Hey everyone, welcome to pentestguy. I am back with a new article on API testing: a simple walkthrough of VAmPI, a vulnerable API that contains the OWASP API Top 10 vulnerabilities.
What is VamPI?
VAmPI is a vulnerable API built with Flask that includes vulnerabilities from the OWASP API Top 10. It has an on/off switch that makes the API vulnerable or not while testing, which makes it easier to cover the false positive/negative cases. VAmPI can also be used for learning and teaching purposes.
If you don't know how to set up VAmPI and the other tools, like Postman along with OWASP ZAP or Burp Suite, check out this article, https://pentestguy.com/how-to-do-api-pentesting-using-zap-and-postman/, and watch my videos on YouTube for a better understanding.
Broken Object Level Authorization (BOLA) / IDOR (Insecure Direct Object Reference)
The API returns book information based on a parameter, book_title = api-pentesting, and the response contains the book information along with its secret. If the API does not enforce proper authorization checks, an attacker can access other users' data.
Log in to a user account and create a new book, then access the book information using the book title.
Now the user tries to access the data by supplying another book title.
The same applies to the username parameter, e.g. username=name1, which returns user data. If the API does not enforce proper authorization checks, an attacker can access other users' data. In this example, no sensitive information is returned.
Now the user tries to access the data by supplying another username.
SQL Injection
The API does not validate user input, so a malicious user can inject code. In this case, the username parameter is not validated.
In any injection test, the first step is to check whether the input is interpreted as code at all; only then does it make sense to explore how far it can be leveraged.
In the above image we got a SQL error, which confirms the input reaches the SQL query; for this example I am using sqlmap.
Unauthorized Password Change
The API changes the password based on the username: here the username is in the URL and the new password is in the POST body.
In some cases both are in the same POST body; such scenarios are also IDOR/BOLA.
Log in first, then use the password-change option to change another user's password.
Excessive Data Exposure
Insecure API endpoints that require no authentication or authorization to access data allow a malicious user to reach other users' data or data that should be restricted.
In this case, there is an endpoint named debug which exposes all of the data.
Mass Assignment
The developer may leave private functionality exposed to the public, for example allowing anyone to create an admin account. If such functionality exists, a malicious user can leverage it.
Create an admin user using the hidden admin=true field.
To confirm the account is an admin, log in with the account created in the previous step and try to delete another user's account.
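To see how the admin=true issue above arises and how to close it, here is an added example (not VAmPI's own code): a registration handler that binds every request field onto the user model, beside one that allow-lists the fields a client may set. It is a plain Python stand-in for the Flask route, and the User model and field names are assumptions.

```python
# Added example, not VAmPI's code: mass assignment vs. an allow-listed handler.
# The User model and field names are assumptions for illustration.
from dataclasses import dataclass

@dataclass
class User:
    username: str
    password: str
    email: str = ""
    admin: bool = False  # privileged flag that a client must never be able to set

# Request fields a client is permitted to supply when registering.
REGISTRATION_FIELDS = {"username", "password", "email"}

def register_vulnerable(payload: dict) -> User:
    """Mass assignment: every JSON key is bound straight onto the model,
    so a body containing "admin": true yields an administrator account."""
    return User(**payload)

def register_safe(payload: dict) -> User:
    """Hardened: copy only allow-listed fields. Anything else (e.g. "admin")
    is dropped, so the model default (admin=False) always applies."""
    allowed = {k: payload[k] for k in REGISTRATION_FIELDS if k in payload}
    dropped = sorted(set(payload) - REGISTRATION_FIELDS)
    if dropped:
        # Worth logging: a client sending fields it should not know about
        # is a useful detection signal for mass-assignment probing.
        print(f"ignored unexpected registration fields: {dropped}")
    return User(**allowed)

def demo():
    """Returns (admin flag from vulnerable handler, admin flag from safe handler)."""
    # Constructed request body mirroring the walkthrough's hidden admin=true field.
    body = {"username": "name1", "password": "pass1",
            "email": "name1@example.com", "admin": True}
    return register_vulnerable(body).admin, register_safe(body).admin

if __name__ == "__main__":
    print(demo())  # (True, False)
```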
Rate Limiting
Missing rate limits are a common issue in APIs, typically on authentication endpoints that take usernames, passwords, and OTPs. Failing to rate-limit such endpoints leaves them open to abuse through unlimited attempts.
These are the main issues covered in this VAmPI walkthrough; I hope you like it. Please feel free to explore more issues and add them in the comments below. Thank you!!