Instructor: Hi. Right now we have completed challenge two, and within this lecture we're gonna go into challenge three. So when we look at the API3, it says excessive data exposure. Okay. So, as a hint it says that we have all been there, right? Giving away too much data and the dev showing it. Okay. And it says that, try the Android app in the resources folder. Great. Now, in the API3, I believe we are dealing with too much data. So, we are gonna get too much data in a response but we need to find it. And to make it harder, I believe they have created an Android application. So, we are gonna have to deal with that. So, we only have one create user post over here which is vAPI, API3, user. We're gonna have to give some username and password and name. Okay. So, let's do that first in Postman. I'm gonna go to create user, and I'm going to take a look at the headers. Nothing to change over here, I'm gonna go to the body. So username, password, and name. Great, so let's give some.
I'm going to give a username, okay, "atil". I'm gonna give a password like "atil123", and just give your own name. And I'm just gonna send this, and here you go. We get the user back, "atil", and we get an id back. Okay, so we have this id over here, so we don't have anything else, I believe. Great, so we get this id, but we don't have any kind of excessive data over here. So, I believe we're gonna have to go and look at that Android application as they suggest in the documentation, right? So, we are gonna have to go into the resources folder. So most probably, we're gonna have to run an APK. So if you're taking this like in a mobile application, or mobile ethical hacking course, then it's okay for you. You know how to run this APK. If you're watching this for the web pen testing course, I really recommend you guys just watch it from here, okay? Don't try to execute this.
Because we are gonna have to install Android Studio, we are gonna have to install an emulator just to test this. It's taking like two hours, three hours to do that. Just don't bother with it. It's going to be very easy for me because I'm already an Android developer. I have everything on my computer, and you can just watch how it goes and take notes if you like. Okay, so if you don't have any Android emulator experience, or any Android Studio experience before, just don't bother with it. Just for this challenge it doesn't make sense to install this. But what I'm going to do, I'm going to open Android Studio. I'm just gonna open a new project, or just select my existing ones, because what I wanna do eventually is to open an emulator, not just a project, okay? Because we already have an APK, I don't think we will be working on something like reverse engineering or something that complicated.
We're just gonna listen to the incoming and outgoing requests and responses for that APK. So, I'm going to open any project from here. So, this is a project that I have been working on with Kotlin, but it doesn't matter, because what I'm gonna do, I'm gonna open the AVD manager. This is the virtual device manager for Android Studio, and I can just run any emulator that I want. So, I open an emulator, which is a virtual device of the Android operating system, obviously, as you can see. And, this is actually a virtual phone. Now, I can run the APK inside of this phone. And by the way, if you don't know what an APK is, it's an Android product, like an EXE file, but for Android phones. We get on there, let me just try it one more time. Yeah, here you go, this time it worked.
If it didn't work, I believe you're gonna have to sign this with jarsigner or any other tool that you want. If you watched the mobile ethical hacking course, now you know how to do that. If you're very curious about this, I can show you the command. This is keytool and the jarsigner. These are two commands that are needed in order to run this. But in order to run these commands, you are gonna have to have the JDK installed on your computer. Once again, if you're not a mobile pen tester, or mobile application developer, just don't bother with it. If you're here for web pen test, just watch the rest and see how it goes. So I have installed the APK on this phone, and let's find it. Let me open the screen. Let's see what we called it, or what they called it. It's comment APK. Let's see the comment. Yeah, here you go. This is the one. Yeah, here you go. vAPI. Great splash screen, my friend.
So over here, it asks for a base URL. So it should be the URL of our API, right? This one. So maybe we can just copy this and paste it over here. I don't think, yeah, we cannot do that. The clipboard doesn't work over here, so I'm gonna just write it. HTTP 1-3-4. Obviously, you need to write your own. And vAPI, here you go. Now, if I click on save, it will ask me for a user id and password, great. Now, we have this user id and password, because we created it via Postman, right? So, the user ID should be two, user password. I don't know the password, yeah. Password is "atil123", great. Here you go, let's try to log in. It says that something wrong happened. Let's see. Let's try one more time, or let's try to create an account from here. Yeah, here we go. We have a screen over there. So for the user id, I'm just gonna go with three, because we already have two. For the password,
again, I'm gonna go with "atil123". Display name, again, just choose whatever you want, man. I'm going to go with maybe "atil", but we have already used "atil", right? I'm gonna go with Atlas. So far, so good. I'm just gonna go with register, and here you go. Now I know the user id, which is three, and I know the password, "atil123", and try to log in. Yeah, here you go. We have logged in. So, let's see what this app is about. So, this app is about commenting, I believe, kind of a Twitter. So, I can write some comments and I can just send this comment by clicking over here. Maybe it asks for the location, I'm just gonna allow it, for some reason. And if I just send this, yeah, here you go. It works. It works great. Now, this is a great application, but I don't see any issue over here, because we are not seeing any kind of JSON responses, or we are not seeing the request that we are making, right?
Because this is an application, the user will only see what the developer allowed us to see, like the user interface. So what we need to do, we need to of course Burp Suite this. We need to intercept this package with Burp Suite. So, we are going to use the proxy again with the intercept on, but we need to make sure that our emulator has the same proxies. So, I open the settings of this emulator, and if you go to settings, as you can see, there is a proxy section. I'm gonna go with the manual proxy configuration this time. And for the host name, I'm just gonna go with 127.0.0.1, and the port number will be 8080, not only 80. So, this would be the same with this. Okay, great. Now I'm gonna say apply, and I'm going to try and send something from here, and let's see if we can capture this. So let's send this, and here you go. We managed to capture this. So we can see what kind of things we have inside of this request.
We have the device id, we have the latitude, and longitude and everything. So, intercept is on. I'm just gonna turn this off, because what I wanna do, I want to see what happens when we log in from scratch. I'm just gonna close this down, and I'm just gonna come over here. What I'm really trying to do is to get all the responses back, like with the login response and everything, so that we can be sure that we get the flag and we get to see what kind of excessive data we are getting. So, but the problem is I cannot log in, so I'm going to delete this app. Okay? I'm just going to delete this application so that I can install it one more time and then I can log in. But for some reason, I cannot delete this application. I believe the emulator got stuck. As you can see, I cannot do anything right now. Let me try to close this. As you can see, it doesn't work.
So my emulator got stuck somehow, and I cannot even delete this application. So if you come across a situation like this, just make sure you quit this, okay? And make sure you open Android Studio one more time, and make sure you wipe the data or just delete that emulator, and install it one more time. So what I'm going to do, I'm going to go into the AVD manager, and I'm going to find my emulator. Of course, I can just install another one, but I'm just gonna do with this. I'm just gonna wipe the data and it will reset this emulator, and I'm going to open it from scratch. The only downside over here is that we are going to have to wait a little bit to initialize this emulator. And also of course, we are going to lose the data inside of that emulator, but it doesn't even matter because it's just an emulator, right? It's designed to be reset, if it's needed. Great. Now it's open.
One more time, I'm just gonna go to the resources. Yep, that's not it, that's it. For the APK, I'm just going to drag the APK to the emulator, and see if we can install it. Yeah, here you go. We managed to install this. So I'm going to open the vAPI one more time, but before we log in, or before we create an account, let me just give the URL. Before we log in, I'm just going to make sure we have the proxy, but before we go with the proxy, I'm just gonna give this vAPI URL from scratch. Okay, make sure you do the same thing. So I'm going to say save, and here you go. Now, we need to log in. I believe we can log in with the same credentials, but I'm going to turn the proxy on like this. Okay, it's already on. So I'm going to go into Burp Suite, and turn the intercept on. Now, it started to capture the packets.
Most probably, it captures the Google services, or something like that. For the user ID, I'm gonna go with 3. For the password, I'm gonna go with "atil123", and I will log in. Here you go. We are sending this username and password. So what I wanna do, I want to check the post, and I want to check, send this to repeater. So, in the repeater, I will just send this and see the response. Yep, here you go. For the response, we have the success true, and the username as well. But for some reason, we don't have any excessive data exposure, right? We are not seeing, at least I cannot see any excessive data. We only get the success and the username. So I'm going to go into the proxy and send this. I'm just going to forward this, and forward that as well, obviously.
And forward, since we are not getting anything back, but I believe we need to do it one more time. I'm just gonna log in and forward this again and again, and here you go. Okay, we are inside of the comment app. Still, we are getting some packets. I'm just going to forward everything until we get nothing, and go into the HTTP history tab. Now, I will check everything that I have done so far. So for the post request, I'm getting some responses back. For the get request, yeah, here you go. For the get requests, we are getting a lot of responses and we get a flag. So what happened? What was the thing over here? So I think that in the vAPI, API3 comment endpoint, we are making a get request, and we're getting a lot of data. As you can see, from the response of this request, we are getting the device id, we are getting the latitude, and longitude, and comment text.
And the idea over here is that, even though the developer is not showing us this information, even though we are not seeing the latitude and longitude, remember this asked for a location permission. So, it gathered our latitude and longitude. It's not showing that, it's not showing the latitude and longitude to us. But, it doesn't mean that we cannot see it. The idea over here is that, even if you're not going to show it to the user, even if it's not necessary, then just don't send it with the response, right? Because a hacker can easily listen for the responses, and just get the JSON back, and get all this data that they're not supposed to be seeing. That is the idea. That is why we got the flag back over here. So that is the definition of the excessive data exposure. So, even if you didn't exercise that, even if you didn't have Android Studio and the emulator, I believe you get the idea.
This is not only for mobile applications. This is for APIs for the web as well. If you're not going to be using that data, and even if it's sensitive data, the location is sensitive, then just don't do it. Just don't send that as a response back, because a hacker can easily get this. Okay. So what I'm going to do, I'm going to stop here and continue within the next lecture for the next challenge.
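Added example (not code from vAPI or from the lecture): the response pattern behind the flag, the whole comment record serialised even though the app only renders the text, next to a server-side allowlist projection and a small audit helper that scans a captured JSON body for the leaked keys. Field names follow what the lecture reads out of the Burp response; the records are constructed sample data, not real vAPI output.

```python
"""Excessive data exposure (OWASP API3) as seen on the vAPI comment endpoint.

Added example, not vAPI's code. Field names (device_id, latitude, longitude,
comment) follow what the lecture reads out of Burp; records are constructed.
"""
import json

# Constructed sample of what the backend stores per comment (not real data).
STORED_COMMENTS = [
    {"id": 1, "user_id": 3, "name": "Atlas", "comment": "hello from the app",
     "device_id": "emulator-EXAMPLE-0001", "latitude": 37.4219, "longitude": -122.0840},
    {"id": 2, "user_id": 2, "name": "atil", "comment": "second comment",
     "device_id": "emulator-EXAMPLE-0002", "latitude": 41.0082, "longitude": 28.9784},
]

# Fields the UI never renders and that should not leave the server.
SENSITIVE_FIELDS = frozenset({"device_id", "latitude", "longitude", "user_id"})

# Fields the comment screen actually needs (the allowlist).
PUBLIC_COMMENT_FIELDS = ("id", "name", "comment")


def comments_response_vulnerable(records):
    """The pattern behind the flag: serialise whole records and rely on the
    client to hide what it does not display. Everything is in the JSON body."""
    return json.dumps({"success": True, "comments": list(records)})


def to_public_comment(record):
    """Allowlist projection: copy only the fields the client is meant to see.
    Any column added to the table later is dropped by default, not leaked."""
    return {field: record[field] for field in PUBLIC_COMMENT_FIELDS if field in record}


def public_comments(records):
    """Projected view of all records, as the hardened endpoint returns it."""
    return [to_public_comment(r) for r in records]


def comments_response_hardened(records):
    """Same endpoint with the projection applied server-side."""
    return json.dumps({"success": True, "comments": public_comments(records)})


def leaked_fields(response_body, sensitive=SENSITIVE_FIELDS):
    """Walk a captured JSON body (e.g. copied from Burp's HTTP history) and
    return the sensitive keys found at any nesting depth. Empty set means clean."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in sensitive:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(response_body))
    return found


if __name__ == "__main__":
    before = comments_response_vulnerable(STORED_COMMENTS)
    after = comments_response_hardened(STORED_COMMENTS)
    print("vulnerable response leaks:", sorted(leaked_fields(before)))
    print("hardened response leaks:  ", sorted(leaked_fields(after)))
    print(after)
```

The same `leaked_fields` walk works on any response body saved from the proxy, so it doubles as a regression test for the endpoint once the projection is in place.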