,730 --> 00:04:41,430 recommended to me for some reason.
88 00:04:41,430 --> 00:04:42,990 And I'm going to open the Burp Suite,
89 00:04:42,990 --> 00:04:46,020 if you don't know what a Burp Suite is,
90 00:04:46,020 --> 00:04:49,260 don't worry, you're gonna learn it in a couple of lectures.
91 00:04:49,260 --> 00:04:51,270 But if you got the web pen testing course,
92 00:04:51,270 --> 00:04:52,740 of course you know it.
93 00:04:52,740 --> 00:04:54,750 So intercept is on Burp Suite,
94 00:04:54,750 --> 00:04:57,510 is a tool that we can capture the packets
95 00:04:57,510 --> 00:04:59,850 that we are sending them.
96 00:04:59,850 --> 00:05:01,140 So what I'm going to do,
97 00:05:01,140 --> 00:05:04,740 I'm going to click on one of the courses on Udemy,
98 00:05:04,740 --> 00:05:06,870 and before it sends the message
99 00:05:06,870 --> 00:05:08,760 or sends the request to the server
100 00:05:08,760 --> 00:05:12,270 I'm gonna capture that inside of the Burp Suite
101 00:05:12,270 --> 00:05:16,110 so that we can actually see what are we sending
102 00:05:16,110 --> 00:05:19,110 to the server, or what is the endpoint,
103 00:05:19,110 --> 00:05:21,480 what are the parameters and stuff.
104 00:05:21,480 --> 00:05:24,180 So let me show you what I mean.
105 00:05:24,180 --> 00:05:29,160 I'm going to click one of those courses and here you go.
106 00:05:29,160 --> 00:05:32,640 It didn't capture the packet because I couldn't change,
107 00:05:32,640 --> 00:05:34,890 I forgot to change the proxy.
108 00:05:34,890 --> 00:05:36,480 Right now, I changed the proxy.
109 00:05:36,480 --> 00:05:38,550 If you don't know how to change the proxy,
110 00:05:38,550 --> 00:05:39,480 don't worry about it.
111 00:05:39,480 --> 00:05:42,780 I'm gonna show you later on within this section.
112 00:05:42,780 --> 00:05:45,450 And once I change the proxy cost,
113 00:05:45,450 --> 00:05:49,410 the parameters it cost the packet over here,
114 00:05:49,410 --> 00:05:53,700 as you can see it is doing a GET request to this website.
115 00:05:53,700 --> 00:05:56,970 It's not an API right now, it's courses slash
116 00:05:56,970 --> 00:05:59,520 the complete mobile ethical hacking course.
117 00:05:59,520 --> 00:06:03,480 So this is the address of my course in Udemy.
118 00:06:03,480 --> 00:06:07,350 Okay, that is cool, but that is not what I'm looking for.
119 00:06:07,350 --> 00:06:11,760 So this is not an API, this is just a regular website.
120 00:06:11,760 --> 00:06:13,320 If you just copy and paste it,
121 00:06:13,320 --> 00:06:17,370 and just paste it in your browser and go to it,
122 00:06:17,370 --> 00:06:19,590 you will see what I mean.
123 00:06:19,590 --> 00:06:20,490 What I'm going to do,
124 00:06:20,490 --> 00:06:22,770 I'm gonna disable the proxy one more time
125 00:06:22,770 --> 00:06:26,280 and go back to udemy.com and refresh it.
126 00:06:26,280 --> 00:06:30,390 Right now without going into the course itself.
127 00:06:30,390 --> 00:06:32,130 I'm just going to turn it on,
128 00:06:32,130 --> 00:06:35,880 and turn the proxy on the Burp Suite on as well.
129 00:06:35,880 --> 00:06:38,403 I'm going to click it on one more time.
130 00:06:39,360 --> 00:06:40,590 So once I click it,
131 00:06:40,590 --> 00:06:43,500 it will capture the packet and here you go.
132 00:06:43,500 --> 00:06:47,490 Right now it's doing a POST request to this API
133 00:06:47,490 --> 00:06:51,870 and if you look at the URL, it's actually API dash two.
134 00:06:51,870 --> 00:06:56,040 So this is version two visits and something like that.
135 00:06:56,040 --> 00:06:59,850 It's doing a funnel page API call.
136 00:06:59,850 --> 00:07:00,750 What does it mean?
