APIsecure 2023 - Your Technical Debt is My Bug Bounty, Dr. Katie Paxton-Fear

apidays
21 Mar 2023

  1. YOUR TECHNICAL DEBT IS MY BUG BOUNTY Katie Paxton-Fear @insiderphd
  2. ABOUT ME • My name is Katie (she/her) • I have a PhD in Defence and Security and a background in NLP/AI/ML • I used to be a developer before I realised I didn’t like my job • Accidentally fell into cyber security • Not sure how to get out, I have passed the event horizon • Well known hacker with a YouTube channel
  3. BUG BOUNTY IN A NUTSHELL • I get invites by companies to hack them • I hack them and tell them about how I did it • I get paid per vulnerability I find • If I don’t find anything I don’t get paid • Targets tend to be very mature and will only accept flaws – not best practices • Think big silicon valley companies
  4. READ THE DOCS Or how I figured out the exact software version of a dependency of a dependency with just API requests
  5. WHAT IS GRAPHQL
  6. MULTIPART/FORM
  7. GRAPHQL MULTIPART FORM? BASICALLY: IT’S WEIRD
     --------------------------cec8e8123c05ba25
     Content-Disposition: form-data; name="operations"

     { "query": "mutation ($file: Upload!) { singleUpload(file: $file) { id } }", "variables": { "file": null } }
     --------------------------cec8e8123c05ba25
     Content-Disposition: form-data; name="map"

     { "0": ["variables.file"] }
     --------------------------cec8e8123c05ba25
     Content-Disposition: form-data; name="0"; filename="a.txt"
     Content-Type: text/plain

     Alpha file content.
     --------------------------cec8e8123c05ba25--
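The request on that slide follows the GraphQL multipart request convention: an `operations` JSON whose file variables are null placeholders, a `map` from file part names to dotted paths into that JSON, and then the file parts themselves. The Python below is an added example, not code from the talk or from any GraphQL server; it shows how a server resolves the `map` into `variables`, and the two checks a careful implementation makes (a target must be null, and a path must stay under `variables` so a file part can never overwrite the query). The parts and the `resolve_multipart`/`_assign` names are this example's own, and the sample parts are constructed to match the slide.

```python
import json
from typing import Any

# Constructed sample: the three parts of the request on the slide, already
# split out of the multipart envelope (operations, map, and file part "0").
OPERATIONS = json.dumps({
    "query": "mutation ($file: Upload!) { singleUpload(file: $file) { id } }",
    "variables": {"file": None},
})
MAP = json.dumps({"0": ["variables.file"]})
FILES = {"0": ("a.txt", "text/plain", b"Alpha file content.")}


def _assign(root: dict, dotted: str, value: Any) -> None:
    """Set the value at a dotted path such as 'variables.file' or
    'variables.files.1'. Numeric segments index into lists, which is how
    the spec addresses an array of uploads."""
    *parents, last = dotted.split(".")
    node: Any = root
    for seg in parents:
        node = node[int(seg)] if isinstance(node, list) else node[seg]
    key = int(last) if isinstance(node, list) else last
    # The spec requires the placeholder to be null; anything else means the
    # client is trying to overwrite a real value with a file.
    if node[key] is not None:
        raise ValueError(f"map target {dotted!r} must be null before a file is attached")
    node[key] = value


def resolve_multipart(operations: str, map_: str, files: dict) -> dict:
    """Server-side resolution: parse 'operations', then replace each null
    placeholder named in 'map' with the matching file part."""
    ops = json.loads(operations)
    mapping = json.loads(map_)
    for part_name, paths in mapping.items():
        if part_name not in files:
            raise ValueError(f"map references missing part {part_name!r}")
        for path in paths:
            # Only variables may receive a file; never the query or any other key.
            if not path.startswith("variables."):
                raise ValueError(f"refusing to map file into {path!r}")
            _assign(ops, path, files[part_name])
    return ops
```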
  8. WHEN IN DOUBT GOOGLE
  9. CAUSING ERRORS
  10. NARROWING DOWN THE OPTIONS
  11. I AM A SECURITY RESEARCHER
  12. JACKSON DATABIND
  13. THINKING CRUD
  14. RESTFUL STRUCTURE
  15. CRUD IN ACTION
  16. EDIT FORM SUBMIT 403 ACCESS FORBIDDEN
  17. WHAT IF IT’S PRIVATE???
  18. QUIZZICAL Balancing performance against security
  19. WORKING WITH MOBILE
  20. EFFICIENCY
  21. BATCHING
  22. Question and answer
  23. Automation
  24. THE TRUTH ABOUT API HACKING IT’S NOT SPECIAL
  25. WE ASSUME APIS ARE SPECIAL • They LOOK different • They have a different use case • JSON is scary • They’re the same as any website • Yes they look different • But the vulnerabilities aren’t wildly different
  26. BUT I DON’T KNOW BURP / POSTMAN YOU DON’T NEED TO LEARN SOMETHING NEW YOU CAN USE WHAT YOU ALREADY KNOW
  27. API BUG HUNTING • I can categorise my bugs into 2 broad categories • Issues between the interface and the API • API will return more data than the UI shows • Access control • More boring to talk about but very common
  28. MOST API HACKING IS MORE THINKING THAN TECHNICAL
  29. SAYING THAT…
  30. I WANT TO LEARN The college course you wish you could take Web Hacking 101 – FREE ON YOUTUBE Launching 19th
  31. WHAT NEXT FOR API SECURITY? • Many systems are no longer designed • But a mess of APIs, no-code services, IFTTT, etc… • Race for new and shiny often means limited security • If your system is a collection of SAAS where does your responsibility start? • The weaknesses between services • E.g. prompt injection between Bing Chat and ChatGPT’s API
  32. WE ASKED PEOPLE ABOUT NOVEL TECHNOLOGY • The participants spoke a lot about how technology like AI has security risks • They even highlighted specific vulnerabilities like model poisoning • But even when prompted they didn't speak about HOW these would be connected • API security is seen by a lot of folks as a "solved" problem, or even that it doesn't matter • Thinking more about data at rest vs in transit • Maybe bias? Maybe APIs are dull? • We don't know! • Is this research you'd like to be involved in? Please register your interest! We'd love to get more API folks involved https://forms.office.com/e/LYmbcfNTWe
  33. TLDR: APIS ARE VULNERABLE • That's it • That's the tweet
  34. @insiderphd Katie Paxton-Fear insiderPhD @insiderphd@infosec.exchange katie@insiderphd.dev sponsors@insiderphd.dev