2024 Guide: Hacking APIs
Summary
TLDRThis five-week program concludes with an in-depth tutorial on API hacking, covering two main approaches: analyzing applications with accessible APIs and those with limited UIs. The video demonstrates techniques such as intercepting HTTP requests, examining JavaScript files, and brute-forcing to uncover API routes. It also highlights the importance of setting objectives, understanding API functionality, and leveraging API tokens to access additional endpoints. The presenter uses practical examples and encourages hands-on learning through hacking Hub, aiming to improve viewers' API hacking skills.
Takeaways
- 🎓 The script is the conclusion of a five-week program aimed at educating individuals on becoming better hackers, particularly in the area of API hacking.
- 🔍 Two main approaches to API hacking are discussed: one with access to the application and the ability to capture HTTP requests, and the other based on UI, which may involve broken or partial interfaces.
- 🛠 The 'half approach' involves using JavaScript files to uncover API routes, which can be a stepping stone to discovering additional APIs.
- 🔑 The importance of understanding API naming conventions and how to interact with them through tools like proxies is highlighted.
- 📝 The speaker demonstrates creating an account on a website to intercept and analyze API calls, emphasizing the process of observing and inserting payloads.
- 🎯 Setting objectives, such as making another user's post public, is a strategic way to approach hacking and uncover vulnerabilities.
- 🤖 The use of AI models like chat GPT to generate valid HTTP requests from JavaScript functions is suggested as a timesaving technique.
- 🔒 The significance of API tokens in authentication and the potential for unauthorized access if they can be reused across different applications is discussed.
- 🔄 The process of API versioning and the potential risks of newer versions, such as V2, having different and possibly less secure endpoints is covered.
- 📚 Finding and leveraging API documentation can provide a wealth of information about how an application's API works, which is crucial for hacking.
- 📈 The value of using tools for recursive and brute force methods to discover additional endpoints and paths within an API is emphasized.
Q & A
What is the main focus of the video script?
-The main focus of the video script is to discuss different approaches to API hacking and to provide insights on how to approach an API, especially when dealing with an unfamiliar application.
What are the two primary approaches to API hacking mentioned in the script?
-The two primary approaches to API hacking mentioned are: 1) Having access to an application that connects to and interacts with an API, allowing one to capture and analyze HTTP requests; 2) Using JavaScript files to uncover more API routes or brute forcing for files and parameters.
How can one find additional API routes based on the UI?
-One can find additional API routes based on the UI by examining the JavaScript files, breaking them apart to uncover API calls and routes, which might reveal additional APIs that are available.
What is the purpose of using API documentation in API hacking?
-API documentation can be used to understand the functionality of an API, including its endpoints, parameters, and expected responses, which can help in identifying potential vulnerabilities or misconfigurations.
What is the significance of API token in the context of the video script?
-The API token is significant as it is used for authentication with the API. It can also be tested for reuse across different applications or environments to identify vulnerabilities related to unauthorized access.
How can one test the functionality of an API without knowing the exact request format?
-One can use tools like curl, Burp Suite, or even AI models like Chat GPT to create valid HTTP requests by providing sample functions or endpoints extracted from the application's JavaScript files.
What is the importance of observing the response format from an API?
-Observing the response format is important because it can reveal whether the API is returning data in a format that can be manipulated, such as HTML, which could lead to vulnerabilities like HTML injection.
What is the 'blackbox' approach mentioned in the script and why is it useful?
-The 'blackbox' approach involves testing an API without prior knowledge of its structure or functionality. It is useful for uncovering hidden endpoints and understanding how the API behaves under different conditions, which can lead to the discovery of vulnerabilities.
Why is it recommended to look for API documentation even though it is not a vulnerability by itself?
-API documentation is not a vulnerability by itself, but it can provide valuable information about the API's structure and functionality, which can be leveraged to better understand the application and identify potential security issues.
What is the significance of error codes like 405, 403, and 401 in the context of API fuzzing?
-Error codes like 405 (Method Not Allowed), 403 (Forbidden), and 401 (Unauthorized) can indicate the presence of hidden or restricted endpoints. Including these codes in fuzzing can help uncover endpoints that require different methods or authentication.
How can one use the information from the video script to improve their API hacking skills?
