[API Security] crAPI Lab: Complete Walkthrough

Date: 2024-09-27 13:22:33

Contents

BOLA Vulnerabilities

Challenge 1 - Access details of another user’s vehicle

Challenge 2 - Access mechanic reports of other users

Broken User Authentication

Challenge 3 - Reset the password of a different user

Excessive Data Exposure

Challenge 4 - Find an API endpoint that leaks sensitive information of other users

Challenge 5 - Find an API endpoint that leaks an internal property of a video

Rate Limiting

Challenge 6 - Perform a layer 7 DoS using ‘contact mechanic’ feature

BFLA

Challenge 7 - Delete a video of another user

Mass Assignment

Challenge 8 - Get an item for free

Challenge 9 - Increase your balance by $1,000 or more

Challenge 10 - Update internal video properties

SSRF

Challenge 11 - Make crAPI send an HTTP call to "www.google.com" and return the HTTP response.

NoSQL Injection

Challenge 12 - Find a way to get free coupons without knowing the coupon code.

SQL Injection

Challenge 13 - Find a way to redeem a coupon that you have already claimed by modifying the database

Unauthenticated Access

Challenge 14 - Find an endpoint that does not perform authentication checks for a user.

JWT Vulnerabilities

Challenge 15 - Find a way to forge valid JWT Tokens


It seems to be reachable only locally, so I deployed it directly on my Windows machine:

GitHub - OWASP/crAPI: completely ridiculous API (crAPI)

BOLA Vulnerabilities

Challenge 1 - Access details of another user’s vehicle

To solve the challenge, you need to leak sensitive information of another user’s vehicle.

  • Since vehicle IDs are not sequential numbers, but GUIDs, you need to find a way to expose the vehicle ID of another user.

  • Find an API endpoint that receives a vehicle ID and returns information about it.

 

In Community, open any user's post.

Capture the request to get that user's vehicleid.

Note the sensitive information:

nickname: "Robot", email: "[email protected]", vehicleid: "ec9c90c0-8647-47f7-960e-4d0012cec600"
nickname: "Pogba", email: "[email protected]", vehicleid: "8104792f-a7a2-44ae-ba99-d8a5de8ae8f6"
nickname: "Adam", email: "[email protected]", vehicleid: "887eb746-2d93-4373-8b93-56f1cd7dbd51"

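Open the vehicle email on port 8025.

Get the vehicle.

Refresh the location and capture the request.

Send the request with the vehicleid leaked earlier.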

Challenge 2 - Access mechanic reports of other users

crAPI allows vehicle owners to contact their mechanics by submitting a "contact mechanic" form. This challenge is about accessing mechanic reports that were submitted by other users.

  • Analyze the report submission process

  • Find an hidden API endpoint that exposes details of a mechanic report

  • Change the report ID to access other reports

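Submit a mechanic report and capture the request.

The response returns a URL for viewing the report.

Open it.

Change report_id to view mechanic reports submitted by other users.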
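Both BOLA challenges are closed by the same server-side check: the object behind the ID must belong to the authenticated caller. The following is an added example, not code from crAPI or from the original post; the record shape, the sample data and all function names are assumptions.

```python
from collections import defaultdict

# Constructed sample data: report_id -> owner and content (not real crAPI records).
REPORTS = {
    1: {"owner": "alice@example.com", "problem": "brakes squeal"},
    2: {"owner": "bob@example.com", "problem": "engine light on"},
    3: {"owner": "bob@example.com", "problem": "flat tyre"},
}
DENIED = []  # (caller, report_id) pairs recorded for detection


def get_report_vulnerable(caller, report_id):
    """Looks the report up by ID only: any logged-in caller can read any report."""
    report = REPORTS.get(report_id)
    return (200, report) if report else (404, None)


def get_report_checked(caller, report_id):
    """Same lookup plus an ownership check against the authenticated caller.

    A foreign ID gets the same 404 as a missing one, so the response does
    not confirm which IDs exist; the denial is recorded for detection.
    """
    report = REPORTS.get(report_id)
    if report is None or report["owner"] != caller:
        DENIED.append((caller, report_id))
        return 404, None
    return 200, report


def enumeration_suspects(denied, threshold=3):
    """Callers denied on at least `threshold` distinct IDs (ID walking)."""
    ids_by_caller = defaultdict(set)
    for caller, report_id in denied:
        ids_by_caller[caller].add(report_id)
    return sorted(c for c, ids in ids_by_caller.items() if len(ids) >= threshold)
```

The caller identity must come from the verified session or token, never from a parameter in the request.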

 

Broken User Authentication

Challenge 3 - Reset the password of a different user

  • Find an email address of another user on crAPI

  • Brute forcing might be the answer. If you face any protection mechanisms, remember to leverage the predictable nature of REST APIs to find more similar API endpoints.

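Change the password.

Submit and capture the request.

A leaked email address can be filled in and the OTP brute-forced.

After too many OTP attempts, access is denied.

Change v3 to v2 and brute-force through the legacy API.

Another user's password was changed successfully.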
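The v3 lockout is bypassed because the older v2 route does not share it. The following added example (not crAPI's code or the author's) keeps the failed-attempt counter on the account so every API version hits the same limit; the class name, limits and return values are assumptions.

```python
import hmac
import time


class OtpGuard:
    """Failed-attempt counter keyed on the account, not on the route.

    Every API version (v2, v3, ...) must call the same guard, so switching
    to an older endpoint neither resets nor bypasses the limit.
    """

    def __init__(self, max_failures=5, ttl_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.ttl_seconds = ttl_seconds
        self.clock = clock
        self._pending = {}  # email -> [otp, failures, expires_at]

    def issue(self, email, otp):
        """Store a fresh OTP; this also resets the failure counter."""
        self._pending[email] = [otp, 0, self.clock() + self.ttl_seconds]

    def check(self, email, otp, api_version):
        # api_version is deliberately unused: it never selects a counter.
        entry = self._pending.get(email)
        if entry is None or self.clock() > entry[2]:
            self._pending.pop(email, None)
            return "expired"
        if entry[1] >= self.max_failures:
            return "locked"  # even the correct OTP is refused once locked
        if hmac.compare_digest(entry[0].encode(), str(otp).encode()):
            del self._pending[email]  # single use
            return "ok"
        entry[1] += 1
        return "invalid"
```

Retiring the old route entirely removes the bypass as well; the shared counter covers the case where both versions must stay live.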

Excessive Data Exposure

Challenge 4 - Find an API endpoint that leaks sensitive information of other users

Capturing the Community page request from Challenge 1 and forwarding it is enough to read sensitive information in bulk.

/community/api/v2/community/posts/recent?limit=30&offset=0

 

Challenge 5 - Find an API endpoint that leaks an internal property of a video

In this challenge, you need to find an internal property of the video resource that shouldn’t be exposed to the user. This property name and value can help you to exploit other vulnerabilities.

The profile page allows uploading a video; capture the request.

Request:

/identity/api/v2/user/videos/6

Rate Limiting

Challenge 6 - Perform a layer 7 DoS using ‘contact mechanic’ feature

 

 

Enable the option to repeat the request on failure, set the number of requests to a large value, and change mechanic_code to an invalid one.

BFLA

Challenge 7 - Delete a video of another user

  • Leverage the predictable nature of REST APIs to find an admin endpoint to delete videos

  • Delete a video of someone else

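Note the predictability of RESTful naming.

Change the GET method of the Challenge 6 video information leak to DELETE; the response shows that admin is required.

Change /identity/api/v2/user/videos/6 to /identity/api/v2/admin/videos/6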

 

Mass Assignment

Challenge 8 - Get an item for free

crAPI allows users to return items they have ordered. You simply click the "return order" button, receive a QR code and show it in a USPS store. To solve this challenge, you need to find a way to get refunded for an item that you haven’t actually returned.

  • Leverage the predictable nature of REST APIs to find a shadow API endpoint that allows you to edit properties of a specific order.

 

View the order details and capture the request.

Use the PUT method to modify quantity.

Got an item for free.

 

 

 

Challenge 9 - Increase your balance by $1,000 or more

After solving the "Get an item for free" challenge, be creative and find a way to get refunded for an item you never returned, but this time try to get a bigger refund.

Increase the quantity; testing shows that status can be changed to returned (refunded).

Set status to returned.

The balance increased.

 

Challenge 10 - Update internal video properties

After solving the "Find an API endpoint that leaks an internal property of videos" challenge, try to find an endpoint that would allow you to change the internal property of the video. Changing the value can help you to exploit another vulnerability.

As in Challenge 5, first upload a video and request its information with GET.

Use PUT to change the file name.
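Challenges 8 to 10 share one root cause: the update handler binds whatever fields the client sends. The following added example (not crAPI's code or the author's) puts that handler beside an allow-listed one; quantity, status and returned come from the walkthrough, while the other states, limits and names are assumptions.

```python
# Assumption: which fields a customer may write, per order state. status is
# never client-writable, and nothing is writable once the order is delivered.
CLIENT_WRITABLE = {"pending": {"quantity"}}
MAX_QUANTITY = 10  # assumption: per-order business limit


class UpdateRejected(ValueError):
    """Raised when the request body tries to write a protected field."""


def update_order_vulnerable(order, body):
    """Binds every key of the JSON body onto the record, status included."""
    return {**order, **body}


def update_order_allowlisted(order, body):
    """Binds only allow-listed fields; anything else fails the whole request.

    Rejecting instead of silently dropping unexpected keys makes probing for
    writable internal properties show up in error logs.
    """
    writable = CLIENT_WRITABLE.get(order["status"], set())
    unexpected = sorted(set(body) - writable)
    if unexpected:
        raise UpdateRejected(f"not writable by client: {unexpected}")
    qty = body.get("quantity", order["quantity"])
    # bool is a subclass of int in Python, so it is excluded explicitly.
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QUANTITY:
        raise UpdateRejected(f"quantity must be an integer from 1 to {MAX_QUANTITY}")
    return {**order, "quantity": qty}


def mark_returned(order, return_confirmed_by_store):
    """The only path to status=returned: a server-side step after the store
    confirms the return (hypothetical flag), never a field in the body."""
    if not return_confirmed_by_store:
        raise UpdateRejected("return not confirmed")
    return {**order, "status": "returned"}
```

The same allow-list approach applies to the video resource: internal properties are set by the server and are neither returned to nor accepted from the client.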

SSRF

Challenge 11 - Make crAPI send an HTTP call to "www.google.com" and return the HTTP response.

This uses the same endpoint as Challenge 6.

Change the value of mechanic_api to http://google.com

SSRF succeeded.
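The request succeeds because the server fetches whatever URL arrives in mechanic_api. The following added example (not crAPI's code or the author's) validates that value against an allow-list of origins before any outbound call; the allowed host name and the function name are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the single origin the "contact mechanic" feature may call.
ALLOWED_ORIGINS = {("https", "mechanic.example.internal", 443)}
DEFAULT_PORTS = {"http": 80, "https": 443}


def check_mechanic_api(url):
    """Return a normalised URL if it targets an allow-listed origin, else raise.

    The decision is made on the parsed (scheme, host, port) triple, never on
    a prefix or substring of the raw string.
    """
    if not isinstance(url, str) or any(c in url for c in "\\\r\n\t "):
        raise ValueError("mechanic_api must be a URL without whitespace or backslashes")
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        raise ValueError("unparseable URL") from exc
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in the URL are not allowed")
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".").lower()
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    origin = (scheme, host, port)
    if origin not in ALLOWED_ORIGINS:
        raise ValueError(f"origin not allow-listed: {origin}")
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}:{port}{parts.path or '/'}{query}"
```

The HTTP client that sends the request should also refuse redirects, otherwise an allow-listed host can bounce the call elsewhere.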

NoSQL Injection

Challenge 12 - Find a way to get free coupons without knowing the coupon code.

The lab's NoSQL database is MongoDB.

Capture the request.

payload:

{"coupon_code": {"$ne": "test"}}

This returns the data whose coupon_code value is not test; the coupon code obtained is TRAC075.
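The payload works because the JSON value is placed into the query filter as-is, so an object is read as an operator instead of a literal. The following added example (not crAPI's code or the author's) shows that handler beside a type-checked one; the in-memory matcher is a constructed stand-in for MongoDB, and the coupon format regex is an assumption.

```python
import re

COUPON_RE = re.compile(r"[A-Z0-9]{4,16}")  # assumption: coupon code format

# Constructed stand-in for a MongoDB collection.
COUPONS = [{"coupon_code": "TRAC075", "amount": 75}]


def find_one(collection, query):
    """Minimal matcher: plain equality and the $ne operator only."""
    for doc in collection:
        for field, cond in query.items():
            if isinstance(cond, dict):
                if not ("$ne" in cond and doc.get(field) != cond["$ne"]):
                    break
            elif doc.get(field) != cond:
                break
        else:  # no condition failed for this document
            return doc
    return None


def validate_coupon_vulnerable(body):
    """Passes the JSON value straight into the filter, operators included."""
    return find_one(COUPONS, {"coupon_code": body["coupon_code"]})


def validate_coupon_checked(body):
    """Accepts only a plain string of the expected shape before querying."""
    code = body.get("coupon_code")
    if not isinstance(code, str) or not COUPON_RE.fullmatch(code):
        raise ValueError("coupon_code must be a string such as TRAC075")
    return find_one(COUPONS, {"coupon_code": code})
```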

SQL Injection

Challenge 13 - Find a way to redeem a coupon that you have already claimed by modifying the database

The SQL database is PostgreSQL.

First validate TRAC075.

Capture the request, then forward it, and see

payload:

{"coupon_code":"1'or '1'='1","amount":75}
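The quote in coupon_code only changes the query when the handler builds SQL by string concatenation. The following added example (not crAPI's code or the author's) compares that with a bound parameter; SQLite stands in for the lab's PostgreSQL, and the table, column and function names are assumptions.

```python
import sqlite3


def make_db():
    """In-memory SQLite stand-in for PostgreSQL; schema and row are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE coupon (coupon_code TEXT PRIMARY KEY, amount INTEGER)")
    conn.execute("INSERT INTO coupon VALUES ('TRAC075', 75)")
    return conn


def lookup_vulnerable(conn, coupon_code):
    """String-built SQL: a quote in the input ends the literal early and the
    rest of the value is parsed as part of the WHERE clause."""
    sql = "SELECT coupon_code, amount FROM coupon WHERE coupon_code = '" + coupon_code + "'"
    return conn.execute(sql).fetchone()


def lookup_parameterized(conn, coupon_code):
    """Bound parameter: the value is compared as data and never parsed as SQL."""
    sql = "SELECT coupon_code, amount FROM coupon WHERE coupon_code = ?"
    return conn.execute(sql, (coupon_code,)).fetchone()
```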

 

Unauthenticated Access

Challenge 14 - Find an endpoint that does not perform authentication checks for a user.

/workshop/api/shop/orders/1

 

JWT Vulnerabilities

Challenge 15 - Find a way to forge valid JWT Tokens

JWT Authentication in crAPI is vulnerable to various attacks. Find any one way to forge a valid JWT token and get full access to the platform.

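Download the JWT Editor extension in a JDK 21 environment.

Capture at the dashboard and forward until the request to /identity/api/v2/user/dashboard.

The extension has already recognized the JWT in the Authorization request header.

In Repeater, a JSON Web Token option is visible.

Choose the none-algorithm forgery attack.

Forge the email; the privilege escalation succeeds.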
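The none-algorithm token is accepted only when the verifier lets the token's own header decide how it is checked. The following added example (not crAPI's code or the author's) is a verifier that pins the algorithm on the server side; HS256, the key handling and the function names are assumptions, and claim checks such as expiry are left out.

```python
import base64
import hashlib
import hmac
import json


def b64d(segment):
    """Decode one base64url segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(claims, key):
    """Issuer side, included so the example runs stand-alone."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"


def verify_hs256(token, key):
    """Return the claims only if the token is HS256-signed with `key`.

    The accepted algorithm is fixed by the server; the header's alg value is
    compared against it and never used to choose how to verify.
    """
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64d(head_b64))
        signature = b64d(sig_b64)
    except (ValueError, AttributeError) as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # covers none, None, NONE, RS256, ...
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    return json.loads(b64d(body_b64))
```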

From: https://blog.csdn.net/uuzeray/article/details/142487610
