Sometimes people also call this a key-value object, hashmap and other names wrapped in {}
But they all mean the same:
1. Key - you can search this key, they are usually unique - so only one hacker with handle maikroservice can exist - TAKE THAT BOTS!
2. Values - can be 1 or many per key
1 Key - (many) Value(s)
Sidetrack off.
Why did I tell you this?
It is easier to hunt for bugs if you understand what you are looking at and APIs & JSON are everywhere.
Literally.
Everyone is using them.
So how do we hack APIs?
1. Typically we would first map out all the APIs
- What is available?
2. We then identify potential areas that take input
- Where can we type something?
3. We fuzz.
wait we what now?
Fuzzing is the process of using different inputs in order to see if we can:
- break the application (cause an error)
- display information that is not supposed to be seen (Can I see your account email / password?)
We will first do that manually and with a very simple payload.
A payload is text that we send to the application, sometimes our name, sometimes evil code. 👿
Our payload that we will test is
<script>javascript:alert("XSS")</script>
Let us figure out what that means and why I chose this payload/class of vulnerabilities.
1. <script> - this is something called a tag, or HTML element - anything between < and > is a tag
2. javascript:alert - this is an instruction to open a popup when the code is executed
umm.... I know what a popup is but why would you want to see a popup when you hack?
Well - XSS or cross site scripting is a class of vulnerabilities that is often identified by this method because it's very VISUAL - you can see the popup when it works <3
3. alert("XSS") - this will show the text "XSS" in the popup - for illustrative purposes.
4. </script> - a tag should be closed (closing is done by adding a "/" in front of the tag name)
Nice, so now you know what to do.
Start the application and put the payload we defined in all the input fields.
every one? YES, in every single one.
No one said this would be a walk in the park 🛝
Let me know if you find a spot where this causes a popup 💜
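To see why that payload pops an alert on some pages and not others, here is an added example (my own code, not from the thread) of a page that echoes a search query back into its HTML - once raw, once with output encoding - plus the check you are doing by eye when you look for the popup. The "search results" page and the input are assumed for illustration.

```javascript
// Constructed copy of the thread's payload
const PAYLOAD = '<script>javascript:alert("XSS")</script>';

// Minimal HTML output encoding: the characters that matter in element text
// and in double- or single-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable (assumed page): the query is concatenated straight into the HTML,
// so whatever was typed becomes part of the page, tags included.
function renderVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: same page, but the query is encoded before insertion, so the
// browser displays the text "<script>..." instead of running it.
function renderHardened(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// The check behind "did the popup appear?": is the payload reflected
// byte-for-byte, i.e. without encoding? Works as a regression test for any
// page that echoes user input.
function reflectsUnescaped(html, payload) {
  return html.includes(payload);
}

// Run both renders over the constructed payload and report which one reflects it raw.
function demo() {
  return {
    vulnerable: reflectsUnescaped(renderVulnerable(PAYLOAD), PAYLOAD), // true
    hardened: reflectsUnescaped(renderHardened(PAYLOAD), PAYLOAD),     // false
  };
}
```

The same reflectsUnescaped() check is what an automated scanner does for every field; the fix is always the encoding step in renderHardened(), applied on output.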
Tomorrow we will meet a new tool - the intercept software @zaproxy and @Burp_Suite
I will tell you my favorite one ;)
Feel free to reply with ideas or questions - you can also DM me.
October is #BugBounty focus
November is #BlueTeam
In December we build a hacking portfolio and hunt jobs for you
I cannot wait and am very grateful that you are following me - enjoy the weekend!
Let me introduce you to the best free tool you will ever use for hacking - @zaproxy
Some people will disagree & that's ok - I still love you 😍 @Alh4zr3d
Remember how yesterday we had to find all the input fields and all the URLs that had any - by using manual labor?!
What is the one thing that separates newbie bug hunters from the professionals - let me tell you
It’s persistence. The tools and ideas that for example @Jhaddix shows in his talks are far beyond the level I thought someone would use for Bug Bounty.
There was one Technique that blew my mind 🤯
It is scraping cloud provider IP ranges (proactively and on a recurring basis)
Imagine you are hacking on a program and you want to check which assets they have.
I assume at least 99% of what’s running on the web now is hosted by Cloud Providers (AWS, Azure, GCP, Digital Ocean etc)