API9:2023 Improper Inventory Management
Today I will talk about this API vulnerability and the steps to find it by solving the lab from crAPI (a vulnerable API application).
It's nothing new, but I liked the idea of this lab while studying the API Penetration Testing course on the API University platform, so I will try to explain it step by step in a simple way and I will
Vulnerability in OWASP API:
API University course:
Vulnerable application: you can use it online or download it locally
It's a vulnerability found when an application is still serving out-of-date or old versions of its APIs. It happens when you upgrade from version 3 to version 4 but leave the old version running.
An attacker discovers unsupported and non-production versions of an API during reconnaissance (all of the APIs that are running, all the endpoints, versions, older versions, who's accessing them).
For example, our API has been updated to version 3 but some endpoints still use version 2, like:
api.target.com/v3
/api/v2/accounts
/api/v3/accounts
/v2/accounts
API versioning can also be maintained in a header:
Accept: version=2.0
Accept API-version=3
Non-production versions of an API include any version of the API that wasn't meant for end-user consumption (not intended for use by the regular user, e.g. a trial/beta version):
api.test.target.com
api.uat.target.com
beta.api.com
/api/private
/api/partner
/api/test
Fuzz the requests in our Postman collection to sort out which versions we have:
configure a test using the Collection Editor: select the collection and choose Edit
add this script to the Tests tab so we know which requests were received successfully:
pm.test("Status code is 200", function () { pm.response.to.have.status(200); });
choose the Run collection option ⇒ remove the requests that don't have a version number
Remove the token to run an unauthenticated baseline scan of the crAPI collection.
When we run the test without authentication, all requests fail.
Create a new environment and create a variable (ver), giving it the value v1 in both Initial value and Current value.
Use "Find and Replace" on all requests containing v2 and replace them all with our variable {{ver}} (currently v1) to turn the collection's current versions into a variable:
put the variable name between {{ }}, like {{ver}}, and choose Select all to replace it in all requests.
After running, I found that v3 gets a 404 error.
Let's change the current value to v2 and run the OTP request again.
Replacing the version with 1 gives ⇒ internal server error 500.
Let's try two requests with the real versions ⇒ first with v2 and second with v3 ⇒ we get success.
This is the worst case, because we can use an unsupported version:
when we try to enter the OTP too many times in v3, the account gets locked, so we can't brute force,
but in v2 brute force is available and the account doesn't lock ⇒ this is the vulnerability.
Let's enable the Burp proxy from Postman ⇒ open Settings ⇒ add a custom proxy and put the same IP and port as Burp.
Grep for the word "Invalid", because the correct OTP gives the same 500 response but a different error message.
Let's check our mail on the crAPI platform: it's the same, and here we succeed. Let's try it with the wfuzz tool to brute force, then send a POST request with the new OTP and new password:
wfuzz -d '{"email":"kero@kero.com", "otp":"FUZZ","password":"NewPassword1"}' -H 'Content-Type: application/json' -z file,/usr/share/wordlists/SecLists-master/Fuzzing/4-digits-0000-9999.txt -u http://crapi.apisec.ai/identity/api/auth/v2/check-otp --hc 500
Here we succeed in logging in.
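From the defender's side, the same inventory gap shows up in access logs: requests to a version that is no longer in the supported inventory, and a burst of check-otp attempts against it. The script below is an added example (not part of the original post or of crAPI); the log format, the sample lines and the `SUPPORTED_VERSIONS` inventory are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not captured from crAPI or the course).
SAMPLE_LOG = """\
10.0.0.5 - [01/Jun/2024:10:00:01 +0000] "POST /identity/api/auth/v3/check-otp HTTP/1.1" 500
10.0.0.5 - [01/Jun/2024:10:00:02 +0000] "POST /identity/api/auth/v2/check-otp HTTP/1.1" 500
10.0.0.5 - [01/Jun/2024:10:00:03 +0000] "POST /identity/api/auth/v2/check-otp HTTP/1.1" 500
10.0.0.5 - [01/Jun/2024:10:00:04 +0000] "POST /identity/api/auth/v2/check-otp HTTP/1.1" 500
10.0.0.5 - [01/Jun/2024:10:00:05 +0000] "POST /identity/api/auth/v2/check-otp HTTP/1.1" 200
10.0.0.9 - [01/Jun/2024:10:00:06 +0000] "GET /identity/api/v2/user/dashboard HTTP/1.1" 200
10.0.0.9 - [01/Jun/2024:10:00:07 +0000] "GET /identity/api/v3/user/dashboard HTTP/1.1" 200
"""

# The API inventory: the only version the team currently supports (assumed).
SUPPORTED_VERSIONS = {"v3"}
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})$'
)
VERSION_RE = re.compile(r"/(v\d+)(?:/|$)")  # the /vN/ segment in a path

def parse_log(text):
    """Return one dict per well-formed line, with the version segment pulled out."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        rec = m.groupdict()
        v = VERSION_RE.search(rec["path"])
        rec["version"] = v.group(1) if v else None
        records.append(rec)
    return records

def retired_version_hits(records, supported=SUPPORTED_VERSIONS):
    """Count requests per (version, path) for versions missing from the inventory."""
    hits = Counter()
    for r in records:
        if r["version"] and r["version"] not in supported:
            hits[(r["version"], r["path"])] += 1
    return hits

def otp_attempt_burst(records, threshold=3, supported=SUPPORTED_VERSIONS):
    """Flag source IPs that sent >= threshold check-otp requests to a retired version."""
    per_ip = Counter()
    for r in records:
        if r["path"].endswith("/check-otp") and r["version"] not in supported:
            per_ip[r["ip"]] += 1
    return {ip: n for ip, n in per_ip.items() if n >= threshold}
```

Any non-empty result from `retired_version_hits` means an endpoint outside the inventory is still answering, and `otp_attempt_burst` shows whether that retired version is absorbing the OTP attempts the current version would have locked out.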