137 00:07:00,750 --> 00:07:04,320 Because once I clicked on the course,
138 00:07:04,320 --> 00:07:05,910 it took me to a site
139 00:07:05,910 --> 00:07:09,240 and once I captured the packet over there,
140 00:07:09,240 --> 00:07:11,490 it actually showed me a URL.
141 00:07:11,490 --> 00:07:14,880 But right now, without going into the URL,
142 00:07:14,880 --> 00:07:19,710 once I click on one of the icons on the main page,
143 00:07:19,710 --> 00:07:22,410 it actually does an API call
144 00:07:22,410 --> 00:07:25,920 because it's actually sending some parameters
145 00:07:25,920 --> 00:07:29,100 to that funnel log state or funnel log
146 00:07:29,100 --> 00:07:31,500 API funnel log endpoint.
147 00:07:31,500 --> 00:07:36,390 And getting back some information most probably about me,
148 00:07:36,390 --> 00:07:38,160 so that it can understand
149 00:07:38,160 --> 00:07:39,930 what kind of cookie that I'm using.
150 00:07:39,930 --> 00:07:43,230 Did I purchase a course before from Udemy?
151 00:07:43,230 --> 00:07:45,150 So should it show some kind
152 00:07:45,150 --> 00:07:48,630 of low pricing or high pricing to me?
153 00:07:48,630 --> 00:07:52,530 Okay, so this is an API of Udemy.
154 00:07:52,530 --> 00:07:54,810 And as you might imagine
155 00:07:54,810 --> 00:07:58,200 Udemy uses this inside of its website,
156 00:07:58,200 --> 00:08:02,220 web application, and also mobile application as well.
157 00:08:02,220 --> 00:08:04,650 Okay, that was a real API,
158 00:08:04,650 --> 00:08:07,200 but right now I believe we have to focus
159 00:08:07,200 --> 00:08:11,940 on this roottusk vAPI, or V API, or vulnerable API.
160 00:08:11,940 --> 00:08:15,600 So let's see the roottusk, it's Tushar Kulkarni,
161 00:08:15,600 --> 00:08:20,220 thank you very much Tushar for sharing this with us.
162 00:08:20,220 --> 00:08:25,220 I'm going to show you how to install this on a real server,
163 00:08:25,230 --> 00:08:28,350 but before that I need to show you something else,
164 00:08:28,350 --> 00:08:31,200 I need to show you OWASP Top 10.
165 00:08:31,200 --> 00:08:33,720 So if you got the web pen testing course from
166 00:08:33,720 --> 00:08:36,000 you already know what an OWASP Top 10 is,
167 00:08:36,000 --> 00:08:38,820 it's the most vulnerability, or most common vulnerabilities
168 00:08:38,820 --> 00:08:41,790 that come across in the web world
169 00:08:41,790 --> 00:08:44,970 but this time I'm going to show you
170 00:08:44,970 --> 00:08:47,670 OWASP Top 10 API version.
171 00:08:47,670 --> 00:08:52,670 Okay? So as you can see, if you Google for us OWASP Top 10,
172 00:08:53,010 --> 00:08:57,180 you will see it and we have actually seen
173 00:08:57,180 --> 00:09:00,840 every one of those inside of web pen testing course.
174 00:09:00,840 --> 00:09:04,950 But also there is a top 10 for APIs as well.
175 00:09:04,950 --> 00:09:08,250 It turns out that it's critical for us
176 00:09:08,250 --> 00:09:10,590 and it's critical for OWASP as well.
177 00:09:10,590 --> 00:09:13,860 They gather information, they gather data
178 00:09:13,860 --> 00:09:18,270 for the most common vulnerabilities in the APIs as well.
179 00:09:18,270 --> 00:09:22,950 So what happens is that the V API
180 00:09:22,950 --> 00:09:25,200 that we are going to be solving
181 00:09:25,200 --> 00:09:28,770 actually got this data from this list.
182 00:09:28,770 --> 00:09:31,470 So let me show you what I mean.
183 00:09:31,470 --> 00:09:36,120 I'm going to search for OWASP Top 10 API
184 00:09:36,120 --> 00:09:40,440 and we will see something like very similar to this.
185 00:09:40,440 --> 00:09:41,970 Maybe you have seen this before.
186 00:09:41,970 --> 00:09:45,390 This is Top 10 Web Application Security Risks.
187 00:09:45,390 --> 00:09:50,310 Okay, like injection, or the broken access and stuff.
