1
00:00:01,080 --> 00:00:01,920
Instructor: Hi.

2
00:00:01,920 --> 00:00:04,530
Within this lecture we're gonna start

3
00:00:04,530 --> 00:00:07,500
pen testing our API, finally.

4
00:00:07,500 --> 00:00:10,664
So far we have made our API,

5
00:00:10,664 --> 00:00:13,650
our vulnerable API, run on our server.

6
00:00:13,650 --> 00:00:17,490
We have installed Burp Suite and also Postman as well.

7
00:00:17,490 --> 00:00:21,630
Right now, we're just gonna deep dive into what's going on

8
00:00:21,630 --> 00:00:24,720
and why we are doing these things that we do

9
00:00:24,720 --> 00:00:29,190
in order to understand it in a much better context.

10
00:00:29,190 --> 00:00:31,950
So right now I have this website.

11
00:00:31,950 --> 00:00:35,190
In here we have documentation.

12
00:00:35,190 --> 00:00:39,610
It explains the API endpoints like API1, API2, API3,

13
00:00:40,980 --> 00:00:45,870
and it gives us clues, it gives us some kind of information

14
00:00:45,870 --> 00:00:48,120
to solve the challenges.

15
00:00:48,120 --> 00:00:49,680
As you can see, it says

16
00:00:49,680 --> 00:00:53,370
broken object level authorization or authentication,

17
00:00:53,370 --> 00:00:58,370
and this is the vulnerability that it has

18
00:00:58,530 --> 00:01:00,330
inside of API1.

19
00:01:00,330 --> 00:01:03,720
And also we have the create user, get user,

20
00:01:03,720 --> 00:01:06,300
and update user endpoints over here

21
00:01:06,300 --> 00:01:09,360
with the relevant explanations.

22
00:01:09,360 --> 00:01:11,940
So of course, this gives us a clue,

23
00:01:11,940 --> 00:01:15,933
and it actually gives us too much.

24
00:01:17,160 --> 00:01:19,860
In the real world, if you think about it,

25
00:01:19,860 --> 00:01:24,860
if you're going to do API pen testing,

26
00:01:25,200 --> 00:01:28,800
do you really get this kind of documentation?
27
00:01:28,800 --> 00:01:30,960
It depends on the situation,

28
00:01:30,960 --> 00:01:33,120
you may get it or you may not.

29
00:01:33,120 --> 00:01:35,610
Of course, you won't get the vulnerabilities

30
00:01:35,610 --> 00:01:37,680
written down for you like this,

31
00:01:37,680 --> 00:01:40,920
but you may get very detailed information.

32
00:01:40,920 --> 00:01:43,020
Let me show you what I mean.

33
00:01:43,020 --> 00:01:46,470
I'm going to just search for, like, Instagram API

34
00:01:46,470 --> 00:01:48,960
or Facebook API.

35
00:01:48,960 --> 00:01:50,370
So I'm just gonna go ahead

36
00:01:50,370 --> 00:01:55,370
and go into the Instagram developer documentation.

37
00:01:55,890 --> 00:01:57,420
Yeah, I believe this is the old one.

38
00:01:57,420 --> 00:02:00,180
I'm just gonna go to developers.facebook.com.

39
00:02:00,180 --> 00:02:02,940
You don't have to do that, by the way,

40
00:02:02,940 --> 00:02:04,800
I'm just showing you this.

41
00:02:04,800 --> 00:02:07,230
This is an API that developers can use

42
00:02:07,230 --> 00:02:09,750
in their web applications or mobile applications.

43
00:02:09,750 --> 00:02:13,020
I have used it before in my mobile applications.

44
00:02:13,020 --> 00:02:17,430
If I go to guides, I can see the different kinds

45
00:02:17,430 --> 00:02:21,030
of documentation, different kinds of endpoints over here.

46
00:02:21,030 --> 00:02:24,660
If I click on any of them, like Business Discovery,

47
00:02:24,660 --> 00:02:27,390
I can see the requests and responses.

48
00:02:27,390 --> 00:02:29,940
So this is a request, this is a GET request.

49
00:02:29,940 --> 00:02:31,860
This is the endpoint.

