
Exploiting-Authorization

Exploiting API Authorization

Introduction to Exploiting API Authorization

Broken Object Level Authorization - BOLA

Finding Resource IDs and Requests in samples: the resource IDs in the following API requests (1, 15, Apple and 90) should catch your attention:

  • GET /api/resource/1
  • GET /user/account/find?user_id=15
  • POST /company/account/Apple/balance
  • POST /admin/pwreset/account/90

In these instances, you can probably guess other potential resources, like the following, by altering those values:

  • GET /api/resource/3
  • GET /user/account/find?user_id=23
  • POST /company/account/Google/balance
  • POST /admin/pwreset/account/111

Authorization Testing Strategy

When searching for authorization vulnerabilities, the most effective approach is to create two accounts and perform A-B testing. The A-B testing process consists of:

  1. Create a UserA account.
  2. Use the API and discover requests that involve resource IDs as UserA.
  3. Document requests that include resource IDs and should require authorization.
  4. Create a UserB account.
  5. Obtain a valid UserB token and attempt to access UserA's resources.
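As an added example (not code from these notes, vAPI or crAPI), the following Python sketch models an account endpoint in memory: one handler with the BOLA defect, one with the object-level check, and an ab_test function that runs steps 1 to 5 of the strategy above against either handler. The account table, the two bearer tokens (token-A, token-B) and the handler names are all constructed for the example.

```python
"""
Added example: an in-memory "account" endpoint showing Broken Object Level
Authorization (BOLA) and the A-B test from the strategy above.
All data here is constructed (hypothetical users, tokens and handlers);
it is not vAPI, crAPI or code from these notes.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: two users, each owning one account record.
ACCOUNTS = {
    1: {"owner": "UserA", "balance": 1200},
    2: {"owner": "UserB", "balance": 75},
}

# Constructed bearer tokens mapped to the authenticated principal.
TOKENS = {
    "token-A": "UserA",
    "token-B": "UserB",
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def authenticate(headers: dict) -> Optional[str]:
    """Return the principal for a valid bearer token, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def get_account_vulnerable(account_id: int, headers: dict) -> Response:
    """BOLA-vulnerable handler: confirms the caller is authenticated but
    never checks that the caller owns the requested account."""
    if authenticate(headers) is None:
        return Response(401)
    record = ACCOUNTS.get(account_id)
    if record is None:
        return Response(404)
    return Response(200, record)


def get_account_fixed(account_id: int, headers: dict) -> Response:
    """Hardened handler: the object-level check ties the record to the caller.
    Returning 404 instead of 403 avoids confirming that the ID exists."""
    principal = authenticate(headers)
    if principal is None:
        return Response(401)
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != principal:
        return Response(404)
    return Response(200, record)


def ab_test(handler: Callable[[int, dict], Response],
            owner_token: str, other_token: str, account_id: int) -> dict:
    """Steps 1-5 of the A-B strategy as code: confirm the owner (UserA) can
    read the resource, then replay the identical request with UserB's token."""
    as_owner = handler(account_id, {"Authorization": f"Bearer {owner_token}"})
    as_other = handler(account_id, {"Authorization": f"Bearer {other_token}"})
    return {
        "owner_can_read": as_owner.status == 200,
        "other_user_can_read": as_other.status == 200,
        "bola": as_owner.status == 200 and as_other.status == 200,
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_account_vulnerable),
                          ("fixed", get_account_fixed)):
        print(name, ab_test(handler, "token-A", "token-B", 1))
```

The same ab_test function is what a regression test in the API's own test suite should look like: the assertion that the other user gets a non-200 response is the durable artefact, and it fails the build the day someone drops the ownership check again.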

Broken Function Level Authorization

BFLA - Broken Function Level Authorization

Where BOLA is all about accessing resources that do not belong to you, BFLA is all about performing unauthorized actions.
BFLA vulnerabilities are common in requests that perform actions on behalf of other users.
These requests can be lateral actions or escalated actions.
Lateral actions are requests that perform actions of users at the same role or privilege level.
Escalated actions are requests that perform actions belonging to a higher role, such as an administrator.
The main difference when hunting for BFLA is that you are looking for functional requests (requests that perform an action) rather than requests that merely retrieve a resource.

Example: in the request to get a user's video, changing the user segment of the path to admin reveals a new function path: /identity/api/v2/admin/videos/153

(screenshot: crapi-broken-function-level-authorization.png)

Changing the HTTP verb to DELETE allows the deletion of videos belonging to any user on the target; Burp Intruder with a numeric payload enumerates the video ID numbers.

(screenshot: crapi-dangerous-broken-function-level-authorization.png)

Regarding API authorization, a successful BOLA attack could give you the ability to see another user's account balance.

Regarding API authorization, a successful BFLA attack could give you the ability to transfer funds from a user's account.
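As an added example (not from these notes or from crAPI), this Python detector runs over a few constructed access-log lines shaped like the crAPI requests above and flags the two signals a defender can see from the server side: a non-admin role calling an /admin/ function path (escalated BFLA, with destructive verbs reported under their own rule name) and one principal walking through many distinct object IDs on the same route (the ID enumeration pattern). The log layout, the role column (assumed to be resolved from the bearer token at authentication time), the principal names and the ENUM_THRESHOLD value are all assumptions.

```python
"""
Added example: server-side detection of the BFLA and enumeration patterns
described above, run over constructed access-log lines.
Log layout, role column, principals and threshold are all assumptions;
this is not code from these notes or from crAPI.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Assumed log layout: <timestamp> <principal> <role> <method> <path> <status>
# The role is assumed to be resolved from the bearer token at authentication.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z alice user GET /identity/api/v2/user/videos/153 200
2024-01-01T10:00:05Z alice user GET /identity/api/v2/admin/videos/153 200
2024-01-01T10:00:09Z alice user DELETE /identity/api/v2/admin/videos/153 200
2024-01-01T10:00:10Z alice user DELETE /identity/api/v2/admin/videos/154 200
2024-01-01T10:00:11Z alice user DELETE /identity/api/v2/admin/videos/155 200
2024-01-01T10:00:12Z alice user DELETE /identity/api/v2/admin/videos/156 200
2024-01-01T10:00:13Z alice user DELETE /identity/api/v2/admin/videos/157 200
2024-01-01T10:00:13Z alice user DELETE /identity/api/v2/admin/videos/158 404
2024-01-01T10:01:00Z bob user GET /identity/api/v2/user/videos/201 200
2024-01-01T10:02:00Z carol admin GET /identity/api/v2/admin/videos/153 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<principal>\S+) (?P<role>\S+) "
                     r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
ADMIN_SEGMENT = re.compile(r"/admin/")
ID_SEGMENT = re.compile(r"/(\d+)(?=/|$)")   # purely numeric path segments
DESTRUCTIVE = {"DELETE", "PUT", "PATCH", "POST"}
ENUM_THRESHOLD = 5   # assumed: distinct IDs on one route before alerting


def parse(log_text: str) -> List[Dict]:
    """Parse the assumed log layout; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["status"] = int(event["status"])
            events.append(event)
    return events


def route_template(path: str) -> str:
    """Collapse numeric IDs so /videos/153 and /videos/154 share one key."""
    return ID_SEGMENT.sub("/{id}", path)


def detect(events: List[Dict]) -> List[Dict]:
    alerts = []
    ids_seen = defaultdict(set)   # (principal, method, route) -> distinct IDs
    for e in events:
        # Rule 1 - escalated BFLA: a non-admin role invoking an /admin/ path.
        # Destructive verbs get their own rule name so they can be paged on.
        if ADMIN_SEGMENT.search(e["path"]) and e["role"] != "admin":
            rule = ("destructive_admin_function" if e["method"] in DESTRUCTIVE
                    else "admin_function")
            alerts.append({"rule": rule, "principal": e["principal"],
                           "method": e["method"], "path": e["path"],
                           "status": e["status"]})
        # Rule 2 - ID enumeration: one principal walking many distinct object
        # IDs on the same route template (the Intruder pattern from the notes).
        ids = ID_SEGMENT.findall(e["path"])
        if ids:
            key = (e["principal"], e["method"], route_template(e["path"]))
            ids_seen[key].update(ids)
            if len(ids_seen[key]) == ENUM_THRESHOLD:   # fire once on crossing
                alerts.append({"rule": "id_enumeration", "principal": key[0],
                               "method": key[1], "route": key[2],
                               "distinct_ids": ENUM_THRESHOLD})
    return alerts


def count_by_rule(alerts: List[Dict]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Rule 1 only covers the escalated case; a lateral BFLA (one user acting on another user's video through the same-role path) is invisible from the path alone and needs an ownership lookup that this log does not carry. Rule 2 catches both, because the enumeration itself is the signal regardless of which path it runs against; note that the 404 on video 158 is still counted, since a sweep past the end of the ID range is part of the pattern.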


Attacking API Authorization

Exploiting API Authorization Assessment

Answers (taken from the vAPI database field values in the vapi.sql script):

When attacking http://vapi.apisec.ai/vapi/api1, which user and flag combination can you compromise with a BOLA attack?

  • Michael Scott + api1_d0cd9be2324cc237235b

When attacking http://vapi.apisec.ai/vapi/api1, which course is Meredith Palmer enrolled in?

  • The Subtle art of not giving a F

When attacking http://vapi.apisec.ai/vapi/api1, what is the user ID of Jim Halpert?

  • 4