Finding Your First Bug: Reading JSON and XML for Information Disclosure

Views: 13,908

InsiderPhD

A day ago

In this video we cover how to read JSON and XML specifically to find information disclosure vulnerabilities: how to approach a target when a URL returns JSON or XML, how to tell whether what you have found actually is an information disclosure, and how to exploit it. The aim is to demystify JSON and XML so that you feel at ease with how they are structured and how to read them. We also cover other vulnerabilities that can exist when a URL returns JSON or XML.
This episode was sponsored by Intigriti. Sign up with my link: go.intigriti.com/katie. I'm so pleased with everyone's positive response to the Intigriti sponsorship, and that you folks are finding bugs, and even finding your first bugs! Thank you for being awesome!
Further reading:
- JSON Formatter: jsonformatter.org
- JSON serialization of any Project model results in all Runner tokens being exposed through Quick Actions: hackerone.com/reports/509924
- An invite-only's program submission state is accessible to users no longer part of the program: hackerone.com/reports/800109
- latest_activity_id and latest_activity_at may disclose information about internal activities to unauthorized users: hackerone.com/reports/724944
- Team member with Program permission only can escalate to Admin permission: hackerone.com/reports/605720
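The video's core move is to read the whole response rather than only the fields the UI renders, and to ask whether each extra field should be visible to the current user. The script below is an added example (not code from the video or from InsiderPhD) that automates the first pass of that reading: it flattens a JSON or XML body into dotted paths and flags leaves whose key name or value shape looks like a token, secret, contact detail or internal field. The key list, the value patterns and both sample responses are constructed for illustration; anything it flags still needs a human to confirm that the field is genuinely beyond what the user is authorised to see.

```python
"""Triage a JSON or XML API response for candidate information disclosure.

Added example, not code from the video: the body is flattened to dotted paths
and every leaf whose key name or value shape looks like data the UI would not
normally show (tokens, secrets, contact details, internal fields) is reported
for manual review. Both sample bodies below are constructed.
"""
import json
import re
import xml.etree.ElementTree as ET
from typing import Any, Iterator

# Key names that in practice often carry more than the UI displays (assumed list).
SENSITIVE_KEY = re.compile(
    r"token|secret|password|passwd|api_?key|private|internal|"
    r"is_?admin|permission|email|phone|address|ssn|dob|salary",
    re.IGNORECASE,
)

# Value shapes worth a look even under an innocent-looking key.
SENSITIVE_VALUE = re.compile(
    r"^(?:"
    r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"  # JWT (header.payload.sig)
    r"|[A-Fa-f0-9]{32,}"                                  # long hex: hash or key
    r"|[^@\s]+@[^@\s]+\.[A-Za-z]{2,}"                     # e-mail address
    r")$"
)

def flatten(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted.path, leaf_value) for every leaf of a parsed JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from flatten(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from flatten(value, f"{path}[{index}]")
    else:
        yield path, node

def xml_to_dict(element: ET.Element) -> Any:
    """Turn an XML element into JSON-like dicts so one walker serves both formats.
    Attributes become '@name' keys, repeated child tags become lists, and a leaf
    collapses to its text (or a dict with '#text' if it also has attributes)."""
    result: dict[str, Any] = {f"@{k}": v for k, v in element.attrib.items()}
    children = list(element)
    if not children:
        text = (element.text or "").strip()
        return text if not result else {**result, "#text": text}
    for child in children:
        value = xml_to_dict(child)
        if child.tag in result:
            if not isinstance(result[child.tag], list):
                result[child.tag] = [result[child.tag]]
            result[child.tag].append(value)
        else:
            result[child.tag] = value
    return result

def parse_body(body: str, content_type: str) -> Any:
    """Parse by Content-Type; an XML document is wrapped under its root tag name."""
    if "xml" in content_type.lower():
        root = ET.fromstring(body)
        return {root.tag: xml_to_dict(root)}
    return json.loads(body)

def find_disclosures(body: str, content_type: str) -> list[tuple[str, Any]]:
    """Return (path, value) pairs whose key or value matches a sensitive pattern."""
    hits: list[tuple[str, Any]] = []
    for path, value in flatten(parse_body(body, content_type)):
        segments = path.split(".")
        # For '#text' leaves, judge by the enclosing element's name instead.
        key = segments[-2] if segments[-1].startswith("#") and len(segments) > 1 else segments[-1]
        if SENSITIVE_KEY.search(key) or (isinstance(value, str) and SENSITIVE_VALUE.match(value)):
            hits.append((path, value))
    return hits

# Constructed sample bodies: a project object that also serialises its CI
# runners and a session token, and a user profile returned as XML.
SAMPLE_JSON = json.dumps({
    "id": 42,
    "name": "demo-project",
    "visibility": "public",
    "owner": {"username": "alice", "email": "alice@example.com"},
    "runners": [{"id": 7, "description": "ci-runner",
                 "token": "rt-0123456789abcdef0123456789abcdef"}],
    "settings": {"internal_notes": "migrate to new cluster"},
    "session": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl",
})

SAMPLE_XML = """<user id="1001">
  <username>alice</username>
  <phone>+44 7700 900123</phone>
  <profile>
    <bio>Security researcher</bio>
    <api_key>0123456789abcdef0123456789abcdef</api_key>
  </profile>
</user>"""

if __name__ == "__main__":
    for body, ctype in ((SAMPLE_JSON, "application/json"), (SAMPLE_XML, "application/xml")):
        print(ctype)
        for path, value in find_disclosures(body, ctype):
            print(f"  {path} = {value!r}")
```

Run against a saved response body and Content-Type, the flattened paths double as the field list to compare with what the UI actually shows; a hit on a path like `runners[0].token` or `owner.email` is the starting point for the authorisation question the video asks, not a confirmed bug by itself.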

Comments: 48
@dhruvkandpal9909 3 years ago
We need a video on XXE! Excellent explanation ma'am!
@danielmaina4817 3 years ago
JSON... just what I needed
@nathangriffiths8809 3 years ago
Very informative video Katie, you answered a lot of the questions rattling around in my head. I hope you don't mind me saying, you are becoming a real pro at these videos now. Congrats!
@InsiderPhD 3 years ago
😊😊😊😊😊😊 Thank you, I'm really trying to improve everything I can
@Abhi-kp1fs 3 years ago
Thanks a lot, this was really helpful!
@1980cantrell 7 months ago
Love your videos... please do NOT stop... ❤🎉🎉🎉🎉🎉🎉🎉🎉
@hackersguild8445 3 years ago
Thanks for sharing. That's really some cool information in the video. :)
@rianislam8155 3 years ago
Those are really helpful for newcomers... thanks for this
@cardzzz6585 3 years ago
Hey Katie! Thanks for this video! This is not a very popular topic so I really appreciate it!!!!
@InsiderPhD 3 years ago
You're welcome! I think a lot of people get intimidated by seeing JSON/XML and don't really know what to do, so I wanted to make this so people can really get into API hacking with me! Especially with future videos covering APIs!
@cardzzz6585 3 years ago
@InsiderPhD Totally!! I know with me, APIs are really intimidating and they're definitely a weak point in my websec knowledge! So these videos are a great help
@DeLFeTube 2 years ago
Another great video! Yes, please create an XXE video :)
@holybugx 3 years ago
Nice video, thanks
@MrPaddy35 3 years ago
You are definitely right, if there is lots of JSON, I mostly think it's system things and just ignore it
@ViralComparison A year ago
Thanks😄
@BlokeBritish 3 years ago
Crocodile brackets!! Haha, subscribed
@davidt01 3 years ago
Voting for XXE video.
@InsiderPhD 3 years ago
Your vote has been noted!
@davidt01 3 years ago
@InsiderPhD Hey, I have a question. So what if I can change the content type to application/xml, and it accepts it, but when I try a blind XXE to get a URL, the request originates from my IP address? I got it to send a request, but instead of server-side, it's from my IP address. Does that mean it's not vulnerable? I've tried other payloads but they don't work.
@ismailramzan8927 3 years ago
Thanks 😊
@InsiderPhD 3 years ago
No problem 😊
@helalsadat2077 A day ago
By learning from you, you will see one day I will tag you in a tweet. Thank you very much, I am learning a lot about API hacking from your videos and Corey J Ball's book. Lots of love and respect, God bless you
@mi2has 3 years ago
Yes, make a video on XXE
@ca7986 3 years ago
❤️
@sankarghosh172 3 years ago
11:22 It is a GraphQL response with JSON data...
@faique2995 3 years ago
😍😍😍
@0xx039 3 years ago
Is JSON really intimidating? I love to see JSON responses
@InsiderPhD 3 years ago
I did a poll and some of the discussions revolved around feeling intimidated by APIs and JSON. I wanted to get a video out there just in case, especially as I'm doing a ton of videos on API hacking!
@davidg9469 3 years ago
Hi! I'd like your opinion on the platform INE Training, I don't know if it's worth it. Have you used it? Do you know anybody who has? They're quite expensive. Cheers mate!
@InsiderPhD 3 years ago
I'm not familiar with it! The only platform I do have experience with is Pentesterlab and I do recommend that one with a *. I'll ask around and see!
@davidg9469 3 years ago
@InsiderPhD On the 20th of this month they'll be having a seminar about their new Cyber Security course, I'll stay tuned. Thanks for your help.
@shrirangkahale 3 years ago
Note: GDPR applies to all programs that have European users.
@imaadfaki5585 3 years ago
Is that JSON from your university API from previous videos?
@InsiderPhD 3 years ago
Yup! I worked hard on that damn thing so I'm going to expand it! It has a few new vulns for a blind XSS now :D!
@InsiderPhD 3 years ago
Send me an @ on Twitter for your prize :)
@imaadfaki5585 3 years ago
@InsiderPhD It's @yaboi_kryp2o
@shrirangkahale 3 years ago
3rd!!
@InsiderPhD 3 years ago
You'll get first soon ;)
@zoroatokpas8761 3 years ago
There is always one question on my mind: what is the difference between an API endpoint and a directory, are they the same? Dumb question I guess, I cannot think of differences :(
@InsiderPhD 3 years ago
No stupid questions here! An endpoint is like a URL that does something, so KZfaq.com/watch?v=whatever resolves into a video but KZfaq.com/watch doesn't do anything, so that's not an endpoint. A directory actually stores stuff, so think the files for the videos on KZfaq, but you usually need a direct link unless you can see into the folder. Hope that helps!
@zoroatokpas8761 3 years ago
@InsiderPhD Haha, thank you!! This cleared it up for me!! Your videos motivate me to learn more and more!!
@Star-mi5ix 3 years ago
Do you need to go to college to do bug bounty?
@InsiderPhD 3 years ago
No, but I think university is useful for other reasons: to meet people, be exposed to lots of different careers and to broaden your horizons!
@Star-mi5ix 3 years ago
@InsiderPhD Thank you. I'm doing a course and I was worried that I needed to go to school too and had wasted my time
@himalrawal7511 3 years ago
How do you see JSON data in real-world applications?
@InsiderPhD 3 years ago
You see it a lot in mobile apps, but keep an eye out for apps that automatically refresh like Yahoo Mail or apps with a lot of client activity. APIs are great places to find JSON
@SyedImran-qf1eh A year ago
Hello Ma'am, I have seen your videos but I don't have a laptop. How can I find them using a mobile phone? Can you please help me.
@gopalethical 3 years ago
Nice voice