【API安全】crAPI靶场全解

BOLA Vulnerabilities

Challenge 1 - Access details of another user’s vehicle

Challenge 2 - Access mechanic reports of other users

Broken User Authentication

Challenge 3 - Reset the password of a different user

Excessive Data Exposure

Challenge 4 - Find an API endpoint that leaks sensitive information of other users

Challenge 5 - Find an API endpoint that leaks an internal property of a video

Rate Limiting

Challenge 6 - Perform a layer 7 DoS using ‘contact mechanic’ feature

BFLA

Challenge 7 - Delete a video of another user

Mass Assignment

Challenge 8 - Get an item for free

Challenge 9 - Increase your balance by $1,000 or more

编辑

Challenge 10 - Update internal video properties

SSRF

Challenge 11 - Make crAPI send an HTTP call to "www.google.com" and return the HTTP response.

NoSQL Injection

Challenge 12 - Find a way to get free coupons without knowing the coupon code.

SQL Injection

Challenge 13 - Find a way to redeem a coupon that you have already claimed by modifying the database

Unauthenticated Access

Challenge 14 - Find an endpoint that does not perform authentication checks for a user.

JWT Vulnerabilities

Challenge 15 - Find a way to forge valid JWT Tokens

似乎只能本地访问，所以直接windows本机部署了：

GitHub - OWASP/crAPI: completely ridiculous API (crAPI)

BOLA Vulnerabilities

Challenge 1 - Access details of another user’s vehicle

To solve the challenge, you need to leak sensitive information of another user’s vehicle.

Since vehicle IDs are not sequential numbers, but GUIDs, you need to find a way to expose the vehicle ID of another user.

Find an API endpoint that receives a vehicle ID and returns information about it.

Community里随便访问用户

抓包拿到其vehicleid

记录一下敏感信息

nickname: "Robot", email: "robot001@example.com", vehicleid: "ec9c90c0-8647-47f7-960e-4d0012cec600"
nickname: "Pogba", email: "pogba006@example.com", vehicleid: "8104792f-a7a2-44ae-ba99-d8a5de8ae8f6"
nickname: "Adam", email: "adam007@example.com", vehicleid: "887eb746-2d93-4373-8b93-56f1cd7dbd51"

访问8025端口的车辆邮件

获取车辆

刷新定位，抓包

带着前面信息泄露的vehcileid访问即可

Challenge 2 - Access mechanic reports of other users

crAPI allows vehicle owners to contact their mechanics by submitting a "contact mechanic" form. This challenge is about accessing mechanic reports that were submitted by other users.

Analyze the report submission process

Find an hidden API endpoint that exposes details of a mechanic report

Change the report ID to access other reports

提交维修报告，抓包

返回了一个查看报告的url

访问

修改report_id查看其它用户提交的维修报告

Broken User Authentication

Challenge 3 - Reset the password of a different user

Find an email address of another user on crAPI

Brute forcing might be the answer. If you face any protection mechanisms, remember to leverage the predictable nature of REST APIs to find more similar API endpoints.

修改密码

提交，抓包

可以填入泄露的邮箱&爆破OTP

opt爆多了会拒绝访问

将v3改为v2，用历史api爆破

修改他人密码成功

Excessive Data Exposure

Challenge 4 - Find an API endpoint that leaks sensitive information of other users

challenge1的community界面抓包后forward即可批量读取敏感信息

/community/api/v2/community/posts/recent?limit=30&offset=0

Challenge 5 - Find an API endpoint that leaks an internal property of a video

In this challenge, you need to find an internal property of the video resource that shouldn’t be exposed to the user. This property name and value can help you to exploit other vulnerabilities.

个人信息可以上传视频，抓包

请求

/identity/api/v2/user/videos/6

Rate Limiting

Challenge 6 - Perform a layer 7 DoS using ‘contact mechanic’ feature

将失败后重新请求选项打开，请求次数设置为大数，并将mechanic_code改为错误的

BFLA

Challenge 7 - Delete a video of another user

Leverage the predictable nature of REST APIs to find an admin endpoint to delete videos

Delete a video of someone else

注意RESTful风格预测性

将challenge 6视频信息泄露的GET方法改成DELETE方法，发现需要admin

将/identity/api/v2/user/videos/6改成/identity/api/v2/admin/videos/6

Mass Assignment

Challenge 8 - Get an item for free

crAPI allows users to return items they have ordered. You simply click the "return order" button, receive a QR code and show it in a USPS store. To solve this challenge, you need to find a way to get refunded for an item that you haven’t actually returned.

Leverage the predictable nature of REST APIs to find a shadow API endpoint that allows you to edit properties of a specific order.

查看订单细节，抓包

PUT方法修改quantity(数量)

成功零元购了一个商品

Challenge 9 - Increase your balance by $1,000 or more

After solving the "Get an item for free" challenge, be creative and find a way to get refunded for an item you never returned, but this time try to get a bigger refund.

增加数量，测试出可以将status修改为已退款returned

令status为returned

成功爆金币

Challenge 10 - Update internal video properties

After solving the "Find an API endpoint that leaks an internal property of videos" challenge, try to find an endpoint that would allow you to change the internal property of the video. Changing the value can help you to exploit another vulnerability.

和challenge5一样，先上传一个视频，GET方法请求信息

PUT修改文件名

SSRF

Challenge 11 - Make crAPI send an HTTP call to "www.google.com" and return the HTTP response.

和challenge 6的接口一样

将 mechanic_api 的值改为http://google.com

成功SSRF

NoSQL Injection

Challenge 12 - Find a way to get free coupons without knowing the coupon code.

靶场的nosql数据库是mongodb

抓包

payload:

{"coupon_code": {"$ne": "test"}}

返回所有 coupon_code 值不为 test的数据，拿到优惠券的code为TRAC075

SQL Injection

Challenge 13 - Find a way to redeem a coupon that you have already claimed by modifying the database

sql数据库用的是pgsql

先验证 TRAC075

抓包，再forward，看到

payload:

{"coupon_code":"1'or '1'='1","amount":75}

Unauthenticated Access

Challenge 14 - Find an endpoint that does not perform authentication checks for a user.

/workshop/api/shop/orders/1

JWT Vulnerabilities

Challenge 15 - Find a way to forge valid JWT Tokens

JWT Authentication in crAPI is vulnerable to various attacks. Find any one way to forge a valid JWT token and get full access to the platform.

jdk21环境下下载JWT Editor插件

dashboard处抓包forward访问到/identity/api/v2/user/dashboard

可以看到插件已经识别到Authorization请求头里的jwt

repeater中可以看到JSON WEB TOKEN选项

选用空算法伪造攻击

伪造邮箱，成功越权