Lecturer: Hi. Within this lecture, we're gonna go ahead and take a look at the API7 challenge. So I'm gonna go back to the documentation and just go for API7. Over here we see the title as Security Misconfiguration. Okay. And it says that it's an API, so we are expecting cross-origin requests. Great, so it's about cross-origin requests.

We're gonna see what a cross-origin request is, but for right now, I'm just gonna go ahead and take a look at the POST and GET requests. So first of all, we create a user, and then we actually log in with the user, as far as I can see. After we log in, we can get a key, like an authorization key I believe, with this request. And finally, we can log out from that user if we just call this endpoint. Great.

Now, this is very generic. So we sign up, we log in, we get a key, we log out. But what is a cross-origin request, and what does it have to do with any of this? Right, so cross-origin means we are getting the request from another origin.
For example, not from this website, not from the API's website, but from my website or from an attacker's website. So APIs actually have to take this into consideration. Because why? Because let's assume that I'm a hacker and I create a website, and I create a button on that website to send a request to Facebook, for example. Let's assume that you're logged into Facebook in your browser, and I placed a button on my website to send a request to Facebook, and you clicked on it. Now, Facebook receives this request through my website, via my website, via my server, so that I can see the request and I can see the responses and I can get something out of it, right? I can see the response, or I can get your authorization key. So it's not good. It has to take this into consideration, and it has to block whatever it has to block, or it may just display a message saying that, yeah, it's not the origin that I'm expecting, but it has to follow up on that.

So I'm gonna go to Postman and just try a username and password, like atil, atil123. You can try whatever you want.
And as you can see, once I send this request, it's created and I have my ID over here. Now, if I go to log in, in the headers I have to have my authorization token, because it's already created for me in the tests of this Create User API. Now I'm gonna go and just send this, okay? Without any body. And here you go, now I'm logged in, because I have sent that authorization token.

Now, so far so good. I have created the user, I have logged in. If I come over here, okay, if I send this request, then I will get another authorization key like that. Here you go. Now the username is this, the password is this, and I have an authorization key. Now I can use this authorization key to further do something inside of that website or inside of that API.

Great, so far, so good. Nothing seems to be broken, and I believe we can even log out from this one and just log back in whenever we need to. So let's try the user logout functionality. Okay, for the last thing, I'm just gonna log out. Here we go, I'm logged out. Let's try that.
If I logged out, I shouldn't get the key, right? Here we go. If I send a request without logging in, I'm not getting the key. I have to log in, then I can just get the key. So this API actually works well, but I'm gonna turn the intercept on before getting the key. Okay, I'm logged in right now. I'm logged in. I will try to send this request, the get key request, and catch it in Burp Suite. Why am I doing that? Because I will see, if I send this to Repeater, if I send this, then it will give me the key, right? Because I'm logged in, the API knows I'm logged in, I'm sending this cookie, PHPSESSID, so that it knows me, it knows that I'm logged in. It will give me back my key.

So I'm gonna send it, here you go. I get the key, but what happens if I change the origin? I'm not gonna create a website in order to do that. I'm just going to simulate it, okay? In order to simulate it, I believe we can change some headers inside of the request. So I'm gonna search for the Origin header. Okay. Yeah, here you go.
Cross-origin resource sharing, CORS. So if we take a look at that, yeah, here you go. There is a portswigger.net tutorial over here, and that's it. As you can see, we can add the Origin header whenever we need to. Great, so this will become like this. So I'm gonna add the Origin header from here, and I'm just gonna change it to something random, like my own website, okay? So right now, this request is coming from my website, but the user has already been logged in, because I'm just sending the cookie of that particular user. And here you go. Now we got the flag.

So what happened? As you can see, the request came from another website, like a hacker's website, and we still got the key. Okay, so a hacker can easily steal our information, steal our key, using that particular vulnerability. Of course, we didn't create a website from scratch. We just simulated it by adding the Origin header over here in the request, but that's about it.

Great, so far, so good. Now I'm gonna stop here and continue within the next lecture for the next challenge.