Finding Your First Bug: Reading JSON and XML for Information Disclosure

  • Published 29 Sep 2024
  • In this video we cover how to read JSON and XML specifically to find information disclosure vulnerabilities. We cover how to approach a target when a URL returns JSON or XML, how to know if you've found an info disclosure - and how to exploit it! I want to really demystify JSON/XML and make you feel more at ease with how JSON/XML works and how you can read it. We also cover other vulnerabilities that might exist when a URL returns JSON or XML.
    Did you know this episode was sponsored by Intigriti? Sign up with my link go.intigriti.co... I'm so pleased with everyone's positive response to the Intigriti sponsorship and I'm so pleased you folks are finding bugs and even finding your first bugs! Thank you for being awesome!
    Further reading:
    - JSON Formatter: jsonformatter.org
    - JSON serialization of any Project model results in all Runner tokens being exposed through Quick Actions: hackerone.com/...
    - An invite-only's program submission state is accessible to users no longer part of the program: hackerone.com/...
    - latest_activity_id and latest_activity_at may disclose information about internal activities to unauthorized users: hackerone.com/...
    - Team member with Program permission only can escalate to Admin permission: hackerone.com/...
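The description above is about reading a JSON or XML response and recognising when a field should not have been returned to you (runner tokens, activity timestamps, other users' data). The script below is an added example, not code from the video or its author: it flattens a parsed JSON or XML body into path/value pairs and flags leaves whose key name or value shape suggests disclosed secrets or personal data, which is the same triage an API owner would run over their own responses. The sample responses, the key-name list and the value patterns are constructed heuristics for illustration, not a complete or authoritative list.

```python
"""Flatten a JSON or XML API response and flag fields that look like
information disclosure. Added example; sample data and patterns are
constructed heuristics, not taken from the video."""
import json
import re
import xml.etree.ElementTree as ET

# Key names that commonly carry secrets or personal data (constructed list,
# inspired by the HackerOne reports linked in the description).
SENSITIVE_KEY = re.compile(
    r"(token|secret|password|passwd|api_?key|private|email|phone|"
    r"internal|latest_activity)",
    re.IGNORECASE,
)
# Values that look like credentials or identities even under a harmless key:
# long opaque strings, e-mail addresses, or a three-part JWT-shaped string.
SENSITIVE_VALUE = re.compile(
    r"^(?:[A-Za-z0-9_-]{32,}"
    r"|[\w.+-]+@[\w-]+\.[\w.]+"
    r"|eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*)$"
)

# Constructed sample responses; the token and key values are placeholders.
SAMPLE_JSON = json.dumps({
    "project": {"id": 42, "name": "demo"},
    "owner": {"display_name": "alice", "email": "alice@example.com"},
    "runners": [{"id": 7, "token": "ct_EXAMPLE_0123456789abcdef0123456789"}],
    "latest_activity_at": "2024-09-29T10:00:00Z",
    "session": "eyJhbGciOi.eyJzdWIiOjE.abc",
})
SAMPLE_XML = (
    '<project id="42"><owner email="bob@example.com"/>'
    "<note>public</note><api_key>k_EXAMPLE</api_key></project>"
)


def flatten_json(node, path=""):
    """Yield (dotted_path, scalar_value) for every leaf of a parsed JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from flatten_json(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from flatten_json(value, f"{path}[{i}]")
    else:
        yield path, node


def flatten_xml(element, path=""):
    """Yield (slash_path, value) for each attribute and each leaf element's text."""
    here = f"{path}/{element.tag}" if path else element.tag
    for name, value in element.attrib.items():
        yield f"{here}@{name}", value
    text = (element.text or "").strip()
    if text and len(element) == 0:  # leaf element with text content
        yield here, text
    for child in element:
        yield from flatten_xml(child, here)


def triage(body, content_type):
    """Return (path, value, reason) triples that deserve a second look."""
    if "json" in content_type:
        leaves = flatten_json(json.loads(body))
    elif "xml" in content_type:
        leaves = flatten_xml(ET.fromstring(body))
    else:
        raise ValueError(f"unsupported content type: {content_type}")
    findings = []
    for path, value in leaves:
        # Last path component without any list index, e.g. "runners[0].token" -> "token".
        last = re.split(r"[./@]", path)[-1].split("[")[0]
        if SENSITIVE_KEY.search(last):
            findings.append((path, value, "key name"))
        elif isinstance(value, str) and SENSITIVE_VALUE.match(value):
            findings.append((path, value, "value shape"))
    return findings


if __name__ == "__main__":
    for body, ctype in ((SAMPLE_JSON, "application/json"), (SAMPLE_XML, "application/xml")):
        for path, value, reason in triage(body, ctype):
            print(f"{ctype}: {path} = {value!r} ({reason})")
```

A flagged field is only a lead: the next step is the one the video describes, checking whether the field is returned to a user who should not see it (a removed member, an unauthenticated caller, a lower-privilege role), because a token in your own project's response is expected while the same token in someone else's is the bug.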

Comments • 48

  • @helalsadat2077
    @helalsadat2077 3 months ago

    By Learning From You, You Will See One Day i Will Tag You in a Tweet, thank you very much i am learning a lot about API hacking From your videos and Corey J Ball's Book, Lot Of Love and Respect, God Bless You

  • @dhruvkandpal9909
    @dhruvkandpal9909 4 years ago +2

    We need a video on XXE! Excellent explanation ma'am!

  • @davidt01
    @davidt01 4 years ago +2

    Voting for XXE video.

    • @InsiderPhD
      @InsiderPhD 4 years ago +1

      Your vote has been noted!

    • @davidt01
      @davidt01 4 years ago

      @@InsiderPhD Hey, I have a question. So what if I can change the content type to application/xml, and it accepts it, but when I try a blind xxe to get a url, the request originates from my ip address. I got it to send a request, but instead of server side, it's from my ip address. Does that mean it's not vulnerable? I've tried other payloads but they don't work.

  • @danielmaina4817
    @danielmaina4817 4 years ago +3

    JSON... just what I needed

  • @cardzzz6585
    @cardzzz6585 4 years ago +2

    Hey Katie! Thanks for this video! This is not a very popular topic so I really appreciate it!!!!

    • @InsiderPhD
      @InsiderPhD 4 years ago

      You're welcome! I think a lot of people get intimidated by seeing JSON/XML and don't really know what to do, so I wanted to make this so people can really get into API hacking with me! Especially with future videos covering APIs!

    • @cardzzz6585
      @cardzzz6585 4 years ago

      InsiderPhD totally!! I know with me, APIs are really intimidating and it's definitely a weak point in my websec knowledge! So these videos are a great help

  • @shrirangkahale
    @shrirangkahale 4 years ago +1

    Note: GDPR applies to all programs that have European Users..

  • @Abhi-kp1fs
    @Abhi-kp1fs 4 years ago +1

    Thanks a lot, this was really helpful!

  • @nathangriffiths8809
    @nathangriffiths8809 4 years ago +1

    Very informative video Katie, you answered a lot of the questions rattling around in my head. I hope you don't mind me saying, you are getting a real pro at these videos now. Congrats!

    • @InsiderPhD
      @InsiderPhD 4 years ago +1

      😊😊😊😊😊😊 thank you I’m really trying to improve everything I can

  • @hackersguild8445
    @hackersguild8445 4 years ago

    Thanks for sharing. That's really some cool information in the video. :)

  • @1980cantrell
    @1980cantrell 10 months ago

    Love your videos .... please do NOT stop..... ❤🎉🎉🎉🎉🎉🎉🎉🎉

  • @DeLFeTube
    @DeLFeTube 2 years ago

    Another great video! Yes - please create an XXE video :)

  • @sankarghosh172
    @sankarghosh172 3 years ago

    11:22 It is a GraphQL response with JSON data ....

  • @BlokeBritish
    @BlokeBritish 3 years ago

    Crocodile Brackets !! haha subscribed

  • @MrPaddy35
    @MrPaddy35 4 years ago

    you are definitely right, if there is lots of JSON, I mostly think it's system things and just ignore it

  • @rianislam8155
    @rianislam8155 4 years ago

    those are really helpful for the newcomers...thanks for this

  • @holybugx
    @holybugx 4 years ago

    Nice Video, Thanks

  • @davidg9469
    @davidg9469 4 years ago

    Hi! I'd like your opinion on the platform INE Training, I don't know if it's worth it. Have you used it? Have you known anybody who has? They're quite expensive. Cheers mate!

    • @InsiderPhD
      @InsiderPhD 4 years ago +1

      I’m not familiar with it! The only platform I do have experience with is Pentesterlab and I do recommend that one with a *. I’ll ask around and see!

    • @davidg9469
      @davidg9469 4 years ago

      @@InsiderPhD on the 20th of this month, they'll be having a seminar about their new Cyber Security course, I'll stay tuned. Thanks for your help.

  • @mi2has
    @mi2has 4 years ago

    Yes make video on XXE

  • @zoroatokpas8761
    @zoroatokpas8761 4 years ago

    There is always one question on my mind: what is the difference between an API endpoint and a directory, are they the same? Dumb question I guess, I cannot think of differences :(

    • @InsiderPhD
      @InsiderPhD 4 years ago +2

      No stupid questions here!
      An endpoint is like a URL that does something so TH-cam.com/watch?v=whatever resolves into a video but TH-cam.com/watch doesn’t do anything so that’s not an endpoint
      A directory actually stores stuff, so think the files for the videos TH-cam, but you usually need a direct link unless you can see into the folder.
      Hope that helps!

    • @zoroatokpas8761
      @zoroatokpas8761 4 years ago

      @@InsiderPhD Haha thank you!! This cleared it up for me!! Your video motivates me to learn more and more!!

  • @ViralComparison
    @ViralComparison 2 years ago

    Thanks😄

  • @gopalethical
    @gopalethical 3 years ago

    Nice voice

  • @0xx039
    @0xx039 4 years ago

    Is JSON really intimidating? I love to see JSON responses

    • @InsiderPhD
      @InsiderPhD 4 years ago +1

      I did a poll and some of the discussions revolved around feeling intimidated by APIs and JSON, I wanted to get a video out there just in case, esp as I'm doing a ton of videos on API hacking!

  • @imaadfaki5585
    @imaadfaki5585 4 years ago

    Is that JSON from your university API from previous videos?

    • @InsiderPhD
      @InsiderPhD 4 years ago +2

      Yup! I worked hard on that damn thing so I’m going to expand it! It has a few new vulns for a blind XSS now :D!

    • @InsiderPhD
      @InsiderPhD 4 years ago +1

      Send me a @ on twitter for your prize :)

    • @imaadfaki5585
      @imaadfaki5585 4 years ago

      @@InsiderPhD it's @yaboi_kryp2o

  • @himalrawal7511
    @himalrawal7511 3 years ago

    How to see JSON data in a real-world application?

    • @InsiderPhD
      @InsiderPhD 3 years ago

      You see it a lot in mobile apps, but keep an eye out for apps that automatically refresh like Yahoo Mail or apps with a lot of client activity. APIs are great places to find JSON

    • @SyedImran-qf1eh
      @SyedImran-qf1eh 1 year ago

      Hello Mam,
      I have seen your videos but I don't have a laptop. How can I do this through a mobile phone?
      Can you please help me.

  • @Star-mi5ix
    @Star-mi5ix 4 years ago

    Do you need to go to college to do bug bounty?

    • @InsiderPhD
      @InsiderPhD 4 years ago +1

      No, but I think university is useful for other reasons, to meet people, be exposed to lots of different careers and to broaden your horizons!

    • @Star-mi5ix
      @Star-mi5ix 4 years ago

      InsiderPhD thank you, I'm doing a course & I was worried if I needed to go to school too & had wasted my time

  • @faique2995
    @faique2995 4 years ago

    😍😍😍

  • @ca7986
    @ca7986 4 years ago

    ❤️

  • @shrirangkahale
    @shrirangkahale 4 years ago

    3rd!!

    • @InsiderPhD
      @InsiderPhD 4 years ago +1

      You'll get first soon ;)

  • @ismailramzan8927
    @ismailramzan8927 4 years ago

    Thanks 😊