Instagram API Reverse Engineering | Bug Bounty Tips | #bugbounty

API Analysis

Reverse Engineering an API

Detailed video on my YouTube channel.

If there is no documentation we will have to reverse-engineer the API based on our interactions. Mapping an API with several endpoints and a few methods can quickly become a large attack surface. To manage this process, build the requests under a collection to hack the API thoroughly. Postman can help you keep track of all of these requests.

Postman

Create a Workspace to save your collections. Use the Capture Requests button, found at the bottom right of the Postman window and select Enable proxy. Add your target URL to the “URL must contain” field, and click the Start Capture button.

Use FoxyProxy to route the browser traffic through Postman. Now browse the website as intended and go through all of its functionality, such as creating an account, adding a profile photo, changing the email address, uploading a video and so on.

Now go to the requests section of Postman and select all the API requests, such as those containing /api/, /v1/, etc., then add them to the collection. From the collection, select a request and send it to see how the API provider responds.

mitmweb

Use mitmweb to capture the requests and save the flow file (“flows”).

mitmproxy2swagger

mitmproxy2swagger is a tool that can be used to generate OpenAPI (formerly known as Swagger) specifications from HTTP traffic.

mitmproxy2swagger -i flows -o spec.yml -p <URL> -f flow
vim spec.yml

Now remove the "ignore:" prefix from every path template in the file where /api is seen (the tool lists the captured paths under x-path-templates and ignores them by default). Then run:

mitmproxy2swagger -i flows -o spec.yml -p http://localhost:8888 -f flow --examples

Now import the spec.yml file to postman:
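The "ignore:" cleanup step above, as an added example (not code from the original post or from the mitmproxy2swagger project): a small Python script that un-ignores every path template containing /api so the second run generates those endpoints. It assumes the spec.yml layout is a top-level x-path-templates list with entries such as `- ignore:/api/v1/users`; the sample spec is constructed.

```python
import re

# Constructed sample of the file mitmproxy2swagger writes (assumed layout:
# a top-level x-path-templates list with "ignore:"-prefixed entries).
SAMPLE_SPEC = """openapi: 3.0.0
info:
  title: captured target API
paths: {}
x-path-templates:
# Remove the ignore: prefix to generate an endpoint with its URL
- ignore:/api/v1/users
- ignore:/api/v1/users/{id}/photos
- ignore:/static/app.js
- /api/v1/login
"""

_ENTRY = re.compile(r"^(\s*-\s*)ignore:(\S*)(.*)$")


def _walk(spec_text):
    """Yield (line, inside) pairs, tracking whether we are in x-path-templates."""
    inside = False
    for line in spec_text.splitlines():
        if line.strip() and line[0] not in " \t-#":   # a new top-level key
            inside = line.startswith("x-path-templates:")
        yield line, inside


def enable_api_paths(spec_text, needle="/api"):
    """Strip 'ignore:' from every template entry whose path contains needle.

    Plain text edit rather than a YAML round-trip, so the tool's own comments
    and entry order (matching is greedy, top entries win) survive untouched."""
    out = []
    for line, inside in _walk(spec_text):
        m = _ENTRY.match(line) if inside else None
        if m and needle in m.group(2):
            line = f"{m.group(1)}{m.group(2)}{m.group(3)}"
        out.append(line)
    return "\n".join(out) + ("\n" if spec_text.endswith("\n") else "")


def enabled_paths(spec_text):
    """Template entries that will be generated on the next run (no ignore: prefix)."""
    found = []
    for line, inside in _walk(spec_text):
        if inside and line.lstrip().startswith("-"):
            entry = line.lstrip()[1:].strip()
            if not entry.startswith("ignore:"):
                found.append(entry)
    return found
```

Run `enable_api_paths(open("spec.yml").read())` and write the result back before the second mitmproxy2swagger run; anything outside the x-path-templates block is left byte-for-byte as it was.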

Swagger editor

Import the spec.yml to the online swagger editor to get this view:

API Reconnaissance

The goal here is to find APIs to attack and this can be accomplished by discovering the API itself or the API documentation.

Reconnaissance

Passive Reconnaissance

Passive reconnaissance is obtaining information about a target without directly interacting with the target’s systems.

Google Dorking

First, Google search for “<app name> API”, then try the following dorks:

intitle:"api" site:"google.com"

inurl:"/api/v2" site:"google.com"

inurl:"/api/v1" intext:"index of /"

inurl:json site:"google.com"

intitle:"index.of" intext:"api.txt"

intitle:"API Documentation" inurl:"/docs/"

ext:php inurl:"api.php?action=" | Finds all sites with a XenAPI SQL injection vulnerability. (This query was posted in 2016; four years later, there are currently 141,000 results.)

GitDorking

Search terms: Google api, exposed api key, shodan_api_key

extension:json NASA, filename:swagger.json

Search for common headers: “authorization: Bearer”

Always check the issues section and the commit section.

Use the tool Trufflehog, which is more efficient. Detailed video on how to use the Trufflehog GitHub tool and extension:

Bounty for Leaked Credentials

Shodan

hostname:"targetname.com"

"content-type: application/json"

http.title:"swagger" port:80,443

"graphql" port:80,443

"wp-json"

"content-type: application/xml"

Shodan search filters

CVEDB API: Fast Vulnerability Lookups. The CVEDB API offers a quick way to check information about vulnerabilities in a service.

InternetDB API: Fast IP Lookups for Open Ports and Vulnerabilities.

Shodan Products

Wayback Machine

The Wayback Machine is an archive of various web pages over time. This allows us to see changes to existing API documentation. Finding and comparing historical snapshots of API documentation can simplify testing for Improper Assets Management. If the API has not been managed well over time, there is a chance to find retired endpoints that still exist. These are known as Zombie APIs.
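Comparing an archived snapshot of the API documentation with the current one, as an added example that is not part of the original post: given an old and a current swagger.json, the script lists the operations that disappeared from the docs and marks those that merely moved to a newer version prefix, which are the first candidates for still-live Zombie APIs. Both snapshots are constructed samples and the function names are my own.

```python
import json
import re

# Constructed snapshots standing in for an archived and a current swagger.json;
# only the "paths" object matters here (assumed OpenAPI/Swagger JSON layout).
OLD_SNAPSHOT = json.loads("""{"paths": {
  "/api/v1/users/{id}": {"get": {}, "delete": {}},
  "/api/v1/export":     {"post": {}},
  "/api/v1/login":      {"post": {}}}}""")
NEW_SNAPSHOT = json.loads("""{"paths": {
  "/api/v2/users/{id}": {"get": {}, "parameters": []},
  "/api/v1/login":      {"post": {}}}}""")

_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}
_VERSION = re.compile(r"/v\d+(?=/|$)")  # /v1/, /v2/ ... -> /vN/


def operations(spec):
    """Set of (METHOD, path) operations documented in an OpenAPI/Swagger dict."""
    ops = set()
    for path, item in spec.get("paths", {}).items():
        for key in item:                      # skip 'parameters', 'summary', ...
            if key.lower() in _METHODS:
                ops.add((key.upper(), path))
    return ops


def zombie_candidates(old_spec, new_spec):
    """Operations documented in the old snapshot but absent from the current one.

    'superseded'   - same method and path still exist under another version prefix
    'undocumented' - no current equivalent at all
    Either kind is a candidate for the Improper Assets Management check: does the
    server still answer on the retired path?"""
    old, new = operations(old_spec), operations(new_spec)
    still_live = {(m, _VERSION.sub("/vN", p)) for m, p in new}
    verdicts = {}
    for method, path in sorted(old - new):
        key = (method, _VERSION.sub("/vN", path))
        verdicts[f"{method} {path}"] = "superseded" if key in still_live else "undocumented"
    return verdicts


if __name__ == "__main__":
    for op, verdict in zombie_candidates(OLD_SNAPSHOT, NEW_SNAPSHOT).items():
        print(f"{verdict:12s} {op}")
```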

Active Reconnaissance

amass

Amass is a command-line tool that finds target subdomains by collecting OSINT from over 55 different sources.

amass enum -active -d target-name.com | grep api

amass enum -passive -d target-name.com | grep api

In active mode, Amass actively interacts with the target’s infrastructure, such as by sending DNS queries or performing port scans. This approach might reveal more information but also runs the risk of being detected by the target’s security systems (e.g., intrusion detection systems, firewalls).

In passive mode, Amass does not directly interact with the target’s infrastructure. Instead, it gathers information from third-party sources such as public databases, search engines, and DNS records. This method is stealthier and less likely to be detected by the target.

Devtools

Open DevTools and right-click the file section to add the URL.

Now browse through the application and check for API calls. To interact with a request, right-click it and choose Copy as cURL, then in Postman use Import > Raw text, paste the cURL command, and interact with it from there.

Kiterunner

Assetnote page on kiterunner.

Kiterunner is currently the best tool available for discovering API endpoints and resources.

git clone https://github.com/assetnote/kiterunner.git

# build the binary
make build

# symlink your binary
ln -s $(pwd)/dist/kr /usr/local/bin/kr
kr wordlist list


