1
00:00:00,000 --> 00:00:01,083
- Hi.

2
00:00:03,423 --> 00:00:04,256
Within this lecture we're gonna take a look

3
00:00:05,423 --> 00:00:06,803
at the API four, challenge four.

4
00:00:08,656 --> 00:00:09,510
So if you come over here to API four

5
00:00:10,980 --> 00:00:13,073
it says lack of resources and rate limiting.

6
00:00:14,890 --> 00:00:15,773
Okay, there is no rate limiting.

7
00:00:17,190 --> 00:00:18,823
So I immediately think that

8
00:00:18,823 --> 00:00:21,090
we are gonna be doing some kind of brute forcing

9
00:00:22,490 --> 00:00:23,963
or dictionary attack or something like that.

10
00:00:25,556 --> 00:00:27,956
But also it says that we believe OTPs are great.

11
00:00:30,090 --> 00:00:33,093
So which means that this is going to be something about OTP.

12
00:00:35,382 --> 00:00:36,215
So let's see what an OTP is.

13
00:00:37,356 --> 00:00:38,970
Over here, we are gonna give some mobile application

14
00:00:40,356 --> 00:00:41,656
or mobile number.

15
00:00:41,656 --> 00:00:43,043
It's just a phone number, okay, mobile number.

16
00:00:44,590 --> 00:00:46,290
And then we are going to do a POST

17
00:00:48,153 --> 00:00:49,313
which will verify the OTP.

18
00:00:51,021 --> 00:00:52,793
So OTP stands for One Time Password.

19
00:00:54,123 --> 00:00:56,913
So it's kind of multi authentication thingy.

20
00:00:59,023 --> 00:01:01,020
So you log in and you get an SMS message

21
00:01:02,523 --> 00:01:04,253
or a message from a service to your phone.

22
00:01:05,923 --> 00:01:08,273
And you give that number, give that four digit,

23
00:01:10,223 --> 00:01:12,023
six digit number to the login system

24
00:01:13,890 --> 00:01:15,023
so that you can log in, okay?

25
00:01:16,623 --> 00:01:19,573
So this is multifactor authentication or one time password.

26
00:01:22,290 --> 00:01:24,890
Over here, after we do the OTP, we can get the user.

27
00:01:27,588 --> 00:01:28,553
So this is pretty obvious,

28
00:01:29,953 --> 00:01:31,990
of course we are gonna have to take a look

29
00:01:31,990 --> 00:01:33,878
at the Postman as well

30
00:01:33,878 --> 00:01:35,423
to see what kind of things that we are going to do.

31
00:01:37,056 --> 00:01:39,503
But over here we have the clue, we have the hint,

32
00:01:40,848 --> 00:01:42,113
it says that we believe OTPs are great,

33
00:01:43,856 --> 00:01:45,906
but let's see what we can find about OTP.

34
00:01:47,823 --> 00:01:50,663
So over here we are already done with the API three and two.

35
00:01:52,156 --> 00:01:55,056
I'm gonna go ahead and try to log in to this phone number.

36
00:01:57,156 --> 00:01:57,989
Of course, this is not my phone number,

37
00:01:59,723 --> 00:02:02,003
this is just a regular example that is given to us.

38
00:02:03,723 --> 00:02:05,220
But anyway, even if we give the regular

39
00:02:06,590 --> 00:02:08,716
or our own phone number

40
00:02:08,716 --> 00:02:09,720
I don't think we are going to receive any message

41
00:02:11,190 --> 00:02:13,056
and that is not the case.

42
00:02:13,056 --> 00:02:14,093
As you can see, if you send something,

43
00:02:15,556 --> 00:02:18,083
if you send a request like this, you get a message,

44
00:02:19,423 --> 00:02:21,563
you get a response saying that okay, everything is okay.

45
00:02:22,856 --> 00:02:25,156
But your four digit OTP sent on mobile number.

46
00:02:27,155 --> 00:02:29,105
So of course this doesn't belong to us.

47
00:02:30,490 --> 00:02:34,120
And the idea over here is that can we find the OTP

48
00:02:35,956 --> 00:02:38,756
or can we find one time password of another phone number

49
00:02:40,885 --> 00:02:41,718
so that we can hack them, right?

50
00:02:43,190 --> 00:02:44,310
So if you come over here to verify OTP

51
00:02:45,818 --> 00:02:47,918
as you can see we already have this, okay?