50
00:02:31,860 --> 00:02:36,270
So this is version three, and we see the parameters,

51
00:02:36,270 --> 00:02:40,320
we see the fields that we need to input, and here you go.
52
00:02:40,320 --> 00:02:45,320
Now we see what it does and what the ID is,

53
00:02:45,360 --> 00:02:48,840
what the parameters are, what the headers are,

54
00:02:48,840 --> 00:02:52,620
and what kind of response we get when we send this.

55
00:02:52,620 --> 00:02:55,353
Okay. So these are the parameters, for example.

56
00:02:56,370 --> 00:03:01,110
So as you can see, it's actually very possible

57
00:03:01,110 --> 00:03:04,060
that you get detailed documentation

58
00:03:05,340 --> 00:03:08,970
with these sample requests and sample responses.

59
00:03:08,970 --> 00:03:12,330
Here we have the ID of the Instagram account.

60
00:03:12,330 --> 00:03:15,360
Here we have another request

61
00:03:15,360 --> 00:03:19,170
and here we get another response like this.

62
00:03:19,170 --> 00:03:21,420
As you can see, it's very possible.

63
00:03:21,420 --> 00:03:26,073
However, Instagram does not only use these APIs.

64
00:03:26,970 --> 00:03:30,030
Instagram has its own APIs.

65
00:03:30,030 --> 00:03:33,090
Rather than everything listed over here,

66
00:03:33,090 --> 00:03:37,110
they can follow some other accounts.

67
00:03:37,110 --> 00:03:38,910
They can like some other accounts.

68
00:03:38,910 --> 00:03:42,930
They do not include these kinds of API endpoints

69
00:03:42,930 --> 00:03:45,720
in their business development APIs.

70
00:03:45,720 --> 00:03:46,553
Why?

71
00:03:46,553 --> 00:03:50,520
Because they do not need to give access to those APIs.

72
00:03:50,520 --> 00:03:55,170
They do not want developers to know how to send a comment,

73
00:03:55,170 --> 00:03:59,220
how to like another post, because they do not let them.

74
00:03:59,220 --> 00:04:02,730
So there are two options over here.

75
00:04:02,730 --> 00:04:04,530
You can find those APIs.

76
00:04:04,530 --> 00:04:06,510
You can try to pen test them,

77
00:04:06,510 --> 00:04:08,940
of course, if you are allowed to do so.
78
00:04:08,940 --> 00:04:11,940
And also you can pen test the endpoints

79
00:04:11,940 --> 00:04:14,013
that are listed in here as well.

80
00:04:15,060 --> 00:04:16,560
So far so good.

81
00:04:16,560 --> 00:04:20,370
So now I really think you understand

82
00:04:20,370 --> 00:04:23,100
that it depends on the situation.

83
00:04:23,100 --> 00:04:25,740
You may get detailed information

84
00:04:25,740 --> 00:04:30,740
about the API data you are about to pen test, or you may not.

85
00:04:30,780 --> 00:04:33,900
So depending on the situation,

86
00:04:33,900 --> 00:04:36,300
you're gonna have to work harder or not.

87
00:04:36,300 --> 00:04:39,452
But in this case, since this is a CTF,

88
00:04:39,452 --> 00:04:43,920
we even have this as a collection in Postman.

89
00:04:43,920 --> 00:04:48,120
So we can do everything in a much easier way.

90
00:04:48,120 --> 00:04:50,310
So over here we have the headers.

91
00:04:50,310 --> 00:04:52,800
And most of the time we're not even going to bother

92
00:04:52,800 --> 00:04:55,560
with the headers, we're just gonna work with the body.

93
00:04:55,560 --> 00:04:59,580
So if we send a request, we get a response back.

94
00:04:59,580 --> 00:05:01,980
So we have tried that and this works,

95
00:05:01,980 --> 00:05:05,400
but right now we're just gonna deep dive into it.

96
00:05:05,400 --> 00:05:08,070
So first of all, I'm going to try

97
00:05:08,070 --> 00:05:11,160
and find the preferences of Postman

98
00:05:11,160 --> 00:05:14,670
because I want to make the fonts a little bit bigger.