-By following the approaches and techniques discussed in the script, such as analyzing applications, using API documentation, testing API tokens, and conducting blackbox testing, one can improve their understanding of APIs and enhance their ability to identify and exploit vulnerabilities.
Outlines
😀 Final Week of the Five-Week Program
The script begins with a congratulatory message for reaching the final week of a five-week program focused on improving hacking skills. The speaker intends to discuss various approaches to API hacking, acknowledging the complexity of the subject and the difficulty of condensing it into a single video. The main goal is to enhance the viewer's understanding of API interaction, especially with unfamiliar applications. Two primary methods of API hacking are introduced: one involving direct access to an application that connects to an API, and the other a 'half approach' based on UI interaction that may lead to discovering additional API routes.
🔍 Exploring API Hacking Techniques
This paragraph delves deeper into API hacking methods, emphasizing the importance of understanding the functionality of a website to identify potential vulnerabilities. It discusses using JavaScript files and brute-forcing to uncover API routes and parameters, as well as seeking documentation through tools like Swagger UI or GitHub. The speaker also introduces the idea of setting objectives when hacking, such as manipulating the visibility of a post, and demonstrates how to use proxy tools to intercept and analyze API calls, providing a practical example of account creation and profile page loading.
📚 Leveraging API Documentation and Token Reuse
The speaker continues with strategies for finding and utilizing API documentation, which can be a treasure trove of information for understanding an API's functionality. The paragraph highlights the potential for reusing API tokens across different applications within a company's ecosystem, which can sometimes lead to unauthorized access to additional APIs or endpoints. The importance of testing these tokens and exploring various domains is emphasized, along with practical steps for doing so, including changing domain names and using tools like Fuzzing to discover new endpoints.
🔑 API Token Authentication and Cross-Application Access
This section focuses on the authentication process within APIs and the potential for using the same token to access different applications or environments, such as development instances. The speaker shares a personal anecdote about creating a CTF and demonstrates how to swap domain names to test cross-application access using the same API token. The discovery of additional content and the exploration of different API versions (V1 and V2) are discussed, along with the use of Fuzzing to uncover hidden endpoints and the examination of API documentation for V2 to find new functionalities.
💡 Blackbox API Hacking and Content-Type Manipulation
The final paragraph introduces a blackbox approach to API hacking, where the speaker shares insights on how to handle APIs without prior knowledge of their structure. The process involves changing host names, using the same API token, and employing Fuzzing to identify endpoints that return error codes like 405, 403, and 401. The importance of observing the server's response, particularly the content type, is highlighted, with examples of how to manipulate the request method and body to interact with the API effectively. The speaker also discusses the implications of different content types, such as JSON versus HTML, and the potential for HTML injection attacks.
👋 Wrapping Up the Five-Week Series
In the conclusion, the speaker expresses gratitude for the viewers' engagement over the past five weeks and encourages them to continue practicing API hacking by using the provided resources on hacking Hub. The aim is to help viewers become more adept at understanding APIs, uncovering endpoints, creating valid requests, and identifying vulnerabilities. The session ends on a positive note, with the speaker looking forward to future interactions and wishing the viewers well.
Mindmap
Keywords
💡API Hacking
💡HTTP Request
💡UI (User Interface)
💡JavaScript
💡API Documentation
💡Proxy Tool
💡Payload
💡Vulnerability
💡Brute Forcing
💡Fuzzing
💡Content-Type
💡HTML Injection
Highlights
Introduction to the final week of a five-week program focusing on API hacking.
Congratulating participants for making it through the program and hoping it has helped them become better hackers.
Emphasizing the importance of understanding how to approach an API, especially for unfamiliar applications.
Describing two main approaches to API hacking: one with access to the application and another based on the UI.
Explaining the half-approach of using JavaScript files to uncover API routes.
Mentioning the use of brute forcing for files and parameters as part of the API hacking process.
Highlighting the importance of looking for API documentation, such as Swagger UI, for more information.
Demonstrating how to use hacking Hub and the 5we program to practice API hacking.
Discussing the process of creating an account to intercept API calls for analysis.
Showing how to examine API naming conventions and endpoints by inspecting app.js.
Exploring the idea of setting objectives when hacking, such as making another user's post public.
Discussing the process of editing API requests to understand and exploit their functionality.
Exploring the use of JavaScript files to uncover additional API routes and endpoints.
Describing how to test API tokens for access to other applications or APIs within the same domain.
