# API9:2023 Improper Inventory Management

It's nothing new, but I liked the idea of this lab while studying the API Penetration Testing course from the APIsec University platform, so I will try to explain it step by step in a simple way, and I will

* Vulnerability in the OWASP API Security Top 10: [https://owasp.org/API-Security/editions/2023/en/0xa9-improper-inventory-management](https://owasp.org/API-Security/editions/2023/en/0xa9-improper-inventory-management/)
* APIsec University course: <https://university.apisec.ai/products/api-penetration-testing>
* Vulnerable application: you can use it online at <http://crapi.apisec.ai/> or download it to run locally from <https://github.com/OWASP/crAPI>

## API9:2023 Improper Inventory Management  <a href="#api92023-improper-inventory-management" id="api92023-improper-inventory-management"></a>

* It's a vulnerability found when an application is still serving out-of-date or old versions of its APIs. It happens when you upgrade from version 3 to version 4 but leave the old version in place.
* An attacker `discovers unsupported` and non-production `versions` of an API during reconnaissance (all of the APIs that are running, all the endpoints, versions, older versions, and who's accessing them).

## **Common endpoints you can find during recon:**

* For example, our API has been updated to `Version 3`, but some endpoints still use `Version 2`:
  * api.target.com/v3
  * /api/`v2`/accounts
  * /api/`v3`/accounts
  * /`v2`/accounts
* API versioning could also be maintained as a header:
  * *Accept: `version=2.0`*
  * *Accept: `API-version=3`*
* `Non-production versions` of an API include any version of the API that wasn't meant for end-user consumption (not intended for use by the ordinary user; a test or beta build):
  * api.test.target.com
  * api.uat.target.com
  * beta.api.com
  * /api/private
  * /api/partner
  * /api/test
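The recon list above is also a defender's inventory checklist. The following added example (written for this note, not part of the course or crAPI) extracts the API version from either the path style or the `Accept` header style shown above, and flags requests in constructed access-log lines that hit a version outside the supported set or a non-production host or path; `SUPPORTED_VERSIONS`, the host and path patterns, and the log format are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines in the form "host path accept-header" (not real traffic).
SAMPLE_LOGS = [
    "api.target.com /api/v3/accounts -",
    "api.target.com /api/v2/accounts -",
    "api.target.com /v2/accounts -",
    "api.target.com /api/accounts version=2.0",
    "api.target.com /api/accounts API-version=3",
    "api.test.target.com /api/v3/accounts -",
    "beta.api.com /api/v3/accounts -",
    "api.target.com /api/private/users -",
]

SUPPORTED_VERSIONS = {"3"}                       # assumption: only v3 is in the live inventory
NONPROD_HOST = re.compile(r"^(api\.test\.|api\.uat\.|beta\.)")
NONPROD_PATH = re.compile(r"^/api/(private|partner|test)(/|$)")
PATH_VERSION = re.compile(r"^(?:/api)?/v(\d+)(?:/|$)")            # /api/v2/..., /v2/...
HEADER_VERSION = re.compile(r"(?:API-)?version=(\d+)(?:\.\d+)?", re.IGNORECASE)

def api_version(path, accept):
    """Return the major API version a request targets (path first, then Accept header), or None."""
    m = PATH_VERSION.match(path)
    if m:
        return m.group(1)
    m = HEADER_VERSION.search(accept or "")
    return m.group(1) if m else None

def classify(line):
    """Return the inventory findings for one log line; an empty list means expected traffic."""
    host, path, accept = line.split(" ", 2)
    findings = []
    ver = api_version(path, accept)
    if ver is not None and ver not in SUPPORTED_VERSIONS:
        findings.append(f"unsupported-version:v{ver}")
    if NONPROD_HOST.match(host):
        findings.append(f"nonprod-host:{host}")
    if NONPROD_PATH.match(path):
        findings.append(f"nonprod-path:{path}")
    return findings

def inventory_report(lines):
    """Count each finding across the log so forgotten versions and hosts stand out."""
    counts = Counter()
    for line in lines:
        counts.update(classify(line))
    return counts
```

Any non-zero `unsupported-version` count is something still being served that the inventory says should not be; compare it against the version list your gateway actually routes.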

### Scenario (using an old API version to brute-force the OTP code)

1. Fuzz the requests in our Postman collection to sort out which versions we have.

   <figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2FNaSe8IMAoK5S2wX59wle%2FUntitled.png?alt=media&#x26;token=176cd155-4bd1-4904-8226-057be005cbac" alt="" width="151"><figcaption></figcaption></figure>
2. Configure a test using the Collection Editor:
   1. Select the collection and choose Edit.
   2. Add this script to find out which requests were received successfully:
      1. `pm.test("Status code is 200", function () { pm.response.to.have.status(200); })`
   3. Choose the Run collection option ⇒ remove the requests that `don't have a version number`.
   4. Remove the token to run an unauthenticated baseline scan of the crAPI collection.

<figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2Fy5Y3XS7mdP2MAeFok7iR%2FUntitled.png?alt=media&#x26;token=8c0e9324-c4c0-43ae-92bf-7427a78abc78" alt="" width="563"><figcaption></figcaption></figure>

3. When we run the test without authentication, all requests fail.

<figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2FkDgTHxz5peCSCh3Rvr8a%2FUntitled.png?alt=media&#x26;token=6ace7413-8764-4adb-88b3-369100c94a91" alt="" width="563"><figcaption></figcaption></figure>

4. Create a new environment:
   1. `Create a variable and give it the value v1` for both the initial value and the current value.

      <figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2FEjya4FmtKQQlif8jE4oy%2FUntitled.png?alt=media&#x26;token=0b1074fd-66db-477a-9ea0-6dfa5872395f" alt=""><figcaption></figcaption></figure>
5. `"Find and Replace"` all requests that use `v2`, replacing them all with our variable `{{ver}}` (v1):

   1. This turns the collection's current versions into a variable.
   2. Put the variable name between `{{ }}`, like `{{ver}}`, and choose Select all to replace it in all requests.

   <figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2F3VexA5V7WaxXUSPWgVLQ%2FUntitled.png?alt=media&#x26;token=68eb0eef-c135-41ea-9426-7eec286a5429" alt="" width="375"><figcaption></figcaption></figure>
6. After running, I found that v3 returns a 404 error.

<figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2FyCgBUs5RJyKVozaCTElV%2FUntitled.png?alt=media&#x26;token=88a87e68-781f-4014-9899-b31454648f17" alt="" width="563"><figcaption></figcaption></figure>

7. Let's change the current value to `v2` and run again; the `OTP request` with the version replaced by 1 gets ⇒ internal server error `500`.

<div align="center"><figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2F7tmIzBSKzKjjI5LV9XD9%2FUntitled.png?alt=media&#x26;token=b69569d7-3d66-431a-9acc-3bff2e37adef" alt="" width="563"><figcaption></figcaption></figure></div>

8. Let's try twice, giving the real version in two requests ⇒ the first with v2 and the second with v3.

<figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2F9V6fzwuRPHRwMDDtgJoj%2FUntitled.png?alt=media&#x26;token=6523e52b-7f25-4ebb-93f8-2e65bd44f287" alt="" width="563"><figcaption><p>first one with v2 </p></figcaption></figure>

<figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2FRMkr5PshiCchXsnzLy5t%2F2.png?alt=media&#x26;token=8431f0ce-bd73-4f0d-b43c-97948f36e506" alt="" width="563"><figcaption><p>second with v3 </p></figcaption></figure>

9. This is the worst thing, because we can use an `Unsupported Version` ⇒ we get success.
10. When we try too many times to enter the `OTP in v3`, the account gets locked, so we can't `brute force` it.

    <figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2FIPEt4qzBR9Yh2O4aLo0m%2FUntitled.png?alt=media&#x26;token=77e15b83-1dda-4b97-bb83-6786c54e08f3" alt="" width="563"><figcaption></figcaption></figure>
11. But in `v2 brute force is available` and the account didn't lock ⇒ this is the vulnerability.
12. Let's enable the Burp proxy from Postman ⇒ open Settings ⇒ add a custom proxy and enter the same IP and port as Burp.
13. Grep for the word "`Invalid`", because the correct OTP gives the same 500 response but a different error message.

    <figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2FoiMFlDsrjMr0SbRSVPuO%2FUntitled.png?alt=media&#x26;token=09933a24-e65c-44db-b748-52428c74c98b" alt="" width="563"><figcaption></figcaption></figure>
14. Let's check our mail on the crAPI platform.

    <figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2FwWAlIN3jkudnSDbdVZeI%2FUntitled.png?alt=media&#x26;token=e075e6e2-e212-42f2-9e49-9668e5743e07" alt="" width="563"><figcaption></figcaption></figure>
15. It's the same, and here we succeed. Let's try it with the Wfuzz tool to brute force, then send a POST request with the new OTP and new password:
    1. `wfuzz -d '{"email":"kero@kero.com", "otp":"FUZZ","password":"NewPassword1"}' -H 'Content-Type: application/json' -z file,/usr/share/wordlists/SecLists-master/Fuzzing/4-digits-0000-9999.txt -u http://crapi.apisec.ai/identity/api/auth/v2/check-otp --hc 500`

       <figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2FUF0MtVabW7nBmFMbO9z8%2FUntitled.png?alt=media&#x26;token=8ef1fc8a-bdfc-4dd4-b2ef-30a4eae370ab" alt="" width="563"><figcaption></figcaption></figure>
16. Here we successfully log in.

<figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2FmL5XnTZUV5yCtsbczzT7%2FUntitled.png?alt=media&#x26;token=5241da3d-3b71-48e3-9811-87e949a3721b" alt="" width="375"><figcaption></figcaption></figure>
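The root cause in steps 10 to 13 is that the lockout lived only in v3, and the error text for a correct OTP differed from a wrong one. The following added example (mine, not crAPI's code) models the fix on the defender's side: an explicit routing inventory where retired versions answer 404, a deprecated version that is still served carries a `Sunset` header (RFC 8594), and one failed-attempt counter keyed by account that every routed version shares, with a single generic error body. `MAX_ATTEMPTS`, `ROUTED`, the sunset date and the test account are assumptions.

```python
# Added example for this note, not crAPI's code: a version inventory gate plus an OTP
# attempt limiter keyed by account, so a deprecated version cannot bypass the lockout.
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5                                   # lockout threshold (assumption)
ROUTED = {"v2": "deprecated", "v3": "current"}    # versions still served; anything else is retired
SUNSET = "Sat, 01 Mar 2025 00:00:00 GMT"           # constructed retirement date for v2

@dataclass
class OtpService:
    otps: dict                                     # email -> valid OTP (constructed test data)
    failures: dict = field(default_factory=dict)   # email -> failed attempts, shared by all versions
    locked: set = field(default_factory=set)

    def check_otp(self, version, email, otp):
        """Return (status, headers, body); the same limiter runs for every routed version."""
        state = ROUTED.get(version)
        if state is None:                          # retired versions are not routed at all
            return 404, {}, {"error": "not found"}
        headers = {"Sunset": SUNSET} if state == "deprecated" else {}
        if email in self.locked:
            return 403, headers, {"error": "account locked"}
        if self.otps.get(email) != otp:
            self.failures[email] = self.failures.get(email, 0) + 1
            if self.failures[email] >= MAX_ATTEMPTS:
                self.locked.add(email)
            # one generic body for every wrong OTP so the error text is not a correctness oracle
            return 400, headers, {"error": "invalid request"}
        self.failures.pop(email, None)
        return 200, headers, {"message": "password reset"}

def demo():
    """Five wrong guesses split across v2 and v3 lock the account for both versions."""
    svc = OtpService(otps={"user@example.com": "4821"})    # constructed account
    results = [svc.check_otp("v1", "user@example.com", "0000")[0]]
    for guess in ("0001", "0002", "0003"):
        results.append(svc.check_otp("v2", "user@example.com", guess)[0])
    for guess in ("0004", "0005"):
        results.append(svc.check_otp("v3", "user@example.com", guess)[0])
    results.append(svc.check_otp("v2", "user@example.com", "4821")[0])
    return results   # [404, 400, 400, 400, 400, 400, 403]

if __name__ == "__main__":
    print(demo())
```

The last call uses the correct OTP through the deprecated version and is still refused, which is the behaviour the crAPI v2 endpoint lacked in step 11.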