99
00:05:14,670 --> 00:05:17,730
I believe you cannot see it in a clear way.

100
00:05:17,730 --> 00:05:18,630
Yeah, here you go.

101
00:05:18,630 --> 00:05:20,670
I believe that's much better.
102
00:05:20,670 --> 00:05:25,670
Right now in the body of the POST create user request,

103
00:05:25,980 --> 00:05:27,900
we have sent a username

104
00:05:27,900 --> 00:05:31,020
and a name and a course, apparently.

105
00:05:31,020 --> 00:05:32,520
Okay, like this.

106
00:05:32,520 --> 00:05:33,353
This was the name.

107
00:05:33,353 --> 00:05:34,950
This was the course that we have sent,

108
00:05:34,950 --> 00:05:37,800
and also we have sent a password.

109
00:05:37,800 --> 00:05:39,300
And as a response back,

110
00:05:39,300 --> 00:05:44,100
we got a response and it actually includes an ID.

111
00:05:44,100 --> 00:05:47,370
So let me see what's going on inside of API1.

112
00:05:47,370 --> 00:05:49,770
It says broken object level authorization.

113
00:05:49,770 --> 00:05:54,690
So this refers to the OWASP Top 10, API Top 10,

114
00:05:54,690 --> 00:05:56,310
one of the top 10.

115
00:05:56,310 --> 00:06:01,310
So this means that we can actually try to get

116
00:06:02,160 --> 00:06:05,520
to see the details of the other users.

117
00:06:05,520 --> 00:06:07,680
So we are going to see something

118
00:06:07,680 --> 00:06:10,350
that we shouldn't be authorized to.

119
00:06:10,350 --> 00:06:11,550
Okay.

120
00:06:11,550 --> 00:06:14,190
So we are going to try and do that.

121
00:06:14,190 --> 00:06:15,240
And as you can see,

122
00:06:15,240 --> 00:06:19,590
as a hint it says that you can register yourself as a user.

123
00:06:19,590 --> 00:06:20,430
That's it.

124
00:06:20,430 --> 00:06:22,170
Is there something else?

125
00:06:22,170 --> 00:06:24,150
Let's see if there's something else.

126
00:06:24,150 --> 00:06:26,940
I'm gonna go to the resources and see.

127
00:06:26,940 --> 00:06:30,090
We don't have any resources in API1.

128
00:06:30,090 --> 00:06:32,520
We have some for API2 and 3.

129
00:06:32,520 --> 00:06:35,520
All we need to do is just work with Postman then.
130
00:06:35,520 --> 00:06:39,540
Okay, so we already created the user.

131
00:06:39,540 --> 00:06:43,590
We already created the user using the POST request over here

132
00:06:43,590 --> 00:06:45,420
and we got a response back.

133
00:06:45,420 --> 00:06:49,440
But also we have a GET user request over here.

134
00:06:49,440 --> 00:06:53,190
Most probably we are gonna get the user details

135
00:06:53,190 --> 00:06:55,410
by giving this user ID.

136
00:06:55,410 --> 00:06:59,130
And we know the user ID because it has been given to us

137
00:06:59,130 --> 00:07:03,360
when we sent the create user request.

138
00:07:03,360 --> 00:07:04,890
The ID is five.

139
00:07:04,890 --> 00:07:07,260
Now, if I go to get user,

140
00:07:07,260 --> 00:07:08,940
as you can see in the parameters,

141
00:07:08,940 --> 00:07:10,350
there's nothing in the headers,

142
00:07:10,350 --> 00:07:12,990
there's nothing you should change.

143
00:07:12,990 --> 00:07:17,580
But over here we have an API authentication.

144
00:07:17,580 --> 00:07:20,490
And as you can see in the API authentication,

145
00:07:20,490 --> 00:07:22,260
we have a value.

146
00:07:22,260 --> 00:07:27,260
So it has a value, it has a current value over here,

147
00:07:27,330 --> 00:07:30,330
and it didn't have an initial value.

148
00:07:30,330 --> 00:07:32,340
So where did it come from?

