1
00:00:00,480 --> 00:00:02,370
- Hi. Within this lecture

2
00:00:02,370 --> 00:00:04,803
we are gonna take a look at the API9.

3
00:00:05,910 --> 00:00:10,740
So, over here it says that Improper assets management.

4
00:00:10,740 --> 00:00:15,060
Okay, so over here we got another hint.

5
00:00:15,060 --> 00:00:16,320
It says that good news

6
00:00:16,320 --> 00:00:21,320
we just launched our v2 second version of our API

7
00:00:21,720 --> 00:00:25,320
and for the second version we have a POST request

8
00:00:25,320 --> 00:00:27,300
in order to log in.

9
00:00:27,300 --> 00:00:28,950
Okay, and that's about it.

10
00:00:28,950 --> 00:00:31,110
We don't have anything else, I believe.

11
00:00:31,110 --> 00:00:33,210
No, we have a GET request

12
00:00:33,210 --> 00:00:36,660
about API 10, not API 9.

13
00:00:36,660 --> 00:00:40,650
So, for API9 we only have one endpoint

14
00:00:40,650 --> 00:00:43,410
which is a POST request, which is to log in.

15
00:00:43,410 --> 00:00:45,480
So, let's take a look at what

16
00:00:45,480 --> 00:00:48,060
is Improper assets management.

17
00:00:48,060 --> 00:00:51,210
So, if I just Google it out.

18
00:00:51,210 --> 00:00:53,430
I can find the meaning of it

19
00:00:53,430 --> 00:00:55,350
and I can find the vulnerabilities

20
00:00:55,350 --> 00:00:58,200
and some possible exploits as well.

21
00:00:58,200 --> 00:01:00,300
As you can see, it says that attackers

22
00:01:00,300 --> 00:01:03,960
find non-production versions of the API.

23
00:01:03,960 --> 00:01:06,810
Great. So for example staging, testing, beta

24
00:01:06,810 --> 00:01:08,370
or early versions.

25
00:01:08,370 --> 00:01:10,440
So, this is a very common one.

26
00:01:10,440 --> 00:01:12,060
So, it says that, yeah,

27
00:01:12,060 --> 00:01:14,370
we moved on to the version two

28
00:01:14,370 --> 00:01:17,430
but maybe version one is still in progress

29
00:01:17,430 --> 00:01:20,640
or is still functioning, right?

30
00:01:20,640 --> 00:01:23,340
So, let's come over here to Buddy.

31
00:01:23,340 --> 00:01:26,910
As you can see, I can send some requests

32
00:01:26,910 --> 00:01:28,800
okay, the Richard Branson

33
00:01:28,800 --> 00:01:31,980
and the pin is given to me by default.

34
00:01:31,980 --> 00:01:34,950
So, I'm just gonna change them like test

35
00:01:34,950 --> 00:01:36,630
and test 1, 2, 3, I don't know

36
00:01:36,630 --> 00:01:39,570
maybe it's a real pin number with four digits.

37
00:01:39,570 --> 00:01:40,950
I don't know about it.

38
00:01:40,950 --> 00:01:44,640
But if I do that, if I just send a request to v2

39
00:01:44,640 --> 00:01:46,320
as you can see, I cannot log in

40
00:01:46,320 --> 00:01:47,970
because I don't know the username

41
00:01:47,970 --> 00:01:51,480
and the password or the pin number, right?

42
00:01:51,480 --> 00:01:53,760
So, the thing over here is that

43
00:01:53,760 --> 00:01:57,990
we are sending this to v2.

44
00:01:57,990 --> 00:01:59,970
Maybe, there is a v1 as well.

45
00:01:59,970 --> 00:02:01,740
Let's find out about it.

46
00:02:01,740 --> 00:02:04,680
So, I'm gonna turn the intercept on as usual

47
00:02:04,680 --> 00:02:08,040
and I'm gonna send this request to Burp Suite.

