Hello everyone! Welcome to pentestguy. We are back with the second part of the vAPI – Vulnerable API penetration testing walkthrough. In this part, we will explore the remaining vulnerabilities present in the vAPI vulnerable API and discuss the steps to exploit them.
If you haven’t checked part one of the vAPI Vulnerable API walkthrough, click here.
What is vAPI Vulnerable API?
vAPI stands for Vulnerable Adversely Programmed Interface, a self-hostable API. It is intentionally vulnerable and designed for testing and learning purposes. The simplest way to set it up is with Docker, which makes it easy to follow along and practice on your own.
API6 – Mass Assignment
Mass assignment is often a hidden piece of functionality in an application. In this scenario, it involves credit management: a normal user starts with a credit value of zero. The mass assignment vulnerability lets us set the credit at the time of creating a user, which yields the flag.
Create a normal user without specifying any credit value.
Check the user’s details and note that the credit is set to zero.
Exploit the mass assignment vulnerability by creating another user and including a credit value during user creation to increase the credit.
Retrieve the flag by fetching the user details of the newly created user, which should now reflect the increased credit value.
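The handler behaviour behind these steps, as an added example that is not vAPI's own code: the vulnerable version copies every JSON key into the new account, the hardened version only copies an allow-list, and a small helper flags request bodies carrying fields the endpoint never accepts. The request bodies and field names are constructed.

```python
import json

# Constructed request bodies (not from the original post) modelling the vAPI
# API6 scenario: a normal signup, and one that smuggles in a "credit" field.
NORMAL_SIGNUP = '{"username": "alice", "password": "p@ss", "name": "Alice"}'
TAMPERED_SIGNUP = '{"username": "mallory", "password": "p@ss", "name": "M", "credit": 1000}'

# Fields a client may set on its own account. Server-controlled attributes
# such as "credit" and "role" are deliberately absent.
ALLOWED_FIELDS = {"username", "password", "name"}


def create_user_vulnerable(body):
    """Mass-assignment bug: every JSON key becomes a user attribute."""
    user = {"credit": 0}           # intended default for a new account
    user.update(json.loads(body))  # attacker-controlled keys overwrite it
    return user


def create_user_fixed(body):
    """Hardened version: copy only allow-listed keys and ignore the rest."""
    data = json.loads(body)
    user = {"credit": 0}
    for key in ALLOWED_FIELDS:
        if key in data:
            user[key] = data[key]
    return user


def unexpected_fields(body):
    """Detection helper: keys the client sent that the endpoint never accepts.
    Legitimate clients do not send them, so they are worth logging."""
    return set(json.loads(body)) - ALLOWED_FIELDS


if __name__ == "__main__":
    print(create_user_vulnerable(TAMPERED_SIGNUP)["credit"])  # 1000
    print(create_user_fixed(TAMPERED_SIGNUP)["credit"])       # 0
    print(unexpected_fields(TAMPERED_SIGNUP))                 # {'credit'}
```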
API7 – Security Misconfiguration
Security misconfigurations frequently show up as Cross-Origin Resource Sharing (CORS) misconfigurations. In this scenario, we can take advantage of the misconfiguration to obtain a flag.
Create a user.
Log in using the appropriate endpoint.
Access the “get key” endpoint. We don’t need a CORS proof of concept (PoC) to exploit the vulnerability here: simply provide an “Origin” header in the request, and the API will respond with the flag.
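Why an arbitrary Origin header is enough, as an added example that is not vAPI's code: the vulnerable handler reflects whatever origin it receives alongside Allow-Credentials, the fixed handler reflects only an exact allow-list match, and a scanner-style check tells the two responses apart. The allowed origin and probe origin are constructed.

```python
from typing import Optional

# Constructed example (not vAPI's own code) of how the Origin request header
# is turned into CORS response headers. Echoing any origin together with
# Allow-Credentials lets a page on any site read the authenticated response,
# which is why sending an arbitrary Origin to "get key" is enough here.
ALLOWED_ORIGINS = {"https://app.example.com"}   # assumed trusted front-end


def cors_headers_vulnerable(origin: Optional[str]) -> dict:
    """Misconfiguration: whatever Origin arrives is reflected, with credentials."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_fixed(origin: Optional[str]) -> dict:
    """Only an exact allow-list match is reflected; anything else gets no CORS headers."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}   # so a cache never serves one origin's answer to another


def reflects_arbitrary_origin(probe_origin: str, headers: dict) -> bool:
    """Scanner-style check on a response: an untrusted origin came back in
    Allow-Origin together with Allow-Credentials."""
    return (probe_origin not in ALLOWED_ORIGINS
            and headers.get("Access-Control-Allow-Origin") == probe_origin
            and headers.get("Access-Control-Allow-Credentials") == "true")


if __name__ == "__main__":
    probe = "https://probe.example"      # constructed test origin
    print(reflects_arbitrary_origin(probe, cors_headers_vulnerable(probe)))  # True
    print(reflects_arbitrary_origin(probe, cors_headers_fixed(probe)))       # False
```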
API8 – Injection
Injection vulnerabilities are common issues in web applications and APIs. In this scenario, we have a login endpoint where we can attempt SQL injection (SQLi) or bypass techniques to retrieve sensitive data. Use the SQLi authentication bypass cheat sheet: https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/
Identify the login endpoint and attempt SQL injection or bypass techniques to gain unauthorized access.
After successfully obtaining unauthorized access, access the “get secret” endpoint to retrieve the flag.
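The root cause and the fix side by side, as an added example that is not vAPI's code: a string-built login query next to a parameterised one, run against a constructed in-memory SQLite table, plus a crude log-side check for the quote-and-comment pattern the linked cheat sheet relies on.

```python
import sqlite3

# In-memory stand-in for the login table (constructed; not vAPI's schema).
conn = sqlite3.connect(":memory:", check_same_thread=False)
conn.execute("CREATE TABLE users (username TEXT, password TEXT, secret TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse', 'flag{constructed}')")
conn.commit()


def login_vulnerable(username, password):
    """String-built query: the input becomes part of the SQL grammar, so a
    quote plus comment sequence from the cheat sheet truncates the password check."""
    sql = (f"SELECT secret FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_fixed(username, password):
    """Parameterised query: values travel separately from the statement, so
    quotes and keywords in the input are only ever compared as data."""
    sql = "SELECT secret FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def looks_like_sqli(value):
    """Crude detection aid for request logs: a quote next to a comment marker or OR."""
    lowered = value.lower()
    return "'" in value and ("--" in lowered or " or " in lowered or "#" in lowered)


if __name__ == "__main__":
    bypass = "admin' -- "        # classic comment-out payload from the linked cheat sheet
    print(login_vulnerable(bypass, "wrong"))      # ('flag{constructed}',)
    print(login_fixed(bypass, "wrong"))           # None
    print(login_fixed("admin", "correct-horse"))  # ('flag{constructed}',)
```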
API9 – Improper Asset Management
Improper asset management can lead to security issues when outdated or vulnerable versions of APIs are still accessible. In this case, the API has multiple versions (e.g., v1 and v2), and the v1 version is known to have security flaws.
Capture the request in Burp Suite and send it to Intruder.
Clear the payload positions, replace v2 with v1 in the path, mark the PIN value as the payload position, and move to the Payloads tab.
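A constructed model of the two versions, added here and not vAPI's own code: v2 throttles PIN guesses, the forgotten v1 does not, and the fix is to retire v1 outright. A log-side counter shows the detection signal (any traffic to a version you believe is gone). The PIN value and attempt limit are assumptions.

```python
from collections import defaultdict

# Constructed model (not vAPI's own code) of a PIN check exposed under two
# API versions. v2 throttles guesses; v1 never did and is still deployed,
# which is the improper-asset-management problem the challenge is about.
CORRECT_PIN = "4321"               # constructed value
MAX_ATTEMPTS = 5
THROTTLED_VERSIONS = {"v2"}
RETIRED_VERSIONS = set()           # empty: v1 is still reachable (the bug)

_failed = defaultdict(int)         # (version, username) -> failed guesses


def verify_pin(version, username, pin, retired=None):
    """HTTP status for POST /{version}/login carrying one PIN guess."""
    retired = RETIRED_VERSIONS if retired is None else retired
    if version in retired:
        return 410                 # Gone: the fix is to switch old versions off
    key = (version, username)
    if version in THROTTLED_VERSIONS and _failed[key] >= MAX_ATTEMPTS:
        return 429
    if pin == CORRECT_PIN:
        _failed[key] = 0
        return 200
    _failed[key] += 1
    return 401


def pin_guessable(version, username, retired=None):
    """Test-suite style check: does walking all 4-digit PINs ever get a 200?"""
    return any(verify_pin(version, username, f"{n:04d}", retired) == 200
               for n in range(10000))


def requests_per_version(access_log):
    """Detection: hits per version prefix in lines like 'POST /v1/login 401'.
    Any traffic to a version you believe is gone is the alert."""
    counts = defaultdict(int)
    for line in access_log:
        counts[line.split()[1].split("/")[1]] += 1
    return dict(counts)
```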
API10 – Insecure Logging and Monitoring
Insecure logging exposes sensitive data in public logs due to misconfigurations. In this challenge, the “get flag” endpoint is vulnerable to insecure logging.
Access the “get flag” endpoint and observe the logs for any sensitive data being exposed.
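What a fixed "get flag" handler does differently, as an added example that is not vAPI's code: a redaction step scrubs the values of sensitive keys before a record reaches any log handler, and a scan over existing log lines finds the ones that still leak. The sample log lines and key list are constructed.

```python
import logging
import re

# Constructed example (not vAPI's code). The "get flag" handler writes the
# whole request and response to its log, so the bearer token and the flag
# itself end up somewhere any log reader can see them. The fix is to scrub
# values of sensitive keys before the record reaches a handler.
SENSITIVE_KEYS = ("authorization", "password", "token", "flag")
_PATTERN = re.compile(r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")(\s*[:=]\s*)([^,;]+)")


def redact(line):
    """Keep the key, replace its value with a marker."""
    return _PATTERN.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", line)


class RedactingFilter(logging.Filter):
    """Attach to the logger so every handler receives the scrubbed message."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def make_safe_logger(name="vapi"):
    logger = logging.getLogger(name)
    logger.addFilter(RedactingFilter())
    return logger


def find_leaks(log_lines):
    """Detection: lines that still carry an unredacted sensitive value."""
    return [l for l in log_lines if _PATTERN.search(l) and "[REDACTED]" not in l]


# Constructed log lines of the kind the challenge expects you to spot.
SAMPLE_LOG = [
    "GET /get_flag Authorization: Bearer eyJhbGciOi.constructed.sig",
    "response flag=flag{constructed_value}",
    "GET /users ok",
]
```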
Extra Challenges:
JuskWeakToken (JWT Token Manipulation):
Objective: Change the user role in the JWT token from “user” to “admin” and use it to access the “get user” endpoint to obtain the flag.
Create a normal user using the appropriate endpoint of the API.
Upon successful user creation, the API will generate a JWT token containing user role information (e.g., “user” role).
Copy the JWT token and navigate to jwt.io.
Paste the JWT token into the “Encoded” section on jwt.io.
In the “Payload” section, look for the “role” field (assuming the token contains this field) and change its value from “user” to “admin.”
Save the modified JWT token.
Use the modified JWT token as an Authorization header in the request to the “get user” endpoint.
The API should now treat you as an admin user, granting access to the “get user” endpoint and providing the flag.
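Why the jwt.io edit works and what stops it, as an added example that is not vAPI's code: a stdlib HS256 signer, a payload edit that keeps the old signature (the step above), a reader that trusts the payload as-is, and a reader that pins the algorithm and recomputes the HMAC. The signing key is an assumed value.

```python
import base64
import hashlib
import hmac
import json

# Constructed demonstration (not vAPI's code). A server that decodes the JWT
# payload without checking the signature believes whatever role it finds,
# which is why the jwt.io edit in the walkthrough works. SECRET is an assumed
# signing key; real keys must be long and random.
SECRET = b"constructed-server-secret"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(payload):
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def tamper_role(token, new_role):
    """What the walkthrough does on jwt.io: edit the payload, keep the old signature."""
    header, body, sig = token.split(".")
    payload = json.loads(_unb64url(body))
    payload["role"] = new_role
    return f"{header}.{_b64url(json.dumps(payload).encode())}.{sig}"


def role_without_verification(token):
    """The bug: trust the payload as-is."""
    return json.loads(_unb64url(token.split(".")[1]))["role"]


def role_verified(token):
    """The fix: pin the algorithm, recompute the HMAC, compare in constant time."""
    header, body, sig = token.split(".")
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # also rejects alg=none
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(body))["role"]
```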
ServerSurfer (SSRF Exploitation):
Objective: Exploit Server-Side Request Forgery (SSRF) by providing a malicious URL parameter to the “get data” endpoint, leading to data exfiltration.
Send the crafted URL as a parameter to the “get data” endpoint.
Analyze the Burp Collaborator interactions.
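The validation a "get data" endpoint should apply to its URL parameter, as an added example that is not vAPI's code: internal and loopback addresses are refused first, then the host must be on an explicit allow-list, so a Collaborator-style external host is rejected as well. The allowed host is an assumption and `http_get` is a stand-in for the application's HTTP client so the example runs offline.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed example (not vAPI's code) for validating the URL that the
# "get data" endpoint fetches on the caller's behalf. Two layers: refuse
# anything that points inside the server's own network, then require the
# host to be on an explicit allow-list. Collaborator-style external hosts
# fail the second check; loopback and cloud metadata addresses fail the first.
ALLOWED_HOSTS = {"api.partner.example"}      # assumed legitimate upstream


def classify_target(url):
    """Return 'allowed' or the reason the URL must not be fetched."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return "bad-scheme"
    host = parsed.hostname.lower()
    if host == "localhost":
        return "internal-address"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                            # a hostname, not an IP literal
    if ip is not None and (ip.is_private or ip.is_loopback
                           or ip.is_link_local or ip.is_reserved):
        return "internal-address"
    if host not in ALLOWED_HOSTS:
        return "not-allowlisted"
    return "allowed"


def fetch_unsafe(url, http_get):
    """The bug: the parameter is used as-is. `http_get` stands in for the
    application's HTTP client so the example runs offline."""
    return http_get(url)


def fetch_safe(url, http_get):
    """The fix. In production also resolve the host and re-check the IP that is
    actually connected to, and disable redirects, to defeat DNS tricks."""
    verdict = classify_target(url)
    if verdict != "allowed":
        raise ValueError(f"refused ({verdict}): {url}")
    return http_get(url)
```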
StickyNotes (Stored XSS):
Objective: Exploit stored Cross-Site Scripting (XSS) by saving a note with a simple XSS payload and retrieving the note to execute the payload and obtain the flag.
Use the “store note” endpoint to save a note containing a simple XSS payload.
Use the “get note” endpoint; the API will likely render the note without proper XSS protection, executing the payload in the process.
The XSS payload should trigger an alert box with the value “1”, indicating successful exploitation. Additionally, the flag might be included in the response or visible when the XSS payload executes.
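The output-side fix for the stored note, as an added example that is not vAPI's code: storage keeps the raw text, the vulnerable renderer interpolates it into HTML unchanged, the fixed renderer escapes it at the output boundary, and a regression check tells whether the stored note reaches the page as live markup. The note store and HTML wrapper are constructed.

```python
import html

# Constructed example (not vAPI's own code). "store note" keeps whatever text it
# is given; the bug is in "get note", which drops that text straight into HTML.
# Escaping at the output boundary is the fix, and storage can stay raw.
_notes = {}

# The payload the walkthrough uses, here only to show the two renderings differ.
PAYLOAD = "<script>alert(1)</script>"


def store_note(note_id, text):
    _notes[note_id] = text


def render_note_vulnerable(note_id):
    """Raw interpolation: the browser parses the note as markup."""
    return f'<div class="note">{_notes[note_id]}</div>'


def render_note_fixed(note_id):
    """HTML-escape on output: '<' becomes '&lt;' and the note stays text."""
    return f'<div class="note">{html.escape(_notes[note_id], quote=True)}</div>'


def note_is_live_markup(rendered, note_id):
    """Regression check: the stored note appears verbatim in the page and
    contains a tag, so a browser would execute it."""
    raw = _notes[note_id]
    return "<" in raw and raw in rendered


if __name__ == "__main__":
    store_note("n1", PAYLOAD)
    print(note_is_live_markup(render_note_vulnerable("n1"), "n1"))  # True
    print(note_is_live_markup(render_note_fixed("n1"), "n1"))       # False
```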
In this walkthrough, we covered various API vulnerabilities and explored the steps to exploit them to retrieve flags. I hope you enjoyed this blog post and found it informative. Feel free to share it with your friends and colleagues. If you have any questions or suggestions, please leave them in the comments section below.