149
00:07:32,340 --> 00:07:34,590
Because we don't have anything in the body,

150
00:07:34,590 --> 00:07:37,410
and we even have the ID over here as well,

151
00:07:37,410 --> 00:07:40,050
like it has an ID of five.

152
00:07:40,050 --> 00:07:42,000
So we didn't put that information in.

153
00:07:42,000 --> 00:07:43,860
How did it happen?

154
00:07:43,860 --> 00:07:47,850
So as you can see, we have the ID over here,

155
00:07:47,850 --> 00:07:50,673
but how does Postman know about this?
156
00:07:51,660 --> 00:07:53,850
So if you go to tests,

157
00:07:53,850 --> 00:07:55,440
as you can see there is some kind

158
00:07:55,440 --> 00:07:59,370
of JavaScript code over here.

159
00:07:59,370 --> 00:08:01,800
It gets the response back.

160
00:08:01,800 --> 00:08:04,680
It gets the response back as a JSON request,

161
00:08:04,680 --> 00:08:09,680
as a JSON response, sorry, and takes the ID out of it.

162
00:08:10,110 --> 00:08:14,370
So you don't have to do anything with these tests.

163
00:08:14,370 --> 00:08:16,950
The reason that I'm showing you

164
00:08:16,950 --> 00:08:20,190
is so that you can understand why this happens.

165
00:08:20,190 --> 00:08:22,590
As you can see, it gets the ID

166
00:08:22,590 --> 00:08:26,280
and it sets the ID as an environment variable.

167
00:08:26,280 --> 00:08:28,680
Like if I delete this and if I write five,

168
00:08:28,680 --> 00:08:32,670
that will be okay, but it does it for me.

169
00:08:32,670 --> 00:08:35,610
So if it doesn't work for you for some reason,

170
00:08:35,610 --> 00:08:37,800
then you can do this manually.

171
00:08:37,800 --> 00:08:41,550
You can come over here and change the environment variable,

172
00:08:41,550 --> 00:08:43,800
like the user ID, to five.

173
00:08:43,800 --> 00:08:46,980
And also for this authentication.

174
00:08:46,980 --> 00:08:51,150
This authentication also has been defined in the tests.

175
00:08:51,150 --> 00:08:56,150
As you can see, it gets the username, it gets the password,

176
00:08:56,220 --> 00:08:59,640
and it has, like, an algorithm over here.

177
00:08:59,640 --> 00:09:03,060
It encrypts the username colon password

178
00:09:03,060 --> 00:09:05,160
with some kind of encryption

179
00:09:05,160 --> 00:09:08,730
and it becomes the authentication key.

180
00:09:08,730 --> 00:09:10,980
So this is a very standard thing to use

181
00:09:10,980 --> 00:09:15,870
in creating tokens when you try to do tests.
182
00:09:15,870 --> 00:09:20,700
And also it's given to us over here in the console,

183
00:09:20,700 --> 00:09:22,080
it says console.log.

184
00:09:22,080 --> 00:09:25,590
So we should have seen that in the logs.

185
00:09:25,590 --> 00:09:28,530
Okay, I'm gonna show you how to look at the logs,

186
00:09:28,530 --> 00:09:33,330
but also it calls the Postman set environment variable

187
00:09:33,330 --> 00:09:36,840
and it saves that value as an authentication token

188
00:09:36,840 --> 00:09:40,263
so that we don't have to copy and paste every time.

189
00:09:41,100 --> 00:09:43,830
So if it didn't have that functionality,

190
00:09:43,830 --> 00:09:46,200
then we would have to go over there

191
00:09:46,200 --> 00:09:48,780
and copy and paste it every time.

192
00:09:48,780 --> 00:09:51,060
The reason that I'm showing you this is that

193
00:09:51,060 --> 00:09:56,040
the creator of the CTF actually made it possible for us

194
00:09:56,040 --> 00:09:59,043
not to deal with that kind of gibberish stuff.

195
00:10:00,330 --> 00:10:03,390
We are not going to copy and paste values

196
00:10:03,390 --> 00:10:07,110
because the tests over here

197
00:10:07,110 --> 00:10:09,270
actually made it possible for us.

198
00:10:09,270 --> 00:10:12,000
It saves them automatically.