48
00:02:08,040 --> 00:02:10,906
I'm gonna come over here and

49
00:02:10,906 --> 00:02:12,930
I'm gonna send this to Intruder

50
00:02:12,930 --> 00:02:15,960
since we don't have any kind of usernames

51
00:02:15,960 --> 00:02:20,280
and passwords, I'm just gonna clear everything over here.

52
00:02:20,280 --> 00:02:22,260
I'm going to add the username

53
00:02:22,260 --> 00:02:24,060
and add the password as well

54
00:02:24,060 --> 00:02:26,160
or the pin number as well.

55
00:02:26,160 --> 00:02:28,260
I'm assuming that we have something

56
00:02:28,260 --> 00:02:30,150
like a SQL injection again.

57
00:02:30,150 --> 00:02:32,790
So, I'm going to use the previous list

58
00:02:32,790 --> 00:02:36,750
that we have been using or previous payload, okay

59
00:02:36,750 --> 00:02:38,700
that worked for this.

60
00:02:38,700 --> 00:02:43,500
So, since we don't have any kind of other usernames

61
00:02:43,500 --> 00:02:46,140
and passwords, I'm just gonna take the whole list

62
00:02:46,140 --> 00:02:49,410
and put it over here and try it from scratch.

63
00:02:49,410 --> 00:02:51,540
I didn't think of anything else.

64
00:02:51,540 --> 00:02:53,640
And by the way, I'm just gonna change this

65
00:02:53,640 --> 00:02:56,340
to battering ram as we did in the previous lecture.

66
00:02:56,340 --> 00:02:58,980
And I'm gonna deselect this URL-encode

67
00:02:58,980 --> 00:03:02,640
these characters and start the attack.

68
00:03:02,640 --> 00:03:05,580
I don't know whether this has the SQL injection

69
00:03:05,580 --> 00:03:09,990
or not but I do know, as you can see

70
00:03:09,990 --> 00:03:13,740
after the fifth trial it gave me a 500.

71
00:03:13,740 --> 00:03:16,770
It says that rate limit exceeded.

72
00:03:16,770 --> 00:03:21,690
Okay, so there is a rate limit with five trials

73
00:03:21,690 --> 00:03:24,510
and this is doing the right thing

74
00:03:24,510 --> 00:03:27,990
because after the fifth trial, it gave me an error

75
00:03:27,990 --> 00:03:31,800
or the status changed from 200 to 500

76
00:03:31,800 --> 00:03:35,250
which means that we are not getting any response now.

77
00:03:35,250 --> 00:03:38,190
So, the API is working in a correct way

78
00:03:38,190 --> 00:03:39,990
it doesn't let me brute force,

79
00:03:39,990 --> 00:03:42,480
it doesn't let me try everything.

80
00:03:42,480 --> 00:03:44,093
But what happens?

81
00:03:44,093 --> 00:03:49,093
What happens if I change this version two to version one?

82
00:03:49,140 --> 00:03:51,003
Maybe it's still functioning.

83
00:03:51,900 --> 00:03:53,940
And by the way, over here when I look at this

84
00:03:53,940 --> 00:03:56,880
maybe the username is actually Richard Branson

85
00:03:56,880 --> 00:03:58,650
and maybe it's asking for us

86
00:03:58,650 --> 00:04:02,280
to try all the pin numbers, four digit numbers starting

87
00:04:02,280 --> 00:04:06,270
from 1000 ending in 9999.

88
00:04:06,270 --> 00:04:09,420
But we did that before and it takes a lot of time.

89
00:04:09,420 --> 00:04:11,220
The point over here is that

90
00:04:11,220 --> 00:04:13,470
it has a rate limit, right?

91
00:04:13,470 --> 00:04:18,300
We cannot even try more than five alternatives.

92
00:04:18,300 --> 00:04:21,000
It blocks us on the sixth one.

93
00:04:21,000 --> 00:04:22,710
So, it doesn't even matter

94
00:04:22,710 --> 00:04:25,350
if it has a SQL injection vulnerability

95
00:04:25,350 --> 00:04:29,160
or pin number vulnerability brute force thingies.

