This course focuses on API Security and explains the kinds of vulnerabilities that we can find inside APIs, how to exploit them, and how to secure them as well. These skills will allow you to obtain bug bounties from vulnerabilities and also protect your own APIs as well.
Hi, within this lecture, we're going to install the vAPI inside of our server. Right now I'm inside of my server. I have connected via ssh, and it seems that I cannot type anything, so it means that I have lost the connection I believe. So, if you experience the same thing, make sure you close the terminal and open it one more time and connect to your server again using the ssh or the web interface or party. As you can see, it says broken pipe, which means that I lost the connection. So, it's easy. I'm going to do ssh one more time and give my password and hit 'Enter' and then I will be in. So, as long as you are inside of your terminal like this, as long as you see this route at Ubuntu then you're good to go. Now what I'm going to do, I'm going to open this Github repository one more time because that's exactly what we need in order to install this. So, we need PHP, we need MySQL, MySQL or we need other requirements or other dependencies as well, but you don't need to worry about those because we need those inside of the server, not inside of our own machine. Of course we can try to run the local host but it won't be as realistic as it is. And also it will require us to install a lot of things. Right now, I'm just going to copy this GIT, GIT URL, rather than downloading the zip. I'm just going to copy this and come over here, and put it inside of the Apache server directory. So, I'm going to run GIT clone of course, and GIT will be probably installed on the Ubuntu automatically. But let me see, I'm inside of the route. I'm going to try to go back, and then if I say 'ls' then I can see the v a r var, and then I'm going to cd/ var/www/html But it doesn't exist, there is no such directory. Great. Which means that I don't have Apache. As you can see, I cannot go into the var/www/html folder, which means that I don't have the Apache. But let me be certain, I'm going to run this Apache command and see if it's installed on my system or not. If it's not, then I'm just going to go ahead and actually install it. So, inside of the var, I don't even have a www folder, which is again an indication that my Apache service is not present. Here you go. Service apache2 status, gives me could not be found. I'm going to run apt install apache2, which will install the apache2 on my Ubuntu server. Of course, I'm going to say yes. But as you can see, cannot fetch some of the archives, it cannot to the Internet or it cannot to the server for some reason. I'm going to ping the google.com. Here you go, it works. It's connected to the Internet. Obviously it's connected, otherwise we wouldn't be able to connect to the server at all. So, what I'm going to do, I'm going to run apt update --fixed-missing. It's actually a very good idea to run apt update or apt upgrade, depending on your situation, once you create a server. Now we haven't done that, so most probably that's why we cannot install anything. So, I'm going to run apt update as well. And here you go. I believe this is now okay. So, I'm going to run apt install apache2 one more time, and I'm going to say yes, obviously. And here you go. Right now it's progressing. It means that it's installing. It couldn't download the thing previously because we forgot to actually run apt upgrade or apt update. Here you go. So, I'm going to clear this thing. Right now I should have www folder over here. So, I'm going to go see the /var and run ls. Here you go. We have the www folder. Now I'm going to go inside of that folder and also inside of the html as well. Currently I'm inside of the var/www/html and I can see the index.html over here. So, this is our web server, so this is where I will run this command, GIT clone. And I'm going to run this https://github.com. So, if you want, pause the video here, just copy the command: git clone https://github.com because that is exactly what you need to do because it will download all the codes inside of your server and if you run ls you can see this 'vapi' vAPI folder appearing in here. So, you can go inside of that by running cd vapi, and here you go. Now we see all the contents and in fact we have seen them in our own computer before. Right now I'm inside of the vAPI directory. So, let's go to README and see how it's installed. So, for the Docker installation, it's actually very easy. All you got to do is just run this docker -compose up -d. So, it has been dockerized for us. So, if you run this, it will just execute everything, install all the dependencies that you need and run the server for you. It's very easy to do. All you got to do is just copy this and paste it over here. Of course, we should be inside of the vAPI folder. The Docker compose cannot be found, so we have to install this as well. So, I'm going to say apt