This course focuses on API Security and explains the kinds of vulnerabilities that we can find inside APIs, how to exploit them, and how to secure them as well. These skills will allow you to obtain bug bounties from vulnerabilities and also to protect your own APIs.
Hi, right now we have completed challenge two, and within this lecture we're going to go into challenge three. So, when we look at API 3 it says Excessive Data Exposure. So, as a hint, it says that we have all been there, giving away too much data, and they're showing it. And it says to try the Android app in the resources folder. Now in API 3, I believe we are dealing with too much data, so we're going to get too much data in a response, but we need to find it. And to make it harder, I believe they have created an Android application, so we're going to have to deal with that. So, we only have one Create User POST over here, which is vapi/api3/user. We're going to give some username, password and name. Okay, so let's do that first in Postman. I'm going to Create User and I'm going to take a look at the Headers, nothing to change over here, I'm going to the Body. So, username, password and name. Great. So, let's give some. I'm going to give a username: atil. I'm going to give a password like atil123 and just give your own name, and I'm just going to send this, and here you go, we get the user back, atil, and we get an ID back. So, we have this ID over here. So, we don't have anything else, I believe. So we get this ID, but we don't have any kind of excessive data over here. So, I believe we're going to have to go and look at that Android application as they suggest in the documentation. So, we're going to have to go into the Resources folder. So, most probably we're going to have to run an APK. So, if you're taking this in the mobile application or mobile ethical hacking course, then it's okay for you. You know how to run this APK. If you're watching this for the web pentesting course, I really recommend you guys just watch it from here. Okay, don't try to execute this, because we're going to have to install Android Studio, we're going to have to install an emulator just to test this. It takes like two hours, three hours to do that.
Just don't bother with it.
It's going to be very easy for me because I'm already an Android developer, I have everything on my computer, and you can just watch how it goes and take notes if you like. Okay, so, if you don't have any Android emulator experience or any Android Studio experience before, just don't bother with it, just for this challenge, it doesn't make sense to install this. But what I'm going to do, I'm going to open Android Studio, I'm just going to open a new project or just select one of my existing ones, because what I want to do eventually is to open an emulator, not just a project. Because we already have an APK, I don't think we will be working on something like reverse engineering or something that complicated. We're just going to listen to the incoming and outgoing requests and responses for that APK. So, I'm going to open any project from here. So, this is a project that I have been working on with Kotlin, but it doesn't matter, because what I'm going to do, I'm going to open the AVD Manager, this is the virtual device manager for Android Studio, and I can just run any emulator that I want.
So, I opened an emulator, which is a virtual device of the Android operating system, obviously, as you can see, and this is actually a virtual phone. Now I can run the APK inside of this phone, and by the way, if you don't know what an APK is, it's an Android package, like an exe file but for Android phones. We get an error. Let me just try it one more time, here you go. This time it worked. If it didn't work, I believe you're going to have to sign this with jarsigner or any other tool that you want. If you watched the mobile ethical hacking course, you know how to do that. If you are very curious about this, I can show you the commands, this is keytool and jarsigner. These are the two commands that are needed in order to run this. In order to run these commands you're going to have to have the JDK installed on your computer. Once again, if you're not a mobile pentester or mobile application developer, just don't bother with it. If you're here for web pentesting, just watch the rest and see how it goes. So, I have installed the APK on this phone, and let's find it. Let me open the screen, let's see what we called it or what they called it. It's a comment APK. Let's see. Do call Matthew. Here you go. This is the one, here you go. vAPI. Great splash screen, my friend. So, over here it asks for a base URL. So, it should be the URL of our API, this one. So maybe we can just copy this and paste it over here. I don't think... we cannot do that, the clipboard doesn't work over here. So, I'm just going to write it: http://134..., obviously you need to write your own, and vapi. Here you go. Now if I click on 'Save', it will ask me for a user ID and password. Great. Now we have this user ID and password because we created it via Postman. So, the user ID should be two, and the user password, I don't know... the password is atil123. Great. Here you go. Let's try to log in. It says that something wrong happened. Let's see, let's try one more time, or let's try to create an account from here.
Here we go.
We have a screen over there. So, for the user ID I'm just going to go with three, because we already have two. For the password, again, I'm going to go with atil123. Display name, again, just choose whatever you want, man. I'm going to go with maybe atil, but we have already used atil. I'm going to go with atlas, so far so good. I'm just going to go with register and here you go. Now I know the user ID, which is three, and I know the password, atil123, and try to log in. Here you go. We have logged in. So, let's see what this app is about. So, this app is about commenting, I believe, kind of a Twitter, so I can write some comments and I can just send these comments by clicking over here, maybe. It asks for the location. I'm just going to allow it for some reason. If I just send this, here you go. It works. Great. Now this is a great application, but I don't see any issue over here, because we're not seeing any kind of JSON responses or we're not seeing the requests that we're making, because this is an application. The user will only see what the developer allowed us to see, like the user interface.
So, what we need to do, we need to, of course, Burp Suite this, we need to intercept this package with Burp Suite, so we're going to use the proxy again with the intercept on. But we need to make sure that our emulator has the same proxy. So, I opened the settings of this emulator, and if you go to settings, as you can see, there is a proxy section. I'm going to go with the manual proxy configuration this time, and for the host name I'm just going to go with 127.0.0.1. And the port number will be 8080, not only 80. So, this would be the same as this. Okay, great. Now I'm going to say apply, and I'm going to try and send something from here, and let's see if we can capture this. So, let's send this, and here you go. We managed to capture this, so we can see what kind of things we have inside of this request. We have the device ID. We have the latitude and longitude and everything. So, intercept is on. I'm just going to turn this off, because what I want to do, I want to see what happens when we log in from scratch.
I'm just going to close this down and I'm just going to come over here. What I'm trying to do is to get all the responses back, like the login response and everything, so that we can be sure that we get the flag and we get to see what kind of excessive data we are getting. But the problem is, I cannot log in, so I'm going to delete this app. I'm just going to delete this application so that I can install it one more time and then I can log in, but for some reason, I cannot delete this application. I believe the emulator got stuck. As you can see, I cannot do anything right now. Let me try to close this, as you can see, it doesn't work. So, my emulator got stuck somehow and I cannot even delete this application. So, if you come across a situation like this, just make sure you quit this. And make sure you open Android Studio one more time and make sure you wipe the data, or just delete that emulator and install it one more time. So, what I'm going to do, I'm going to go into the AVD Manager and I'm going to find my emulator. Of course, I can just install another one, but I am just going to go with this. I am just going to wipe the data, and it will reset this emulator, and I am going to open it from scratch. The only downside over here is that we're going to have to wait a little bit to initialize this emulator. And also, of course, we're going to lose the data inside of that emulator. But it doesn't even matter, because it's just an emulator.
It's designed to be reset if it's needed. Great. Now it's open one more time. I am just going to go to the resources, yep, that's not it, that's it, for the APK, and I am just going to drag the APK to the emulator and see if we can install it. Here we go. We managed to install this. So, I am going to open vAPI one more time. But before we log in, or before we create an account, let me just give the URL. Before we log in, I am just going to make sure we have the proxy. But before we go with the proxy, I am just going to give this vAPI URL from scratch. Make sure you do the same thing. So, I am going to say 'Save', and here you go. Now we need to log in. I believe we can log in with the same credentials, but I am going to turn the proxy on like this. It's already on. So, I am going to go into Burp Suite and turn the intercept on. Now it has started to capture the packets, most probably it captures the Google services or something like that. For the user ID, I am going to go with 3, for the password I am going to go with atil123, and I will log in. Here we go, we are sending this username and password. So, what I want to do, I want to check the POST and I want to send this to Repeater.
So, in Repeater, I will just send this and see the response, yep. Here we go. For the response we have success: true and the username as well. But for some reason, we don't have any excessive data exposure. We are not seeing, at least I cannot see, any excessive data. We only get the success and the username. So, I am going to go into the proxy and send this. I am just going to forward this and forward that as well, obviously, and forward, since we're not getting anything back. But I believe we need to do it one more time. I am just going to log in and forward this again and again, and here we go. We are inside of the comment app, and still we're getting some packets. I am just going to forward everything until we get nothing and go into the HTTP History tab. Now I will check everything that I have done so far. So, for the POST request, I am getting some responses back. For the GET request, here you go. For the GET requests, we're getting a lot of responses and we get a flag. So, what happened? What was the thing over here? So, in the /vapi/api3/comment endpoint we're making a GET request, and we're getting a lot of data. As you can see from the response of this request, we are getting the device ID, we are getting the latitude and longitude, and the comment text. And the idea over here is that even though the developer is not showing us this information, even though we are not seeing the latitude and longitude, remember this asked for a location permission. So, it gathered our latitude and longitude. It's not showing that. It's not showing the latitude and longitude to us.
But it doesn't mean that we cannot see it. The idea over here is that even if you're not going to show it to the user, even if it's not necessary, then just don't send it with the response. Because a hacker can easily listen for the responses and just get the JSON back and get all this data that they're not supposed to be seeing. That is the idea, that is why we got the flag back over here. So, that is the definition of excessive data exposure. So, even if you didn't exercise that, even if you didn't have Android Studio or an emulator, I believe you get the idea. This is not only for mobile applications, this is for APIs, for the web as well. If you're not going to be using that data, and if it's sensitive data, and location is sensitive, then just don't do it. Just don't send that back in the response, because the hacker can easily get this. So, what I am going to do, I am going to stop here and continue within the next lecture for the next challenge.
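As an added example (not code from the course or from the vAPI project), here is a small Python sketch of both sides of this challenge: a comment endpoint that serialises the whole stored record, the way the /vapi/api3/comment response did, next to one that uses an explicit response schema, plus a check you can run over a JSON body captured in Burp's HTTP history to list the fields the UI never displays. The record fields, sample values and function names are constructed for illustration.

```python
"""Excessive Data Exposure (API3): full-record serialisation vs. an explicit response schema."""
import json
from dataclasses import dataclass, asdict
from typing import Any

# Constructed sample record. The field names mirror what showed up in the
# captured comment response: device id, GPS coordinates and the comment text.
@dataclass
class Comment:
    id: int
    user_id: int
    comment: str
    device_id: str
    latitude: float
    longitude: float

COMMENTS = [
    Comment(1, 3, "hello from the emulator", "emu-0000-constructed", 41.08, 29.05),
    Comment(2, 2, "second post", "emu-1111-constructed", 41.01, 28.97),
]

# The only fields the mobile UI actually renders. Anything else that leaves the
# server is exposure, whether or not the app shows it.
PUBLIC_FIELDS = ("id", "user_id", "comment")

def list_comments_vulnerable() -> list[dict[str, Any]]:
    """Dumps the full record (typical 'return the ORM object' code): leaks device_id and location."""
    return [asdict(c) for c in COMMENTS]

def list_comments_fixed() -> list[dict[str, Any]]:
    """Builds the response from an allow list, so new columns never leak by default."""
    return [{k: getattr(c, k) for k in PUBLIC_FIELDS} for c in COMMENTS]

def excess_fields(response: list[dict[str, Any]], allowed=PUBLIC_FIELDS) -> set[str]:
    """Review-time check: keys present in a response body that the client does not need."""
    extra: set[str] = set()
    for row in response:
        extra.update(k for k in row if k not in allowed)
    return extra

def audit_captured_body(body: str) -> set[str]:
    """Same check over a raw JSON body, e.g. one copied out of Burp's HTTP history."""
    return excess_fields(json.loads(body))

if __name__ == "__main__":
    # Constructed stand-in for a captured response body.
    captured = json.dumps(list_comments_vulnerable())
    print("fields the UI never shows:", sorted(audit_captured_body(captured)))
    print("after the fix:", sorted(excess_fields(list_comments_fixed())))
```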
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.