96
00:04:29,160 --> 00:04:32,760
Because, if we cannot do brute force it doesn't matter

97
00:04:32,760 --> 00:04:35,820
what happens when I change it to v1.

98
00:04:35,820 --> 00:04:37,140
Let's try that.

99
00:04:37,140 --> 00:04:40,170
I changed the version to v1

100
00:04:40,170 --> 00:04:42,990
and I don't know whether this v1 exists

101
00:04:42,990 --> 00:04:44,580
or not at this point.

102
00:04:44,580 --> 00:04:47,820
Okay? I just assume since there is a v2

103
00:04:47,820 --> 00:04:49,860
there should be a v1 as well.

104
00:04:49,860 --> 00:04:51,540
And here you go.

105
00:04:51,540 --> 00:04:56,220
As you can see, I'm getting all 200's right now.

106
00:04:56,220 --> 00:05:00,090
If I go to the response, I'm not logged in, okay?

107
00:05:00,090 --> 00:05:02,940
I don't know whether I'm even ever going

108
00:05:02,940 --> 00:05:05,610
to be logged in or not because I don't know

109
00:05:05,610 --> 00:05:08,700
if this has a SQL injection vulnerability.

110
00:05:08,700 --> 00:05:11,340
But what I do know is that

111
00:05:11,340 --> 00:05:16,080
I got to bypass this rate limit.

112
00:05:16,080 --> 00:05:18,690
Right now I'm not getting 500's.

113
00:05:18,690 --> 00:05:23,120
I'm still getting a response and it means that

114
00:05:23,120 --> 00:05:27,600
it has the improper asset management vulnerability.

115
00:05:27,600 --> 00:05:30,480
They upgraded the API to v2

116
00:05:30,480 --> 00:05:34,650
and they had implemented the rate limiting

117
00:05:34,650 --> 00:05:37,740
but they forgot to close down the version one

118
00:05:37,740 --> 00:05:40,200
or maybe they didn't forget but,

119
00:05:40,200 --> 00:05:43,380
they just left it open for some test purposes,

120
00:05:43,380 --> 00:05:46,080
for some development purposes, okay.

121
00:05:46,080 --> 00:05:48,210
Maybe they thought that, yeah

122
00:05:48,210 --> 00:05:50,970
nobody knows about this version one

123
00:05:50,970 --> 00:05:53,610
but as you can see a hacker can try it

124
00:05:53,610 --> 00:05:57,090
and find out about the versions and then just try

125
00:05:57,090 --> 00:06:00,300
to do what they're supposed to do to hack in.

126
00:06:00,300 --> 00:06:03,660
And we have seen many hacks in the previous years

127
00:06:03,660 --> 00:06:08,280
using that kind of improper asset management vulnerability.

128
00:06:08,280 --> 00:06:11,190
Great, so I'm going to wait until this is finished.

129
00:06:11,190 --> 00:06:15,000
I don't even know if this is going to work or not

130
00:06:15,000 --> 00:06:18,060
but we have bypassed the rate limit.

131
00:06:18,060 --> 00:06:19,563
That's what counts.

132
00:06:23,340 --> 00:06:26,460
Here we go, right now this is finished

133
00:06:26,460 --> 00:06:30,360
and as far as I can see, we all get 200's

134
00:06:30,360 --> 00:06:33,030
but I didn't get a response back

135
00:06:33,030 --> 00:06:35,730
like I didn't get a success response back.

136
00:06:35,730 --> 00:06:38,940
I don't know whether this has a SQL injection.

137
00:06:38,940 --> 00:06:41,730
Maybe as we have talked about before

138
00:06:41,730 --> 00:06:45,030
maybe the username is actually the Richard Branson.

139
00:06:45,030 --> 00:06:48,660
Okay? And we are supposed to try starting

140
00:06:48,660 --> 00:06:53,580
from 1000 all ending in 9999.

