Old Fashioned

blog.virenmohindra.me
Technicals

Privilege and What Not

Limiting Public API access, sanitizing inputs, and always using secret keys

Viren Mohindra
Mar 31, 2020

I was recently on a startup aggregator website that listed a bunch of startups from all across the world. In the search, you could see at most 10 startups and then paginate, but for someone active in the hiring process that is never good enough.

I thought the best approach would be to check out the Network Tab in Chrome Developer Tools to see how they’re grabbing data.

I filtered till I happened on one of their API calls, which was publicly accessible, and tested carefully — didn’t want any alarm bells ringing.

api/startups/?location%5B%5D=c447&locationtext%5B%5D=Hong+Kong&all_fundraising=&pro=0&tab_name=recentlyupdated&start=0&length=10

Unfortunately, there was no user-side validation in place, which meant playing around with the parameters dumped the DB schema into my lap.

You can pretty much glean their entire stack from this single error and figure out what calls to make to extract all intellectual property from this website.

Scary stuff. Stay safe people.
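One way to close the gap the post describes, as an added example that is not from the original post or from the site in question: a stand-alone Python handler that validates the start, length and location[] parameters of the endpoint above before any query runs, and wraps anything that still fails in a generic error envelope so that a database error can never reach the client. The MAX_PAGE_LENGTH cap, the "c" plus digits location-id pattern and the run_query callback are assumptions.

```python
# Added example (not the post's or the site's code): server-side validation for the
# pagination endpoint quoted above, plus a generic error envelope so that a bad
# parameter never surfaces an internal exception (or a DB schema) to the client.
import re
from urllib.parse import parse_qs

MAX_PAGE_LENGTH = 50                      # assumption: cap any client-supplied page size
LOCATION_ID = re.compile(r"c[0-9]{1,6}")  # assumption: ids look like "c447", as in the URL
# The query string from the URL in the post, used here as sample input.
QUERY = ("location%5B%5D=c447&locationtext%5B%5D=Hong+Kong&all_fundraising="
         "&pro=0&tab_name=recentlyupdated&start=0&length=10")


class BadRequest(ValueError):
    """Raised for any client-controlled value that fails validation."""


def _int_param(params, name, default, lo, hi):
    """Parse a single non-negative integer parameter and bound it to [lo, hi]."""
    raw = params.get(name, [str(default)])[0]
    if not re.fullmatch(r"[0-9]+", raw):  # rejects "-1", "", "10 OR 1=1", etc.
        raise BadRequest(f"{name} must be a non-negative integer")
    value = int(raw)
    if not lo <= value <= hi:
        raise BadRequest(f"{name} out of range")
    return value


def parse_startup_query(query_string):
    """Return a dict of validated parameters, or raise BadRequest."""
    params = parse_qs(query_string, keep_blank_values=True)
    start = _int_param(params, "start", 0, 0, 10_000)
    length = _int_param(params, "length", 10, 1, MAX_PAGE_LENGTH)
    locations = params.get("location[]", [])   # parse_qs decodes %5B%5D to []
    if any(not LOCATION_ID.fullmatch(loc) for loc in locations):
        raise BadRequest("bad location id")
    return {"start": start, "length": length, "locations": locations}


def handle_request(query_string, run_query):
    """Validate first, then call run_query(params); never echo exception text."""
    try:
        params = parse_startup_query(query_string)
    except BadRequest as exc:
        return 400, {"error": str(exc)}   # our own validation messages are safe to show
    try:
        return 200, {"rows": run_query(params)}
    except Exception:                     # e.g. a DB error that names tables and columns
        # Log the traceback server-side; the client only ever sees a generic envelope.
        return 500, {"error": "internal error"}
```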
