【API安全】crAPI靶场全解

news/2024/12/21 20:28:08/

目录

BOLA Vulnerabilities

Challenge 1 - Access details of another user’s vehicle

Challenge 2 - Access mechanic reports of other users

Broken User Authentication

Challenge 3 - Reset the password of a different user

Excessive Data Exposure

Challenge 4 - Find an API endpoint that leaks sensitive information of other users

Challenge 5 - Find an API endpoint that leaks an internal property of a video

Rate Limiting

Challenge 6 - Perform a layer 7 DoS using ‘contact mechanic’ feature

BFLA

Challenge 7 - Delete a video of another user

Mass Assignment

Challenge 8 - Get an item for free

Challenge 9 - Increase your balance by $1,000 or more

​编辑

Challenge 10 - Update internal video properties

SSRF

Challenge 11 - Make crAPI send an HTTP call to "www.google.com" and return the HTTP response.

NoSQL Injection

Challenge 12 - Find a way to get free coupons without knowing the coupon code.

SQL Injection

Challenge 13 - Find a way to redeem a coupon that you have already claimed by modifying the database

Unauthenticated Access

Challenge 14 - Find an endpoint that does not perform authentication checks for a user.

JWT Vulnerabilities

Challenge 15 - Find a way to forge valid JWT Tokens


似乎只能本地访问,所以直接windows本机部署了: 

GitHub - OWASP/crAPI: completely ridiculous API (crAPI)

BOLA Vulnerabilities

Challenge 1 - Access details of another user’s vehicle

To solve the challenge, you need to leak sensitive information of another user’s vehicle.

  • Since vehicle IDs are not sequential numbers, but GUIDs, you need to find a way to expose the vehicle ID of another user.

  • Find an API endpoint that receives a vehicle ID and returns information about it.

 

 Community里随便访问用户

 抓包拿到其vehicleid

记录一下敏感信息 

nickname: "Robot", email: "robot001@example.com", vehicleid: "ec9c90c0-8647-47f7-960e-4d0012cec600"
nickname: "Pogba", email: "pogba006@example.com", vehicleid: "8104792f-a7a2-44ae-ba99-d8a5de8ae8f6"
nickname: "Adam", email: "adam007@example.com", vehicleid: "887eb746-2d93-4373-8b93-56f1cd7dbd51"

访问8025端口的车辆邮件

 获取车辆

刷新定位,抓包

带着前面信息泄露的vehcileid访问即可

Challenge 2 - Access mechanic reports of other users

crAPI allows vehicle owners to contact their mechanics by submitting a "contact mechanic" form. This challenge is about accessing mechanic reports that were submitted by other users.

  • Analyze the report submission process

  • Find an hidden API endpoint that exposes details of a mechanic report

  • Change the report ID to access other reports

 提交维修报告,抓包

 返回了一个查看报告的url

 访问

修改report_id查看其它用户提交的维修报告

 

Broken User Authentication

Challenge 3 - Reset the password of a different user

  • Find an email address of another user on crAPI

  • Brute forcing might be the answer. If you face any protection mechanisms, remember to leverage the predictable nature of REST APIs to find more similar API endpoints.

 修改密码

提交,抓包 

 

 可以填入泄露的邮箱&爆破OTP

 opt爆多了会拒绝访问

 将v3改为v2,用历史api爆破

修改他人密码成功 

Excessive Data Exposure

Challenge 4 - Find an API endpoint that leaks sensitive information of other users

challenge1的community界面抓包后forward即可批量读取敏感信息

/community/api/v2/community/posts/recent?limit=30&offset=0

 

Challenge 5 - Find an API endpoint that leaks an internal property of a video

In this challenge, you need to find an internal property of the video resource that shouldn’t be exposed to the user. This property name and value can help you to exploit other vulnerabilities.

个人信息可以上传视频,抓包

  

 请求

/identity/api/v2/user/videos/6

Rate Limiting

Challenge 6 - Perform a layer 7 DoS using ‘contact mechanic’ feature

 

 

将失败后重新请求选项打开,请求次数设置为大数,并将mechanic_code改为错误的

BFLA

Challenge 7 - Delete a video of another user

  • Leverage the predictable nature of REST APIs to find an admin endpoint to delete videos

  • Delete a video of someone else

注意RESTful风格预测性 

将challenge 6视频信息泄露的GET方法改成DELETE方法,发现需要admin

将/identity/api/v2/user/videos/6改成/identity/api/v2/admin/videos/6

 

Mass Assignment

Challenge 8 - Get an item for free

crAPI allows users to return items they have ordered. You simply click the "return order" button, receive a QR code and show it in a USPS store. To solve this challenge, you need to find a way to get refunded for an item that you haven’t actually returned.

  • Leverage the predictable nature of REST APIs to find a shadow API endpoint that allows you to edit properties of a specific order.

 

查看订单细节,抓包 

PUT方法修改quantity(数量)

 

成功零元购了一个商品 

 

 

 

Challenge 9 - Increase your balance by $1,000 or more

After solving the "Get an item for free" challenge, be creative and find a way to get refunded for an item you never returned, but this time try to get a bigger refund.