199
00:10:12,000 --> 00:10:13,530
In a real pen test,

200
00:10:13,530 --> 00:10:16,290
again, maybe you need to copy and paste stuff,

201
00:10:16,290 --> 00:10:18,420
like take the authentication token

202
00:10:18,420 --> 00:10:23,420
and give it as another value in another endpoint over there.

203
00:10:23,430 --> 00:10:27,690
But it does that automatically for us right now.

204
00:10:27,690 --> 00:10:31,920
If you understood that, then it is good.
205
00:10:31,920 --> 00:10:34,410
So over here, as we can see,

206
00:10:34,410 --> 00:10:35,717
it takes the username in

207
00:10:35,717 --> 00:10:37,380
and it takes the password,

208
00:10:37,380 --> 00:10:39,960
it encrypts them somehow,

209
00:10:39,960 --> 00:10:44,460
and it actually saves it in the API1 authentication

210
00:10:44,460 --> 00:10:46,170
as a result over here.

211
00:10:46,170 --> 00:10:48,480
And you can see the current value

212
00:10:48,480 --> 00:10:51,150
of that authentication token.

213
00:10:51,150 --> 00:10:54,000
If you don't get it for some reason,

214
00:10:54,000 --> 00:10:55,920
you can get it from the test results.

215
00:10:55,920 --> 00:10:57,360
As you can see, we don't see

216
00:10:57,360 --> 00:11:00,420
any kind of test results over here,

217
00:11:00,420 --> 00:11:04,350
but we can see it from the logs, I believe.

218
00:11:04,350 --> 00:11:06,600
Let me do that one more time.

219
00:11:06,600 --> 00:11:09,000
I'm just gonna go into the body.

220
00:11:09,000 --> 00:11:11,040
I'm gonna create another user

221
00:11:11,040 --> 00:11:14,190
so that you can follow exactly what's going on.

222
00:11:14,190 --> 00:11:17,040
I'm gonna call it zeynep.

223
00:11:17,040 --> 00:11:19,710
You can call it anything you want.

224
00:11:19,710 --> 00:11:24,710
And for the course, I'm just gonna say mobile pen testing.

225
00:11:24,930 --> 00:11:27,600
I'm just gonna change the password as well.

226
00:11:27,600 --> 00:11:30,390
Now, I'm gonna send this as a request

227
00:11:30,390 --> 00:11:33,033
and I'm going to open the console from here.

228
00:11:34,110 --> 00:11:38,340
So I'm gonna open the console, and here you go.

229
00:11:38,340 --> 00:11:40,710
So this already has everything over here

230
00:11:40,710 --> 00:11:44,520
and it already has the previous authentication token

231
00:11:44,520 --> 00:11:46,140
in the console as well.
232
00:11:46,140 --> 00:11:50,190
But if I send this, it will give me another ID.

233
00:11:50,190 --> 00:11:52,860
It will give me another authentication token.

234
00:11:52,860 --> 00:11:57,060
And as you can see, we have the new authentication token.

235
00:11:57,060 --> 00:12:01,080
Right now it should have saved

236
00:12:01,080 --> 00:12:03,870
the ID and authorization token.

237
00:12:03,870 --> 00:12:05,580
If we scroll down a little bit,

238
00:12:05,580 --> 00:12:09,570
we can see that the value has been changed right now.

239
00:12:09,570 --> 00:12:12,930
Right now it has the new authentication token

240
00:12:12,930 --> 00:12:17,930
and it should have the new API1 ID as well.

241
00:12:18,000 --> 00:12:19,140
Because we have six,

242
00:12:19,140 --> 00:12:21,660
we have the authentication token over here.

243
00:12:21,660 --> 00:12:23,940
Right now if I send this GET request,

244
00:12:23,940 --> 00:12:27,453
as you can see, the current value of the ID is six.

245
00:12:28,350 --> 00:12:29,550
So if you didn't get that,

246
00:12:29,550 --> 00:12:31,830
you can copy it from here

247
00:12:31,830 --> 00:12:35,100
and paste it into the related sections,

248
00:12:35,100 --> 00:12:38,730
but most probably it'll work out fine for you.

