Scanning All Vulnerability Disclosure Programs For Automated API Hacking

00:00

a few weeks ago during one of my live

00:01

streams one of my viewers I think it was

00:03

yaser introduced me to this tool called

00:05

swagger jacker by Bishop Fox and it has

00:09

been a game changer the reason why I

00:12

love this tool so much is because it

00:13

allows you to do multiple things first

00:15

and foremost it allows you to just test

00:18

and see if any of these apis are

00:20

accessible and if you are looking for

00:22

unauthenticated access this tool is an

00:25

absolute Game Changer the second thing

00:27

that I love about it is the fact that it

00:29

allows me to generate wordless so if I

00:31

give it a bunch of different bu bount

00:33

programs where the Swagger file has been

00:35

leaked it grabs all the Swagger specs

00:37

and it spits out a word list depending

00:40

on the end points that are referenced

00:42

within that file I thought about what is

00:43

the better way to make a piece of

00:45

content around this then scanning every

00:48

V disclosure program minus some of the

00:50

ones that I had to remove for legal

00:52

purposes and seeing how many instances

00:55

of swagger I can find and then feeding

00:57

it to swagger jacker and seeing what it

01:00

does if you are interested in my data

01:02

set there's about 800 domains that I've

01:04

just collected from the vdps on hacker

01:06

one there's over 100,000 subdomains that

01:09

I'm going to link into GitHub I'll put

01:11

it down in the description and the pin

01:13

comments so if you want to get access to

01:15

them it is free for you you can use them

01:16

for your bug bounty hunting and research

01:18

or whatever else you want to do but then

01:20

I'm going to also go a step further and

01:22

if the data is clean enough and I see if

01:24

it's worth it I may also share the word

01:27

list with you but before we jump into

01:29

the video I got to make two Qui quick

01:30

announcements number one this is not a

01:31

sponsored video Bishop Fox did not

01:33

sponsor this so if you're Bishop Fox

01:35

wink come and sponsor me for the next

01:37

video and two a lot of you guys have

01:38

been asking for the course update and an

01:41

update was just released and for the

01:44

next 10 people that use the code on the

01:46

screen right here you will get the

01:47

course for $35 and then after that it's

01:50

going to jump up to $40 to $50 so go

01:53

down below click on the link use this

01:54

code right here and get it at a

01:56

discounted rate all right now let's jump

01:58

into the video okay so so let's first

02:00

take a look at our data this is pretty

02:03

much every domain that I scan for again

02:05

this is just almost every bug Bounty

02:07

program that I have access to and then I

02:09

don't want to spend too much time doing

02:10

a lot of reconnaissance and you can see

02:12

I had to clean this up but I did a

02:13

little bit of Recon and this is pretty

02:16

much everything that I have found the

02:18

way I did this is by just dividing my

02:21

entire flow into different batches of

02:23

10,000 domains and then just feeding it

02:25

to nuclei and having it look for

02:27

specific routes that may have a swap .

