当前位置: 首页 > article >正文

【API安全】crAPI靶场全解

目录

BOLA Vulnerabilities

Challenge 1 - Access details of another user’s vehicle

Challenge 2 - Access mechanic reports of other users

Broken User Authentication

Challenge 3 - Reset the password of a different user

Excessive Data Exposure

Challenge 4 - Find an API endpoint that leaks sensitive information of other users

Challenge 5 - Find an API endpoint that leaks an internal property of a video

Rate Limiting

Challenge 6 - Perform a layer 7 DoS using ‘contact mechanic’ feature

BFLA

Challenge 7 - Delete a video of another user

Mass Assignment

Challenge 8 - Get an item for free

Challenge 9 - Increase your balance by $1,000 or more

​编辑

Challenge 10 - Update internal video properties

SSRF

Challenge 11 - Make crAPI send an HTTP call to "www.google.com" and return the HTTP response.

NoSQL Injection

Challenge 12 - Find a way to get free coupons without knowing the coupon code.

SQL Injection

Challenge 13 - Find a way to redeem a coupon that you have already claimed by modifying the database

Unauthenticated Access

Challenge 14 - Find an endpoint that does not perform authentication checks for a user.

JWT Vulnerabilities

Challenge 15 - Find a way to forge valid JWT Tokens


似乎只能本地访问,所以直接windows本机部署了: 

GitHub - OWASP/crAPI: completely ridiculous API (crAPI)

BOLA Vulnerabilities

Challenge 1 - Access details of another user’s vehicle

To solve the challenge, you need to leak sensitive information of another user’s vehicle.

  • Since vehicle IDs are not sequential numbers, but GUIDs, you need to find a way to expose the vehicle ID of another user.

  • Find an API endpoint that receives a vehicle ID and returns information about it.

 

 Community里随便访问用户

 抓包拿到其vehicleid

记录一下敏感信息 

nickname: "Robot", email: "robot001@example.com", vehicleid: "ec9c90c0-8647-47f7-960e-4d0012cec600"
nickname: "Pogba", email: "pogba006@example.com", vehicleid: "8104792f-a7a2-44ae-ba99-d8a5de8ae8f6"
nickname: "Adam", email: "adam007@example.com", vehicleid: "887eb746-2d93-4373-8b93-56f1cd7dbd51"

访问8025端口的车辆邮件

 获取车辆

刷新定位,抓包

带着前面信息泄露的vehcileid访问即可

Challenge 2 - Access mechanic reports of other users

crAPI allows vehicle owners to contact their mechanics by submitting a "contact mechanic" form. This challenge is about accessing mechanic reports that were submitted by other users.

  • Analyze the report submission process

  • Find an hidden API endpoint that exposes details of a mechanic report

  • Change the report ID to access other reports

 提交维修报告,抓包

 返回了一个查看报告的url

 访问

修改report_id查看其它用户提交的维修报告

 

Broken User Authentication

Challenge 3 - Reset the password of a different user

  • Find an email address of another user on crAPI

  • Brute forcing might be the answer. If you face any protection mechanisms, remember to leverage the predictable nature of REST APIs to find more similar API endpoints.

 修改密码

提交,抓包 

 

 可以填入泄露的邮箱&爆破OTP

 opt爆多了会拒绝访问

 将v3改为v2,用历史api爆破

修改他人密码成功 

Excessive Data Exposure

Challenge 4 - Find an API endpoint that leaks sensitive information of other users

challenge1的community界面抓包后forward即可批量读取敏感信息

/community/api/v2/community/posts/recent?limit=30&offset=0

 

Challenge 5 - Find an API endpoint that leaks an internal property of a video

In this challenge, you need to find an internal property of the video resource that shouldn’t be exposed to the user. This property name and value can help you to exploit other vulnerabilities.

个人信息可以上传视频,抓包

  

 请求

/identity/api/v2/user/videos/6

Rate Limiting

Challenge 6 - Perform a layer 7 DoS using ‘contact mechanic’ feature

 

 

将失败后重新请求选项打开,请求次数设置为大数,并将mechanic_code改为错误的

BFLA

Challenge 7 - Delete a video of another user

  • Leverage the predictable nature of REST APIs to find an admin endpoint to delete videos

  • Delete a video of someone else

注意RESTful风格预测性 

将challenge 6视频信息泄露的GET方法改成DELETE方法,发现需要admin

将/identity/api/v2/user/videos/6改成/identity/api/v2/admin/videos/6

 

Mass Assignment

Challenge 8 - Get an item for free

crAPI allows users to return items they have ordered. You simply click the "return order" button, receive a QR code and show it in a USPS store. To solve this challenge, you need to find a way to get refunded for an item that you haven’t actually returned.

