The course is part of this learning path
This course focuses on API Security and explains the kinds of vulnerabilities that we can find inside APIs, how to exploit them, and how to secure them as well. These skills will allow you to obtain bug bounties from vulnerabilities and also protect your own APIs as well.
Hi, within this lecture, we're going to see how to create a server in order to place the vAPI that we have downoaded inside of it so that we can solve the CTFs and we're going to use a service called DigitalOcean for that. But in fact you don't have to use it. You're not obligated to. I'm going to show you all about it. Don't worry. But for right now, I just downloaded that folder, and it's in the zip file and it's in a zip format right now. So, I'm going to double click on it and just unzip it. So, if you have WinZip, WinRAR, just make sure you unzip it before you see the contents of it. So, let me show you what's inside of that folder. So, as you can see, we can see all the codes, all the files and folders inside of it. Of course if you know the PHP, then you can just take a look at the codes and try to figure it out. But I won't suggest that because we don't have to understand the vulnerabilities by looking at the code. We have to find it in a real website. Okay?
But the point over here is that we have a resources folder in which we have two folders for API2 and API3. Okay? Once the time comes, we need to come back here. And also there is a postman folder over here. Postman is kind of a tool that we're going to be using in this section.
So, I'm going to show you how to use them. But that is the reason why we have downloaded it. Okay? Make sure you download it, Make sure you have the resources folder and also the postman folder as well. So, what we're going to do, we're going to actually use the DigitalOcean service in order to create a server, and just directly copy this codes inside of that server so that we can launch this vAPI inside of that server so that we can reach it later on. And as you can see, there is a manual over here in order to actually create the server. Once we create the server, we can install it using that manual or using that read me. So, DigitalOcean is this website, digitalocean.com. It provides some cloud solutions and the reason why I'm showing you this because the servers are not for free. Right? So, DigitalOcean has given me some link. If you click on that link, it will give you some credits like $25 to $100. But all we need is $5 or $6 in order to create the server and just test it. Of course, if you don't like it, you don't have to do it. Okay? Because DigitalOcean will ask for your credit card, no matter what, even if you have credit.
So, if you don't want to give your credit card number, then don't do it because sometimes it charges you with $1 and it gives back that one dollar eventually. But people get suspicious about it. So, if you don't want to do it, just don't do it. DigitalOcean is a credible platform that provides cloud solutions to very respectable firms, that's why I chose it. And of course, the credit is one of the reasons that I chose it. And it's very easy to use the docker in order to install that vAPI inside of the the DigitalOcean. But again, if you have your own server for some reason, for example, then just use that server. If you don't want to use the DigitalOcean, then don't. Okay? But if you want, I will give you some link and you will click on it in order to sign up and it will give you some free credits and you will be creating that server for free and you will be using it for free. Just make sure you click on that link and sign up, and then it will lead you to the dashboard of the DigitalOcean. So, once I click on that, let me show you where it will lead you. So, it will lead you in a dashboard like this. Okay? You will see the menu on the left hand side, and you will see the details on the main page. So, if you don't see something like this, this is a project. Okay? It created a default project for me. You can create a project by clicking on this 'New Project' button over here. And let me just create a new project so that you can see what's going on.
Inside of this project, all you got to do is just come up with a name. I'm going to say something like vapiTests or vAPIChallenge or CTF anything you want. You can give a description if you want. You can just say just trying out DigitalOcean and it will create your project. No, I don't want to move any resources in this. Okay, just say skip for now and here you go. Here is your project. But in order to create a server inside of a project, you will need to create something called Droplet. Okay? So, find this Droplet and click on it. It will just actually show you a page like this where you will choose the version or the distribution of your server. So, I'm going to go with the Ubuntu or Ubuntu, whatever you may want to call it. But you can go with the Debian or any other thing that you're familiar with. If you're familiar with Kali Linux, then I suggest you go with the Ubuntu or Debian. Okay? Don't go with CentOS or FreeBSD because they're a little bit different. It's always a good idea to go with the same thing with mine. Okay, so I'm going to go with the Ubuntu without even changing the version of it. So, once you choose the Ubuntu, then you can come over here and choose the CPU options. I'm going to go for the cheapest one. Okay? So, right now, it seems to be $6 a month. So, let me just try to change this like from Premium Intel to Regular Intel. Here you go.
I have one for $5 a month, but it really doesn't matter because we're not even going to use it for a month. We already have that credit so we can just delete it later on. And of course, you're going to have to choose a datacenter region. I'm going to go for Amsterdam. It doesn't have a meaning, you can just choose whatever you want from here. Okay? And I'm going to choose a password rather than an SSH key so that it would be very simple for us. Of course, SSH key is much more preferable when it comes to security, but we're going to delete the server like in a couple of days or a couple of hours. Okay? So, choose the password. So, this will be the root password of your server. Just make sure you take a note of it. Okay? So, that you can use it to connect it to your server. So, as you can see it has some requirements. Make sure you follow these requirements and create a root password for you. Again, don't lose that password, it won't get sent to you via email or something like that. Make sure you take a note of that. So, here you go. Let's see. We want only one Droplet, yep, that's right. We don't care about backups right now. We're just going to destroy this droplet when the time comes. So, I'm going to say create Droplet. Here you go. Now it's creating the Droplet for us. And once it is created, once it is initialized, we're going to see the IP address of it.