install docker first of all, and I'm going to say yes. So, it's going to install the Docker, and I believe we have to install the Docker compose as well. So, docker-composed, apt install docker-compose. Here you go. As you can see this is around 360 megabytes, so it can take a little bit time. So, after this is installed then you can use Docker to instantiate your API. Of course, without the Docker you can manually install this as well. But if you're not a web developer, if you don't have any kind of DevOps or backhand development experience before, I really suggest you stick to the dockerized thing. So, here guys you can see it's almost done. And after you see the screen, you can clear the thing and then run the docker -compose up -d one more time. This is all you got to do. If you run docker -compose up -d, as you can see it's started to pull the dependencies like it's actually installing MySQL right now. If you don't have PHP on the server it will install it. If you don't have MySQL, it will install it. If we don't have anything else, it will install it. Very good. Now as you can see we're going to have to wait a little bit and see what's going on. And then after this is done then we're going to actually run the API. By the way it's step 104, it's actually installing the PHP right now, I didn't even have that. And after this is completed, I believe it will automatically run the API, and it will automatically run the API in the background, so that we won't have to do anything else at all. So, if we look at the manually installing the server, as you can see we need to set up the database manually, we're going to have to install the MySQL manually, and so much more. So, I don't think you should focus on that. I believe you should just run Docker composed up, in order to make this up and running. And then we're going to focus on the penetration testing site. So, here you go. I'm going to wait a little bit. Here we go, it's finished. It's finished but I believe we got an error. So, as you can see we got an error over here, maybe you didn't get that error but I got. So, let's see what kind of error do I get. So, it says that the address is already in use, which means that we are using the port 80. It says that you're using the 0.0.0.0:80, so it cannot create the API. So, something is using the port 80 in our own server. So, I suspect it would be apache2 because we have just installed it, but of course we can kill it, we can make it stop and just let the API do its thing. So, what I'm going to do, I'm going to open another tab over here, actually we don't need another tab, I can just do it over here because I lost my connection somehow. I'm just going to give my password one more time. I don't have to do everything from scratch. I know something is using the port 80. So, I'm going to go back to the same folder cd /var/www/html and if I run ls, I'm going to go into vapi folder as well. Right now, if I run the Docker compose one more time, it won't matter because the port 80 is in use. So, I need to understand what is using port 80. In order to do that, you can run lsof with a column 80. So, this 80 stands for the port number. If you're looking for 80, just write 80. And here you go. As you can see apache2 is using the port 80, and that is what is blocking us to launch the API. So, I'm going to kill the apache2, so that we can run the API in a proper way. So, all you got to do is just run kill and write the PID number over here. This is the process ID. So, for me it's 3428 and it will kill the apache2. If I run this command again, as you can see there is nothing using the port 80. So, if you did not get this error then you shouldn't do that. You shouldn't bother doing it. But as you can see, I got error, so I'm going to run the docker compose up -d one more time, since our dependencies is already installed, I believe it will just start the API. And here you go. Now it says that starting API it says done. Now I believe it should be okay. Now if I run ifconfig, you will see that a lot of thing is going on over here but what I'm going to do, I'm going to find my IP address. Here you go. Of course, you can copy and paste it from the digital ocean as well. But I'm going to run this and paste it in my browser to see if it's running up. Here you go. Now it means that it's running. So, it shows the Laravel because it's written in PHP, but we are not interested in this right now. All you got to do is to reach the API itself say /vAPI over here. And here you go. Now we are inside of the vulnerable API documentation, which is exactly what we need. Now if you see this screen then you're good to go. You are ready for pentesting. Of course, we're going to install some tools for pentesting as well. But aside from that, we are good to go. Again, if you don't want to set up your own server or if you don't want to set up your own API just take notes, or just watch the lectures. I believe you will learn something in this section.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.