Privilege and What Not

Limiting Public API access, sanitizing inputs, and always using secret keys

Viren Mohindra
Mar 31, 2020

I was recently on a startup aggregator website that listed a bunch of startups from all across the world. In the search, you could see at most 10 startups and then paginate, but for someone active in the hiring process that is never good enough.

I thought the best approach would be to check out the Network Tab in Chrome Developer Tools to see how they’re grabbing data.

I filtered till I happened on one of their API calls, which was publicly accessible, and tested carefully — didn’t want any alarm bells ringing.

api/startups/?location%5B%5D=c447&locationtext%5B%5D=Hong+Kong&all_fundraising=&pro=0&tab_name=recentlyupdated&start=0&length=10

Unfortunately, there was no user-side validation in place, which meant playing around with the parameters dumped the DB schema into my lap.

You can pretty much glean their entire stack from this single error and figure out what calls to make to extract all intellectual property from this website.
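The two defects described above, missing parameter validation and an error response that echoes the backend's own exception text, are shown side by side in the added example below. It is not code from the original post or from the site in question; the parameter names are taken from the quoted URL, while the allowlisted tab names, the numeric bounds, and the stand-in database layer (`_run_query`) are constructed assumptions.

```python
"""Added example: server-side validation of the search API's query parameters,
with a generic error response so a bad input never reveals internal details.
Parameter names follow the URL quoted in the post; the allowlists, bounds and
the fake database layer are constructed for illustration."""
import logging
from urllib.parse import parse_qs

log = logging.getLogger("startup-api")

MAX_PAGE_LENGTH = 10      # the UI only ever asks for 10; enforce that on the server
MAX_START = 100_000       # hypothetical upper bound on the pagination offset
ALLOWED_PARAMS = {"location[]", "locationtext[]", "all_fundraising",
                  "pro", "tab_name", "start", "length"}
ALLOWED_TABS = {"recentlyupdated", "trending", "newest"}   # hypothetical allowlist


class BadRequest(ValueError):
    """A client-caused error whose message is safe to return verbatim."""


def _int_in_range(raw, name, lo, hi):
    """Parse an integer query value and reject anything outside [lo, hi]."""
    try:
        value = int(raw)
    except ValueError:
        raise BadRequest(f"{name} must be an integer")
    if not lo <= value <= hi:
        raise BadRequest(f"{name} out of range")
    return value


def validate_query(query_string):
    """Return a cleaned parameter dict or raise BadRequest. Unknown keys,
    out-of-range numbers and unexpected identifiers are all rejected."""
    params = parse_qs(query_string, keep_blank_values=True)  # decodes %5B%5D -> []
    if set(params) - ALLOWED_PARAMS:
        raise BadRequest("unsupported parameter")
    start = _int_in_range(params.get("start", ["0"])[0], "start", 0, MAX_START)
    length = _int_in_range(params.get("length", ["10"])[0], "length", 1, MAX_PAGE_LENGTH)
    pro = _int_in_range(params.get("pro", ["0"])[0], "pro", 0, 1)
    tab = params.get("tab_name", ["recentlyupdated"])[0]
    if tab not in ALLOWED_TABS:
        raise BadRequest("unknown tab_name")
    locations = params.get("location[]", [])
    for loc in locations:                      # ids look like c447 in the quoted URL
        if not (loc.startswith("c") and loc[1:].isdigit()):
            raise BadRequest("invalid location id")
    if any(len(text) > 64 for text in params.get("locationtext[]", [])):
        raise BadRequest("location text too long")
    return {"start": start, "length": length, "pro": bool(pro),
            "tab_name": tab, "locations": locations}


def _run_query(clean):
    """Constructed stand-in for the database call. The 'trending' tab raises the
    kind of internal error whose text must never reach the client."""
    if clean["tab_name"] == "trending":
        raise RuntimeError("relation startups_trending_v2 does not exist")  # fake
    return [{"id": i} for i in range(clean["start"], clean["start"] + clean["length"])]


def handle_leaky(query_string):
    """The pattern the post describes: no validation, raw exception in the body."""
    params = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    try:
        clean = {"start": int(params.get("start", 0)),
                 "length": int(params.get("length", 10)),
                 "tab_name": params.get("tab_name", "recentlyupdated")}
        return 200, {"data": _run_query(clean)}
    except Exception as exc:
        return 500, {"error": repr(exc)}        # leaks parser and DB internals


def handle_hardened(query_string):
    """Validate first; keep backend failures server-side and answer generically."""
    try:
        clean = validate_query(query_string)
    except BadRequest as exc:
        return 400, {"error": str(exc)}         # client error, no internals
    try:
        return 200, {"data": _run_query(clean)}
    except Exception:
        log.exception("startup search failed")  # full detail stays in server logs
        return 500, {"error": "internal error"}


if __name__ == "__main__":
    original = ("location%5B%5D=c447&locationtext%5B%5D=Hong+Kong&all_fundraising="
                "&pro=0&tab_name=recentlyupdated&start=0&length=10")
    print(handle_hardened(original)[0])             # 200
    print(handle_leaky("tab_name=trending"))        # 500 with the fake table name
    print(handle_hardened("tab_name=trending"))     # 500, "internal error"
    print(handle_hardened("start=0&length=1000"))   # 400, "length out of range"
```

The hardened handler still fails on the same backend error as the leaky one, but the response body no longer tells the caller which table is missing, and the `length` cap removes the easy bulk-export path the post describes.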

Scary stuff. Stay safe people.

© 2022 Viren Mohindra