首页 > 其他分享 >【API安全】crAPI靶场全解

【API安全】crAPI靶场全解

时间:2024-09-27 13:22:33浏览次数:11  
标签:endpoint Challenge crAPI API user way 全解 Find

目录

BOLA Vulnerabilities

Challenge 1 - Access details of another user’s vehicle

Challenge 2 - Access mechanic reports of other users

Broken User Authentication

Challenge 3 - Reset the password of a different user

Excessive Data Exposure

Challenge 4 - Find an API endpoint that leaks sensitive information of other users

Challenge 5 - Find an API endpoint that leaks an internal property of a video

Rate Limiting

Challenge 6 - Perform a layer 7 DoS using ‘contact mechanic’ feature

BFLA

Challenge 7 - Delete a video of another user

Mass Assignment

Challenge 8 - Get an item for free

Challenge 9 - Increase your balance by $1,000 or more

​编辑

Challenge 10 - Update internal video properties

SSRF

Challenge 11 - Make crAPI send an HTTP call to "www.google.com" and return the HTTP response.

NoSQL Injection

Challenge 12 - Find a way to get free coupons without knowing the coupon code.

SQL Injection

Challenge 13 - Find a way to redeem a coupon that you have already claimed by modifying the database

Unauthenticated Access

Challenge 14 - Find an endpoint that does not perform authentication checks for a user.

JWT Vulnerabilities

Challenge 15 - Find a way to forge valid JWT Tokens


似乎只能本地访问,所以直接windows本机部署了: 

GitHub - OWASP/crAPI: completely ridiculous API (crAPI)

BOLA Vulnerabilities

Challenge 1 - Access details of another user’s vehicle

To solve the challenge, you need to leak sensitive information of another user’s vehicle.

  • Since vehicle IDs are not sequential numbers, but GUIDs, you need to find a way to expose the vehicle ID of another user.

  • Find an API endpoint that receives a vehicle ID and returns information about it.

 

 Community里随便访问用户

 抓包拿到其vehicleid

记录一下敏感信息 

nickname: "Robot", email: "[email protected]", vehicleid: "ec9c90c0-8647-47f7-960e-4d0012cec600"
nickname: "Pogba", email: "[email protected]", vehicleid: "8104792f-a7a2-44ae-ba99-d8a5de8ae8f6"
nickname: "Adam", email: "[email protected]", vehicleid: "887eb746-2d93-4373-8b93-56f1cd7dbd51"

访问8025端口的车辆邮件

 获取车辆

刷新定位,抓包

带着前面信息泄露的vehcileid访问即可

Challenge 2 - Access mechanic reports of other users

crAPI allows vehicle owners to contact their mechanics by submitting a "contact mechanic" form. This challenge is about accessing mechanic reports that were submitted by other users.

  • Analyze the report submission process

  • Find an hidden API endpoint that exposes details of a mechanic report

  • Change the report ID to access other reports

 提交维修报告,抓包

 返回了一个查看报告的url

 访问

修改report_id查看其它用户提交的维修报告

 

Broken User Authentication

Challenge 3 - Reset the password of a different user

  • Find an email address of another user on crAPI

  • Brute forcing might be the answer. If you face any protection mechanisms, remember to leverage the predictable nature of REST APIs to find more similar API endpoints.

 修改密码

提交,抓包 

 

 可以填入泄露的邮箱&爆破OTP

 opt爆多了会拒绝访问

 将v3改为v2,用历史api爆破

修改他人密码成功 

Excessive Data Exposure

Challenge 4 - Find an API endpoint that leaks sensitive information of other users

challenge1的community界面抓包后forward即可批量读取敏感信息

/community/api/v2/community/posts/recent?limit=30&offset=0

 

Challenge 5 - Find an API endpoint that leaks an internal property of a video

In this challenge, you need to find an internal property of the video resource that shouldn’t be exposed to the user. This property name and value can help you to exploit other vulnerabilities.

个人信息可以上传视频,抓包

  

 请求

/identity/api/v2/user/videos/6

Rate Limiting

Challenge 6 - Perform a layer 7 DoS using ‘contact mechanic’ feature

 

 

将失败后重新请求选项打开,请求次数设置为大数,并将mechanic_code改为错误的

BFLA

Challenge 7 - Delete a video of another user

  • Leverage the predictable nature of REST APIs to find an admin endpoint to delete videos

  • Delete a video of someone else

注意RESTful风格预测性 

将challenge 6视频信息泄露的GET方法改成DELETE方法,发现需要admin

将/identity/api/v2/user/videos/6改成/identity/api/v2/admin/videos/6

 

Mass Assignment

Challenge 8 - Get an item for free

crAPI allows users to return items they have ordered. You simply click the "return order" button, receive a QR code and show it in a USPS store. To solve this challenge, you need to find a way to get refunded for an item that you haven’t actually returned.

  • Leverage the predictable nature of REST APIs to find a shadow API endpoint that allows you to edit properties of a specific order.

 

查看订单细节,抓包 

PUT方法修改quantity(数量)

 

成功零元购了一个商品 

 

 

 

Challenge 9 - Increase your balance by $1,000 or more

After solving the "Get an item for free" challenge, be creative and find a way to get refunded for an item you never returned, but this time try to get a bigger refund.

增加数量,测试出可以将status修改为已退款returned 

 

令status为returned 

成功爆金币 

 

Challenge 10 - Update internal video properties

After solving the "Find an API endpoint that leaks an internal property of videos" challenge, try to find an endpoint that would allow you to change the internal property of the video. Changing the value can help you to exploit another vulnerability.

 和challenge5一样,先上传一个视频,GET方法请求信息

 PUT修改文件名

SSRF

Challenge 11 - Make crAPI send an HTTP call to "www.google.com" and return the HTTP response.

