1
00:00:00,510 --> 00:00:03,270
-: Hi, welcome to the last challenge.

2
00:00:03,270 --> 00:00:04,890
Now we're gonna finish this up

3
00:00:04,890 --> 00:00:07,890
and also have our closure in this lecture.

4
00:00:07,890 --> 00:00:09,570
As you can see in API 10,

5
00:00:09,570 --> 00:00:12,120
it says that nothing has been logged or monitored.

6
00:00:12,120 --> 00:00:13,290
You caught us,

7
00:00:13,290 --> 00:00:17,220
and over here we have a get flag endpoint.

8
00:00:17,220 --> 00:00:19,260
I believe this is a simple one.

9
00:00:19,260 --> 00:00:21,270
He says that, I'm not kidding.

10
00:00:21,270 --> 00:00:22,860
So let's go to API nine.

11
00:00:22,860 --> 00:00:23,693
Of course.

12
00:00:23,693 --> 00:00:26,340
Let's disable this intercept

13
00:00:26,340 --> 00:00:29,010
and I believe we can close this down.

14
00:00:29,010 --> 00:00:30,390
Okay,

15
00:00:30,390 --> 00:00:31,860
and here you go.

16
00:00:31,860 --> 00:00:33,753
Now, if I go to API 10,

17
00:00:34,740 --> 00:00:37,530
as you can see I have to turn off the proxy

18
00:00:37,530 --> 00:00:41,250
from here as well in order to make this work

19
00:00:41,250 --> 00:00:43,680
because Burp Suite was open all the time.

20
00:00:43,680 --> 00:00:47,100
Now, if I come over here to the get flag API

21
00:00:47,100 --> 00:00:48,750
and just send a request,

22
00:00:48,750 --> 00:00:50,610
as you can see, we get the flag.

23
00:00:50,610 --> 00:00:52,170
So this is a free one.

24
00:00:52,170 --> 00:00:53,940
It says that, "Hey, I didn't log

25
00:00:53,940 --> 00:00:56,370
or monitor all the requests you have been sending.

26
00:00:56,370 --> 00:00:57,600
That's on me."

27
00:00:57,600 --> 00:01:00,630
So the idea over here is that

28
00:01:00,630 --> 00:01:01,710
the author,

29
00:01:01,710 --> 00:01:03,840
the creator of this challenge,

30
00:01:03,840 --> 00:01:08,130
didn't want us to go through hell in the last API.

31
00:01:08,130 --> 00:01:11,250
And also he wanted to remind us that

32
00:01:11,250 --> 00:01:14,370
we have to log everything.

33
00:01:14,370 --> 00:01:18,480
Like we have to log these requests and responses

34
00:01:18,480 --> 00:01:22,110
in order to have a secure, completely secure API.

35
00:01:22,110 --> 00:01:26,370
Because I have been hacking all these endpoints

36
00:01:26,370 --> 00:01:29,640
so far, right, for the last three hours,

37
00:01:29,640 --> 00:01:32,820
and it appears that they didn't even log it,

38
00:01:32,820 --> 00:01:36,600
so they don't know what the hell was going on.

39
00:01:36,600 --> 00:01:39,300
So I'm going to close everything down.

40
00:01:39,300 --> 00:01:41,373
Okay, we are done over here.

41
00:01:42,270 --> 00:01:46,260
Now, I hope you have learned about the Postman usage.

42
00:01:46,260 --> 00:01:48,750
Now you can use it fluently, right?

43
00:01:48,750 --> 00:01:52,710
Maybe you learned about Burp Suite a little bit more.

44
00:01:52,710 --> 00:01:55,140
And most importantly, I believe you learned

45
00:01:55,140 --> 00:01:57,240
about API security,

46
00:01:57,240 --> 00:01:59,640
how to find vulnerabilities in the endpoints,

47
00:01:59,640 --> 00:02:01,590
and how to make them secure.

48
00:02:01,590 --> 00:02:04,500
Now, this is a great way to pen test

49
00:02:04,500 --> 00:02:07,230
and earn some bug bounty money.

50
00:02:07,230 --> 00:02:10,770
Of course, if you are allowed to do so,

51
00:02:10,770 --> 00:02:13,290
and again maybe you don't get that kind

52
00:02:13,290 --> 00:02:16,740
of detailed documentation, maybe you will,

53
00:02:16,740 --> 00:02:21,030
but remember that you can just find the endpoints

54
00:02:21,030 --> 00:02:23,490
by just clicking on the website

55
00:02:23,490 --> 00:02:26,430
and analyzing it in Burp Suite,

56
00:02:26,430 --> 00:02:29,730
or analyzing the mobile application as well

57
00:02:29,730 --> 00:02:32,700
using Burp Suite, using an emulator.

58
00:02:32,700 --> 00:02:36,180
Once you get the endpoint, then it's all on you.

59
00:02:36,180 --> 00:02:41,180
And don't forget to disable this host from DigitalOcean

60
00:02:41,580 --> 00:02:44,580
or wherever you have created the server

61
00:02:44,580 --> 00:02:47,970
so that your credit card won't get charged.

62
00:02:47,970 --> 00:02:49,230
So far so good.

63
00:02:49,230 --> 00:02:51,270
I hope you enjoyed this section.

64
00:02:51,270 --> 00:02:54,693
We're gonna stop here and continue within the next one.