02:30

Json file so that's just the the

02:32

foundation of how I've done it and if

02:33

you're curious have done it I use a

02:34

private tool called Lima it's not

02:36

available online to use it unfortunately

02:38

but it is something that I use that just

02:40

distributes the workload across a bunch

02:41

of AWS Lambda functions now let's take a

02:44

look at SJ or swagger jacker and again

02:46

this is a project by our friends at

02:49

Bishop Fox not sponsored it's open

02:51

source it's free you can use it super

02:53

easy to download it it is a binary with

02:55

go you can just install it and then you

02:57

can just point to it and it does a

02:59

couple of cool things things the first

03:00

thing that I think is really really cool

03:01

to do with this is just being able to

03:04

give an automate flag to it and then

03:06

giving it the URL of every single

03:08

Swagger that you have so in this case

03:10

what I have done here is I think this is

03:12

the file that I've created you can see

03:14

all of these different ones let me just

03:15

make sure it's a right one it's API docs

03:18

final right here and let me just clean

03:20

it up there we go all these that you see

03:22

on the screen right here is just a Json

03:24

file unfortunately there are some that

03:26

were just swaggered at HTML I took those

03:27

out already but this is a everything

03:30

that has a Json format in it and we can

03:32

just go to one of them just to see what

03:34

it looks like you can see it is just uh

03:37

the entire specs for that API now we can

03:40

just do some really fun stuff like just

03:42

maybe feed this into JS and having use

03:45

uh XRS feed it to SJ or swagger jacker

03:48

and then just giving us uh the automate

03:51

I'll look at the Imports in just a sec

03:52

but we can do automate and then now this

03:55

will look at every single one of these

03:57

end points will put the route where it's

03:59

supposed to go and then it will it's

04:01

going to give us the exact myth that it

04:03

was used and the status of it so this is

04:05

something really really cool because a

04:07

lot of times what I would do especially

04:08

on my streams or even when I'm doing bug

04:10

bounty hunting and looking across the

04:11

entire infrastructure is I would just

04:13

have to do this manually I would find

04:15

some script that maybe grabbed every

04:17

single endpoint with bash and then

04:18

cleaned it up and then maybe did some

04:20

other calls that did it all for me and

04:22

it was just very tedious and with this

04:24

tool with swagger jacker you can do it

04:26

all at once and if you have a list of

04:28

every single AP

04:30

documentation for a Target you can just

04:32

feed it into this and look for the ones

04:33

that come back at the 200 so for example

04:35

this one I know this one isn't a 200

04:37

because uh there is a syntax error but

04:39

if you scroll down there's a bunch of

04:41

them that are coming back and you can

04:42

see the status for each of them and kind

04:44

of take a look at them deeper and figure

04:47

out what you want to do next so that's

04:49

just one use case of it I think what's

04:50

cooler about this is that you can kind

04:52

of look for lead credentials on GitHub

04:56

and then leverage swagger jacker to see

04:58

if it actually allows you to

05:00

authenticate to any apis on this

05:02

company's infrastructure so let me just

05:04

paint you the picture and by just

05:05

showing you what I mean in here what we

05:07

can do here is one is if you look at the

05:10

specs or the help right here it allows

05:12

you to do a help and you can with help

05:15

you can see the headers so you can

05:16

actually set a specific header that says

05:18

hey if you are doing this testing for me

05:21

so if I was to send these again with um

05:25

our targets right here so if I were to

05:26

do this again and do automate

05:31

automate and pass all of these URLs to

05:34

it I can also set a header that says

05:36

authorization and giving the leaked

05:39

credentials here and just looking at if

05:41

it actually does allow us to

05:43

authenticate to any of the apis across

05:46

that entire infrastructure that's one of

05:48

the things that I really found helpful

05:50

or useful with this tool but wait there

05:52

is two more things that I want to show

05:53

you the second thing that kind of also

05:55

goes hand inand with what I just talked

05:56

about is just using the prepare argument

05:58

here so what just going to do is we're

05:59

going to copy this again and instead of

06:01

automate I'm going to write prepare and

06:03

what prepare does is it's going to tell

06:05

you how you can use these different

06:07

calls using the curl command so I'm

06:10

going to actually do a t- a and we call

06:12

this output.txt and hopefully this works

06:16

as you can see right now it is dumping

06:17

every single one of those requests right

06:19

here and it's telling us that it

06:20

requires a get uh for this one

06:23

specifically this is what it looks like

06:25

uh if I want to do authorization I have

06:27

authorization one I think that's what I

06:28

gave it on a but what I can do now here

06:31

is I can just do a cat for this and I

06:35

can just grip for curl and this would be

06:37

a beautiful thing to have for us because

06:39

one now we know exactly what the apis

06:41

look like I can actually maybe build

06:43

some tooling around this if I wanted to

06:44

to take it a step further or I can just

06:46

use this and add the headers manually

06:48

into this one and then observe what

06:50

status it comes with I can also just

06:52

take the URLs and dump him and maybe Fe

06:54

them to nuclei or httpx to get some more

06:57

information so that's another use case

06:59

but there one more thing that I really

07:00

really really enjoyed with swagger

07:03

jacker and that is just getting a list

07:06

of all the end points available across

07:08

all these bug bounding programs dumping

07:10

into a file and just creating my own

07:13

word list which if you're going after a

07:15

large infrastructure maybe you're going

07:17

after a large company that has tons of

07:19

apis having something like this is very

07:22

helpful because sometimes you don't know

07:23

what's hosted on these apis and maybe

07:25

the naming conventions or some of the

07:27

applications are the same so what you

07:28

can do here is is you can do the same

07:30

thing we can cat for the same exact file

07:32

we're going to go after all these

07:34

different ones it's getting cleaned up

07:35

but then we can type in in points here I

07:38

think that's how you do it let's make

07:40

sure we got this right I'm going to call

07:42

this uh words.txt and it's going to

07:45

start dumping every single one of these

07:47

into uh a file for us outside the ones

07:50

that are erroring out right here we have

07:51

to clean this up but it's really cool to

07:53

have this especially if you are just

07:55

looking at one single Target obviously

07:58

uh this data is a little bit wonky and a

08:00

little bit not it's not the cleanest

08:02

data that I've had because I'm just

08:03

doing this for the sake of content and

08:05

I'm masing every bug Bounty program but

08:07

on a single Target having something like

08:09

this allows you to create word lists

08:11

that are very very specific to your

08:13

target so keep that in mind the next

08:15

time you find a very cool you can see on

08:17

my screen I have a ton of different apis

08:18

rest apis these are very very uh good

08:21

data to have but just keep that in mind

08:23

the next time you find a Swagger file

08:25

that by itself is not a vulnerability

08:27

but it is a gold mine uh information as

08:30

a bonus content for all of you Recon

08:32

lovers don't worry if you don't know how

08:34

to look for API specs and maybe you just

08:37

don't have a good word list don't worry

08:38

it actually also allows you to Brute

08:40

Force for it so right here on the screen

08:41

you can see I'm using SJ I'm saying hey

08:43

brute force and I want to you at this

08:46

URL right here and if I feed it that I

08:48

think it makes about yeah it says 2,000

08:50

requests right here they have 2,000

08:51

different paths that they look for and

08:53

then once it hits one that has your data

08:56

it's going to actually spit it out and

08:57

then you can actually use this to do

08:59

what we have talked about throughout

09:01

this entire video so it does have

09:03

everything built in I think it's one of

09:04

the cooler automation meets API hacking

09:07

especially if you're a bug Bounty Hunter

09:09

this should be definitely in your tool

09:11

bit so if you don't use it already go

09:13

ahead and download it from the geub link

09:15

that I will put down in the description

09:17

as well all right that's it I hope you

09:19

like this video it's been a while since

09:20

I've made some uh Recon automated

09:22

hacking video let me know in the

09:24

comments do you like stuff like this do

09:25

you want to see more videos of me using

09:27

tools like this and if you do maybe you

09:29

have a tool suggestion that you want to

09:30

see in the next video Drop It in a

09:31

comment and I will hopefully make a

09:33

video on it in the upcoming weeks all

09:35

right that's it I will see you all in

09:36

next week's video peace

09:46

[Music]