
...we had before being here today, and to do the keynote talk. This is my title: a methodology using fuzzing, in full disclosure. So, I haven't done this talk before, this is the first time. I wanted to make something special for you guys, so I hope you're going to enjoy this. I will have some time after for questions, and I really want to see the hands in the air, like, have some really fun questions.

So, my name is Frans. I try to be open and talk about stuff for, like, the part of the community in the back row. I work as a security advisor at a company called Detectify. I'm also CTO at another company called Centra, which is not doing security-related stuff, more e-commerce stuff. I do a lot of hacking on HackerOne and Bugcrowd, and some Synack, some Cobalt as well, but I'm trying to be all over the place, trying to identify where to look for stuff and what to actually find.

The idea of coming here today is that there's been a lot of advice, you know, for fuzzing, for looking for information, for trying to hack a bunch of companies, and I had some really fun examples that I wanted to talk about. You all know the drill, right? As soon as you find something on a private program you can't talk about it, and that's so boring. I don't want to do that; I don't want to censor all the images and try to explain why. Let's focus on the vulnerabilities instead; the companies don't really matter in this case.

So what I want us to do: I want us to make up an imaginary app, and I will try and see if we can do this together. The whole idea is that this app will be so generic that you can apply the bugs we will talk about, which are real bugs, to it, but there's no way you can map it to a real company.
As soon as you start using this app it will make requests to three other places. There's api.example.com for fetching user data, like who is the current user, what other users are there, what company are you signed in with, et cetera, on this business.example.com app. You can also subscribe to different subscription plans, so you will be able to add your credit card and download existing invoices. This company wanted to think in a microservice architecture, so what they did was outsource the invoice endpoints to only be provided on a domain called invoices.example.com, so that is a different service than the API at api.example.com; it's served on invoices.example.com. All these requests make sure they're using proper authentication tokens and everything, so there's no authentication issue with this design, because it always makes sure it sends the proper authentication headers.

The third thing is that you can talk with other people in this app, so you can send DMs basically, and they wanted to build that as a different team; there was a team dedicated to doing the conversation endpoints, so they added another subdomain that only deals with fetching messages or fetching conversations. Pretty standard structure, right? You have a microservice architecture with some parts distributed on different subdomains, but you still have a main API that handles the core functionality.

Now, what we can also see in this JavaScript is that some of the requests go to the API, for example, as I said, the users: you fetch all the user information from api.example.com. As soon as you touch invoices, we see that it has endpoints to invoices.example.com. What we can also see is that the invoice team, the team building the invoice domain, have iterated three times on the API, so we have a version 3 for invoices. The team doing conversation.example.com has a different API, so when we're looking at the JavaScript we see that you can actually fetch your messages from conversation.example.com.
Now there are some ways forward. We now try to break it; this is our app, let's try to identify the vulnerabilities in this structure. As you see, our imaginary app can probably be applied to a lot of real apps; it's a very generic structure, but we can still apply this methodology to all of them.

The first thing is that we want to note all the APIs that we can find and all the microservice groups. We made the app right now, it's an imaginary app, so we already know we have api, we have invoices, we have conversations, and all of them are being reached from business.example.com. So this exercise is done for us, but if you would look for other endpoints, there might be a pattern in, for example, the JavaScript on the business site that, when you give it an action, makes additional requests to other endpoints; there might be legacy JavaScript somewhere where you can find old endpoints. This exercise is very easy for us because we know we are just using these three microservices, but there's a lot more to do here if you're actually doing this for real.

Number two: we extract all the API endpoints that we see are being used, and we can do this very structured. We focus on the JavaScript that we saw on business.example.com, we see what endpoints are being used to fetch invoice data, and there are a lot of tools for this; Jobert Abma wrote something called relative-url-extractor, which extracts the relative API paths from a JavaScript file. You might be able to just extract all the strings from a JavaScript file; you can literally search for a double quote followed by a slash to get all the strings that begin with a slash, which is probably a relative API path. What we did in this case was look through the JavaScript and search for api/v plus a version string, and we saw that these are the ones we found: /api/v3/invoices, /api/v3/invoices/{id}, /api/v3/accounts and /api/v3/accounts/{id}.

What we do with this information is store it in the best way possible for us to use further. The way I tend to do it is like this: we can basically say that /api/v3 is a prefix, and there are most certainly more things under /api/v3 than just invoices; most of the time they have something else, right? Next to invoices there might be payment methods, there might be users, there might be tests, I'm not kidding, there might be a lot of these things. So we want to fuzz everything underneath that prefix. So we save /api/v3, and we also save /api, because there might be other versions; there might be /api/v4, there might be /api/v1. We also save only the last part, invoices and accounts, because we want to separate them from the prefix. We treat the API prefix separately, but we've got to keep the full URLs in another form too, so we also keep /api/v3/invoices.

As you see here, you have both invoices and invoices/{id}. This is a problem for us because we might want to test invoices without the ID sometimes, invoices with only the slash sometimes, invoices.json; we want to test all these things. So what I tend to do is just add an indicator, and this indicator tells me that this is an endpoint that has an additional path on it, but it might also work without the path, and it might also work with just a slash. So it tells me those three things, and I can save space in my path lists by saying that this one we test with an ID, with a slash, with nothing, and with everything. This helps me a lot in curating this list, because what we want to do now is find all the prefixes and everything that is being used by this company and combine that into one long list of endpoints, so we can fuzz everything we have in this company.

One other endpoint we saw was conversation.example.com. This one, we find in the JavaScript, has three other endpoints: it has /online and /positions, that's WebSockets, so we convert this, and we also know that you can identify a specific conversation with an ID, so we do the same thing; we say that this one has an ID reference, so we know we can replace that with a path or an ID or nothing. So now we have this list together with the other one.
The other thing we need to do is go into a lot of different assets to try to find more. What we did right now was look at the current JavaScript, the current website; these are the live things, the things that are currently being used. But there might be an old version of these. Remember we saw /api/v3/invoices; there might be an API endpoint with /api/v1/invoices. So we want to find all those things in all these different ways. You can literally combine these two; you can go to the Web Archive to find the old documentation. A perfect example of using the Web Archive: let's not look at the code, let's look at the documentation from two years ago, that one had totally different information. We might also look at other assets; maybe they have an SDK, like "this is how you use our API", maybe they have a desktop app and you can extract the data from the desktop app. What we then do is create the list of all the different endpoints, and from this list we break out the prefixes. So now we have two lists, two different files: we have conversations, invoices and users, and then we have all the prefixes of all the ones we've seen. We should probably also add /v4 and /v5 to this list for this company, because we're pretty sure that they will have some later versions, maybe not used anymore, or not used yet.

So when you do this and combine it with all the subdomains, you can see here that now our fuzzing, just because we found /api/v3/invoices on invoices.example.com, by combining these, will actually make requests to api.example.com with /api/v1/invoices, something that we never saw anywhere on the site. Just because we separated all these things and then combined them together in our fuzzing, we will start testing endpoints that nobody else ever tested, because why would they test /v1/invoices on the API? Well, it turns out the proxy that handles the regular API had that endpoint too, because why not, but nobody had tested it. Why would someone test /v1/invoices on api.example.com when we have invoices.example.com? So this helps us identify endpoints that nobody had tested before, just because we used our logic to separate all these things and then combine them together.

So we basically take the subdomain list, all the path prefixes (some of the path prefixes should be empty, right, maybe we want to try api.example.com/invoices as well, without any prefix), and we add some standard paths to this, some standard fuzzing. Sometimes it turns out that the v1 invoices API on the regular API, which nobody tested, had a SQL injection in the ID of payments. I'm not kidding, that's the kind of thing you might find just by doing these weird combinations. Remember, this is the same company; if you have a weird endpoint in one place, they probably use the same taxonomy elsewhere, because developers want to be smart and think about efficient ways of doing stuff, so they put things in the same kind of structure, right? They want to reuse things as well, so why shouldn't we as well?
well so I tend to have these regular you know bunch of characters weird characters back slash slash single-pole double-throw the personal not like trying to find all these things if there's numbers in the idea tested with letters tests everything as - so when we do this combination what might we find by by the labels and this is where the fun part starts because I have examples for all these things so one thing that we might find is that we can find you for all 10 points that is not the news yet or any more one really good example of this was a real life scenario it looked like this there was a message board on one of the kiosks and this
message board looks like this you make city made like version 2 ports and the ID of the message board the message board would give you a list of messages for this specific conversation if you look at the data there's nothing really secretly the message board was public for all the users so one user could see messages from others that's a point with a message board however when we started doing our exercise I broke up you know the API product in the vs. apart and the boards suddenly we get a different version purchased more slack ports and what we can see here is that AB developer also respected TI into something called the Jason API and the Jason API is basically a
specification on how to do a JSON REST API and what we saw on this end point was something called includes if you know about JSON API includes is basically a ability for the server to say that you know and we give you the message words but also you have an option to include the whole user object if you want and this is a pretty convenient because this means that in a regular case fetching the message for you might already have you know information about the users and not to actually just fetch the message world but sometimes you want to maybe on an iPhone app you want to fetch everything so you want to have the information
about each user so when you click on like I would click on a user it will find a player and then tell you all the information about this user now when we saw this we basically realized okay if we have done a query parameter called include user it would append an attribute to the response saying it's a user what was the interesting part here was that when they did the refactor of this message the version for they basically forgot to sanitize the userdata to remove the private properties that should not be publicly available but remember they never do this version four of the message board they never released it never went into any riptide reviews
because it's not being abused right it's not like so nobody went through with that verify that you know you should you should not show these private properties so what happened was just by utilizing a mobile use maybe I that wasn't released yet we saw that we could in clear the user we never think you sir and suddenly we get data that we should not get so now we can send our first report to this program it tell the new version of Jason API for message boards leaks all the emails and phone numbers for all users anybody that ever interacted with the message board has now email and password just by us utilizing this new wave man
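The list-building the speaker described earlier (split every path you have seen into a prefix and an endpoint, mark endpoints that were ever seen with an ID, widen the prefixes to neighbouring versions, then cross everything with every host) as an editor-added Python example; it is not code from the talk or from any tool the speaker mentions. The sample URLs, the hosts and the neighbouring versions guessed (v1, v2, v4) are constructed assumptions.

```python
import itertools
import re
from urllib.parse import urlsplit

# Constructed sample input: the kind of absolute URLs a relative-URL extractor
# would give once the relative paths are joined with their hosts. The hosts,
# versions and IDs are assumptions for this example, not the speaker's data.
SEEN_URLS = [
    "https://invoices.example.com/api/v3/invoices",
    "https://invoices.example.com/api/v3/invoices/123",
    "https://invoices.example.com/api/v3/accounts/45",
    "https://conversation.example.com/api/v1/conversations/999",
    "https://api.example.com/api/v2/users",
]

ID_MARKER = "*"                                 # "also seen with a trailing ID segment"
VERSION_RE = re.compile(r"^v\d+$")
FUZZ_CHARS = ("'", '"', "\\", "%00", "-")       # odd characters to drop into the ID slot


def split_path(path):
    """Split '/api/v3/invoices/123' into prefix '/api/v3' and endpoint 'invoices*'.

    The prefix runs up to the last version-looking segment; the endpoint is the
    first segment after it, marked with ID_MARKER if anything followed it.
    Returns (prefix, None) when the path is only a prefix.
    """
    parts = [p for p in path.split("/") if p]
    cut = 0
    for i, p in enumerate(parts):
        if VERSION_RE.match(p):
            cut = i + 1
    prefix = "/" + "/".join(parts[:cut]) if cut else ""
    rest = parts[cut:]
    if not rest:
        return prefix, None
    return prefix, rest[0] + (ID_MARKER if len(rest) > 1 else "")


def build_lists(urls, extra_versions=("v1", "v2", "v4")):
    """Build the three files the talk keeps: hosts, path prefixes, endpoint names.

    Prefixes are widened to the bare '/api' and to neighbouring versions, so the
    recombination later tries paths nobody has seen, such as /api/v1/invoices
    on api.example.com.
    """
    hosts, prefixes, has_id = set(), set(), {}
    for url in urls:
        u = urlsplit(url)
        hosts.add(f"{u.scheme}://{u.netloc}")
        prefix, endpoint = split_path(u.path)
        if prefix:
            prefixes.add(prefix)
            head, _, version = prefix.rpartition("/")
            if VERSION_RE.match(version):
                prefixes.add(head or "/")
                prefixes.update(f"{head}/{v}" for v in extra_versions)
        if endpoint:
            name = endpoint.rstrip(ID_MARKER)
            # Once an endpoint has been seen with an ID, keep the marker.
            has_id[name] = has_id.get(name, False) or endpoint.endswith(ID_MARKER)
    endpoints = sorted(n + (ID_MARKER if flag else "") for n, flag in has_id.items())
    return {"hosts": sorted(hosts), "prefixes": sorted(prefixes), "endpoints": endpoints}


def expand_endpoint(endpoint, sample_id="123"):
    """Turn 'invoices*' into the variants the marker stands for: bare, trailing
    slash, a known ID, and the ID slot filled with fuzz characters."""
    name = endpoint.rstrip(ID_MARKER)
    variants = [name, name + "/"]
    if endpoint.endswith(ID_MARKER):
        variants.append(f"{name}/{sample_id}")
        variants.extend(f"{name}/{c}" for c in FUZZ_CHARS)
        variants.extend(f"{name}/{sample_id}{c}" for c in FUZZ_CHARS)
    return variants


def build_targets(lists):
    """Cross hosts x prefixes x endpoint variants into one deduplicated list."""
    targets = set()
    for host, prefix, endpoint in itertools.product(
        lists["hosts"], lists["prefixes"], lists["endpoints"]
    ):
        base = prefix.rstrip("/")
        targets.update(f"{host}{base}/{v}" for v in expand_endpoint(endpoint))
    return sorted(targets)


if __name__ == "__main__":
    for target in build_targets(build_lists(SEEN_URLS)):
        print(target)
```

Feeding five seen URLs through this produces several hundred candidates, including https://api.example.com/api/v1/invoices/123, which appears nowhere in the input; that is the kind of never-seen combination the speaker says nobody else tests.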
Another thing we might find is that microservices, remember this structure, you have api, invoices, conversation, maybe they also interact by making their own calls internally. This means that when you talk with the invoices API, maybe there are five microservices in the back doing certain things; maybe they have an endpoint internally to generate the PDF for the invoices, maybe they have one endpoint for the payment methods, for adding credit card data, because maybe they need to be PCI DSS certified, and PCI DSS says they can't handle credit card data themselves, they need to outsource that, so maybe they have a microservice just handling that kind of data. We want to identify if any of the endpoints we find interacts with something else on the server side, and this is a really good exercise. I have a perfect example of this, where I was able to identify that, yes, a microservice in the back was being used, and also a way to abuse it. This is what I saw. Remember, we have /v3/invoices/{id}, and remember what I did before, right, I had a star on invoices because I want to test without IDs, I want to test with IDs, I want to test with a slash, but I also want to test with fuzzing characters.

What is the first thing you would do if you saw this? What would you test for? IDOR, right. You see invoice 123; the first thing you would do is test 124. You get a PDF, you get that URL for downloading the invoice that you own, but when you change it to 124, of course you want to test: can I download someone else's invoice? It tells you access denied. So now you know they have a proper access model for accessing invoices, that's good, right? But we want to fuzz this. So when we try a different ID it tells us access denied, right. We tried with a quote, we tried a double quote, and it doesn't say access denied anymore; it says bad URI. Interesting. There's something else interesting here: can you see "version 1" there? There's a v1 in there. This happened for real, and I saw this and I'm like, I sent it to version 3 but it gives me an error about version 1. That is interesting. Why is this? What is going on here?

I have a possible explanation; I still don't know, but this is a possible explanation. The possible explanation is that the code they use looks like this: they have an endpoint on /v3/invoices, and the route looks like this: you have /api/v3/invoices and everything after that will be the ID. Then the function on the server side, still, we don't know if this is the truth, but this is a possible explanation from the error that we saw, is making an API call on the server side, and this server-side call that they're making to an internal API is basically appending the ID to invoices on version 1, because the internal API to download the PDF invoices is still version 1. In our case, our assumption is also that, how do they know that 123 we should have access to but 124 we should not? Our assumption is that they actually append a token in the parameters, and I will tell you why. This of course explains the bad URI on the endpoint: that means that we send in a double quote here, but this API call will say, I don't know what URL has double quotes, I will tell you this is a bad URI, and that's how we see that kind of error.

Now what we want to do, the first thing, is identify if our theory is right. So when I put the word FUZZ in here, that basically means that part we're going to test with a wordlist of regular parameters, so you understand what the FUZZ word means.
Anything that we want to test, we want to iterate and see if we can find any difference, testing the word api, or the word user, or the word token; we want to test each of them and see if there's any difference. So the first thing we want to do is send and verify that we can send additional query parameters, because our assumption is that there's an API call on the other end that we want to inject into, like query string smuggling on the internal endpoint. If we would send the first request you see here, those three parameters would never be sent to the internal API, because, as you remember, on this one here it appends its own query parameters, so this one will ignore those parameters. However, if we URL-encode it, this part will now turn into the ID from here forward, and if we're lucky they actually URL-decode that part, or the routing system does it by itself, like what's going on in some of the routing systems these days, where the decoding is handled automatically. So they would never see the URL-encoded part; they will actually get the question mark part as the ID and pass it on. So we start fuzzing this and trying to see what happens.

Now our theory is that the server-side code will look like this: this is the part we injected, and hopefully we get the token into the internal API request. So we do this; there's a regular parameter list that you might use, it's really common to fuzz all these regular ones, and we run this, and suddenly on token we get access denied. This is awesome for us. This is an indicator that the token that we sent in as X made the request say access denied, and remember, this is the invoice that we did have access to, but just by including a query string with token=X we don't have access to it anymore. So this tells us that the token parameter is used for authenticating you on the internal API. So even if we get access denied here, we are really not denied, because we have identified that we can do query string smuggling to an internal API, and we know exactly how the authentication works. That's everything we need.

Now, the interesting part is: what do we want to do here? We won't be able to get a different invoice, because we don't know a different ID. How can we smuggle in our own token here? It won't help us to get 124, because we don't have the user or a different invoice; we don't even know what the token that they are sending to this endpoint actually is. So what can we actually do with this? Well, we can stop doing query string smuggling and start doing path traversal. This is basically the confirmation when you start to do path traversal: the interesting part with path traversal is that we now know that we are talking with an API on version 1 on the other side when we're sending to version 3; we know because of the smuggling. But we can also, as you can see, eliminate the version part, and we know we're talking with invoices on the other side. So let's instead move out; let's use ../, URL-encoded, and try to go outside the invoices part, but in the internal API. So we URL-encode this and we start fuzzing.

But what we also want to do is eliminate the token parameter. We know that the token parameter was used to validate that it's a user sending the request, so our assumption here is that if we talk with a different endpoint, that endpoint might check that there's a user token here, and a user token should not be used in this internal API call. So what we can do, because we know that we can smuggle queries, is also eliminate query strings by using fragments. %23 is the URL-encoded fragment sign, which means that if we send this, if we do a path traversal back out of invoices and then a fuzz list of the paths that might be there, and then the fragment part, we know that the request made to the internal API will not use the user's token anymore. This could actually help us; this might mean that they have a check making sure that no users are talking with other endpoints, and therefore, when the token is in the query, they will just say access denied, this user is not allowed. But what happens if the internal API basically just checks if the token is there, but if it's not there, it's a legit request? This happened for real, so this is actually a case.

So what we do is run this with the path list, and suddenly accounts gives us data. We remember from before that we saw /v3/invoices, and we also saw /v3/accounts, right, so we know that one. Together with the token we had already brute-forced /v3/accounts on the invoices API, and that one didn't give us anything interesting, but now, when we use the fragment sign from this endpoint, eliminating the token parameter, we actually get data, and not only that, we get all the invoices for all the accounts. So this is our second report: we have a report of a few hours on getting access to all invoices for all accounts due to the fragment elimination of the token string. Perfect, this is a critical. This is the assumption that we have of how the request was working when we actually got it working: we made a request to version 3, that made an internal API call to /api/v1/invoices, it made a path traversal back to accounts, and then we eliminated the token parameter, so the token parameter is not used.

Another way forward is to look at other things in the JavaScript. Let's not just look at the API; let's look at what kind of other strings are in this JavaScript.
What we might find by doing that is keys or tokens that are expected to be secret. You know, if you have a company and you have a JavaScript file, you probably don't have your own internal API keys in the JavaScript, right? That would never happen; hopefully you don't have that. But the thing you should think of is that there are a lot of third-party applications out there, and those third-party applications might have really bad documentation that isn't really clear about whether this API key should be public or not. There might also be third parties that are intended to have public API keys, meaning that you should have the API key in your JavaScript; it's a legit usage.

One example I want to show you is something called Zendesk. Has anyone ever used Zendesk? Yes, interesting. So what I found in one of the JavaScript files was this: you had a ZD key and you had a ZD URL, a Zendesk URL. What you see here is something that looked like an API key, and you saw this "access JWT". When I saw this I'm like, yes, I have API key access, I can just go to the Zendesk API for this customer and get all the data. I took the key and made a call to the API and they're like, no, this is not an API key. This doesn't even look like what an API key looks like, so what is this? The interesting part was that it was called access JWT. I started searching for how Zendesk uses an access JWT, and it turns out they use it for SSO, and this is how it works. Basically, let's say you have an app and you want to have a link that says "go to our support", and what you want is that if you're signed in to the website, they want you to be signed in on Zendesk as well. So Zendesk has the ability to transfer data over from the company website to Zendesk, and they want you to send a JWT that they unpack and basically sign you in automatically. You probably see where we're going with this: having this key means you can sign the JWT yourself.

The JWT looks like this. You basically have five parameters; this is Zendesk's solution for single sign-on with JWT. The first ones are basically just a date and a unique ID, they can be whatever, then the date needs to be very much aligned with the current time, so it's like a UNIX timestamp of the current date, so they can expire it if the data is too old. The third and the fourth parts are basically the name and the email of the current user that you want to sign in as, but the interesting part is that Zendesk doesn't really care what you send in there, as long as it's a unique email address. The interesting part is the fifth one, the user ID that you want to hijack. Remember, the user ID on a website tends to be a public thing; if you have profiles or conversations between two users you will probably see it, it's not a secret, some of the user IDs are numeric, right? If you can sign this JSON and send it to Zendesk, Zendesk will sign you in as the user ID provided in the data, meaning you see all the support tickets of this user. You can just find the user ID and then sign in as that user in the support panel, asking them to change the email, or whatever. So this is how it works: you sign the JSON into a JWT and send it to the Zendesk access endpoint for this customer, and it gives you back a session which will sign you in as that user. So now we have a third report: account hijacking in the support panel because of a publicly disclosed Zendesk SSO key. The only reason this was a vulnerability was that they didn't read about how this logic worked with this service's secret; they didn't know that it was a secret.
It basically said "API key", and it's not an API key, because the API doesn't use it, so they're like, this is probably not a secret, but it actually is.

Another thing we might find, another example, is something that is intended to be public, and this is Algolia, an API key. Is anyone familiar with Algolia? Has anyone seen Algolia? Raise your hand. OK, some of you, all right. This is not intended to be a secret; this is actually public information. If you're using Algolia you're probably using it for autocomplete, for a fast search solution on your website, and these parts that you see here are not secret, it's true; they are intended to be used on a website publicly, in the JavaScript, so no vulnerability here, really. We see that the index name is literally called public_db, and when we make a request we can actually take these three things: we have the API key, we have the app ID and we have the index name. As soon as you have those three, we can actually make requests to Algolia and just make a query with a wildcard, an asterisk, and see what the data looks like. This is the first result of the query, and when we see that, we see that, OK, it has a user ID, and usually that's it.

But what we might do when we see this is look at the other indexes that we might talk to. We look in the code, we try to see that, OK, there's not only a public_db, because when we talk to the user database, user_db, Algolia will say that this index is not allowed for this API key. So now we know that the API key is scoped, meaning they have said that this should only have access to the public database. But what we have right now is the app ID, which means we can search for all the information we have about this user, or this company, that contains this database. We know there's a relation between the app ID and the database called user_db, and we know that the API key we found is scoped to not view it. We start looking at the web archive, we start looking at the history of this website, we start getting other JavaScript files and other subdomains from this company, and suddenly we find another API key publicly. This public API key was an old one that was being replaced, but we made the same request to the user database and suddenly we get all the entries. So we try to figure out, OK, what really happened there, and the theory is that they basically had an unscoped API key back in the day, and they moved to a properly scoped one because someone said so, but they forgot to revoke this old one; they just thought it got lost in the depths of the internet. But we actually found it because we looked at the web archive, and now we have a fourth report: we basically get emails and so on for all users, disclosed due to sensitive data in a publicly open Algolia database. This database was supposed to be public, but they utilized another layer of search with Algolia, because Algolia is so fast that you want to use it too.
Instead of only using it for the public thing, they added a private thing to Algolia, and they thought they were smart because they scoped the API key they were using, but they forgot about revoking the old ones. That's what happened.

Now, another thing we might find when looking at the JavaScript is environment variables that were used in your CI build. This is a very, very common issue. When people are building the code for their websites using continuous integration, CI, Jenkins, CircleCI, Travis, whatever they use, sometimes when they build the code, some of the modules that they use in Node for example, or in Composer or similar, actually dump the environment variables when building. It sounds ridiculous, but it's happened a hundred times. This has happened multiple times: when you actually look at this, you would see this in the JavaScript. Is anything standing out and screaming vulnerability to you? You have an AWS access key for production and you have an AWS secret access key for production. They would just end up there in the CI build of their JavaScript, and they never thought that would ever be a public thing, right? But suddenly it's just in the JavaScript. So what I did in this example was load my AWS CLI with the access key and the secret key and run it, just to verify that these were actually working, and I asked the company, can I check what they are doing? They said yes, but we will probably notice that you're doing that, and I'm saying that's fine. I listed S3 and I got all the buckets they ever used for everything. I had their Terraform scripts for provisioning, I had their CloudFormation scripts for provisioning, I had their source data, I had everything that they had with these keys that were accidentally published to the CI build of their JavaScript. (Here's a guy with a horse.)

Another thing we might do is create wordlists.
word lists so this is the kind of essence that I want to like tell you tell you that it's so important because some of the build was by commenting understanding the context of like this is the parts of API we wouldn't be able to find the we actually showed you if we didn't create this word list and I do this for every program I try to take you know internal indicators so we have the different indicators telling us that we reach eternal this stuff I tend to use like a subdomain list we know what subdomains are working for this company I tend to use multi path all the three fixes all the endpoints so we have all
these for this company because this might be invaluable in a couple of years that we want to test this program again and it is so easy to put back into context because you have all the ad I am you also want to build income bar and one really is a way to actually do this let's say you've been using Burke Burke for a long time and you hang around to the website and you just want to extract all the data there's certain things you can do with one super easy way it's just literally to select in the proxy history select all the you know sort on URL take all the API endpoints complication go into the console PB paste in for example
and then you cut it on the delimiter tab character and in my case URL is like the port I think that's the default and even burn and here we get all the paths so I would just sort them by being unique and now I have like my first workers in this sentence I will start using this data to start separating them to this is just like a really quick way to just get all the things that you may be playing around with to get like a list for being used for this word super easy another thing we want to do is we want to apply context we want to show why humans are smaller than machines so in
this case we see this we see version 1 payments payment methods and we see there's one shipping in this sense we would literally like okay what can we add to this list as a human problem machine but this is a pretty basic example but as a human looking at this I would probably add shipping methods as well because that's what developer does they want to reuse things they want to have the same kind of pattern or lower so why wouldn't we and remember this shipping methods was never disclosed in any way in any JavaScript but just because we are looking at it we kind of see that make sense an example because that looks similar to other things that
we've seen in this API never disclosed anywhere but still we would shake this end point just because we apply context to this and the last part that we want to do is possible like I can't stress this enough you want to test so many things we want to test all the HTTP methods most passionately put all of them we want to test with IDs and not IDs and wit slash or not slash and we want to test dot JSON and without exception if you already always have file extensions those pilot we wanna we wanna like we are black box in here we don't know every kind of see how they are working out there became tip have literally
released was a guy doing a blog post just like it and it was a week ago or something where he literally said that he could bypass the wall because he were standing at the request to a ten-point had a peep statement saying if you get no validation else likes tea plantation because a host can can always r-value validating CSRF no bills because the inspector said it yet show this pages else check the see search okay but the thing was held it was never like selling a sea salt on them but the code path basically said the sea salt okay is already checked so just by that tip statement just by sending ahead requests one endpoint they
bypassed ever using this methodology also again you want to combine one of just missed end points you want to skip past upon the trial methods add regular custom characters backslash in person fragment want to test all these things no characters literally there are a bunch of places that just the Crassus gives you a stack units just record by the human enhancement always keep it in your pocket so to take aways from this you want to create your own context specific word lists you want to combine everything with regular posse that you've already done anyway but now we have context now we can reach endpoints that you never reached before and you also want to understand and learn as
being this close remember the battery where i the battery where I told us so much information just by an error there were no access this course which is a different error message for them when we will didn't do it the first thing that told us so much
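The Burp-to-wordlist step and the "add context" step described above, as an added example (this is not the speaker's tooling or code from the talk). It assumes the input is the tab-separated text you get by selecting rows in Burp's proxy history and copying them; the column order (#, Host, Method, URL, Status) and all sample rows are constructed. `context_expand` generalizes the payments / payment methods / shipping reasoning into a rule: when one sibling segment is another sibling's stem plus a suffix, propose that suffix on every remaining sibling.

```python
"""Build a context-specific wordlist from a Burp proxy-history export.

Added example, not code from the talk. The export format (tab-separated,
URL in the fourth column) and every row below are constructed assumptions.
"""
from urllib.parse import urlsplit

SAMPLE_EXPORT = "\n".join([
    "#\tHost\tMethod\tURL\tStatus",                                     # header row copied along
    "1\tapi.example.test\tGET\t/v1/payments\t200",
    "2\tapi.example.test\tGET\t/v1/payment_methods?page=1\t200",
    "3\tapi.example.test\tGET\thttps://api.example.test/v1/shipping?x=1\t200",
    "4\tapi.example.test\tGET\t/v1/users/me\t200",
    "5\tapi.example.test\tGET\t/v1/users/42\t404",
    "6\tapi.example.test\tPOST\t/v1/payments\t201",                    # same path, other method
])


def extract_paths(export, url_col=3):
    """Cut on the tab delimiter, keep the URL column, strip query and fragment,
    and return the unique paths sorted (the 'cut | sort -u' step from the talk)."""
    paths = set()
    for line in export.splitlines():
        cols = line.split("\t")
        if len(cols) <= url_col:
            continue
        raw = cols[url_col].strip()
        if not (raw.startswith("/") or "://" in raw):
            continue                          # header row or junk
        path = urlsplit(raw).path             # handles bare paths and full URLs alike
        if path:
            paths.add(path)
    return sorted(paths)


def segment_words(paths):
    """Every path segment that is not a numeric id, reusable as a plain wordlist."""
    return sorted({s for p in paths for s in p.split("/") if s and not s.isdigit()})


def _group_by_parent(paths):
    groups = {}
    for p in paths:
        parts = [s for s in p.split("/") if s]
        for i, seg in enumerate(parts):
            parent = "/" + "/".join(parts[:i])
            groups.setdefault(parent, set()).add(seg)
    return groups


def _stem(seg):
    # crude singular: 'payments' -> 'payment', 'shipping' stays 'shipping'
    return seg[:-1] if seg.endswith("s") and len(seg) > 3 else seg


def context_expand(paths):
    """Propose sibling endpoints a developer would create by reusing a naming
    pattern: 'payments' next to 'payment_methods' suggests 'shipping_methods'."""
    known = set(paths)
    proposals = set()
    for parent, segs in _group_by_parent(paths).items():
        for a in segs:
            for b in segs:
                if a == b or not b.startswith(_stem(a) + "_"):
                    continue
                suffix = b[len(_stem(a)):]                 # e.g. "_methods"
                for other in segs - {a, b}:
                    if other.isdigit() or "_" in other:    # skip ids and already-compound names
                        continue
                    cand = parent.rstrip("/") + "/" + _stem(other) + suffix
                    if cand not in known:
                        proposals.add(cand)
    return sorted(proposals)


if __name__ == "__main__":
    paths = extract_paths(SAMPLE_EXPORT)
    print("\n".join(paths))
    print("--- context guesses ---")
    print("\n".join(context_expand(paths)))
```

The guesses are only candidates to put into the wordlist; the stem rule is deliberately simple so that it over-proposes (it also yields `/v1/user_methods` here) rather than misses the pattern a developer actually used.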
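The environment-variable leak from the CI minification step above is something a build pipeline can check for before a bundle is published. Here is an added example of such a check (not from the talk or from any tool the speaker names): it scans bundle text for object-literal assignments whose names look secret-bearing and for the fixed shape of AWS access key ids. The bundle excerpt is constructed; the AWS credentials in it are the example credentials from AWS documentation, not live keys.

```python
"""Scan a built JavaScript bundle for CI environment variables dumped into it.

Added example, not from the talk. The bundle text is constructed, and the AWS
key values are the documentation example credentials published by AWS.
"""
import re

# Constructed excerpt of a minified bundle where a build plugin inlined all of process.env
SAMPLE_BUNDLE = (
    'var e={NODE_ENV:"production",API_URL:"https://api.example.test",'
    'ALGOLIA_APP_ID:"ABCDEF1234",'
    'AWS_ACCESS_KEY_ID:"AKIAIOSFODNN7EXAMPLE",'
    'AWS_SECRET_ACCESS_KEY:"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"};'
    'function f(){return h("AKIAI44QH8DHBEXAMPLE")}'   # a key pasted as a bare literal
)

# NAME:"value" pairs as they appear in an object literal (quoted or unquoted key)
ASSIGNMENT = re.compile(r'\b([A-Z][A-Z0-9_]{2,})["\']?\s*:\s*["\']([^"\']{8,})["\']')
# variable names that should never reach a client-side bundle
SENSITIVE_NAME = re.compile(r"SECRET|TOKEN|PASSW|PRIVATE|API_KEY|ACCESS_KEY|CREDENTIAL")
# AWS access key ids have a recognisable shape even without a telling name
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")


def redact(value):
    """Keep a short prefix for triage, never the whole value."""
    return value[:4] + "*" * (len(value) - 4)


def find_secrets(bundle):
    findings, seen = [], set()
    for m in ASSIGNMENT.finditer(bundle):
        name, value = m.group(1), m.group(2)
        if SENSITIVE_NAME.search(name):
            findings.append({"kind": "named_secret", "name": name, "preview": redact(value)})
            seen.add(value)
    for m in AWS_ACCESS_KEY_ID.finditer(bundle):
        if m.group(0) not in seen:          # not already reported via its variable name
            findings.append({"kind": "aws_access_key_id", "name": None, "preview": redact(m.group(0))})
    return findings


def bundle_is_clean(bundle):
    """Suitable as a CI gate: fail the build when anything is found."""
    return not find_secrets(bundle)


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_BUNDLE):
        print(f"{f['kind']:18} {f['name'] or '-':24} {f['preview']}")
    raise SystemExit(0 if bundle_is_clean(SAMPLE_BUNDLE) else 1)
```

The name-based rule will also flag intentionally public keys (a search-only Algolia key, for instance); that is acceptable for a gate whose job is to make someone confirm the key is scoped, which is exactly the review the first story in the talk shows was missing.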
So, any questions? I don't know, raise your hand if you have a question.

My favorite fuzzing tool? I use Intruder a lot in Burp, I use wfuzz a bit, but I think I haven't found my favorite fuzzing tool yet, because I don't think it exists. So what I see as the problem with fuzzing tools is that if they only check status code, or only check content length, or only check what kind of data is in the content, then you would always miss something. So I wanted to be smarter than just checking one of them; I wanted to check one or all of them or none of them, like I would have combined that logic in a very specific way. And I want to have it smart enough to actually understand how it's supposed to be, by, you know, testing an endpoint that it really knows doesn't exist and comparing all the things, but still understanding that if you're sending a word that is really long, the content length will be longer because it is reflected, right? So stuff like that. And I haven't really found that, so the easiest one is Burp, because you can sort it and see the sorting yourself.

Oh, I couldn't hear you, sorry. How I categorize? That's a good question. Okay, how I categorize real vulnerabilities versus non-vulnerabilities: I think it's also context related. So sometimes you need to understand; a good example of this is IDOR, right? So in a bank, if you would be able to do an IDOR and see someone else's bank statements, that's a little bit ugly. But if you're thinking about Bitcoin, looking at another wallet is per definition a proper way to use it, so you can't really talk about IDOR or being able to look at another wallet in Bitcoin, because that's how it's supposed to be done. So it's all about context, it's all about understanding what the dangerous things are for this company. So it's not an easy answer. You want to see, like, a comment in the code saying "this is a vulnerability" so that I might see that, but I mean, that's not what's happening most of the time. So a lot of the time we need to understand, like, this company, and you can verify this on other things, right? So in the example of us getting the email and the phone number of the user, if we look at the regular user endpoint, when you go to the profile for another user you would see a picture, but there's no email address there, there's no phone number there. They don't want to show that for all the users; of course they don't want to show that, why would they disclose that? But when we saw it on a different endpoint, we came to realize this is not intended: this data was not disclosed before, but only on this endpoint I was able to get the email and phone number. So that kind of gives us an indication that if this endpoint is so different, there must be something wrong with it.

So I feel, as a developer, I would look into making sure that the APIs we are using are the ones that are actually working. So one of the examples I showed you was that they had version 3 of the invoice API; you should make sure that version 2 or version 1 doesn't even exist, like when you're actually moving your things. Or another solution is to make sure that you also are checking those for the same kind of vulnerabilities. Like, one of the examples I had was that a new API was vulnerable, and that's a really hard one to catch, because the developer might not even be introducing it in, you know, the documentation or Swagger or something; they just introduced it because someone was refactoring their APIs and they haven't even, you know, put it up for review. So it's really hard to make sure that all the endpoints that we have, that we're testing that one. Like, one of the things that I would tend to do, one thing would be that you automate creating Swagger files internally based on the routes that are being evaluated, instead of having disconnected Swaggers. So if a Swagger is made by hand, you will always have a disconnect, so I tend to force people to have some form of automation to disclose what routes are actually active. That way you may be able to identify that endpoints you're not using anymore are still publicly available, or new endpoints that are not supposed to be used are publicly available. That might be a good solution to it, because there will always be a disconnect between the published Swagger, if you have a public API, and the actual real-life routing. That's literally the first thing I do with a company that I want to look at together with the developers: I'm like, give me your documentation, thanks, give me all your routes. Some of them send me a link to the public docs; that's not the truth. I will tear it out from their code, like, okay, this Swagger contains 50 paths, but when you look at the routing it has 25, and then you understand there would be a problem. So that might be a good training session, to actually extract them from the real product instead of having the disconnects.
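The comparison the speaker asks for at the end of the Q&A, live routes against the hand-written Swagger, as an added example (not the speaker's tooling and not any specific framework's API). It assumes the live side is a list of (method, path) pairs in Flask-style `<param>` notation, as a route table would report them, and the documented side is an OpenAPI `paths` object with `{param}` notation; both tables below are constructed. It also reports the other check from the answer, a resource still reachable under an old API version next to the current one.

```python
"""Diff the routes a service actually serves against its OpenAPI/Swagger document.

Added example, not from the talk. Route table, spec excerpt and the Flask-style
'<int:id>' / OpenAPI-style '{id}' parameter notations are assumptions.
"""
import re
from collections import defaultdict

LIVE_ROUTES = [                        # constructed: what the framework's route table reports
    ("GET", "/v3/invoices"),
    ("GET", "/v3/invoices/<int:invoice_id>"),
    ("GET", "/v1/invoices/<int:invoice_id>"),     # old version never removed
    ("GET", "/v1/users/<user_id>"),
    ("GET", "/v1/users/<user_id>/contact"),       # added in a refactor, never documented
    ("POST", "/v1/payments"),
]

OPENAPI = {"paths": {                  # constructed: what the hand-written Swagger says
    "/v3/invoices": {"get": {}},
    "/v3/invoices/{invoiceId}": {"get": {}},
    "/v1/users/{userId}": {"get": {}},
    "/v1/payments": {"post": {}, "delete": {}},    # delete removed from code, not from docs
}}

PARAM = re.compile(r"<[^>]+>|\{[^}]+\}")
VERSION = re.compile(r"^/v(\d+)(/.*)?$")


def normalize(path):
    """Collapse every path parameter to '{}' so the two notations compare equal."""
    return PARAM.sub("{}", path.rstrip("/")) or "/"


def live_operations(routes):
    return {(m.upper(), normalize(p)) for m, p in routes}


def documented_operations(spec):
    return {(m.upper(), normalize(p)) for p, ops in spec["paths"].items() for m in ops}


def diff_routes(routes, spec):
    """'undocumented' is served but absent from the spec; 'dead' is in the spec but not served."""
    live, documented = live_operations(routes), documented_operations(spec)
    fmt = lambda ops: sorted(f"{m} {p}" for m, p in ops)
    return {"undocumented": fmt(live - documented), "dead": fmt(documented - live)}


def stale_versions(routes):
    """Resources reachable under more than one API version prefix."""
    by_resource = defaultdict(set)
    for _, path in routes:
        m = VERSION.match(normalize(path))
        if m:
            by_resource[m.group(2) or "/"].add("v" + m.group(1))
    return {r: sorted(v) for r, v in by_resource.items() if len(v) > 1}


if __name__ == "__main__":
    for label, items in diff_routes(LIVE_ROUTES, OPENAPI).items():
        print(label, items)
    print("stale versions", stale_versions(LIVE_ROUTES))
```

Run against a real service, `LIVE_ROUTES` would be filled from whatever the framework exposes as its route table (the point of the speaker's advice is that this comes from the running code, not from a document), and a non-empty `undocumented` or `stale_versions` result is what a reviewer looks at first.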
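The response-comparison logic the speaker describes wanting in a fuzzer (first answer in the Q&A: baseline against an endpoint known not to exist, compare status, length and content together, and do not let reflected input count as a difference), as an added example; this is not the speaker's tool and the responses are constructed.

```python
"""Classify fuzzing responses against a known-nonexistent baseline.

Added example, not the speaker's tool. Status, content length and body are
compared together; the fuzzed word is masked out first so a reflected word
of a different length does not look like a new endpoint. All responses are
constructed.
"""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Resp:
    status: int
    body: str


def fingerprint(word, resp):
    """(status, length after masking, hash after masking) for one response."""
    masked = resp.body.replace(word, "{WORD}")
    return (resp.status, len(masked), hashlib.sha256(masked.encode()).hexdigest())


def classify(word, resp, baseline_word, baseline_resp):
    """Ways `resp` differs from the baseline; an empty list means it behaves
    like a nonexistent endpoint and can be dropped without a human looking."""
    b, c = fingerprint(baseline_word, baseline_resp), fingerprint(word, resp)
    reasons = []
    if c[0] != b[0]:
        reasons.append(f"status {b[0]} -> {c[0]}")
    if c[1] != b[1]:
        reasons.append(f"normalized length {b[1]} -> {c[1]}")
    if c[2] != b[2]:
        reasons.append("body differs after masking the fuzzed word")
    return reasons


# Constructed baseline: a word that cannot exist, and what the API answered for it
BASELINE_WORD = "zzqzzqzzq"
BASELINE = Resp(404, '{"error":"route /zzqzzqzzq not found"}')

# Constructed results of one wordlist run
RESULTS = {
    "shipping_methods_history": Resp(404, '{"error":"route /shipping_methods_history not found"}'),
    "admin":                    Resp(403, '{"error":"no access to this resource"}'),
    "payments":                 Resp(404, '{"error":"missing parameter: id"}'),
    "shipping":                 Resp(200, '{"shipping":[]}'),
}


def triage(results, baseline_word=BASELINE_WORD, baseline=BASELINE):
    """Keep only the words whose response differs from the baseline, with the reasons."""
    out = {}
    for word, resp in results.items():
        reasons = classify(word, resp, baseline_word, baseline)
        if reasons:
            out[word] = reasons
    return out


if __name__ == "__main__":
    for word, reasons in triage(RESULTS).items():
        print(word, "->", "; ".join(reasons))
```

Note that `shipping_methods_history` has a longer Content-Length than the baseline yet is correctly discarded, while `payments` keeps the baseline's 404 status and is still surfaced because its body is a different error: that is the "one, all or none of them" combination the speaker asks for, and the different error message is the same signal the talk's own example relied on.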
[Applause]