API Penetration Testing Report for crAPI
Muhzin Nassar
1. PROJECT SUMMARY
a) Executive Summary
b) Project Details
c) Scope
2. VULNERABILITIES
a) Broken Authentication
b) Broken Object Level Authorization
c) Improper Asset Management
d) Mass Assignment
e) Server-Side Request Forgery
f) Headers
g) Rate limiting
h) IDOR
i) Token
j) Injection Attack
Executive Summary
Muhzin conducted a security assessment of crAPI (Completely
Ridiculous Application Programmer Interface) to identify
existing vulnerabilities and establish the level of security
risk associated with the environment and the technologies in
use. The assessment applied penetration testing techniques to
crAPI to give an understanding of the risks and security posture
of the API environment.
Project Details
crAPI defines an API which is intentionally vulnerable to the
OWASP API Top 10 vulnerabilities. crAPI is meant to illustrate
and educate by presenting these issues for you to discover and
exploit.
Scope
Scope: https://github.com/OWASP/crAPI
Scope Type: API Pen-testing
Start Date: Aug 5, 2023
End Date: Aug 7, 2023
No.  Vulnerability                       Severity   Status
1    Broken Authentication               High       Vulnerable
2    Broken Object Level Authorization   High       Vulnerable
3    Improper Asset Management           High       Vulnerable
4    Mass Assignment                     High       Vulnerable
5    Server-Side Request Forgery         Critical   Vulnerable
6    Headers                             Medium     Vulnerable
7    Rate Limiting                       Critical   Vulnerable
8    IDOR                                High       Vulnerable
9    Tokens                              Medium     Vulnerable
10   Injection Attack                    High       Vulnerable
Broken Authentication
CWE-287 : Vulnerable
CVSS : 8.1
Description
When an actor claims to have a given identity, the product
does not prove or insufficiently proves that the claim is
correct.
Vulnerable Instance
/identity/api/auth/login
Proof of Concept
Step 1: Capture the login request with Burp.
Step 2: Use wfuzz to brute-force the password, with the password
field of the captured JSON body as the fuzz position and a
password wordlist as input.
Step 3: After some time the correct password is found: the
response for the right guess differs in status code and length
from the failed attempts, which is how it stands out in the
wfuzz output.
Impact
The primary impact of broken authentication is unauthorized
access to user accounts.
Broken authentication can lead to data breaches in which
attackers gain access to sensitive user data such as
personally identifiable information.
If an attacker gains access to user accounts through broken
authentication, they can potentially take over user
identities.
Mitigation
Implement rate limiting and account lockout on the login
endpoint, so that a wordlist attack is throttled and an account
under attack is temporarily locked after a small number of
failed attempts.
Reference
OWASP
Broken Object Level Authorization
CWE-639 : Vulnerable
CVSS : 7.1
Description
Object level authorization is an access control
mechanism that is usually implemented at the code level
to validate that a user can only access the objects that
they should have permissions to access.
Vulnerable Instance
/identity/api/v2/vehicle/{vehicle id}/location
Proof of Concept
Step 1: Open the community posts page and intercept the
request with Burp. The posts response includes each author's
vehicle details, among them the vehicle id.
Step 2: Because the location endpoint is keyed only by that
vehicle id, another user's id taken from the posts response can
be used to request information about that user.
Step 3: Replace the vehicle id in the location request in Burp
and resend: the API returns the other user's vehicle location.
Impact
The most significant impact of BOLA vulnerabilities is
unauthorized access to sensitive data or resources, here the
live location of other users' vehicles.
In addition to reading unauthorized data, attackers exploiting
BOLA vulnerabilities may also be able to manipulate it.
BOLA vulnerabilities can potentially enable attackers to
escalate their privileges within an application.
Mitigation
Check on every request that the authenticated user owns (or is
otherwise entitled to) the object named by the id in the path,
and do this in the API code, not only in the client.
Use a single authorization mechanism for all object lookups
rather than per-endpoint checks that are easy to miss.
Apply context-aware access control: decide based on who is
asking and their relationship to the object, not on whether
the id is known.
Reference
OWASP
Improper Asset Management
CWE-282 : Vulnerable
CVSS : 7.5
Description
APIs tend to expose more endpoints than traditional web
applications, making proper and updated documentation
highly important. Proper hosts and deployed API
versions inventory also play an important role to mitigate
issues such as deprecated API versions and exposed
debug endpoints.
Vulnerable Instance
/identity/api/auth/v3/check-otp
Proof of Concept
Step 1: v3 of the endpoint is rate limited: its responses carry
rate-limiting headers, so the OTP cannot be brute-forced there.
Step 2: Replacing v3 with v2 in the path still reaches a live
endpoint, and the v2 responses carry no rate-limiting headers.
Step 3: Use wfuzz to brute-force the OTP against v2. The OTP was
found to be 2228.
Impact
Security risks and vulnerabilities: unpatched systems and
older API versions that lack the security controls of the
current one.
Operational inefficiencies: resource wastage and difficulty in
incident response.
Regulatory and compliance issues: data protection and privacy
regulations, audit failures, loss of intellectual property.
Mitigation
Asset Inventory and Tracking
Patch and Vulnerability Management
Life cycle Management
Reference
OWASP
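The check behind this finding, as an added example that is not part of the original report or of crAPI: group every observed endpoint by its path with the version segment removed, and flag older versions that are still live but lack a control header the newest version sends. The inventory below is constructed to mirror the v2/v3 check-otp observation; the header name X-RateLimit-Limit is an assumption, since the report does not name the rate-limiting headers it saw.

```python
import re
from collections import defaultdict

# Matches a version segment such as /v2/ or /v3/ inside a path.
VERSION_RE = re.compile(r"/v(\d+)(?=/)")

# Constructed inventory, modelled on what the proxy history showed for the
# check-otp endpoint (illustrative values, not a real crAPI scan result).
OBSERVED = [
    {"path": "/identity/api/auth/v3/check-otp", "status": 200,
     "headers": {"X-RateLimit-Limit": "5"}},
    {"path": "/identity/api/auth/v2/check-otp", "status": 200,
     "headers": {}},
    {"path": "/identity/api/v2/user/dashboard", "status": 200,
     "headers": {}},
]


def logical_name(path):
    """Replace the version segment so v2 and v3 of one endpoint group together."""
    return VERSION_RE.sub("/v{n}", path)


def version_of(path):
    m = VERSION_RE.search(path)
    return int(m.group(1)) if m else None


def shadow_versions(observed, control_headers=("X-RateLimit-Limit", "Retry-After")):
    """Find older, still-reachable versions lacking a control the newest version sends.

    Returns one finding per shadowed version with the control headers it is missing.
    """
    groups = defaultdict(list)
    for entry in observed:
        v = version_of(entry["path"])
        if v is not None:
            groups[logical_name(entry["path"])].append((v, entry))

    findings = []
    for name, versions in groups.items():
        versions.sort(key=lambda item: item[0])
        latest_v, latest = versions[-1]
        latest_controls = {h for h in control_headers if h in latest["headers"]}
        for v, entry in versions[:-1]:
            if entry["status"] >= 400:
                continue  # version is retired; nothing to shadow
            missing = sorted(latest_controls - set(entry["headers"]))
            if missing:
                findings.append({"endpoint": name, "version": v,
                                 "latest": latest_v, "missing": missing})
    return findings


if __name__ == "__main__":
    for f in shadow_versions(OBSERVED):
        print(f"{f['endpoint']}: v{f['version']} still live without "
              f"{', '.join(f['missing'])} that v{f['latest']} sends")
```

Feed it the paths and response headers from the proxy history; anything it reports is an endpoint that was replaced but never retired, which is exactly the v2 check-otp case above.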
Mass Assignment
CWE-915 : Vulnerable
CVSS : 7.1
Description
An API endpoint is vulnerable if it automatically
converts client parameters into internal object properties,
without considering the sensitivity and the exposure level
of these properties. This could allow an attacker to
update object properties that they should not have access
to.
Vulnerable Instance
/workshop/api/shop/products
Proof of Concept
Step 1: Open the shop page in crAPI and capture the request that
lists products; the response shows the JSON fields of each
product.
Step 2: Send a request to the same endpoint whose JSON body
carries the same parameters as a product object in that
response.
Step 3: Change the parameter values in the new request.
Step 4: With these changes we can add our own products, give
them negative prices, and so on: the endpoint binds every
client-supplied field without checking whether the client is
allowed to set it.
Impact
Unauthorized Data Modification
Data Leakage and Exposure
Security Bypass and Evasion
Mitigation
Use Strong Validation and Type Checking
Implement Attribute-level Authorization
Use Data Transfer Objects (DTOs)
Reference
OWASP
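The vulnerable binding beside its DTO-based replacement, as an added example that is not the report's or crAPI's own code. The product fields (name, price, image_url) and the request bodies are constructed for the demo; the hardened constructor accepts only an allowlist of client-settable fields, type-checks them, rejects non-positive prices and assigns the id itself.

```python
from dataclasses import dataclass
from itertools import count


class ValidationError(ValueError):
    pass


@dataclass
class Product:
    id: int
    name: str
    price: float
    image_url: str


_ids = count(1)

# Constructed request bodies, modelled on Steps 2 and 3 above: the client
# copied a product object from the GET response and edited the values.
ATTACKER_BODY = {"id": 1, "name": "Seat", "price": -100, "image_url": "seat.png"}
VALID_BODY = {"name": "Seat", "price": 10.0, "image_url": "seat.png"}


def create_product_vulnerable(body):
    """Bind every client key onto the model: id and price come straight from the request."""
    record = {"id": next(_ids), "name": "", "price": 0.0, "image_url": ""}
    record.update(body)            # mass assignment: nothing is filtered
    return Product(**record)


# Allowlisted, client-settable fields and their expected types (the DTO).
PRODUCT_INPUT_FIELDS = {"name": str, "price": (int, float), "image_url": str}


def product_from_request(body):
    """Build a Product from a request body, accepting only the allowlisted fields."""
    unexpected = sorted(set(body) - set(PRODUCT_INPUT_FIELDS))
    if unexpected:
        raise ValidationError(f"unexpected fields: {unexpected}")
    missing = sorted(set(PRODUCT_INPUT_FIELDS) - set(body))
    if missing:
        raise ValidationError(f"missing fields: {missing}")
    for field, expected in PRODUCT_INPUT_FIELDS.items():
        # bool is a subclass of int, so exclude it explicitly for price
        if isinstance(body[field], bool) or not isinstance(body[field], expected):
            raise ValidationError(f"{field}: wrong type")
    if body["price"] <= 0:
        raise ValidationError("price must be positive")
    if not body["name"].strip():
        raise ValidationError("name must not be blank")
    # id is server-assigned; the client never gets to choose it.
    return Product(id=next(_ids), name=body["name"], price=float(body["price"]),
                   image_url=body["image_url"])


def is_rejected(body):
    """True if the hardened constructor refuses the body."""
    try:
        product_from_request(body)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", create_product_vulnerable(ATTACKER_BODY))
    print("hardened rejects attacker body:", is_rejected(ATTACKER_BODY))
    print("hardened accepts valid body:", product_from_request(VALID_BODY))
```

The same shape applies to any write endpoint: the set of fields a client may set is declared once, everything else is an error rather than silently dropped, so a client sending id or a balance field learns immediately that it is not allowed.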
Server Side Request Forgery
CWE-918 : Vulnerable
CVSS : 9.1
Description
Server-Side Request Forgery (SSRF) flaws occur when
an API is fetching a remote resource without validating
the user-supplied URL. It enables an attacker to coerce
the application to send a crafted request to an unexpected
destination, even when protected by a firewall or a VPN.
Vulnerable Instance
/workshop/api/merchant/contact_mechanic
Proof of Concept
Step 1: Intercept the contact mechanic request using Burp.
Step 2: Send it to Burp Intruder and mark the value of the
"mechanic_api" parameter (the URL the API will call) as the
payload position.
Step 3: Add common SSRF payloads in the payload section of
Burp Intruder.
Step 4: Go to webhook.site and include the URL provided there
among the payloads, so that any request the server makes to it
is recorded.
Step 5: Two payloads produced positive results and a request
arrived at the webhook URL, proving that the server fetched an
attacker-supplied URL. SSRF is possible here.
Impact
Data Exposure and Theft
Server-Side Service Disruption
Attacks on Internal Resources
Mitigation
Input validation and an allowlist of permitted destination
hosts; reject anything else rather than trying to blocklist
internal addresses.
Use a proper URL parser and check the scheme, host and port the
request will actually go to, not the raw string.
Firewall and network filtering so that the API host cannot
reach internal networks or cloud metadata addresses.
Reference
OWASP
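A destination check for the mechanic_api value, as an added example that is not the report's or crAPI's own code. The allowlisted host mechanic.example.com and the probe URLs are constructed; the validator parses the URL, requires https, refuses embedded credentials (the user@host trick), refuses literal addresses in non-public ranges, and then insists the host is on the allowlist.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist of mechanic back-ends the workshop service may call.
ALLOWED_MECHANIC_HOSTS = {"mechanic.example.com"}


class UnsafeURL(ValueError):
    pass


def _is_forbidden_ip(ip):
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_mechanic_api(url):
    """Return a normalised URL if it is safe to fetch, else raise UnsafeURL.

    Checks, in order: scheme, embedded credentials, a literal-IP destination in
    a non-public range, the host allowlist and the port.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL")
    host = parts.hostname          # lower-cased, brackets stripped for IPv6
    if not host:
        raise UnsafeURL("no host")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and _is_forbidden_ip(ip):
        raise UnsafeURL(f"non-public address: {host}")
    if host not in ALLOWED_MECHANIC_HOSTS:
        raise UnsafeURL(f"host not allowlisted: {host}")
    try:
        port = parts.port
    except ValueError:
        raise UnsafeURL("invalid port") from None
    if port not in (None, 443):
        raise UnsafeURL(f"port not allowed: {port}")
    query = f"?{parts.query}" if parts.query else ""
    return f"https://{host}{parts.path or '/'}{query}"


def is_safe(url):
    try:
        validate_mechanic_api(url)
        return True
    except UnsafeURL:
        return False


# Constructed probe list in the shape of the payloads Step 3 above feeds Intruder.
PROBES = [
    "https://mechanic.example.com/workshop/api/mechanic/receive_report",
    "http://127.0.0.1:8000/workshop/api/mechanic/receive_report",
    "http://169.254.169.254/latest/meta-data/",
    "https://mechanic.example.com@10.0.0.5/",
    "https://webhook.example/abc123",
    "https://[::1]/",
]

if __name__ == "__main__":
    for probe in PROBES:
        print("allow" if is_safe(probe) else "block", probe)
```

Two caveats the string check cannot cover: resolve the allowlisted name and re-check the address at connect time (DNS rebinding can point a harmless name at an internal host), and do not follow redirects from the fetched URL, or apply the same check to every hop.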
Headers
Missing Headers
CWE-693 : Vulnerable
CVSS : 4.8
Description
This weakness covers several distinct situations. A "missing"
protection mechanism occurs when the application does not
define any mechanism against a certain class of attack.
Vulnerable Instance
/identity/api/v2/users/video
Proof of Concept
Step 1: Intercept a request with the Burp proxy and inspect the
response: the Content-Security-Policy header is missing.
Impact
Cross-Site Scripting (XSS) Attacks
Click-jacking
Data Leakage
Mitigation
Add a CSP Header: Implement the CSP header in your
web application's HTTP responses.
Define CSP Directives
Enforce Nonce or Hashes
Reference
OWASP
Misconfigured Content-Type Header
CWE-693 : Vulnerable
CVSS : 3.7
Description
This weakness covers several distinct situations. A "missing"
protection mechanism occurs when the application does not
define any mechanism against a certain class of attack.
Vulnerable Instance
/workshop/api/shop/orders/
Proof of Concept
Step 1: Intercept a request with the Burp proxy, send it to
Repeater, change the Content-Type of the request and check
whether the response changes. The endpoint does not enforce the
content type it receives.
When the Content-Type header is set incorrectly or not
enforced, it can lead to unexpected behaviour and potential
security issues.
Impact
Misinterpretation of Data
Weak Browser XSS Protections
Data Exposure
Mitigation
Set the Correct Header
Validate Data and Headers
Test Across Different Clients
Reference
OWASP
Header Fingerprinting
CWE-200 : Vulnerable
CVSS : 5.3
Description
This weakness exposes sensitive information to an actor
that is not explicitly authorized to have access to that
information
Vulnerable Instance
/api/
Proof of Concept
Step 1: Intercept a request with the Burp proxy and read the
response headers: they carry a server banner that reveals the
software behind the API, information the client never needs.
Impact
Information Disclosure
Target for Exploits
Easy Reconnaissance
Mitigation
Reduce Server Banner
Use Security Modules to obfuscate or remove server
information from response headers
Reverse Proxy
Reference
OWASP
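One audit for all three header findings above (missing CSP, unenforced Content-Type, server banner), as an added example that is not the report's or crAPI's own code. The WEAK_RESPONSE headers are constructed, not captured; the required-header values are defensive defaults for a JSON API (a CSP of default-src 'none' is appropriate because an API response is never meant to execute anything in a browser), and harden_headers shows the corrected set.

```python
import re

# Headers every API response should carry, with the value to apply if absent.
REQUIRED_HEADERS = {
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
# Headers that only help an attacker fingerprint the stack.
BANNER_HEADERS = ("Server", "X-Powered-By")


def audit_headers(headers, expect_json=True):
    """Return a list of findings for one response's headers (names are case-insensitive)."""
    lower = {name.lower(): value for name, value in headers.items()}
    findings = []
    for name in REQUIRED_HEADERS:
        if name.lower() not in lower:
            findings.append(f"missing {name}")
    content_type = lower.get("content-type", "")
    if expect_json and not content_type.lower().startswith("application/json"):
        findings.append(f"content-type is {content_type!r}, expected application/json")
    for name in BANNER_HEADERS:
        value = lower.get(name.lower())
        if value:
            detail = " with version" if re.search(r"\d", value) else ""
            findings.append(f"{name} banner disclosed{detail}: {value}")
    return findings


def harden_headers(headers, content_type="application/json"):
    """Return a copy with missing headers added, the content type fixed and banners removed."""
    banners = {b.lower() for b in BANNER_HEADERS}
    hardened = {name: value for name, value in headers.items()
                if name.lower() not in banners and name.lower() != "content-type"}
    present = {name.lower() for name in hardened}
    for name, value in REQUIRED_HEADERS.items():
        if name.lower() not in present:
            hardened[name] = value
    hardened["Content-Type"] = content_type
    return hardened


# Constructed response headers illustrating the three findings above
# (not a capture from crAPI).
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Server": "openresty/1.19.3.1",
    "X-Powered-By": "Express",
}

if __name__ == "__main__":
    for finding in audit_headers(WEAK_RESPONSE):
        print("-", finding)
    print("after hardening:", audit_headers(harden_headers(WEAK_RESPONSE)))
```

Run audit_headers over the headers of every response in the proxy history to get a per-endpoint list rather than a single spot check; in production the harden_headers logic belongs in the reverse proxy or a response middleware so no endpoint can forget it.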
Rate limiting
CWE-770 : Vulnerable
CVSS : 9.8
Description
This weakness allocates a reusable resource or group of
resources on behalf of an actor without imposing any
restrictions on the size or number of resources that can be
allocated, in violation of the intended security policy for
that actor
Vulnerable Instance
/identity/api/auth/login (the /login form)
Proof of Concept
Step 1: Attempt to log in with a valid email but a wrong
password as many times as you can and check whether any limit
applies. No limit of any kind is enforced.
Step 2: Now repeat the request through Burp Repeater and check
the response: no rate-limiting headers are present on the login
endpoint, and repeated failures are never throttled.
Impact
Brute Force Attacks
Credential Stuffing
Denial of Service
Mitigation
Implement Rate Limiting
Gradual Lockout
CAPTCHA and Bot Detection
Reference
OWASP
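The lockout the Broken Authentication and Rate Limiting findings both call for, as an added example that is not the report's or crAPI's own code. The user record, wordlist and thresholds are constructed; brute_force replays the wfuzz attack against a guard with no lockout (the observed behaviour) and against one that locks the account after five failures, and the guard takes an injectable clock so expiry can be tested.

```python
import hmac
import time
from collections import defaultdict

# Constructed credential store for the demo (not crAPI's user table).
USERS = {"victim@example.com": "S3cret-pass"}
# Constructed wordlist standing in for the one wfuzz was given above.
WORDLIST = ["password", "123456", "qwerty", "letmein", "admin", "welcome", "S3cret-pass"]


class LoginGuard:
    """Per-account failure counter with a temporary lockout.

    Assumption: one process holds the counters. A real deployment keeps them in
    a shared store so every API replica sees the same count, and should also
    throttle per source IP so one client cannot spray many accounts.
    """

    def __init__(self, max_failures=5, lockout_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, email):
        until = self.locked_until.get(email)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear state so the legitimate user can log in again.
            del self.locked_until[email]
            self.failures[email] = 0
            return False
        return True

    def login(self, email, password):
        """Return 'locked', 'ok' or 'bad-credentials'."""
        if self.is_locked(email):
            return "locked"
        stored = USERS.get(email)
        # compare_digest keeps timing independent of where the guess diverges.
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            self.failures[email] = 0
            return "ok"
        self.failures[email] += 1
        if self.failures[email] >= self.max_failures:
            self.locked_until[email] = self.clock() + self.lockout_seconds
        return "bad-credentials"


def brute_force(guard, email, wordlist):
    """Replay the report's wfuzz run against a guard; returns (password or None, attempts)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        result = guard.login(email, candidate)
        if result == "ok":
            return candidate, attempts
        if result == "locked":
            return None, attempts
    return None, attempts


def demo():
    """Same wordlist, without and with lockout."""
    unguarded = LoginGuard(max_failures=10**9)   # effectively the behaviour observed above
    guarded = LoginGuard(max_failures=5)
    return (brute_force(unguarded, "victim@example.com", WORDLIST),
            brute_force(guarded, "victim@example.com", WORDLIST))


if __name__ == "__main__":
    print(demo())
```

A hard lockout is itself a denial-of-service lever (an attacker can lock out any account whose email they know), so pair it with an escalating delay and per-IP throttling, keep the lockout short, and alert on bursts of failures rather than relying on the lock alone.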
IDOR
CWE-639 : Vulnerable
CVSS : 7.1
Description
Insecure Direct Object Reference is an access control
problem that allows an attacker to view data by
manipulating an identifier.
Vulnerable Instance
/workshop/api/shop/orders/{order id}
Proof of Concept
Step 1: After logging in, open the shop section and capture an
order request with the Burp proxy.
Step 2: Send that request to Burp Repeater.
Step 3: Change the order identifier in the path and check the
response: the API returns another user's order.
As the response shows, this instance is vulnerable to IDOR.
Impact
Unauthorized Data Access
Data Manipulation
Business Logic Abuse
Mitigation
Don't rely on auto-incrementing IDs; use UUIDs so that
identifiers cannot be guessed by counting up. This only raises
the cost of enumeration and is no substitute for the ownership
check below.
Use /me/orders instead of /user/654321/orders, so the caller's
identity rather than a client-supplied id selects the data.
Verify on the server that the authenticated user owns the order
before returning or modifying it.
Reference
OWASP
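The ownership check that closes both the BOLA (vehicle location) and IDOR (orders) findings, as an added example that is not the report's or crAPI's own code. The users, vehicle UUIDs and order ids are constructed; one load_owned helper serves every object lookup, and the /me-style my_orders route shows the alternative the mitigation recommends. Missing and not-yours both return the same error so the endpoint cannot be used to confirm which ids exist.

```python
class NotFound(Exception):
    pass


# Constructed sample data (not crAPI's). Vehicle ids are UUIDs as in the
# BOLA finding; order ids are sequential integers as in the IDOR finding.
VEHICLES = {
    "8f1b3c2e-1a5d-4e0f-9c7b-2d6a4f5e7c90": {"owner_id": "alice", "lat": 12.97, "lon": 77.59},
    "c2d4e6f8-0a1b-4c3d-8e9f-1a2b3c4d5e6f": {"owner_id": "bob", "lat": 51.50, "lon": -0.12},
}
ORDERS = {
    1: {"owner_id": "alice", "product": "Seat", "quantity": 1},
    2: {"owner_id": "bob", "product": "Wheel", "quantity": 4},
}
BOB_VEHICLE = "c2d4e6f8-0a1b-4c3d-8e9f-1a2b3c4d5e6f"


def vehicle_location_vulnerable(vehicle_id, current_user):
    """Looks the object up by the client-supplied id and never asks who owns it."""
    vehicle = VEHICLES.get(vehicle_id)
    if vehicle is None:
        raise NotFound(vehicle_id)
    return {"lat": vehicle["lat"], "lon": vehicle["lon"]}


def load_owned(store, object_id, current_user):
    """Fetch store[object_id] only if current_user owns it.

    'Does not exist' and 'exists but is not yours' both become NotFound (404)
    so the endpoint cannot be used to enumerate valid ids.
    """
    obj = store.get(object_id)
    if obj is None or obj["owner_id"] != current_user:
        raise NotFound(object_id)
    return obj


def vehicle_location(vehicle_id, current_user):
    vehicle = load_owned(VEHICLES, vehicle_id, current_user)
    return {"lat": vehicle["lat"], "lon": vehicle["lon"]}


def order(order_id, current_user):
    return load_owned(ORDERS, order_id, current_user)


def my_orders(current_user):
    """The /me style route: the caller's identity, not a client id, selects the rows."""
    return {oid: o for oid, o in ORDERS.items() if o["owner_id"] == current_user}


def can_read(fn, object_id, current_user):
    """True if fn returns the object for this user (the test Step 3 of each finding performs)."""
    try:
        fn(object_id, current_user)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    print("vulnerable, alice reads bob's vehicle:",
          can_read(vehicle_location_vulnerable, BOB_VEHICLE, "alice"))
    print("hardened, alice reads bob's vehicle:",
          can_read(vehicle_location, BOB_VEHICLE, "alice"))
    print("alice's orders:", my_orders("alice"))
```

The important property is that load_owned is the only path to an object: a new endpoint that bypasses it is the next BOLA finding, so in a real code base make it the repository's fetch method rather than something each handler remembers to call.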
JWT (JSON Web Token)
CWE-311 : Vulnerable
CVSS : 4.3
Description
If sensitive data within the JWT is not encrypted it can be
easily extracted, and if the token's signature is not properly
verified its contents can be modified, leading to sensitive data
exposure and forged identities.
Vulnerable Instance
/identity/api/auth/login
Proof of Concept
Step 1: Use the Burp proxy to capture the login request and
obtain the JWT from the response.
Step 2: Copy the token value and paste it into jwt.io.
The decoded header declares the signing algorithm (alg), and the
payload claims are readable without any key. Every JWT carries
alg in its header; the weakness is a backend that honours it.
The algorithm must be fixed in the backend rather than taken
from the token.
Impact
Security Bypass
Inconsistent Security
Attacks on Internal Resources
Mitigation
The signing algorithm should be fixed in the backend and the
token header checked against it, never taken from the header.
Reference
OWASP
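Why the header alg matters, as an added example that is not the report's or crAPI's own code. The signing key and claims are constructed; make_token mints a normal HS256 token and the unsigned alg=none variant an attacker would craft, peek shows what jwt.io shows (everything readable without the key), and the two verifiers differ only in whether the server or the token chooses the algorithm. Only HS256 is implemented here; the pinned verifier refuses anything else.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for the demo; the real one lives only on the server.
SECRET = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def make_token(claims, alg="HS256"):
    """Mint a token; alg='none' produces the unsigned form an attacker would craft."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = f"{_json_segment(header)}.{_json_segment(claims)}"
    if alg == "HS256":
        sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    elif alg == "none":
        sig = b""
    else:
        raise ValueError("unsupported alg")
    return f"{signing_input}.{_b64url(sig)}"


def peek(token):
    """What jwt.io shows: header and claims are readable without any key."""
    h, p, _ = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))


def _hs256_ok(h, p, s):
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(s))


def verify_trusting_header(token):
    """Vulnerable: honours whatever alg the token's header declares."""
    h, p, s = token.split(".")
    alg = json.loads(_b64url_decode(h)).get("alg")
    if alg == "none":
        return json.loads(_b64url_decode(p))     # no signature checked at all
    if alg == "HS256" and _hs256_ok(h, p, s):
        return json.loads(_b64url_decode(p))
    raise ValueError("invalid token")


def verify_pinned(token, expected_alg="HS256"):
    """Hardened: the server decides the algorithm; the header is only compared to it."""
    h, p, s = token.split(".")
    if json.loads(_b64url_decode(h)).get("alg") != expected_alg:
        raise ValueError("unexpected alg")
    if not _hs256_ok(h, p, s):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(p))


def accepts(verifier, token):
    try:
        verifier(token)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    forged = make_token({"sub": "user@example.com", "role": "admin"}, alg="none")
    print("header/claims visible:", peek(forged))
    print("trusting verifier accepts forged token:", accepts(verify_trusting_header, forged))
    print("pinned verifier accepts forged token:", accepts(verify_pinned, forged))
```

With a library, the equivalent is passing the single expected algorithm to the decode call (for example PyJWT's algorithms=["HS256"]) so the header can never select none or downgrade an asymmetric scheme to HMAC with the public key; and since the payload is readable by anyone holding the token, claims should identify the user, not carry secrets.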
Injection Attack
CWE-943 : Vulnerable
CVSS : 7.1
Description
The product generates a query intended to access or
manipulate data in a data store such as a database, but it
does not neutralize or incorrectly neutralizes special
elements that can modify the intended logic of the query.
Vulnerable Instance
/community/api/v2/coupon/validate-coupon
Proof of Concept
Step 1: Open the shop and click the button to enter a coupon
code.
Step 2: Capture this request with the Burp proxy and send it to
Burp Repeater.
Step 3: For faster attacks use wfuzz: replace the value of the
coupon code JSON parameter with the fuzz marker as in the
screenshot above, copy the request and construct the wfuzz
command accordingly.
Step 4: Run the command with a wordlist of NoSQL injection
payloads (query operators in place of the string value).
One of the payloads returns a valid coupon, and the
vulnerability has been successfully exploited.
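How an operator payload changes the coupon query, as an added example that is not the report's or crAPI's own code. The coupon documents, the coupon_code field name and the code format are constructed; a small evaluator implements just enough of the document-store query semantics ($ne, $regex, $gt) to show the vulnerable lookup accepting {"$ne": ""} as a wildcard and leaking a code character by character via $regex, beside a hardened lookup that only lets a validated string reach the query.

```python
import re

# Constructed coupon collection (illustrative, not crAPI's data).
COUPONS = [
    {"coupon_code": "TRAC075", "amount": 75},
    {"coupon_code": "TRAC100", "amount": 100},
]


def _matches(value, condition):
    """A plain value means equality; a dict means operators, as in a document store."""
    if not isinstance(condition, dict):
        return value == condition
    for op, arg in condition.items():
        if op == "$ne":
            if value == arg:
                return False
        elif op == "$regex":
            if value is None or not re.search(arg, str(value)):
                return False
        elif op == "$gt":
            if value is None or not value > arg:
                return False
        else:
            raise ValueError(f"unsupported operator {op}")
    return True


def find_one(collection, query):
    for doc in collection:
        if all(_matches(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None


def validate_coupon_vulnerable(body):
    """Passes the JSON value straight into the query: a dict becomes an operator."""
    return find_one(COUPONS, {"coupon_code": body.get("coupon_code")})


COUPON_FORMAT = re.compile(r"[A-Z0-9]{4,16}")


def validate_coupon(body):
    """Only a string in the expected format ever reaches the query."""
    code = body.get("coupon_code")
    if not isinstance(code, str) or not COUPON_FORMAT.fullmatch(code):
        raise ValueError("invalid coupon code")
    return find_one(COUPONS, {"coupon_code": code})


def is_rejected(body):
    try:
        validate_coupon(body)
    except ValueError:
        return True
    return False


def leak_code_by_regex(length=7, alphabet="ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"):
    """Recover a coupon code one character at a time through $regex, which is
    what a wordlist of operator payloads does blindly against the vulnerable endpoint."""
    known = ""
    while len(known) < length:
        for ch in alphabet:
            probe = {"coupon_code": {"$regex": f"^{re.escape(known + ch)}"}}
            if validate_coupon_vulnerable(probe):
                known += ch
                break
        else:
            break
    return known


if __name__ == "__main__":
    print("wildcard payload:", validate_coupon_vulnerable({"coupon_code": {"$ne": ""}}))
    print("leaked code:", leak_code_by_regex())
    print("hardened rejects operator:", is_rejected({"coupon_code": {"$ne": ""}}))
```

The type check is the essential part: JSON lets a client send an object where the server expects a string, and a driver that forwards the value unchanged turns that object into query logic. Rejecting non-strings (or casting with str()) before the query is built removes the operator channel entirely; the format check is defence in depth.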