Hello everyone! Welcome to pentestguy. In this two-part walkthrough of vAPI, an intentionally vulnerable API, we will focus on five challenging API vulnerabilities and how to exploit them. So, let’s dive right in!
What is vAPI?
vAPI (Vulnerable Adversely Programmed Interface) is a self-hostable API. It is intentionally vulnerable and designed for testing and learning purposes. The simplest way to set it up is with Docker, which makes it easy to follow along and practice on your own.
Installing vAPI Vulnerable API via Docker:
To get started, follow these simple steps to install vAPI using Docker:
Install Docker: If you don’t have Docker installed on your system, download and install it from the official Docker website for your operating system.
Clone the vAPI Repository: Open a terminal or command prompt and run the following command to clone the vAPI repository:
git clone https://github.com/roottusk/vapi.git
Pull and Run the vAPI Container: Go to the vAPI directory and run the command given below. Make sure docker-compose is installed before running it.
docker-compose up -d
API 1 – BOLA (Broken Object Level Authorization):
BOLA, also known as IDOR (Insecure Direct Object Reference), is a critical API vulnerability. It allows a malicious user to access other users’ data simply by changing the user ID in the URL.
Create an Account:
To start, we create an account using the “Create User” API call. Once it succeeds, we receive cookies that are used for authentication.
Verify the cookies in the environment:
After creating the user, verify that the cookies are present in the Postman environment.
Exploiting the Vulnerability:
Next, let’s explore the “Get User” endpoint. By manipulating the user ID in the URL, an attacker can retrieve data belonging to other users.
Unauthorized Data Access:
The “Get User” endpoint is vulnerable: it lets an attacker fetch any user’s data, which is an unauthorized read operation.
Unauthorized Data Update:
Additionally, the “Update User” endpoint is vulnerable: it lets an attacker modify any user’s data, so the flaw allows unauthorized read and write operations.
API 2 – Broken Authentication:
Broken Authentication occurs when authentication mechanisms are flawed, granting unauthorized access to user accounts. For this challenge, we discover that the user login endpoint lacks proper rate limiting.
Credentials in creds.csv:
In the “Resources” folder, we find a creds.csv file containing the email address and password of a test user.
Intercept the Login request:
Configure Postman to use Burp as its proxy and intercept the login request, sent with dummy credentials.
Payload Set 1 & Payload processing:
In Payload Set 1, load creds.csv and add a payload processing rule (Match/Replace) with Match regex: ,.* and an empty Replace. This strips everything from the comma onward, leaving only the email address. Make sure the payload URL-encoding option is unchecked.
Payload Set 2 & Payload processing:
In Payload Set 2, load creds.csv again and add a payload processing rule (Match/Replace) with Match regex: .*, and an empty Replace. This strips everything up to and including the comma, leaving only the password. Make sure the payload URL-encoding option is unchecked.
Start Intruder:
Start the attack, wait until it finishes, and sort the results by status code or response length to spot the successful login.
Use Token/Cookie:
Use the token from the correct login in the “Get Details” endpoint and retrieve the flag.
API 3 – Sensitive Data Exposure:
Sensitive Data Exposure happens when data is accessible without proper authorization. In this challenge, we create a new user and install an APK file on an Android device to find out what sensitive data the app and its API expose.
Creating a New User:
Start by creating a new user through Postman; this gives us the credentials we need.
Installing APK File:
Locate the APK file in the “Resources” folder and install it on an Android device (physical or virtual) to investigate whether it exposes any sensitive data. Make sure to configure the app with the base URL of wherever vAPI is running.
Comment functionality:
Log in with the credentials created in the Create User step to reach the comment functionality, then post a random comment.
Check BurpSuite:
After logging in and commenting, check Burp Suite for the endpoints the app called. You will find the /comment endpoint, which is vulnerable to sensitive data exposure: its response includes another user’s data along with the flag.
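The fix for an endpoint like /comment is to allowlist what leaves the server rather than embedding stored rows. The example below is added here and is not vAPI’s code; the user rows, field names and comment are constructed, and leaked_author_fields is a review check you can run against a response captured in Burp.

```python
import json

# Constructed sample rows; the field names are assumptions, not vAPI's real schema.
USERS = {
    1: {"id": 1, "username": "alice", "email": "alice@example.com",
        "password_hash": "<placeholder-hash>", "phone": "<placeholder-phone>"},
    2: {"id": 2, "username": "bob", "email": "bob@example.com",
        "password_hash": "<placeholder-hash>", "phone": "<placeholder-phone>"},
}
COMMENT = {"id": 7, "author_id": 2, "text": "first!"}

# The only author fields a comment response may carry: an explicit allowlist.
PUBLIC_AUTHOR_FIELDS = ("id", "username")

def serialize_comment_vulnerable(comment):
    """Embeds the author's whole stored row, so every reader of the comment
    receives another user's email, password hash and phone number."""
    return {**comment, "author": USERS[comment["author_id"]]}

def serialize_comment(comment):
    """Allowlists the author sub-object instead of dumping the row."""
    author = USERS[comment["author_id"]]
    return {"id": comment["id"], "text": comment["text"],
            "author": {k: author[k] for k in PUBLIC_AUTHOR_FIELDS}}

def leaked_author_fields(response):
    """Review check for a captured /comment response (JSON text or parsed dict):
    returns the author keys that fall outside the allowlist, sorted."""
    body = json.loads(response) if isinstance(response, str) else response
    author = body.get("author") or {}
    return sorted(k for k in author if k not in PUBLIC_AUTHOR_FIELDS)

def as_json(comment, serializer):
    """What the given serializer would send over the wire."""
    return json.dumps(serializer(comment))
```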
API 4 – Lack of Resources and Rate Limiting:
Lack of Resources and Rate Limiting allows attackers to abuse certain API endpoints without restrictions. In this challenge, we authenticate via mobile number and OTP, using Burp Intruder to perform a brute-force attack on the OTP.
Authenticate with Mobile Number:
Initiate the login process by providing the mobile number, which will trigger an OTP sent to the registered mobile device.
Brute-Force the OTP:
Use Burp Intruder to systematically try every OTP from 0000 to 9999 with the Numbers payload settings given below.
From: 0000
To: 9999
Step: 1
Min integer digits: 4
Max integer digits: 4
Min fraction digits: 0
Max fraction digits: 0
Start attack:
Run Intruder until the correct OTP is found, which grants access to the user’s details.
Use Token/Cookie:
Use the token from the correct login in the “Get Details” endpoint and retrieve the flag.
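Both the creds.csv attack on the login endpoint (API 2) and the 0000–9999 OTP run (API 4) work only because nothing counts failed attempts. Below is an added example, not vAPI’s code, of the two server-side controls that close them: a sliding-window failure counter per account or client IP, and an OTP that is short-lived, single-use and discarded after a few wrong guesses. The limits and the `now` clock parameter are assumptions chosen for the example.

```python
import hmac, time
from collections import defaultdict, deque

# Assumed policy values, constructed for this example (not vAPI's own settings).
MAX_FAILED_LOGINS = 5      # per account (or per client IP) inside WINDOW_SECONDS
WINDOW_SECONDS = 300
MAX_OTP_ATTEMPTS = 3       # otherwise a 4-digit OTP falls to at most 10,000 guesses
OTP_TTL_SECONDS = 120

class LoginThrottle:
    """Sliding-window count of failed logins; the key is an email or a client IP."""
    def __init__(self, now=time.time):
        self.now = now
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
    def _recent(self, key):
        cutoff = self.now() - WINDOW_SECONDS
        q = self.failures[key]
        while q and q[0] < cutoff:
            q.popleft()                      # forget failures outside the window
        return q

    def is_blocked(self, key):
        return len(self._recent(key)) >= MAX_FAILED_LOGINS

    def record_failure(self, key):
        self._recent(key).append(self.now())

class OtpVerifier:
    """One pending OTP per phone: short-lived, single-use, burned after MAX_OTP_ATTEMPTS misses."""
    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}   # phone -> [code, issued_at, attempts_left]
    def issue(self, phone, code):
        self.pending[phone] = [code, self.now(), MAX_OTP_ATTEMPTS]

    def verify(self, phone, guess):
        entry = self.pending.get(phone)
        if entry is None:
            return False
        code, issued_at, attempts_left = entry
        if self.now() - issued_at > OTP_TTL_SECONDS:
            del self.pending[phone]                  # expired
            return False
        if hmac.compare_digest(code, guess):
            del self.pending[phone]                  # single use
            return True
        entry[2] = attempts_left - 1
        if entry[2] == 0:
            del self.pending[phone]                  # burned: a fresh OTP is required
        return False
```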
API 5 – Broken Function Level Authorization:
Broken Function Level Authorization occurs when an application has roles with different privileges but does not enforce those differences on its endpoints. This challenge involves creating a normal user and using the “Get User” endpoint to reach admin functionality.
Create a Normal User:
Begin by creating a new user with standard user privileges using the appropriate API endpoint.
Get details:
After creating the user, access the user’s details using the “Get Details” endpoint.
Exploiting the Vulnerability:
Analyze the “Get User” endpoint for missing authorization checks that let us manipulate it and reach admin functionality. After a few attempts, you should be able to retrieve all users’ details from the “/users” endpoint.
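The BOLA challenge (API 1) and this BFLA challenge fail at two different layers: the first never checks who owns the object named in the URL, the second never checks whether the caller’s role may invoke the function at all. The example below is added here and is not vAPI’s code; it shows a vulnerable handler next to hardened ones, with a constructed in-memory user store and HTTP-style (status, body) return values as assumptions.

```python
from dataclasses import dataclass, asdict

@dataclass
class User:
    id: int
    email: str
    role: str = "user"          # "user" or "admin"

# Constructed in-memory store; vAPI's own storage and field names are not modelled.
USERS = {1: User(1, "alice@example.com"), 2: User(2, "bob@example.com"),
         3: User(3, "root@example.com", role="admin")}
FORBIDDEN = (403, {"error": "forbidden"})
EDITABLE_FIELDS = ("email",)    # mass-assignment guard: role is never client-writable

def get_user_vulnerable(user_id):
    """BOLA: trusts the id in the URL and never asks who is calling."""
    return 200, asdict(USERS[user_id])

def owner_or_admin(actor, target_id):
    """Object-level check: the actor comes from the session, never from the URL."""
    return actor.id == target_id or actor.role == "admin"

def get_user(actor, user_id):
    if not owner_or_admin(actor, user_id):
        return FORBIDDEN
    return 200, asdict(USERS[user_id])

def update_user(actor, user_id, **changes):
    if not owner_or_admin(actor, user_id) or any(k not in EDITABLE_FIELDS for k in changes):
        return FORBIDDEN
    target = USERS[user_id]
    for field_name, value in changes.items():
        setattr(target, field_name, value)
    return 200, asdict(target)

def require_role(role):
    """Function-level check: the whole endpoint is gated on the caller's role."""
    def decorator(handler):
        def wrapper(actor, *args, **kwargs):
            if actor.role != role:
                return FORBIDDEN
            return handler(actor, *args, **kwargs)
        return wrapper
    return decorator

@require_role("admin")
def list_users(actor):
    """The /users listing: admin-only, whatever ids or parameters the caller sends."""
    return 200, [asdict(u) for u in USERS.values()]
```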
Throughout these challenges, we learned how to identify and exploit various API vulnerabilities, including BOLA, Broken Authentication, Sensitive Data Exposure, Lack of Resources and Rate Limiting, and Broken Function Level Authorization.
If you found this post helpful, please share it with your co-workers and friends. Leave a comment and let us know if you have any suggestions. You can also collaborate with us; please check our collaboration page. Thank you!