  • Leverage the predictable nature of REST APIs to find a shadow API endpoint that allows you to edit properties of a specific order.

 

查看订单细节,抓包 

PUT方法修改quantity(数量)

 

成功零元购了一个商品 

 

 

 

Challenge 9 - Increase your balance by $1,000 or more

After solving the "Get an item for free" challenge, be creative and find a way to get refunded for an item you never returned, but this time try to get a bigger refund.

增加数量,测试出可以将status修改为已退款returned 

 

令status为returned 

成功爆金币 

 

Challenge 10 - Update internal video properties

After solving the "Find an API endpoint that leaks an internal property of videos" challenge, try to find an endpoint that would allow you to change the internal property of the video. Changing the value can help you to exploit another vulnerability.

 和challenge5一样,先上传一个视频,GET方法请求信息

 PUT修改文件名

SSRF

Challenge 11 - Make crAPI send an HTTP call to "www.google.com" and return the HTTP response.

和challenge 6的接口一样

将 mechanic_api 的值改为http://google.com

成功SSRF

NoSQL Injection

Challenge 12 - Find a way to get free coupons without knowing the coupon code.

靶场的nosql数据库是mongodb

抓包

payload:

{"coupon_code": {"$ne": "test"}}

返回所有 coupon_code 值不为 test的数据,拿到优惠券的code为TRAC075

SQL Injection

Challenge 13 - Find a way to redeem a coupon that you have already claimed by modifying the database

 sql数据库用的是pgsql

先验证 TRAC075

抓包,再forward,看到

payload:

{"coupon_code":"1'or '1'='1","amount":75}

 

Unauthenticated Access

Challenge 14 - Find an endpoint that does not perform authentication checks for a user.

/workshop/api/shop/orders/1

 

JWT Vulnerabilities

Challenge 15 - Find a way to forge valid JWT Tokens

JWT Authentication in crAPI is vulnerable to various attacks. Find any one way to forge a valid JWT token and get full access to the platform.

jdk21环境下下载JWT Editor插件

dashboard处抓包forward访问到/identity/api/v2/user/dashboard

可以看到插件已经识别到Authorization请求头里的jwt

repeater中可以看到JSON WEB TOKEN选项

选用空算法伪造攻击 

 

伪造邮箱,成功越权 


http://www.kler.cn/a/328605.html

相关文章:

  • 搜维尔科技:SenseGlove触觉反馈手套开箱+场景测试
  • 游戏引擎学习第16天
  • 一些常见网络安全术语
  • nodejs+mysql+vue3 应用实例剖析
  • 使用nossl模式连接MySQL数据库详解
  • 解决Windows远程桌面 “为安全考虑,已锁定该用户账户,原因是登录尝试或密码更改尝试过多。请稍后片刻再重试,或与系统管理员或技术支持联系“问题
  • (void*) 是啥意思
  • 【Vue】为什么 Vue 不使用 React 的分片更新?
  • 重置linux后vscode无法再次使用ssh连接
  • C# HttpClient请求URL重定向后丢失Authorization认证头
  • 基于RustDesk自建远程桌面服务
  • 0基础学前端 day9--css布局
  • UI设计师面试整理-团队合作与沟通能力
  • 深度学习·wandb
  • 自然语言处理问答系统技术
  • html5 + css3(下)
  • STL容器适配器
  • OpenCV 形态学相关函数详解及用法示例
  • 字符串逆序
  • 滚雪球学MySQL[3.3讲]:MySQL复杂查询详解:CASE语句、自连接与视图管理
  • OpenCV视频I/O(11)视频采集类VideoCapture之设置视频捕获设备的属性函数 set()的使用
  • Go语言入门:掌握基础语法与核心概念
  • 决策树的损失函数公式详细说明和例子说明
  • JS+HTML基础
  • 小徐影院:探索Spring Boot的影院管理
  • 您的计算机已被Lockbit3.0勒索病毒感染?恢复您的数据的方法在这里!