Using API tokens to access different versions of an API, such as V1 and V2, to find new endpoints.
The significance of finding API documentation as a gold mine for understanding an application's functionality.
Using a blackbox approach to API hacking by assuming the validity of an API token on different domains.
The importance of observing the server's response, especially the content type, for potential HTML injection vulnerabilities.
Encouraging practice on hacking Hub to improve API hacking skills and understanding of creating valid API requests.
Closing remarks thanking participants for their engagement over the past five weeks and looking forward to future interactions.
Transcripts
this is the fifth and final week of the
five week program and if you've made it
this far congratulations and I really
hope the last 5 weeks have helped you or
push you towards becoming a better
hacker and hopefully you are one of the
select lucky people that had the ability
to find a vulnerability within the last
5 weeks in this video I'm going to talk
about the different approaches to API
hacking and I know is really hard to try
and put everything about AP hacking in
one video so bear with me I'm going to
try and un p a lot and hopefully by the
end of this video you get a better
understanding of how to approach an API
especially when it comes down to an
application that you have never worked
with when it comes down to looking at
apis there typically I want to say two
maybe two and a half different
approaches the half approach I'll
explain it just a bit but there are two
different approaches one is your typical
approach of having access to some sort
of an application this could be whether
the main application actually connects
to an API and interacts with it where
you can actually capture the HTP request
and look at it or it could be that you
have maybe a half UI or a broken UI that
loads a wide screen or maybe shows up a
little bit of information but you don't
get to have access to the full
application itself so that's like the
one and a half approach to API hacking
based on the UI then you can kind of
like go through the Javascript file and
break it apart and maybe get some of
those calls and base on those API routes
maybe you can uncover the additional APS
that are available the second approach
is very similar to using JavaScript
files to uncover more API routes and
it's just by brute forcing for files and
parameters and but you can also go after
looking for documentation whether it's
looking on GitHub or actually going on
that API set or your Target and looking
for API documentation through swager UI
or just any of these open API
documentation so in this video what
we're going to do is we're going to go
on to hacking Hub and launch our Hub
again you can always go into the 5we
program Hub on hacking Hub click on API
hack and follow along or if you just
want to watch me do my magic you're more
than welcome to do that and then you can
later on go and take a look at that Hub
yourself as I mentioned earlier you're
going to have times where you have the
actual application presented to you so
in this case I am looking at a website
and it's giving us everything we need we
can click on get started and maybe
create an account but sometimes you're
going to also see an application where
then it's not going to show you the
whole app it's going to be broken maybe
it just shows you an index file with
nothing being visible and you can right
click and look at the JavaScript I'll
show you that in just a SEC but here we
can actually see the application so I'm
going to just create an account really
quickly the hom SEC
test so now we can quickly fill this out
and sign up for an account and hit
register and now that we have an account
what I want to do is I want to make sure
we are intercepting everything for our
proxy tool right here and I'm going to
quickly just go to intercept and start
queuing because I want to kind of look
at what happens once I load the profile
page for example what are the different
API calls that that happen so in this
case what I can see is that app that the
domain that we have is making a request
to profile which is probably just a
static page but eventually it's going to
hit app.js we'll go look at that in just
a bit but now we can see that the API
naming convention is app- API domain
name and it's connecting to an API
version one it's heading me we're just
going to pass that forward maybe we can
actually use a respones to also see what
the response looks like so it's going to
come back we're going to go to response
Tab and we can see that the response is
just giving us our username our first
name all last name and date of birth so
we kind of can see what are the
different settings that it's allowing
what are the different methods that's
allowed for that particular endpoint but
we're just going to continue and drop
all this and see kind of what everything
else looks like so now we can kind of
take a look at creating post this
approach is what I do usually when I'm
given a application to hack on a lot of
times people just start looking at these
applications and they start filling it
out with a lot of different payloads but
what my Approach is when something has
an API behind it is just browsing the
website looking at how does it actually
create these different content while I
also insert my payload so right now I'm
going to create this post actually we're
not intercepting so we're going to make
another one we're going to oops let's go
back we're going to go back and edit
this now and see what it looks like so
if we edit what is the request look like
it'ss like it's sending a put request to
post that's the ID forour post and it
has a title and content but I want to
