I stumbled with your videos while searching for how to start with API hacking, I found you and all I can say your videos are GOLD!!! Thank you so much for sharing your time and knowledge with the Community.
Ok this was.....BY FAR the BEST video I've seen on YT, for "Introduction to APIs", "API Basics", & "API Recon & Pentesting"! It was extremely useful & clear/concise information that thoroughly explained all subject matter at hand. TY soo much!!!! I'm super happy I found your channel!
I spent all my day with this video it's really great I tried hunting all day I didn't hunt :) anything but I'm happy because I collect a lot of knowledge thanks for your tips
You are an amazing teacher Katie!! One can just watch your videos and start a career in Bug bounty hunting. Keep posting more videos. I love your content. You have helped me a lot. Thanks for everything.
Wanted to point out a small mistake. At 5:02 you said name is menu and value is curly braces. Actually value for that menu is an object starting with a curly braces. Thanks for all your effort. You are doing great.
Been bouncing around the channels not in order XD but I have to say i love this video and the way you taught it, they keep gettin better and better from what ive seen and super nice to take notes and follow along! Thanks again for the free knowledge !
The primary attack is using it to bypass any client-side WAF filters, but you should have a look at XSS write ups with APIs, I added one in the description but there are many others
Really informative video, thanks!!!!!! I have a doubt when I saw zomato api , it showed a list of many GET method , like GET restaurant name, GET location name etc , so should I type the resto name and city name and try to capture the request using burp and run the response. Is this the method like what you are trying to explain?????
Try to watch my finding your first bug series in order, but you do need to know a little about how the internet works first! Let me know what you’re struggling with specifically and I’ll try to make more videos on it
I don't provide my slides simply because I am not comfortable with other people presenting my work, I will see what I can in maybe sorting out some written notes in the future.
@rl1k Doe It's less because I don't want people to take credit for my work, but because I want to make sure that if my name is attached to something that it's presented correctly with all the facts!
can websites restrict you to use burpsuit to intercept the requests. I am dealing with a website which is restricting me to use it there and its making it really hard to enumerate the good stuff. any help?
Hello is it possible that you can make some video about APIs and perform security tests on PostMan and script? Excellent work I've learned a lot from you.
Now in the description - Information Disclosure: User Information Disclosure via the REST API - /?_method=GET - hackerone.com/reports/384782 - Authorisation Issues: Wordpress.com REST API oauth bypass via Cross Site Flashing - hackerone.com/reports/176308 - Business Logic Errors: Items bought for free due to lacks of quantity controls - hackerone.com/reports/357929 - IDORs: IDOR and statistics leakage in Orders - hackerone.com/reports/544329 - XSS: Stored XSS in blog comments through Shopify API - hackerone.com/reports/192210
I would love to see a sample of your spreadsheet. Would you be willing to share or post link below your video? Great video!! Great content! Thanks for taking the time! A final slide would be great at the end of the video while you are doing final comments as the screen going black, which is a little freaky.
Link to the spreadsheet :) docs.google.com/spreadsheets/d/1IJvTH6QpTlxWdy4Ss6I0G_f4csCYwBdgE88ya7XijnI/edit?usp=sharing will take your feedback into account for next time!
Next up: Q and A - midweek next week RCE bug in focus - 18th Jan CSRF finding your first bug - 25th Jan I often post in the channel community tab or on twitter when I know what my next video will be!
I’m really sorry I actually have midrolls turned off completely but TH-cam will actually add them back into the videos anyway! Feel free to use an adblocker it’s very annoying
Keep an eye out for web apps which have mobile app counterparts, often they both use the same API, another option is to take a look at mobile apps (video coming soon!), but in the meantime, you can check out Spaceraccoon's recent iOS blog spaceraccoon.dev/low-hanging-apples-hunting-credentials-and-secrets-in-ios-apps or using Genymotion to set up an Android emulator
Mate I did both h101 graphql labs. I gotta say, I understood f*ck all from that. Did both on my own, never interacted with graphql before that, had blackhat graphql open in a separate tab, just scrolled for something that looked similar to the task. I guess learning hands-on isn't for me
Now in the description - Information Disclosure: User Information Disclosure via the REST API - /?_method=GET - hackerone.com/reports/384782 - Authorisation Issues: Wordpress.com REST API oauth bypass via Cross Site Flashing - hackerone.com/reports/176308 - Business Logic Errors: Items bought for free due to lacks of quantity controls - hackerone.com/reports/357929 - IDORs: IDOR and statistics leakage in Orders - hackerone.com/reports/544329 - XSS: Stored XSS in blog comments through Shopify API - hackerone.com/reports/192210
You are an outstanding educator, please keep doing it! I just wanted to learn about enumeration for a project but now I'll binge the whole channel.
you've improved the sound quality
I finally figured it out!
Your videos are a gold mine! Thank you so much for making them free accessible and so understandable ❤️
You are so welcome!
I stumbled with your videos while searching for how to start with API hacking, I found you and all I can say your videos are GOLD!!!
Thank you so much for sharing your time and knowledge with the Community.