We can use that IP address in order to connect our server and also in order to host the vAPI inside of the server and reach it. Okay? That's all you got to do in order to create Ubuntu server inside of the DigitalOcean. As I said before, if you don't want to use the DigitalOcean for any reason, then don't do it. Just use another service, another server, anything you want just to accommodate or host the vAPI inside of it. So, here you go, that is my IP address. And as you can see, once I see the IP address, then I can just copy it, okay, use it to connect it. And since I'm using a MacBook right now, I'm not even going to use Kali Linux inside of the section, by the way. I'm just going to go with my own computer and you can do that too. But of course, there might be some challenges for you to connect to the server if you're not using Kali Linux or any Linux or MacBook or macOS. If you're using Windows, there is no SSH key or SSH client for you to just directly connect it. Don't worry about it. I'm just going to show you some other various ways for you to connect. Okay? But if you're using Mac or if you're using Kali Linux or any kind of distribution or Linux, just open your terminal and connect to this IP address. I'm going to show you how to do it. Don't worry about it. And later on once I connected to that server, I'm going to show you how to connect it using Windows as well. So I'm going to open my terminal inside of the Macbook. If you're inside of MacBook, you can hit 'Command' and 'Space' and search for terminal inside of Linux.
I believe you already know how to open the terminal. All you got to do is just run this comment ssh root@ an IP Address. Of course, this IP Address will be different for you. I'm going to say yes to this and here you go. It asks me for my password. So, this is the root password that we have just defined. So, I type it and hit 'Enter' but it doesn't show up on the screen because of the security reasons and I've mistyped it I believe. So, I'm going to try it one more time. And again, if you're using Windows, just bear with me. I'm going to show you how to do that. Here we go. Now, I'm inside of the root of ubuntu right now. If I run 'ifconfig', it says that even ifconfig is not installed in the server. I'm just going to run apt install net-tools. Okay, so that it will be installed in our own server. And here you go.
Right now if I run ifconfig, you will see the eth0 is 22.214.171.124. So, this is my own server. Right now, I'm inside of this terminal but this terminal doesn't control my own computer, it controls the server. As you can see, I'm connected as a root. Great, that's what I was looking for. Okay, so if you're on Windows, if you're on Linux, it's the same thing. But if you're on Windows, how to connect this? So, you can download an ssh client. So, I'm going to show you what I mean. If you search for Windows ssh connection, you will see something called PuTTY. So, this one, P-U-T-T-Y. So, this is an ssh client. This. is a program that you can freely download. And you have to just give the IP, y have to give the password and then you're in. So, let me show you the PuTTY interface if I can find a picture of it. So, as you can see, there are a lot of tutorials over here like as. Start the PuTTY, just give the Host Name. And if you want to change the Port, then change the Port but don't change the Port. The SSH port is 22 and it's okay by default. And then, you're just going to give your password and then you're in. So, let me open the Google one more time and search for PuTTY. I just want to show you the interface of it and here you go. This is the user interface of the party. If you download it, you can give the host name. If you choose the ssh as the connection type, the Port will be 22 by default, don't change it. And then, you're just going to say open or connect and it will ask you for your password and just you give it. You can use this but if you don't want to use this, if you don't want to download it, if you don't want to or maybe, you couldn't download the party for some reason. Then, there is another option for you. You can directly connect to terminal via using the web interface.
If you come over here to that menu, you can see Access console. Once you click on the 'Access console', it will prompt you to open a web dialogue like a web interface for a terminal and it will give you root access one more time. You can just launch this Droplet Console from the web. So, if you're using Windows, I suggest you download the PuTTY because I believe it's a great tool for you to learn, if you're into cyber security. But again, you don't have to do it. You can just use the web interface as well. But you need to find a way to connect to that server because we're going to have to just install the VAPI inside of the server, so that we can actually reach it via that IP Address. And maybe, you're thinking right now, since you're creating the server, why not just share the IP Address with us? Why not just leave it open? Because once we start to pen test the IP Address, pen test the API, it will cause some changes in the server. And once you go to that server, once you do the pen test after somebody does it, it may give you some different results depending on the situation. So, it's better for you to start with a fresh server. That's why I'm just showing you all of this stuff. And also, it's a good idea for you to learn about creating servers like this ubuntu over here and connected and just install some API on it. It's a great skill set, right? So, what we're going to do, we're going to stop here. And within the next lecture, we are going to download the VAPI inside of this server and try to understand how to install it. And we're going to do that using the terminal. So, you better connect to your server right now.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.