also look at what the response looks
like so I'm going to forward that come
here and see what the response is here I
can see public is is false and there's a
share URL so here is where objectives
become something in mind instead of
looking for vulnerabilities I start to
set myself objectives if I wanted to
hack this application and I see that
there is a public uh false or true for a
specific post how can I make another
user's post public while creating a
share URL for it so what we're going to
do here is we're going to make ours
public we're going to cue make it public
and we're going to take a look at the
response so the first and options we
don't care we're just going to send that
out then there's the share which is
public is true it's making a request to
the share endpoint on that specific post
and it's going to just flip that public
to true and right off the bat if we look
at the response we can kind of tell that
it's going to give us the share URL
which is probably how you can access
this specific post so in other ways what
I want to do here is how do I create a
post for another user and make it public
if that becomes a really good V ability
to look at so here's where you're going
to need to make two accounts test the
same functionality and see if you can
idore that share ID leak the URL for the
share post and then see if you can
access it so that's kind of the
objective that it comes with when you're
look at an API I see that this
functionality exists how do I abuse it
hacking apis isn't always about looking
for ssrf xss and just this basic Ido
vulnerabilities this is what people mean
when they say you want to understand the
functionality of a website understand
what it's supposed to do and what is it
not supposed to do and make that exactly
work so if it's not supposed to leak
another user's post for example you want
to exactly set that your objective to be
able to leak and other users for example
post in this case so the the other
approach is you actually have access to
look at the source of this so a lot of
times what you would see is you go to a
website maybe you you maybe you hit the
root folder and it brings you a blank
page and you don't see anything else but
if you click on the source of the page
and you navigate down below you can see
JavaScript out sometime it's app.js it
could be things like main with a has. JS
and when you click on it it is going to
bring you a very much uglier version of
what we have in front of us and
sometimes you can use things like JS
link finder you can use other
applications or BB Suite plugins to kind
of extract data from it one of the
things that I like to do usually is look
for keywords like get maybe keywords
like post put and see what it comes up
with so we can actually see if we can
come up with anything in here so we can
look for something like put and see what
comes up with it and we can put it in
quotes you can see right here it shows
API V1 meet takes a put request and you
can actually send this entire request to
it and this is how the request works if
you're not sure how to read JavaScript I
highly recommend getting familiar enough
at least to a point where you can read
this JavaScript code and go okay this is
the endo and this is what it requires
for me to do in order to have a valid
request but you also have the option to
just go into uh a chat GPT or an AI
model give it your entire request so in
this case I've copied one of the
functions in there and I'm just telling
it hey provide a valid HTP request for
this function you don't have to do
something fancy like this one you can
honestly just go into chat GPT and write
that out and it's going to come back and
say hey this is what you sent to API V1
me and this is the request body that
it's expecting and it's giving you a
sample version of it with email first
name last name and date of birth so
that's just an example of looking at it
the second thing that you want to take a
look at is also how do we authenticate
to this application when we reloaded
this page it does send a request to an
API but also it authenticates us with
this API token so what I will do usually
is send this request to my
repeater and you can actually test and
see if you can access some of this
information without having your API
token so if it actually loads this in
this case it didn't do it but sometimes
if that works without the API token you
also have found a vulnerability when
you're authorizing yourself to retrieve
data without being authenticated so this
is kind of like a having onof access to
an endpoint that leaks maybe pii or post
information or whatever it is but the
point of the API token is to also see if
you can find other apis within this
company's domain and access them with
that API token sometimes they make this
valid and it's being reused within other
applications where you can actually sign
into that other app or the other API
whether it's a Dev environment or some
other applications API because they you
reuse and assign the same token format
so in this case what we're going to do
is I know that since I've helped create
this CTF there is actually a second
domain I'm going to pull that up really
quickly so in this case we're going to
go to our second application and right
here we can see that if I hit this
domain it's going to come back and say
API server so this kind of looks like it
is a Dev instance of the last API and
what we want to do is want to try and
see if we can actually use this so what
I'm going to do here is I'm going to
actually go back to kaido and I am going
to just Swap this name right here to API
that's what the name of the domain is
right here oops let me go back one time
this is the a name of a domain right
here and we're going to change the host
name as well so we're going to add dashd