和challenge 6的接口一样

将 mechanic_api 的值改为http://google.com

成功SSRF

NoSQL Injection

Challenge 12 - Find a way to get free coupons without knowing the coupon code.

靶场的nosql数据库是mongodb

抓包

payload:

{"coupon_code": {"$ne": "test"}}

返回所有 coupon_code 值不为 test的数据,拿到优惠券的code为TRAC075

SQL Injection

Challenge 13 - Find a way to redeem a coupon that you have already claimed by modifying the database

 sql数据库用的是pgsql

先验证 TRAC075

抓包,再forward,看到

payload:

{"coupon_code":"1'or '1'='1","amount":75}

 

Unauthenticated Access

Challenge 14 - Find an endpoint that does not perform authentication checks for a user.

/workshop/api/shop/orders/1

 

JWT Vulnerabilities

Challenge 15 - Find a way to forge valid JWT Tokens

JWT Authentication in crAPI is vulnerable to various attacks. Find any one way to forge a valid JWT token and get full access to the platform.

jdk21环境下下载JWT Editor插件

dashboard处抓包forward访问到/identity/api/v2/user/dashboard

可以看到插件已经识别到Authorization请求头里的jwt

repeater中可以看到JSON WEB TOKEN选项

选用空算法伪造攻击 

 

伪造邮箱,成功越权 

标签:endpoint,Challenge,crAPI,API,user,way,全解,Find
From: https://blog.csdn.net/uuzeray/article/details/142487610

相关文章

  • AM05 Workshop 2 - Data acquisition from Spotify API
    AM05Workshop2-DataacquisitionfromSpotifyAPIAM05Workshop2-DataacquisitionfromSpotifyAPIOverviewInthisworkshop,youwilllearnhowto:CreateaSpotifyApp:ObtainthenecessarycredentialstoaccesstheSpotifyAPI.RequestanAcces......
  • APP集成人脸识别接口-C#人脸识别API接口
    人脸识别技术是一种基于生物特征的识别技术,它通过捕捉和分析人脸特征来识别或验证个体身份。这项技术主要依赖于计算机视觉、图像处理和人工智能算法的结合,一般由第三方人工智能接口平台来提供,例如:翔云、阿里云等平台。人脸识别技术的应用可以大大提升身份验证的准确性,减......
  • C#车辆登记证识别API接口集成示例-车辆合格证识别免费的API接口
    车辆登记证识别接口是一种OCR技术,基于深度学习算法,可快速、精准、自动识别车辆登记证上的文字信息。目前,车辆合格证识别的应用场景主要集中在与车辆相关的各类业务流程中,特别是汽车行业、物流运输和车辆管理等领域。1.汽车销售与登记新车上牌:在新车销售过程中,车辆合......
  • 什么是API?
    ##什么是API?API是应用程序编程接口(ApplicationProgrammingInterface)的缩写,它定义了软件组件之间如何相互通信。API充当不同软件间的桥梁,允许应用程序使用另一个应用程序的功能或数据。###API的工作原理-**请求**:客户端(比如一个移动应用或者一个网页)向服务器发送请求。-**......
  • API接口开发实现一键智能化自动抓取电商平台热销商品数据支持高并发免费接入示例
    为了实现一键智能化自动抓取电商平台热销商品数据支持高并发免费接入,你可以使用Python编程语言和相关库(如requests、BeautifulSoup等)来开发一个API接口,也可以使用封装好的api接口获取,注册一个api账号获取key和secret。以下是一个简单的示例:#coding:utf-8"""Compatibleforpytho......
  • 电商API数据接口1688alibaba接口item_search_shop-获得店铺的所有商品接入演示
    一、接口功能item_search_shop接口是1688阿里巴巴提供的获取店铺所有商品的API接口,用户可以通过输入店铺ID,获取该店铺的所有商品信息。二、接口调用请求参数:seller_nick=b2b-2200733087881719de&start_price=0&end_price=0&q=&page=1&cid=参数说明:seller_nick:sid或者加密后的_sopi......
  • Web APIs 4:日期对象、时间戳、节点操作、swiper插件
    WebAPIs4(日期对象、节点操作、swiper插件)1.实例化日期对象获得当前时间:constdate=newDate()获得指定时间:constdata=newDate(‘2024-1-108:30:30’)2.日期对象方法方法作用说明getFullTear()获得年份获取四位年份getMonth()获得月份取值为0~11getDate()获取月......
  • OpenCV视频I/O(3)视频采集类VideoCapture之获取当前使用的视频捕获 API 后端的名称函数
    操作系统:ubuntu22.04OpenCV版本:OpenCV4.9IDE:VisualStudioCode编程语言:C++11算法描述getBackendName函数是OpenCV中VideoCapture类的一个方法,用于获取当前使用的视频捕获API后端的名称。这可以帮助开发者了解当前VideoCapture实例正在使用哪个后端来处理视......
  • Spring Cloud全解析:服务调用之OpenFeign日志打印
    OpenFeign日志打印OpenFeign提供了日志打印功能,可以配置不同级别的日志级别publicenumLevel{//默认,不显示任何日志NONE,//仅记录请求方法、url、响应状态码及执行时间BASIC,//除记录BASIC信息外,还记录请求头和响应头HEADERS,//除了HEADERS信息外,还有请......
  • 玄空飞星 九宫飞星 api接口
    所谓的玄空飞星,其实是一种以理气为主的风水堪舆学说,这种风水学说讲究的是风水随着时间推移的变化,我们研究玄空风水,就是要根据这种变化去改造风水。接口名称:风水-玄空飞星接口平台:https://doc.yuanfenju.com/fengshui/xuankong.html接口地址:https://api.yuanfenju.com/index.php......