Scanning All Vulnerability Disclosure Programs For Automated API Hacking
Summary
TLDR: In this video, the host introduces Swagger Jacker, a tool by Bishop Fox, which revolutionizes API testing by identifying accessible and unauthenticated endpoints. It also generates wordlists from Swagger files, aiding in bug bounty hunting and research. The host shares a dataset of 800 domains and over 100,000 subdomains for public use and demonstrates how to use Swagger Jacker for API endpoint analysis, authentication testing, and creating targeted wordlists. The video also covers brute-forcing API specs and encourages viewers to explore the tool for bug bounty and security research.
Takeaways
- The tool 'Swagger Jacker' by Bishop Fox was introduced and is praised for its utility in API testing and access.
- It's particularly useful for identifying unauthenticated API access, making it a 'game changer' for security testing.
- Swagger Jacker can generate wordlists from Swagger files, aiding in targeted reconnaissance and vulnerability discovery.
- The speaker scanned various bug bounty programs to find Swagger files, demonstrating a methodical approach to gathering data.
- The dataset includes approximately 800 domains and over 100,000 subdomains, which are available for public use on GitHub.
- The tool 'Lima' is mentioned for distributing workload across AWS Lambda functions, though it's not publicly available.
- Swagger Jacker automates the process of checking API endpoints, reducing the manual effort typically required in security assessments.
- It can be used to test leaked credentials against APIs to determine if they provide access to the company's infrastructure.
- The 'prepare' argument in Swagger Jacker outputs curl commands for API calls, streamlining the process of manual testing.
- The tool can create a wordlist of endpoints, which is beneficial for targeted attacks on large infrastructures with numerous APIs.
- Swagger Jacker includes a brute force feature to discover API specifications, expanding its utility beyond just using known Swagger files.
Q & A
What is Swagger Jacker, and who developed it?
-Swagger Jacker is a tool developed by Bishop Fox that helps users test APIs for unauthenticated access and generate wordlists based on Swagger files. It's open-source and easy to install.
What are the primary features of Swagger Jacker?
-Swagger Jacker allows users to test API endpoints for unauthenticated access, generate wordlists from leaked Swagger files, and automate the process of inspecting APIs across various domains.
How does Swagger Jacker help in bug bounty hunting?
-Swagger Jacker helps bug bounty hunters by automating the process of testing and collecting data from various APIs. It can also generate endpoint lists and authenticate requests using leaked credentials, making it a valuable tool for API hacking.
What is the significance of leaked Swagger specs for a bug bounty hunter?
-Leaked Swagger specs can reveal the endpoints of APIs, which can then be tested for vulnerabilities such as unauthorized access. This makes the specs a potential 'gold mine' for bug bounty hunters seeking to exploit unprotected APIs.
How does the tool handle large-scale API testing?
-The user divides the domains into batches of 10,000 and feeds them into a private tool that distributes the workload across AWS Lambda functions. Swagger Jacker is then used to automate the inspection of these endpoints.
What customization options does Swagger Jacker offer?
-Swagger Jacker allows users to add specific headers (like authorization headers with leaked credentials) to test if they can authenticate to an API. It also supports a 'prepare' mode, which outputs curl commands for each endpoint, making it easier to build tooling around the data.
What is the process of generating wordlists using Swagger Jacker?
-Users can create wordlists by dumping all the endpoints from various Swagger files into a file. These wordlists are helpful for bug bounty hunters targeting large infrastructures with many APIs, as they can identify common or potentially vulnerable API endpoints.
What is the advantage of using Swagger Jacker over manual methods?
-Swagger Jacker automates processes that would otherwise be done manually, such as gathering API endpoints and testing them for access. It saves time by performing these tasks in bulk and helps reduce human error in API testing.
Can Swagger Jacker perform brute force attacks on APIs?
-Yes, Swagger Jacker has a brute force feature that can send thousands of requests to test various paths on an API. This helps in identifying any available API documentation or endpoints that can be accessed without proper authorization.
How can users benefit from the data collected with Swagger Jacker?
-Users can use the collected data, such as API endpoint lists or wordlists, to improve their reconnaissance during bug bounty hunting. The data can also be fed into other tools like Nuclei or httpx for further analysis.
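The Q&A above covers the header option, the `prepare` output and endpoint wordlists, and the transcript walks through the same three uses of Swagger Jacker. The following script is an added example written for this page; it is not code from the video or from Bishop Fox's sj. It parses a Swagger/OpenAPI document the way a spec-driven tool has to, lists every operation with its method, derives a target-specific wordlist, and prepares curl commands with optional headers. It also adds a defender-side check the video does not show: which operations the spec itself declares as needing no credentials, which is the list an API owner should review before a spec is reachable. The sample spec, its host, and the choice to substitute `1` for path parameters are my own assumptions.

```python
"""Added example (not from the video or from Bishop Fox's sj): inventory a
Swagger/OpenAPI spec, build an endpoint wordlist, prepare curl commands, and
flag operations whose declared security requirement is empty."""
import json
import re
from typing import Dict, List, Optional, Tuple

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample spec (Swagger 2.0 shape); host, paths and scheme are invented.
SAMPLE_SPEC = json.loads("""{
  "swagger": "2.0",
  "host": "api.example.invalid",
  "basePath": "/v1",
  "schemes": ["https"],
  "securityDefinitions": {
    "apiKey": {"type": "apiKey", "name": "X-API-Key", "in": "header"}
  },
  "security": [{"apiKey": []}],
  "paths": {
    "/users": {"get": {"summary": "List users"},
               "post": {"summary": "Create user"}},
    "/users/{id}": {"get": {"summary": "Get user"},
                    "delete": {"summary": "Delete user",
                               "security": [{"apiKey": []}]}},
    "/health": {"get": {"summary": "Health check", "security": []}},
    "/internal/export": {"get": {"summary": "Export records", "security": []}}
  }
}""")


def base_url(spec: dict) -> str:
    """Build the API base URL from OpenAPI 3 `servers` or Swagger 2 host/basePath."""
    if spec.get("servers"):
        return spec["servers"][0]["url"].rstrip("/")
    scheme = (spec.get("schemes") or ["https"])[0]
    return f"{scheme}://{spec.get('host', 'localhost')}{spec.get('basePath', '').rstrip('/')}"


def operations(spec: dict) -> List[Tuple[str, str, dict]]:
    """Return (METHOD, path, operation object) for every operation, sorted by path."""
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS and isinstance(op, dict):
                ops.append((method.upper(), path, op))
    return sorted(ops, key=lambda o: (o[1], o[0]))


def endpoint_wordlist(spec: dict) -> List[str]:
    """Full paths plus their literal segments; path parameters such as {id} are
    dropped because they are not useful as wordlist entries."""
    words = set()
    for _, path, _ in operations(spec):
        words.add(path)
        for seg in path.strip("/").split("/"):
            if seg and not re.fullmatch(r"\{[^}]*\}", seg):
                words.add(seg)
    return sorted(words)


def unauthenticated_operations(spec: dict) -> List[str]:
    """Operations whose effective security requirement is empty.

    Operation-level `security` overrides the document-level requirement, and an
    explicit empty list means the operation needs no credentials. A defender
    should confirm each of these is meant to be public."""
    global_sec = spec.get("security", [])
    return [f"{m} {p}" for m, p, op in operations(spec) if not op.get("security", global_sec)]


def curl_commands(spec: dict, headers: Optional[Dict[str, str]] = None) -> List[str]:
    """One curl command per operation that prints only the HTTP status code.
    Path parameters are replaced with the placeholder value 1 (my choice)."""
    base = base_url(spec)
    hdrs = "".join(f" -H '{k}: {v}'" for k, v in (headers or {}).items())
    cmds = []
    for method, path, _ in operations(spec):
        concrete = re.sub(r"\{[^}]*\}", "1", path)
        cmds.append(f"curl -s -o /dev/null -w '%{{http_code}}\\n' -X {method}{hdrs} '{base}{concrete}'")
    return cmds


if __name__ == "__main__":
    for m, p, _ in operations(SAMPLE_SPEC):
        print(m, p)
    print("wordlist:", endpoint_wordlist(SAMPLE_SPEC))
    print("declared public:", unauthenticated_operations(SAMPLE_SPEC))
    # TOKEN_PLACEHOLDER stands in for whatever credential you are authorised to test with.
    for c in curl_commands(SAMPLE_SPEC, {"Authorization": "Bearer TOKEN_PLACEHOLDER"}):
        print(c)
```

Run it against a downloaded spec by replacing `SAMPLE_SPEC` with `json.load(open("swagger.json"))`. The `unauthenticated_operations` output is the useful review artifact on the defending side: every route it lists is one the spec advertises as credential-free, so either that is intentional (health checks) or the gateway, not the spec, is what is enforcing authentication, and that should be verified.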
Outlines
Swagger Jacker: A Game Changer for API Testing
The speaker introduces Swagger Jacker, a tool by Bishop Fox, which has significantly improved their API testing workflow. This tool is particularly useful for checking API accessibility and identifying unauthenticated access points, making it a 'game changer' for security researchers. It also generates wordlists based on Swagger files, which can be used for targeted testing. The speaker shares their dataset of about 800 domains and over 100,000 subdomains collected from various disclosure programs on HackerOne, intending to support the community's bug bounty hunting and research efforts. The video also mentions a course update with a discount code for the first 10 users.
Leveraging Swagger Jacker for API Reconnaissance
The speaker demonstrates how Swagger Jacker can be used to automate the testing of APIs by accepting a list of Swagger file URLs and checking each endpoint's status. They also show how to use the tool to test leaked credentials against an infrastructure's APIs to verify authentication capabilities. Additionally, Swagger Jacker can prepare cURL commands for each API endpoint, aiding in further manual or automated testing. The tool can also generate a comprehensive wordlist from multiple Swagger files, which is beneficial for targeted reconnaissance against large infrastructures. The speaker concludes by encouraging viewers to use Swagger Jacker for its automation capabilities in API hacking and reconnaissance, especially for bug bounty hunters.
Keywords
- Swagger Jacker
- API
- Unauthenticated Access
- Wordlist
- Bug Bounty
- GitHub
- AWS Lambda
- Nuclei
- Automation
- Reconnaissance
- Endpoints
Highlights
Introduction to Swagger Jacker by Bishop Fox and its impact on API testing.
Swagger Jacker allows unauthenticated access testing, making it a game-changer for bug bounty hunters.
Generates word lists from leaked Swagger specs to identify API endpoints, streamlining the process for API reconnaissance.
The speaker scanned around 800 domains and 100,000 subdomains from VDPs on HackerOne for testing.
The tool can automate the discovery of vulnerable API routes, making it highly efficient for bug bounty hunters.
Swagger Jacker lists each endpoint from the spec together with its HTTP method and the response status it received, so routes worth a closer look can be picked out quickly.
The speaker cleans up Swagger files and feeds them to Swagger Jacker for scanning and analyzing API endpoints.
The tool supports using leaked credentials to test API authentication mechanisms, adding a layer of versatility.
Swagger Jacker's 'prepare' command allows users to view curl commands for each API request, making it easy to build custom tooling.
The tool enables the creation of highly specific word lists based on targeted API infrastructure, which is valuable for large-scale companies.
The brute force feature helps identify hidden or undocumented API routes by testing 2,000 possible paths.
API Swagger specs are not vulnerabilities themselves but contain valuable information for deeper API exploration.
For large-scale scanning the speaker distributes the workload across AWS Lambda functions with a separate private tool (Lima) and then feeds the discovered Swagger files to Swagger Jacker.
Open-source and free to use, Swagger Jacker is simple to install and can handle multiple targets simultaneously.
In the closing, the speaker highlights the value of automation in API reconnaissance and invites suggestions for future tools and videos.
Transcripts
A few weeks ago during one of my live streams, one of my viewers, I think it was yaser, introduced me to this tool called Swagger Jacker by Bishop Fox, and it has been a game changer. The reason why I love this tool so much is because it allows you to do multiple things. First and foremost, it allows you to just test and see if any of these APIs are accessible, and if you are looking for unauthenticated access this tool is an absolute game changer. The second thing that I love about it is the fact that it allows me to generate wordlists: so if I give it a bunch of different bug bounty programs where the Swagger file has been leaked, it grabs all the Swagger specs and it spits out a wordlist depending on the endpoints that are referenced within that file.

I thought about what is the better way to make a piece of content around this than scanning every vulnerability disclosure program, minus some of the ones that I had to remove for legal purposes, and seeing how many instances of Swagger I can find, and then feeding it to Swagger Jacker and seeing what it does. If you are interested in my data set, there's about 800 domains that I've just collected from the VDPs on HackerOne; there's over 100,000 subdomains that I'm going to link into GitHub. I'll put it down in the description and the pinned comments, so if you want to get access to them it is free for you; you can use them for your bug bounty hunting and research or whatever else you want to do. But then I'm going to also go a step further, and if the data is clean enough and I see if it's worth it, I may also share the wordlist with you.

But before we jump into the video I've got to make two quick announcements. Number one, this is not a sponsored video; Bishop Fox did not sponsor this, so if you're Bishop Fox, wink, come and sponsor me for the next video. And two, a lot of you guys have been asking for the course update, and an update was just released, and for the next 10 people that use the code on the screen right here you will get the course for $35, and then after that it's going to jump up to $40 to $50. So go down below, click on the link, use this code right here and get it at a discounted rate. All right, now let's jump into the video.

Okay, so let's first take a look at our data. This is pretty much every domain that I scanned for; again, this is just almost every bug bounty program that I have access to. I don't want to spend too much time doing a lot of reconnaissance, and you can see I had to clean this up, but I did a little bit of recon and this is pretty much everything that I have found. The way I did this is by just dividing my entire flow into different batches of 10,000 domains and then just feeding it to nuclei and having it look for specific routes that may have a swagger.json file. So that's just the foundation of how I've done it, and if you're curious how I've done it, I use a private tool called Lima. It's not available online to use, unfortunately, but it is something that I use that just distributes the workload across a bunch of AWS Lambda functions.

Now let's take a look at SJ, or Swagger Jacker. Again, this is a project by our friends at Bishop Fox, not sponsored; it's open source, it's free, you can use it, it's super easy to download. It is a binary with Go; you can just install it and then you can just point to it, and it does a couple of cool things. The first thing that I think is really, really cool to do with this is just being able to give an automate flag to it and then giving it the URL of every single Swagger that you have. So in this case what I have done here is, I think this is the file that I've created; you can see all of these different ones. Let me just make sure it's the right one: it's api-docs final right here, and let me just clean it up. There we go. All these that you see on the screen right here are just JSON files. Unfortunately there are some that were just Swagger as HTML; I took those out already, but this is everything that has a JSON format in it. We can just go to one of them just to see what it looks like; you can see it is just the entire spec for that API.

Now we can just do some really fun stuff, like just maybe feed this into xargs and have xargs feed it to SJ, or Swagger Jacker, and then just give it the automate argument. I'll look at the imports in just a sec, but we can do automate, and now this will look at every single one of these endpoints, put the route where it's supposed to go, and then it's going to give us the exact method that was used and the status of it. So this is something really, really cool, because a lot of times what I would do, especially on my streams or even when I'm doing bug bounty hunting and looking across the entire infrastructure, is I would just have to do this manually. I would find some script that maybe grabbed every single endpoint with bash and then cleaned it up and then maybe did some other calls that did it all for me, and it was just very tedious. With this tool, with Swagger Jacker, you can do it all at once, and if you have a list of every single API documentation for a target you can just feed it into this and look for the ones that come back as a 200. So for example, this one, I know this one isn't a 200 because there is a syntax error, but if you scroll down there's a bunch of them that are coming back and you can see the status for each of them and kind of take a look at them deeper and figure out what you want to do next. So that's just one use case of it.

I think what's cooler about this is that you can kind of look for leaked credentials on GitHub and then leverage Swagger Jacker to see if it actually allows you to authenticate to any APIs on this company's infrastructure. So let me just paint you the picture by just showing you what I mean. In here, what we can do is, if you look at the specs or the help right here, it allows you to do a help, and with help you can see the headers, so you can actually set a specific header that says, hey, if you are doing this testing, for me... So if I was to send these again with our targets right here, if I were to do this again and do automate and pass all of these URLs to it, I can also set a header that says Authorization, giving the leaked credentials here, and just look at if it actually does allow us to authenticate to any of the APIs across that entire infrastructure. That's one of the things that I really found helpful or useful with this tool.

But wait, there are two more things that I want to show you. The second thing, that kind of also goes hand in hand with what I just talked about, is just using the prepare argument here. So what I'm going to do is, we're going to copy this again, and instead of automate I'm going to write prepare, and what prepare does is it's going to tell you how you can use these different calls using the curl command. So I'm going to actually do a tee -a and we'll call this output.txt, and hopefully this works. As you can see right now it is dumping every single one of those requests right here, and it's telling us that it requires a GET for this one specifically. This is what it looks like; if I want to do authorization I have Authorization one, I think that's what I gave it. But what I can do now here is I can just do a cat for this and I can just grep for curl, and this would be a beautiful thing to have for us, because one, now we know exactly what the APIs look like. I can actually maybe build some tooling around this if I wanted to take it a step further, or I can just use this and add the headers manually into this one and then observe what status it comes back with. I can also just take the URLs and dump them and maybe feed them to nuclei or httpx to get some more information. So that's another use case.

But there's one more thing that I really, really, really enjoyed with Swagger Jacker, and that is just getting a list of all the endpoints available across all these bug bounty programs, dumping it into a file and just creating my own wordlist, which, if you're going after a large infrastructure, maybe you're going after a large company that has tons of APIs, having something like this is very helpful, because sometimes you don't know what's hosted on these APIs and maybe the naming conventions or some of the applications are the same. So what you can do here is you can do the same thing: we can cat the same exact file, we're going to go after all these different ones, it's getting cleaned up, but then we can type in endpoints here, I think that's how you do it. Let's make sure we got this right. I'm going to call this words.txt, and it's going to start dumping every single one of these into a file for us, outside the ones that are erroring out right here. We have to clean this up, but it's really cool to have this, especially if you are just looking at one single target. Obviously this data is a little bit wonky and it's not the cleanest data that I've had, because I'm just doing this for the sake of content and I'm mass-scanning every bug bounty program, but on a single target having something like this allows you to create wordlists that are very, very specific to your target. So keep that in mind the next time you find a very cool... you can see on my screen I have a ton of different APIs, REST APIs; these are very, very good data to have. But just keep that in mind: the next time you find a Swagger file, that by itself is not a vulnerability, but it is a gold mine of information.

As a bonus content for all of you recon lovers: don't worry if you don't know how to look for API specs and maybe you just don't have a good wordlist. Don't worry, it actually also allows you to brute force for it. So right here on the screen you can see I'm using SJ, I'm saying, hey, brute force, and I want you at this URL right here, and if I feed it that, I think it makes about, yeah, it says 2,000 requests right here. They have 2,000 different paths that they look for, and then once it hits one that has your data it's going to actually spit it out, and then you can actually use this to do what we have talked about throughout this entire video. So it does have everything built in. I think it's one of the cooler automation-meets-API-hacking tools; especially if you're a bug bounty hunter, this should definitely be in your toolkit. So if you don't use it already, go ahead and download it from the GitHub link that I will put down in the description as well.

All right, that's it. I hope you like this video; it's been a while since I've made some recon automated hacking video. Let me know in the comments: do you like stuff like this, do you want to see more videos of me using tools like this, and if you do, maybe you have a tool suggestion that you want to see in the next video. Drop it in a comment and I will hopefully make a video on it in the upcoming weeks. All right, that's it, I will see you all in next week's video. Peace.