here and see if we can actually just hit
this API in point with the same
authentication token and see if it comes
back with anything and you can see right
here the same data is available on the
API Dev site as it is on the regular set
but a lot of times what people don't
expect to do here is look for additional
content so one of my favorite tricks to
do here here is I like to run this
through F so you can actually grab this
right here if you watch last week's
video you should kind of have an
understanding of how this works but I'm
going to just send it to word list my
custom word list maybe all. txt and I'm
going to say hey I want you to hit this
URL and we're going to actually give it
https and what we're going to do here is
we're going to authenticate ourselves so
I'm going to go in here and I'm going to
grab this Heather and say Hey I want to
send this custom Heather and I want to
also fuss for things here and now we're
going to be able to fuss for things and
we can see it's coming back with ap API
V1 that also exists an API V2 which if
we go back to our original post so right
here back to the app API without the dev
if I type in V2 we're going to see if it
exists or not and it looks like it
exists on this
site and we can do the same thing on the
other one so we can go back here API
V2 oops test out one more time it exists
on both what we want to do here is we
want to see if we can find additional
information on API V1 or V2 so I'm going
to just start with uh actually here I'm
going to let it do its thing and I'm
going to add recursion but actually
because I want to save some time on this
video I'm going to go directly to some
of the solution where which is in V2 so
I'm going to send this request to API V2
fuzz and it's going to come back and
find us API docs we already know post
existed but I want to kind of look at
what this API docs looks like a lot of
times finding an API docks is a gold
mine of information about a company's
API so I want to make it clear that
having API documentation on its own is
not a vulnerability however it is
something you can leverage to understand
how an application works in this case
you can see that we have V1 and V2 for
me there's also V1 V2 all these new
functionality all this actually old
functionality works on V1 and
V2 all the way down we can see there's
V2 API docs but this is when it gets
interesting because now we're uncovering
actual endpoints that is only accessible
through through V2 so it says V2 user ID
token and there is also ID reset and
these were things that we didn't see in
the past so it is very important for us
to be able to test them and we're just
going to keep this uh API token right
here and we're going to try one of these
end points and see if it actually works
now it come back and says method not
allowed so we can make make a post
request actually it shows that oh it
shows it right here this is what it
expects is to put post and option so
right here we can see that we're able to
reset a user's token by hitting that API
so the point that I make in this
scenario is that if you find an API if
you find maybe a Dev environment Brute
Force for any leads that you can either
it's recursively going after the
different paths and finding different
paths and endpoints for that API looking
for API documentation look for them and
actually put your API token in the
header and see if it works so that's
approach number two but there's also one
small little approach that I wanted to
cover before we wrap up this video and
that is actually looking at a blackbox
approach so now what we're going to do
is we're going to take a look at another
API we have created API d r and we're
going to do the same thing to our host
right here and again I know this
information because I've done my quote
unquote Recon on this target the Recon
here is that I've created this room
actually but I want to show you how it
works when you have another API under
another website that actually allows you
to use the same API token to access it
so right now we can hit API red maybe
it's Red API one more time red
API again we're getting an API server
this time I highly doubt that we're
going to get API documentation so what
we're going to do now here is we're
going to assume that our API token is
good this is kind of when you find out
and the more you screw around and the
more you find out we're going to send
this we're going to say fuzz for it it's
going to come back right off the bat
it's going to say hey API V1 and V2
exists there are different approaches
here you can Brute Force for both I
actually recommend doing it but for the
sake of this video and to save some time
what I'm going to do here is I'm going
to skip doing a AP I V1 because I do
know that api2 is the one that we're
after here but again if you're watching
this you want to go after api1 I highly
recommend it but we're going to fuzz for
our next one here the cool thing to do
here is actually you can actually do a
get request and see what comes back but
one of the things that I highly
recommend doing here is actually doing a
match and looking for anything that
comes back for 405
403 and 401 we can actually have 200 in
there as well and we actually do 41 52
let's do that one more time just in case
and the reason why we do this is again
we want when we look at hacking on apis
we want to look for objectives we want
to find endpoints that maybe we don't
have access to that we can later find a
way to access them and also if by adding
405 in here you're actually going to
uncover API endpoints that require
something other than a get request so if
you see right here if I didn't have my
45 I wouldn't find my register or
articles endpoint and that would have
been a missed opportunity so you want to