增加数量,测试出可以将status修改为已退款returned 

 

令status为returned 

成功爆金币 

 

Challenge 10 - Update internal video properties

After solving the "Find an API endpoint that leaks an internal property of videos" challenge, try to find an endpoint that would allow you to change the internal property of the video. Changing the value can help you to exploit another vulnerability.

 和challenge5一样,先上传一个视频,GET方法请求信息

 PUT修改文件名

SSRF

Challenge 11 - Make crAPI send an HTTP call to "www.google.com" and return the HTTP response.

和challenge 6的接口一样

将 mechanic_api 的值改为http://google.com

成功SSRF

NoSQL Injection

Challenge 12 - Find a way to get free coupons without knowing the coupon code.

靶场的nosql数据库是mongodb

抓包

payload:

{"coupon_code": {"$ne": "test"}}

返回所有 coupon_code 值不为 test的数据,拿到优惠券的code为TRAC075

SQL Injection

Challenge 13 - Find a way to redeem a coupon that you have already claimed by modifying the database

 sql数据库用的是pgsql

先验证 TRAC075

抓包,再forward,看到

payload:

{"coupon_code":"1'or '1'='1","amount":75}

 

Unauthenticated Access

Challenge 14 - Find an endpoint that does not perform authentication checks for a user.

/workshop/api/shop/orders/1

 

JWT Vulnerabilities

Challenge 15 - Find a way to forge valid JWT Tokens

JWT Authentication in crAPI is vulnerable to various attacks. Find any one way to forge a valid JWT token and get full access to the platform.

jdk21环境下下载JWT Editor插件

dashboard处抓包forward访问到/identity/api/v2/user/dashboard

可以看到插件已经识别到Authorization请求头里的jwt

repeater中可以看到JSON WEB TOKEN选项

选用空算法伪造攻击 

 

伪造邮箱,成功越权 


http://www.ppmy.cn/news/1534053.html

相关文章

Ps:将画板导出到 PDF

菜单:文件/导出/将画板导出到 PDF Export/Artboards to PDF 将画板导出到 PDF Artboards to PDF命令用于将 Photoshop 的画板导出为 PDF 文件,提供了多种导出选项,可以控制文件的压缩、是否嵌入颜色配置文件、文件命名以及页面顺序等。它适用…

Python中的机器学习:从入门到实战

机器学习是人工智能领域的一个重要分支,它通过构建模型来使计算机从数据中学习并做出预测或决策。Python凭借其丰富的库和强大的生态系统,成为了机器学习的首选语言。本文将从基础到实战,详细介绍如何使用Python进行机器学习,涵盖…

滚雪球学MySQL[3.2讲]:MySQL聚合函数与分组详解:COUNT、SUM、AVG、MAX、MIN及GROUP BY与HAVING

全文目录: 前言3.2 聚合函数与分组1. COUNT、SUM、AVG、MAX、MIN等常用聚合函数1.1 COUNT函数基本语法示例1:统计学生表中的总记录数示例2:统计特定条件下的记录数 1.2 SUM函数基本语法示例1:计算总成绩 1.3 AVG函数基本语法示例1…

[每周一更]-(第117期):硬盘分区表类型:MBR和GPT区别

文章目录 1. **支持的磁盘容量**2. **分区数量**3. **引导方式**4. **冗余和数据恢复**5. **兼容性**6. **安全性**7. **操作系统支持**8. 对比 国庆假期前补一篇 在一次扫描机械硬盘故障的问题,发现我本机SSD和机械硬盘的分类型不一样,分别是GPT和MBR&a…

从0学习React(1)

上次在写关于index.tsx的解析的文章的时候,写着写着我突然发现文章太长了,以至于我把代码的很多细节都给忽略掉,只把index.tsx文件的大致结构给写了出来。所以接下来的几篇文章,我将会把index.tsx分成很多个部分,我争取…

知识图谱入门——6:Cypher 查询语言高级组合用法(查询链式操作、复杂路径匹配、条件逻辑、动态模式创建,以及通过事务控制和性能优化处理大规模数据。

在熟悉 Cypher 的基本操作后,复杂查询场景中的高级用法可以帮助你充分利用 Neo4j 图数据库的强大功能。这些组合用法涉及查询链式操作、复杂路径匹配、条件逻辑、动态模式创建,以及通过事务控制和性能优化处理大规模数据。 文章目录 1. 使用 WITH 管道式…

Qt C++设计模式->责任链模式

责任链模式(Chain of Responsibility Pattern)是一种行为型设计模式,它允许多个对象有机会处理请求,而不需要明确指定哪个对象处理。通过将这些对象连成一条链,请求沿着链传递,直到有对象处理它为止。该模式…

长期提供APX515/B原装二手APX525/B音频分析仪

Audio Precision APx515 是一款针对生产测试而优化的高性能音频分析仪。它因其速度、性能、自动化和易用性而成为一流的仪器。它具有卓越的性能,具有 –106 dB 的典型 THDN、1M 点 FFT 和 192k 数字 I/O,以及所有 APx 系列音频分析仪的一键式自动化和易用…