Really love your series 💖
I found my 1 st paid bb this week after completing your series love you 😘
Nobody:
InsiderPhD: "Howevaaaaaaar...."
Bri ish
@@reo4680 in'it
Ok this was.....BY FAR the BEST video I've seen on YT, for "Introduction to APIs", "API Basics", & "API Recon & Pentesting"! It was extremely useful & clear/concise information that thoroughly explained all subject matter at hand. TY soo much!!!! I'm super happy I found your channel!
Wow, thank you so much
I spent all my day with this video it's really great I tried hunting all day I didn't hunt :) anything but I'm happy because I collect a lot of knowledge thanks for your tips
Did you got some now?
You are an amazing teacher Katie!! One can just watch your videos and start a career in Bug bounty hunting. Keep posting more videos. I love your content. You have helped me a lot. Thanks for everything.
Aww thank you for being a supporter of my work
thanks for your video my gurl
Nice thank you! Been looking for a detailed api bug video.
I am OSCP/OSWE.. and i am starting to learn from you thanks @InsiderPhD keep the greater work up
the way you explain things is just awesome.
Wanted to point out a small mistake. At 5:02 you said name is menu and value is curly braces. Actually value for that menu is an object starting with a curly braces.
Thanks for all your effort. You are doing great.
You're absolutely correct, thank you for pointing out my mistake, I will issue a correction in the description
Hello Katie Its wonderful explanation can't wait to test APIs. Thankyou for sharing valuable information :))
thank you, thank you and thank you! Keep up the great work! Looking forward seeing more of your videos.
Been bouncing around the channels not in order XD but I have to say i love this video and the way you taught it, they keep gettin better and better from what ive seen and super nice to take notes and follow along! Thanks again for the free knowledge !
a great teacher, amazing and detailed explanation, thank you for your efforts ❤️🔥
can you please elaborate what is "endpoint" at 33:52?
This is still a well made presentation after 2 years.
This is what I was going to learn about today too! This is amazing! Thank you so much!
was looking for information and what u are doing for the community and for all is very helpful thank u for ur beautiful content
Thank u, it's really feels like, you have a talent of teaching people
Great video, this series is really helping me out. Looking forward to the next one!
Your voice gives me a motivation, thank you so much❤❤❤❤
Hell yeah! Good luck on your hacking journey I’m glad I could inspire you
My favourite youtuber at the moment :)
:O I’m so honoured!
I am so happy I find your channel 🤩
Thank you Katie for this wonderful lesson...😄😄
I'm little bit confused @ 30:29 that means if we remove the cookies and the api accepts it... Does this bypasses Authorization... I'm confused
By removing cookies we are basically “logged out” which is why it works, there are many different type of IDORs but it’s a quick litmus test to check!
Got it..
I really apricated your hard work behind your videos .. I love all the videos and learn lots of things thanks a lot
Was really waiting for something like this, Thank you so much
Great content. Keep it coming!
How do you find xss in API? API responses are json content type is xss possible?
The primary attack is using it to bypass any client-side WAF filters, but you should have a look at XSS write ups with APIs, I added one in the description but there are many others
Really informative video, thanks!!!!!!
I have a doubt when I saw zomato api , it showed a list of many GET method , like GET restaurant name, GET location name etc , so should I type the resto name and city name and try to capture the request using burp and run the response. Is this the method like what you are trying to explain?????
Wow! Good work, very clear.
This is brilliant, thank you! Any suggestions on where I can find CTFs to practice these techniques?
PortSwigger’s Web Security Academy, PentesterLab
Fantastic video, where shoould we look if we cant acces any ways to the apis becauser we dont have the crfs token or auth?
Hey You made a great job , Thanks a lot
Thanks for your great contents.
Is there something i should know about before starting to learn this?? As i find this quite difficult in some parts
Try to watch my finding your first bug series in order, but you do need to know a little about how the internet works first! Let me know what you’re struggling with specifically and I’ll try to make more videos on it
@@InsiderPhD thanks!
Amazing video.. thx for contribution...
Awesome talk, thank you very much!!
Glad you liked it! More API videos coming really soon!
love the comments on your notes "seems sus come back"
Really helpful video keep it up!
Thanks for this...really useful for me
If you could provide those slides, that would be very helpful.
thanks, great video!!
I don't provide my slides simply because I am not comfortable with other people presenting my work, I will see what I can in maybe sorting out some written notes in the future.
@@InsiderPhD Valid point.
@rl1k Doe It's less because I don't want people to take credit for my work, but because I want to make sure that if my name is attached to something that it's presented correctly with all the facts!
can websites restrict you to use burpsuit to intercept the requests. I am dealing with a website which is restricting me to use it there and its making it really hard to enumerate the good stuff. any help?
Hi Katie, thanks for this superb video. Do you have somewhere the presentation for download?
No, sorry, unless it's mentioned specifically in the video descriptions I don't make slides freely available, usually I do for conference talks!
