API Recon with Kiterunner - Hacker Toolbox
ฝัง
- เผยแพร่เมื่อ 29 มิ.ย. 2024
- Kiterunner is a brand new tool for API Recon which launched last week, and it's INCREDIBLE. I was so impressed when testing it out that I had to share it because this will be a game-changer for API recon, seriously. As in, this tool was able to find domain-specific API endpoints, where every tool has failed.
Did you know this episode was sponsored by Intigriti? Sign up with my link go.intigriti.com/katie I'm so pleased with everyone's positive response to the Intigriti sponsorship and I'm so pleased you folks are finding bugs and even finding your first bugs! Thank you for being awesome!
- Links -
- Kiterunner Introduction: blog.assetnote.io/2021/04/05/...
- Assetnote Wordlists: wordlists.assetnote.io
- Kiterunner GitHub: github.com/assetnote/kiterunner
- Slides from BSides Canberra: drive.google.com/file/d/1PDc2...
- Install Go: golang.org/doc/install
- Install Brew: brew.sh
- Commands -
- Windows Instructions: go build -o dist/kr.exe ./cmd/kiterunner
- Standard scan: kr scan 127.0.0.1:8000/ -w ~/Downloads/routes-large.kite
- Standard fuzzer: kr brute 192.168.1.2:8000/ -A=apiroutes-210228
- Multiple Targets: kr scan source.txt -w ~/Downloads/routes-large.kite
- Repeat a request: kr kb replay -w ~/Downloads/routes-large.kite "GET 404 [ 7620, 1867, 167] 127.0.0.1:8000/api/api/secure/acclandingpage/shoppers/60974302/orders/18350 0cf6832438c001b0aeeed5bc5a70f536908b08e7"
- Add a filter: kr scan 127.0.0.1:8000 -w ~/Downloads/routes-large.kite -A=apiroutes-210328:20000 --fail-status-codes 400,401,404,403,501,502,426,411
- Plain text format: kr scan 127.0.0.1:8000/api -w ~/Downloads/routes-large.kite -o text
- Social Media -
Discord: insiderphd.dev/discord
Patreon: / insiderphd
Twitter: / insiderphd
- Patreon Shoutouts -
David Kupratis
Bruna Simonian
Sean Doody
Forrest Held
Patreon
Wardell Castles
Gynvael
Ram
James Clee
00:00 - Introduction & Intigriti Sponsorship
02:00 - What makes Kiterunner special
10:55 - Installing Kiterunner
16:05 - Getting started, basic commands
22:33 - Adding extras
31:11 - Outro and Patreon shoutouts - บันเทิง
That was so excellent! Thank you so much.
I've marked this video to watch again in the future, and I actually am using Kiterunner as I'm watching this video.
I do wish you a speedy recovery, and congrats on the Bug Crowd position!
Thank you for explaining each aspect of the tool clearly. It was really helpful! :)
Thanks for the video! I am already using it!
Thank you, using it first time tonight
Thanks for the great content !
Love from india .great content thanks
Thank You so much :)
Very good Dr
Our Queen 👸👸😍
So nice!
Amazing video indeed..
thank you !
you deserve 10000000000000000 likes Katie
i’m one of them 🤪
Lot of love for u
Hi Katie, thanks for the informative video, do you have a step by step installation of the tool on linux, I am kind of a beginner and really struggling to get it up and running.
Hi dhidhi ! Is it necessary to shift from burpsuite community to professional version? Cant we find bugs with community version .
thank you
Thank you @kati would you do some web application testing, how do you approach a real target.
wow so great
thank u
Hey katie,
I am unable to print any output out on the terminal. It keeps running and outputs no results found.
A great idea with marking when doing presentation, but I really recommend you buying a cheap graphics tablet. I'm sure It'll be easier to underline and draw arrows : P
I knowwwww I use my iPad but it doesn’t play nice with the two screens I use. I might have to check out alternatives
FTL failed to read from stdin error="failed to open file: open routes.json: no such file or directory" Downloaded and extracted this files same problem
Hi dhidhi ! There is a thing people mostly discussing now a days . Do really AI replace cyber security ? For security Enthusiast like me we always look for future do this field goes green ?
No! Don’t worry about AI! I did a talk at bugcrowd level up it’s in my playlist of talks on AI and why you don’t need to worry!
@@InsiderPhD this why I love dude
It seems that the kiterunner project has been abandoned. Do you know if it has been forked or if there are any similar (but more recently updated) tools? If not, I really need to learn golang and patch the tool up myself. And figure out how to keep the api definitions up to date...
Yeah :( this is an older video, you can download the larger wordlists, but I’ve not seen anything similar, the most I’ve seen is some work looking at swagger files and extracting a wordlist from thousands of them
It does not work on windows, I type in the command in cmd but returns errors.
This is why they say it's good to get familiar with Linux, not a must per say but very much a great thing to have....Linux familiarity
what command do you usally use?
Katie, you MUST learn VIM. I promise it's worth it.
Good job InsiderPhD, Since you're from England, do you know The Beatles?
Of course :D
is this vlog still valid? It seems like Kiterunner support was discontinued
Can anybody explain the difference between scan and brute mode?, please
Scan uses some guessing to get likely endpoints it produces less noise
Can it do parameters fuzzing like fluff ?. Where we can place POST body data like password=FUZZ&username=FUZZ ?
Yup! You can use FUZZ anywhere in a request
@@InsiderPhD i cannot find that option in their docs :-(, i must’ve missed something ...
I love your accent. Where is it from ?
I’m from a place near London :)
All of the content on 1 side nd another side your channel name insider phd??? What does it actually mean??🤨🤨Can i get the answer???
I have a PhD and my PhD was in Insider Threats so InsiderPhD.
love ur accent 😍 please make an English learning channel also.😂
First
👏👏👏