188 00:09:50,310 --> 00:09:54,870 So you know all of the stuff or maybe you have heard before.
189 00:09:54,870 --> 00:09:58,710 But if we go to Google and search for OWASP Top 10,
190 00:09:58,710 --> 00:10:03,630 but OWASP API Top 10, like this, okay?
191 00:10:03,630 --> 00:10:07,830 Then, we can see the actually API security list as well,
192 00:10:07,830 --> 00:10:09,780 the actual security list as well.
193 00:10:09,780 --> 00:10:14,100 So I'm going to open this in a new tab and here you go.
194 00:10:14,100 --> 00:10:16,050 So, it actually starts
195 00:10:16,050 --> 00:10:19,170 with telling us what is an API security.
196 00:10:19,170 --> 00:10:23,850 The time that I record this, it's saying that top 10 2019,
197 00:10:23,850 --> 00:10:28,290 it's not actually updated every year, okay?
198 00:10:28,290 --> 00:10:33,290 I'm recording this like something early 2022 but,
199 00:10:33,390 --> 00:10:35,370 it hasn't been updated yet.
200 00:10:35,370 --> 00:10:36,480 But as you can see,
201 00:10:36,480 --> 00:10:41,250 we have a lot of misconfigurations in proper management,
202 00:10:41,250 --> 00:10:43,628 logging, monitoring, and everything.
203 00:10:43,628 --> 00:10:45,750 Over here, we have a lot of vulnerabilities.
204 00:10:45,750 --> 00:10:50,070 And I can assure you once it gets updated,
205 00:10:50,070 --> 00:10:54,570 okay, maybe next year, many of them won't even change.
206 00:10:54,570 --> 00:10:59,430 Okay, so maybe a couple of new ones will come to the list
207 00:10:59,430 --> 00:11:01,833 but the idea will still be the same.
208 00:11:02,730 --> 00:11:07,730 So this vulnerable API actually gets this data, okay?
209 00:11:08,280 --> 00:11:12,000 The roottusk actually looked at that list
210 00:11:12,000 --> 00:11:16,590 and prepared the challenge, prepared the CTF
211 00:11:16,590 --> 00:11:20,550 in a way that we can understand everything on that list.
212 00:11:20,550 --> 00:11:24,180 So it's a great opportunity for us to solve this
213 00:11:24,180 --> 00:11:27,180 in order to understand the API security.
214 00:11:27,180 --> 00:11:31,830 But it happens that if we install this on a real server,
215 00:11:31,830 --> 00:11:33,720 that will be much more realistic
216 00:11:33,720 --> 00:11:36,810 and it would work in a much better way.
217 00:11:36,810 --> 00:11:39,270 So what I did, I forked this, okay?
218 00:11:39,270 --> 00:11:42,360 I put it on my own GitHub, as you can see,
219 00:11:42,360 --> 00:11:47,360 you can reach it via github.com 'til someone slash API.
220 00:11:48,600 --> 00:11:49,920 Pause the video if you like
221 00:11:49,920 --> 00:11:53,103 and just copy and paste the stuff, and go into there.
222 00:11:54,210 --> 00:11:55,680 I taught this by the way
223 00:11:55,680 --> 00:11:58,170 because I don't want you to get affected
224 00:11:58,170 --> 00:12:00,210 by the future updates.
225 00:12:00,210 --> 00:12:03,420 So, if you come over here and clone this,
226 00:12:03,420 --> 00:12:06,480 or you can just download the .zip in a way that you want
227 00:12:06,480 --> 00:12:10,260 just download the .zip on your own machine, okay?
228 00:12:10,260 --> 00:12:12,660 We are not even going to use that
229 00:12:12,660 --> 00:12:15,180 for installing out the server,
230 00:12:15,180 --> 00:12:19,110 but we are going to need some resources on that folder.
231 00:12:19,110 --> 00:12:20,820 That's why I'm telling you this.
232 00:12:20,820 --> 00:12:23,471 Just go to this website, github.com
233 00:12:23,471 --> 00:12:27,870 until someone will use slash API, and download this.
234 00:12:27,870 --> 00:12:30,600 Don't worry about the server configurations and stuff,
235 00:12:30,600 --> 00:12:32,842 I'm gonna show you in the upcoming lectures.
236 00:12:32,842 --> 00:12:35,950 But right now, all you gotta do is just download this folder
237 00:12:35,950 --> 00:12:38,223 and be ready for the next one.