@@InsiderPhD Ok, so I will take notes from your videos. :)
Xcellent Video for Developers trying to start Hacking
Enumeration is a part of a larger recon process. Right?
Yup but sometimes not! API recon is often discovering endpoints while larger recon is usually exploring a scope in depth
@@InsiderPhD Exploring a scope could be finding the hidden endpoints. Isn't this also enumeration?
great training video, thanks for content \o/
thanks a lot for awesome information.
Hello is it possible that you can make some video about APIs and perform security tests on PostMan and script? Excellent work I've learned a lot from you.
This is coming soon :) I’m going to do a video on more API testing tools!
The reports you use in your examples, in the future could you give us the url for them so we can look them up? Thanks!
Now in the description
- Information Disclosure: User Information Disclosure via the REST API - /?_method=GET
- hackerone.com/reports/384782
- Authorisation Issues: Wordpress.com REST API oauth bypass via Cross Site Flashing - hackerone.com/reports/176308
- Business Logic Errors: Items bought for free due to lacks of quantity controls - hackerone.com/reports/357929
- IDORs: IDOR and statistics leakage in Orders - hackerone.com/reports/544329
- XSS: Stored XSS in blog comments through Shopify API - hackerone.com/reports/192210
Awesome 👍
Really help full thank you
Starting TOday Lets rock and roll :))
Awesome resource!
thanks for the video 👍
For Web Developers start at 14:30
It’s really Great, thank you for changing your mic 😁😁😁
Microwave Oven, doo Doo Doo Doo Doo doo
Thank you so much!! Very useful
Great video, please make a video on CSRF
Coming next week :)
I would love to see a sample of your spreadsheet. Would you be willing to share or post link below your video? Great video!! Great content! Thanks for taking the time! A final slide would be great at the end of the video while you are doing final comments as the screen going black, which is a little freaky.
Link to the spreadsheet :) docs.google.com/spreadsheets/d/1IJvTH6QpTlxWdy4Ss6I0G_f4csCYwBdgE88ya7XijnI/edit?usp=sharing will take your feedback into account for next time!
@@InsiderPhD keep up the great work on these great videos!!! Very informative!! Its greatly appreciated!
Thank you so much !!
you should add link of your video in I button or in this description when you are talking about you some other videos
Excellent idea, thank you I will do this!
Plz tell which lecture are coming at what time means future schedule plz
Next up:
Q and A - midweek next week
RCE bug in focus - 18th Jan
CSRF finding your first bug - 25th Jan
I often post in the channel community tab or on twitter when I know what my next video will be!
really Great, thank you
Thank you
This was helpful
you used mouse to write, that's awesome xD
where can i practice api hacking?
Burp Suite Academy ,TryHackMe, apisec university
Thanks so much!
Great, however, how can I concentrate with an ad every minute. Thank you for your hard work .
I’m really sorry I actually have midrolls turned off completely but TH-cam will actually add them back into the videos anyway! Feel free to use an adblocker it’s very annoying
lovely voice🤩
can you share the slide of this video?
please bring some practical beside theory
How to find that api plz tell that
Keep an eye out for web apps which have mobile app counterparts, often they both use the same API, another option is to take a look at mobile apps (video coming soon!), but in the meantime, you can check out Spaceraccoon's recent iOS blog spaceraccoon.dev/low-hanging-apples-hunting-credentials-and-secrets-in-ios-apps or using Genymotion to set up an Android emulator
Thank you so much
1337 video! Is it just a chance or I am the 3337th person to view the video? :D
Can you please share slides? BTW thank you so much. ❤🌹
This was great. But, if you don't mind, can you please slow down a lil bit while talking?
Of course! Thank you for your feedback! I will definitely try to talk slower and pace myself better!
Mate I did both h101 graphql labs. I gotta say, I understood f*ck all from that. Did both on my own, never interacted with graphql before that, had blackhat graphql open in a separate tab, just scrolled for something that looked similar to the task. I guess learning hands-on isn't for me
Reusing code by creating a web API is not being lazy, its being smart.
Of course! It’s just a joke :)! Using an API can also reduce development time when you’re managing a desktop, web and mobile app for example
Can you make a good video on XSS explaining all of them briefly and ways to find it out easily
Great idea I will make this video!
it will be gud if u give reports link is description
Now in the description
- Information Disclosure: User Information Disclosure via the REST API - /?_method=GET
- hackerone.com/reports/384782
- Authorisation Issues: Wordpress.com REST API oauth bypass via Cross Site Flashing - hackerone.com/reports/176308
- Business Logic Errors: Items bought for free due to lacks of quantity controls - hackerone.com/reports/357929
- IDORs: IDOR and statistics leakage in Orders - hackerone.com/reports/544329
- XSS: Stored XSS in blog comments through Shopify API - hackerone.com/reports/192210
i have watched 'All' of your videos but never fined a bug
Keep an eye out I’m posting a video just for you soon!
@@InsiderPhD I would be so happy
can i get your PPT?
thank You
Thank
mam your voice is very beautiful
thx
huh
sorry for bad comment
You british?
Yup! From Surrey live in Manchester