249
00:12:38,730 --> 00:12:41,460
Now, it doesn't have anything in the body

250
00:12:41,460 --> 00:12:44,220
and I'm just going to send a request

251
00:12:44,220 --> 00:12:48,480
because we already have all kinds of variables that we need.

252
00:12:48,480 --> 00:12:50,700
So if I send this as a request,

253
00:12:50,700 --> 00:12:54,240
we get the response back like this.

254
00:12:54,240 --> 00:12:56,820
So I can get the response.

255
00:12:56,820 --> 00:12:58,470
So everything seems to be okay.

256
00:12:58,470 --> 00:13:00,723
So where is the vulnerability?

257
00:13:01,890 --> 00:13:04,650
So what did I say to begin with?
258
00:13:04,650 --> 00:13:08,470
We should see something that we shouldn't see

259
00:13:09,390 --> 00:13:12,180
in order to discover this vulnerability.

260
00:13:12,180 --> 00:13:17,010
Right now I have the API authentication for user six,

261
00:13:17,010 --> 00:13:21,540
but if I change this API ID to user five, for example,

262
00:13:21,540 --> 00:13:23,790
and just send this, as you can see,

263
00:13:23,790 --> 00:13:27,150
I can see the details of user five.

264
00:13:27,150 --> 00:13:29,760
And if I just send one,

265
00:13:29,760 --> 00:13:32,550
as you can see, I can see the first user,

266
00:13:32,550 --> 00:13:35,640
most probably an administrator user.

267
00:13:35,640 --> 00:13:37,170
So it's not secure.

268
00:13:37,170 --> 00:13:39,570
And here we have the flag.

269
00:13:39,570 --> 00:13:41,460
This is the first flag.

270
00:13:41,460 --> 00:13:43,710
Of course we are not even going to do anything

271
00:13:43,710 --> 00:13:47,430
with the flags, but when we see a flag,

272
00:13:47,430 --> 00:13:50,550
we can understand that we solved that challenge.

273
00:13:50,550 --> 00:13:54,390
As you can see, we managed to get the first ID,

274
00:13:54,390 --> 00:13:56,490
the first user's information,

275
00:13:56,490 --> 00:14:00,870
using the sixth user's authentication token.

276
00:14:00,870 --> 00:14:03,720
So basically we can change

277
00:14:03,720 --> 00:14:06,690
and see every user's details from here.

278
00:14:06,690 --> 00:14:08,490
And it means that,

279
00:14:08,490 --> 00:14:10,893
these are all The Office characters, I believe.

280
00:14:11,910 --> 00:14:13,800
I hope you're an Office fan.

281
00:14:13,800 --> 00:14:18,800
And also I hope you understood that if this was a real API,

282
00:14:20,220 --> 00:14:23,760
then we would just create a user.
283
00:14:23,760 --> 00:14:25,710
And with that user's token,

284
00:14:25,710 --> 00:14:28,170
with that user's authorization token,

285
00:14:28,170 --> 00:14:32,250
we could have gotten every single user password

286
00:14:32,250 --> 00:14:36,033
and username or user details.

287
00:14:37,110 --> 00:14:39,240
So this is not secure.

288
00:14:39,240 --> 00:14:43,260
So it should have checked the user ID

289
00:14:43,260 --> 00:14:48,060
versus the user authentication token.

290
00:14:48,060 --> 00:14:52,590
If they don't match, it shouldn't have replied back to us,

291
00:14:52,590 --> 00:14:54,960
but it did, so it's not secure.

292
00:14:54,960 --> 00:14:56,310
And this is the vulnerability

293
00:14:56,310 --> 00:14:59,730
that we are trying to find out.

294
00:14:59,730 --> 00:15:00,930
And this is how it goes.

295
00:15:00,930 --> 00:15:04,560
This is how we are going to do our pen tests.

296
00:15:04,560 --> 00:15:07,050
I hope you understood it right now,

297
00:15:07,050 --> 00:15:08,670
and we're gonna stop here

298
00:15:08,670 --> 00:15:11,010
and continue within the next one

299
00:15:11,010 --> 00:15:15,333
to go into the second API and find the vulnerability.