52
00:02:49,621 --> 00:02:50,454
We already have these headers and bodies,

53
00:02:51,656 --> 00:02:52,489
we don't have to change anything over here.

54
00:02:53,856 --> 00:02:55,733
Just we need to find the four digit number.

55
00:02:57,356 --> 00:02:58,456
If you find it,

56
00:02:58,456 --> 00:02:59,333
then we're gonna get an authentication key back.

57
00:03:01,648 --> 00:03:03,563
So easy, I'm just gonna send this and here you go.

58
00:03:04,989 --> 00:03:07,156
It says that invalid OTP.

59
00:03:07,156 --> 00:03:09,606
So what I'm going to do, I'm going to try and see

60
00:03:11,323 --> 00:03:13,960
if this is actually wrong OTP, wrong password

61
00:03:15,923 --> 00:03:17,623
or this is invalid.

62
00:03:17,623 --> 00:03:19,863
I'm gonna send something like 8,000, 7,000.

63
00:03:22,223 --> 00:03:25,887
I'm gonna see if we get any different response like this.

64
00:03:27,889 --> 00:03:29,383
Okay?

65
00:03:29,383 --> 00:03:32,890
So can it be any four digit number or it goes up to 2000.

66
00:03:35,223 --> 00:03:37,090
Something like that, okay?

67
00:03:37,090 --> 00:03:39,790
But as you can see, we don't get any different thingy.

68
00:03:41,523 --> 00:03:42,823
We already have seen this.

69
00:03:44,323 --> 00:03:46,270
We always get invalid OTP, which means

70
00:03:47,923 --> 00:03:49,583
that we are not getting the authentication token.

71
00:03:52,056 --> 00:03:54,533
And also, which means that it can be anything four digits.

72
00:03:56,156 --> 00:03:57,000
So I'm taking a look at the logs as well

73
00:03:58,856 --> 00:04:01,156
to see if there is something new,

74
00:04:01,156 --> 00:04:03,656
or if there is something wrong

75
00:04:04,650 --> 00:04:05,903
with each request that I have sent.

76
00:04:07,587 --> 00:04:09,504
But it doesn't seem so.

77
00:04:10,988 --> 00:04:12,773
Since we cannot find any more clues or hints,

78
00:04:14,565 --> 00:04:16,409
I believe what we have to do,

79
00:04:16,409 --> 00:04:17,340
we have to try and change the OTP

80
00:04:19,028 --> 00:04:21,190
starting from 1000, ending in 9,999

81
00:04:23,489 --> 00:04:26,089
and just brute force the whole possibilities, right?

82
00:04:28,315 --> 00:04:30,515
So what I'm going to do, as you might guess,

83
00:04:32,423 --> 00:04:35,323
is to send this request to the Burp Suite Intruder, right?

84
00:04:37,754 --> 00:04:38,693
If we manage to do that, then it's okay.

85
00:04:40,234 --> 00:04:41,093
We are gonna get the OTP eventually.

86
00:04:42,953 --> 00:04:43,786
So I'm going to come over here to settings

87
00:04:45,178 --> 00:04:46,011
and change the proxy one more time.

88
00:04:47,684 --> 00:04:48,900
So remember, we have to configure this proxy

89
00:04:50,513 --> 00:04:51,773
and the Burp Suite proxy in the same way.

90
00:04:53,485 --> 00:04:55,136
So I'm gonna open the Burp Suite,

91
00:04:55,136 --> 00:04:57,422
I'm gonna turn the intercept on

92
00:04:57,422 --> 00:04:59,003
and I'm just going to send the OTP one more time.

93
00:05:00,840 --> 00:05:03,113
So once I send that, I will just get this over here.

94
00:05:04,976 --> 00:05:06,720
And of course I'm going to send this to Intruder

95
00:05:08,321 --> 00:05:10,161
as we have done before.

96
00:05:10,161 --> 00:05:10,994
And we already have the host import.

97
00:05:12,714 --> 00:05:14,970
Now in the positions, if this is not labeled for you

98
00:05:16,685 --> 00:05:17,640
then you're gonna have to clear and edit yourself

99
00:05:19,343 --> 00:05:21,193
and make sure that this is added

100
00:05:22,913 --> 00:05:23,746
as a parameter to be changed.

101
00:05:25,835 --> 00:05:27,748
Okay, and by the way,

102
00:05:27,748 --> 00:05:29,633
right now I'm using the Attack Tab type Sniper.

