Privilege and What Not

Limiting Public API access, sanitizing inputs, and always using secret keys

1-min read

I was recently on a startup aggregator website that listed a bunch of startups from all across the world. In the search, you could see at most 10 startups and then paginate, but for someone active in the hiring process that is never good enough.

I thought the best approach would be to check out the Network Tab in Chrome Developer Tools to see how they’re grabbing data.

I filtered till I happened on one of their API calls which were publicly accessible and tested carefully — didn’t want any alarm bells ringing.

api/startups/?location%5B%5D=c447&locationtext%5B%5D=Hong+Kong&all_fundraising=&pro=0&tab_name=recentlyupdated&start=0&length=10

Unfortunately, there was no user-side validation in place which meant playing around with the parameters dumped the dB schema into my lap

You can pretty much glean their entire stack from this single error and figure out what calls to make to extract all intellectual property from this website.

Scary stuff. Stay safe people.