141
00:06:53,580 --> 00:06:55,860
Maybe that's the case but it's gonna take

142
00:06:55,860 --> 00:06:57,900
so much time, right?

143
00:06:57,900 --> 00:07:00,450
It's gonna take hours and hours

144
00:07:00,450 --> 00:07:03,363
with the community version of the Burp Suite.

145
00:07:04,470 --> 00:07:08,040
So, you may actually try it yourself.

146
00:07:08,040 --> 00:07:09,750
Okay? You can just come over here

147
00:07:09,750 --> 00:07:12,360
and change this simple list to numbers

148
00:07:12,360 --> 00:07:17,057
and start from 1000 ending in 9999 step size 1

149
00:07:19,860 --> 00:07:20,790
and here we go,

150
00:07:20,790 --> 00:07:24,780
you're gonna try like 9,000 thingies.

151
00:07:24,780 --> 00:07:26,520
And of course you're gonna have

152
00:07:26,520 --> 00:07:30,420
to change the username to something like Richard Branson.

153
00:07:30,420 --> 00:07:32,760
And for the pin you may want to start

154
00:07:32,760 --> 00:07:34,920
with something like that.

155
00:07:34,920 --> 00:07:38,550
Okay? And obviously you can go

156
00:07:38,550 --> 00:07:41,070
for the attack type sniper.

157
00:07:41,070 --> 00:07:43,590
So, let me copy and paste the username

158
00:07:43,590 --> 00:07:45,660
so that we won't forget about it

159
00:07:45,660 --> 00:07:46,493
and here you go.

160
00:07:46,493 --> 00:07:48,990
Maybe you may want to try this yourself

161
00:07:48,990 --> 00:07:51,270
but I'm not even going to bother with it

162
00:07:51,270 --> 00:07:54,570
because it's gonna take so much time

163
00:07:54,570 --> 00:07:56,910
with the 9000 requests.

164
00:07:56,910 --> 00:08:00,090
The idea over here is that we managed

165
00:08:00,090 --> 00:08:01,680
to bypass the rate limiting.

166
00:08:01,680 --> 00:08:04,163
As you can see we're still getting 200's.

167
00:08:06,750 --> 00:08:08,760
Great, now the idea over here

168
00:08:08,760 --> 00:08:13,080
if you find a test version or like a version

169
00:08:13,080 --> 00:08:17,010
that has not been maintained for a long time

170
00:08:17,010 --> 00:08:18,570
there is still a chance that

171
00:08:18,570 --> 00:08:20,550
you may not find a vulnerability

172
00:08:20,550 --> 00:08:23,310
and actually there is a higher chance that

173
00:08:23,310 --> 00:08:26,430
you may find a vulnerability in a version like that.

174
00:08:26,430 --> 00:08:30,300
So, it doesn't hurt to try with different versions.

175
00:08:30,300 --> 00:08:32,790
Okay, pentest with different versions

176
00:08:32,790 --> 00:08:36,450
and actually aim for those versions.

177
00:08:36,450 --> 00:08:39,420
I know many cases where senior developers

178
00:08:39,420 --> 00:08:42,510
just wanted to keep the APIs open,

179
00:08:42,510 --> 00:08:46,800
the previous APIs open just for having a backup.

180
00:08:46,800 --> 00:08:49,860
Like if they want to check something else

181
00:08:49,860 --> 00:08:52,290
they can come back and look at it.

182
00:08:52,290 --> 00:08:55,560
They said that, yeah, just leave the things open.

183
00:08:55,560 --> 00:08:57,600
We are gonna figure it out later on.

184
00:08:57,600 --> 00:09:01,350
But then it caused some serious vulnerability

185
00:09:01,350 --> 00:09:06,240
in the API, serious vulnerability in the platforms.

186
00:09:06,240 --> 00:09:10,380
Great, now we have completed nine challenges.

187
00:09:10,380 --> 00:09:12,213
Now it's time for the last one.