put the 405 and 415 those error codes in
there to make sure it uncovers and finds
you these different endpoints so what
you want to do now here we see that
articles exist you can actually do this
in burb seed or kaido whatever proxy
tools you use I actually like to do it
with curl I'm just going to quickly grab
uh grab my URL
here I'm going to actually add an ik to
this just so I can see their response
and ignore any SSL issues that we have
API V2 articles is the one that we're
going to take a look at it came back and
said 405 I want to kind of show you what
my Approach is when I see an endpoint
that says 405 what do I do what do I try
a lot of times I know people talk about
parameter brute forcing that is an
option you can do but what else you can
do here is we actually send this request
and kind of see and observe what it does
what is this wanting from us it says
first of all the method is not allowed
so we're going to go back and we're
going to add an X and specify what kind
of request you want to send it looks
like if we send an options maybe it
could tell us what it
expects it doesn't so we're going to go
back and maybe do a put request this
time we do Post first and now it says
required variable title this is what I
mean when I say you don't have to over
complicate things so in this example you
don't have to go ahead and do parameter
brute forcing sometimes a lot of these
apis are verbose enough to tell you
what's just missing so now we can
actually send the data for it we're
going to actually do a content type
added to this we're going to do Dash our
content type would be application Json
and the data would be actually sending
our
title let's just make sure we're doing
it right it's title and we want to send
test one two 3 and we're going to close
it out and see what comes back now it
says body cannot be empty so it looks
like it looks for a body here so we're
going to send body and we're going to
send another test one two three
and now it says article one created and
now we can actually go back to the
Articles and we're going to send the
same request we're going to go back to
the most basic form of it we no longer
need X options we're going to send it to
articles one and we can see that our
article was created and sometimes
actually a lot of times if you are going
from one application to another if this
application is not referenced anywhere
else and you kind of see it getting
access to n out of 10 times there is
functionality on there that is
vulnerable but what's really Co about
this one specifically that I want to
point out is if we hit our article V1 it
is really important to look at what does
this API come back and return my data in
and you can see right here it is coming
back as content text HTML which means
that if we actually are able to insert
HTML within this page it's no longer
going to look at this as a text format
so a lot of times when you see in a lot
of our previous tries right here for
example you can see the content type is
Json it's coming back it says text/html
in this case I cannot manipulate what
the server responds with let's look at
another one in the past that we looked
at here is another example we hit reset
but it's coming back and it's saying
application is Json and the content type
is Json which means if I replay this
request in my
browser and look at it on here you can
see that there's no HTML here that we
can manipulate this but also it's not
going to render this as HTML versus this
request right here if I put it in my
browser and I open it right here there's
no HTML currently but I'm going to send
that out with one more example let's do
this one more time hold if I send that
out with one more example right here and
we actually add some HTML into it and we
send it out for Article
2 we can say it's actually rendering our
HTML so this is a case of paying
attention to the small details that
comes back from this web server so if
you notice somewhere that an application
that is supposed to be an API and it's
expecting to return Pon format request
it's returning HTML how can I manipulate
the response whether it's causing an
error with our text that's reflected in
there or actually adding content that's
HTML within it and seeing if you can get
HTML back in the objective of getting
HTML injection which could be later
leverage for an account takeover
whatever else we're going to do within
this API I know there was a lot to
unpack this video but I wanted to kind
of showcase the different approaches
that comes to API and some of the common
mistakes that I've seen being made by a
lot of the hackers when it comes down to
looking at apis so if you're watching
this and you want to get better at API
hacking go to hacking Hub go launch this
exact Hub and kind of play around with
the API learn what an API looks like
what is it like to find and uncover
different endpoints and how to actually
create a valid request for an API
whether it's by using curl or using your
proxy like burp or kaido and and kind of
see if you can get used to creating your
own API request and then later translate
that into looking for vulnerabilities
all right that's it thank you so much
for sticking around for the last 5 weeks
I really hope this past 5 weeks have
been helpful and you had as much fun as
I did creating it for you all right
that's it I will see you all in next
week's video
[Music]
peace
Посмотреть больше похожих видео
Asp.Net Core Web API Client/Server Application | Visual Studio 2019
Scanning All Vulnerability Disclosure Programs For Automated API Hacking
Build Anything With ChatGPT API, Here’s How
OpenAI Assistants Tutorial for Beginners
Create A Python API in 12 Minutes
OpenVenus - A New Way to Use Chub Venus | Character AI Alternative With No Filters
5.0 / 5 (0 votes)