103
00:05:31,305 --> 00:05:33,240
We have used Pitchfork before, but remember I said

104
00:05:34,774 --> 00:05:37,103
that if we had only one parameter, then we would use Sniper.

105
00:05:38,603 --> 00:05:40,313
Now this is the time we can use the Sniper.

106
00:05:41,847 --> 00:05:42,743
We already have chosen it.

107
00:05:44,100 --> 00:05:47,587
We only have one parameter, so we only have one payload list

108
00:05:50,007 --> 00:05:51,263
and I'm not even going to create that list.

109
00:05:52,774 --> 00:05:54,923
I can just come over here and choose numbers, for example,

110
00:05:56,846 --> 00:05:59,340
and just state that indicate that it will start from 1000

111
00:06:00,868 --> 00:06:03,897
and it will go up to 9,000 or nine times 999, okay?

112
00:06:07,831 --> 00:06:11,053
So it'll just step one at a time and here you go.

113
00:06:13,340 --> 00:06:18,090
Now it will actually try 8,999 times, which is a lot, okay?

114
00:06:23,156 --> 00:06:23,989
And the idea over here is that,

115
00:06:25,333 --> 00:06:26,183
oh we can leave this by the way,

116
00:06:28,302 --> 00:06:29,135
we don't have that kind of thingy right now.

117
00:06:30,723 --> 00:06:32,523
The idea over here, I'm gonna start the attack.

118
00:06:32,523 --> 00:06:34,133
Of course, it's gonna take a lot of time.

119
00:06:35,707 --> 00:06:36,540
It will just try and try and try.

120
00:06:38,387 --> 00:06:40,487
But the idea over here is that the backend

121
00:06:42,363 --> 00:06:44,530
or the API should have anticipated this

122
00:06:46,493 --> 00:06:47,326
and should have rate limiting

123
00:06:48,649 --> 00:06:50,903
or some kind of protection mechanism against this.

124
00:06:53,086 --> 00:06:55,050
So over here it appears that it doesn't have that

125
00:06:56,262 --> 00:06:58,162
and we are not getting any kind of 500

126
00:06:59,919 --> 00:07:00,752
or any other error messages.

127
00:07:02,423 --> 00:07:04,023
We are trying and trying,

128
00:07:04,023 --> 00:07:05,663
of course I believe we couldn't find it yet,

129
00:07:07,918 --> 00:07:09,998
but we will eventually.

130
00:07:09,998 --> 00:07:10,831
So what I'm going to do, I'm gonna pause the video

131
00:07:12,301 --> 00:07:13,134
because it's gonna take so much time.

132
00:07:14,694 --> 00:07:16,803
After I find the relevant OTP,

133
00:07:18,666 --> 00:07:21,166
I'm gonna show it to you guys.

134
00:07:22,994 --> 00:07:24,379
Here you go.

135
00:07:24,379 --> 00:07:26,770
Now I found the OTP in here

136
00:07:29,075 --> 00:07:31,443
which is the request number 872.

137
00:07:33,553 --> 00:07:36,623
And it appears that the OTP should be 1872, okay?

138
00:07:39,188 --> 00:07:40,470
So I really suggest that you don't wait

139
00:07:41,985 --> 00:07:43,403
until this is done in your computer as well.

140
00:07:45,144 --> 00:07:46,697
Since this is just an example,

141
00:07:46,697 --> 00:07:48,000
if you have understood why we are doing this

142
00:07:49,369 --> 00:07:50,303
then it's okay, you can try with this number.

143
00:07:52,277 --> 00:07:54,216
But if we come over here in the response

144
00:07:54,216 --> 00:07:55,343
I already have the key, as you can see.

145
00:07:57,635 --> 00:08:00,295
Now I can send this to Repeater

146
00:08:00,295 --> 00:08:01,823
in order not to lose the packet, okay?

147
00:08:03,303 --> 00:08:04,973
So right click it and just send it to Repeater.

148
00:08:06,581 --> 00:08:07,860
And here you go.

149
00:08:07,860 --> 00:08:09,946
Again, I can just send it over here

150
00:08:09,946 --> 00:08:10,823
and I can get the success through over there.

151
00:08:12,744 --> 00:08:14,804
So what I'm going to do,

152
00:08:14,804 --> 00:08:16,613
I'm going to take that number and use it in my Postman.

153
00:08:18,609 --> 00:08:22,277
So let me come back and of course, yeah, here you go.

154
00:08:24,041 --> 00:08:25,956
It's still sending the request.

155
00:08:25,956 --> 00:08:26,903
So I'm just gonna turn off the proxy over here,

156
00:08:28,460 --> 00:08:30,289
turn off the intercept.

157
00:08:30,289 --> 00:08:32,539
I'm going to bring this down and here you go.

158
00:08:34,273 --> 00:08:35,453
So we can just send this from here as well,

159
00:08:36,903 --> 00:08:38,988
or we can go to get details

160
00:08:38,988 --> 00:08:39,821
and change the authentication token,

161
00:08:41,116 --> 00:08:42,451
whatever you want.

162
00:08:42,451 --> 00:08:44,326
I'm just gonna send this and here you go.

163
00:08:44,326 --> 00:08:46,050
We already have the key, so we can copy this key

164
00:08:47,642 --> 00:08:48,475
and use it in the get details,

165
00:08:50,193 --> 00:08:52,140
but I believe it's already saved in the Postman

166
00:08:53,871 --> 00:08:55,737
because of these tests.

167
00:08:55,737 --> 00:08:57,824
So I'm gonna come over here

168
00:08:57,824 --> 00:08:59,093
and just go to headers and here you go.

169
00:09:00,588 --> 00:09:01,713
Yeah, it's saved.

170
00:09:01,713 --> 00:09:02,790
If it wasn't, I can just delete it

171
00:09:04,340 --> 00:09:05,333
and just paste it over there.

172
00:09:06,931 --> 00:09:08,267
But here you go.

173
00:09:08,267 --> 00:09:09,702
Once I send this request

174
00:09:09,702 --> 00:09:11,783
I get the flag because now I'm able to reach it.

175
00:09:14,287 --> 00:09:15,835
So the idea over here is that

176
00:09:15,835 --> 00:09:16,793
even though the phone number is not mine,

177
00:09:18,363 --> 00:09:20,713
I brute force the OTP, since it was four digits

178
00:09:22,244 --> 00:09:25,173
it was possible to brute force because why not?

179
00:09:27,351 --> 00:09:29,460
Even though we had the community version, okay

180
00:09:31,275 --> 00:09:32,430
we had the community version, we waited a little bit

181
00:09:34,050 --> 00:09:36,087
but we got it done.

182
00:09:36,087 --> 00:09:37,943
If we had the pro version of Burp, the Burp Suite,

183
00:09:39,786 --> 00:09:41,093
then it would take much less time, okay?

184
00:09:42,877 --> 00:09:43,830
So over here we managed to get the OTP

185
00:09:45,561 --> 00:09:46,410
and we managed to get the authentication token

186
00:09:48,143 --> 00:09:49,643
so that I can reach the ID one

187
00:09:51,429 --> 00:09:53,523
the JSON or something like that.

188
00:09:53,523 --> 00:09:54,862
We don't even know the JSON,

189
00:09:54,862 --> 00:09:55,695
we don't even have that phone number.

190
00:09:57,702 --> 00:09:59,693
So if you don't have rate limiting over here,

191
00:10:01,038 --> 00:10:02,993
if you don't have rate limiting, as you can see,

192
00:10:04,256 --> 00:10:06,006
someone can easily grab the API key

193
00:10:08,016 --> 00:10:09,570
or the authentication token for any user

194
00:10:10,912 --> 00:10:11,880
and can reach their data

195
00:10:13,562 --> 00:10:15,023
or use the system as if they were that person.

196
00:10:17,431 --> 00:10:18,843
So that was it.

197
00:10:18,843 --> 00:10:19,853
That was the challenge of API four.

198
00:10:21,555 --> 00:10:23,820
And it's a good case to understand

199
00:10:23,820 --> 00:10:26,973
the multi authentication factors, the OTP factors,

200
00:10:28,879 --> 00:10:29,712
they are considered to be safe

201
00:10:31,082 --> 00:10:32,783
if they are implemented in an appropriate way.

202
00:10:34,540 --> 00:10:37,490
Unless they have this kind of vulnerability, they are safe.

203
00:10:39,563 --> 00:10:41,270
So far, so good.

204
00:10:41,270 --> 00:10:43,232
Now we are going to stop here

205
00:10:43,232 --> 00:10:44,065
and continue within the next lecture

206
00:10:45,444 --> 00:10:46,913
to solve the API five challenge.