AP 103: Fuzzing with Postman (20 pts extra)

What You Need

Purpose

To add more requests to the crAPI collection, as preparation for fuzzing the API endpoints.

Connecting to crAPI

Open Burp. Click the Proxy tab. Click the Intercept tab.

Click the "Intercept is on" button so it changes to "Intercept is off".

Click the "Open Browser" button.

In Burp's browser, go to

https://crAPI.samsclass.info The crAPI login page opens, as shown below.

Logging In

In Burp's browser, log in to crAPI with any account. If you don't have account credntials handy, click SignUp and create a new account.

You see the "Vehicles Details" page, as shown below.

Finding API Requests

In Burp, on the HTTP History tab, you see three API requests used to load this page, as shown below.

These are all GET requests, and the URL contains /api/

The first two are identical, loading the Dashboard, and the third one loads Vehicles.

Adding Requests to the crAPI Collection

In Postman, on the left side, click the crAPI collection.

On the right side of the crAPI line, click the three dots.

Click "Add request", as shown below.

Name your request Dashboard and paste in the URL from Burp, as shown below.

Click the Send button and verify that the Response shows JSON data from your account, as shown below.

Repeat the process to add the Vehicles request, as shown below.

Adding a Vehicle

In Burp's browser, at the top right, click the "+ Add a Vehicle" button.

Try entering test data into the form. I was unable to enter any VIN it would accept, so I skipped this request.

Completing the Collection

Continue in this manner on the Shop and Community pages, adding all the possible requests to your Postman crAPI collection, as shown below.

Password Recovery

In Burp's browser, log out of crAPI.

On the login page, click "Forgot Password".

In the "Forgot Password" box, enter your email address. Click "Send OTP". Click OK.

In the next box, enter any value for the OTP and enter a new password twice, as shown below.

Click "Set Password".

The password reset fails, but we found the API endpoint.

Find this request in Burp:

POST /identity/api/auth/v3/check-otp

as shown below.

Add that request to your Postman crAPI Collection. Notice that this request uses has "v3" in the URL, while all the others use "v2".

Flag AP 103.1: Status (10 pts)

Run the validate-coupon request, as shown below, with a coupon code of 111111.

The flag is the status message, covered by a green rectangle in the image below.

Saving the Requests

In Postman, in the crAPI container, click the first requests, which I named "Recent Posts".

At the top right, click Save, outlined in red in the image below.

Repeat this process for all the requests in the crAPI container.

Adding an Environment Variable in Postman

Most or all of the api requests have "v2" in their path. We want to change this version number to see if there are other versions of the API endpoints on the server, an error known as "Improper Assets Management Vulnerabilities".

To do that, we need to create a variable holding the version number.

In Postman, at the top right, click the icon with an eye on a piece of paper, outlined in red in the image below.

The Environment box appears, as shown below.

In the Environment section, click Add, outlined in green in the image above.

Name the Environment "Improper Assets Management".

Add a variable named path with an initial value of v3, as shown below.

Then click Save, outlined in red in the image below.

Adding a Test

In Postman, on the left side, click the crAPI container.

At the top right, select the "Improper Assets Management" Environment.

In the center pane, click the Tests tab.

Enter this code into the Tests box, as shown below.

pm.test("Status code is 404", function () {
    pm.response.to.have.status(404);
});
Click Save, outlined in blue in the image below.

Running the crAPI Collection

In Postman, on the left side, on the crAPI line, click the three-dot icon and click "Run collection", as shown below.

A RUN ORDER page appears. On the right side, check "Save responses", as shown below.

Click the blue "Run crAPI" button.

The Test fails for all requests, as shown below. This is expected, since we were testing for 404 errors.

Troubleshooting

If your collection won't run, and you see errors like "No URL" or "No Tests", make sure you saved all the requests and the test.

Inserting the Variable

On the bottom left, click "Find and Replace", outlined in red in the image below.

In the "Find and Replace" pane, enter v2 in the FIND field.

In the Where section, check the Collections box and check crAPI.

Click the orange Find button.

On the right side, click the Collections tab.

Check all the URL boxes, as shown below.

At the lower left, enter

{{path}}

into the REPLACE WITH field.

Click the orange "Replace in 7 selected" button.

Checking the Results

Close the Find and Replace pane.

On the left, click the requests one by one and see if the change worked.

Find and Replace failed for me. It only changed one item and then stopped finding the others.

The solution was to close all the extra tabs in the tab pane. After that, the requests with "v2" in them all showed the {{path}} variable, as shown below.

Find the request containing "v3" and change it to {{path}} manually.

Running a Fail Scan

In the top right, click the eye icon.

In the "Improper Assets Management" section, click Edit.

Change the CURRENT VALUE of the "path" variable to fail12345, as shown below.

Click Save.

In Postman, on the left side, on the crAPI line, click the three-dot icon and click "Run collection".

On the RUN ORDER page appears. On the right side, check "Save responses".

Click the blue "Run crAPI" button.

The Test passes for all requests containing version numbers, since they returned 404 errors, as shown below. This is expected, since no URL is likely to contain "fail12345".

Trying v1

In Postman, at the top right, click the eye icon. In the "Improper Assets Management" section, click Edit.

Change the CURRENT VALUE of "path" to v1, as shown below.

Click Save.

Run the collection again. All the URLS with "v1" return 404 errors, as shown below.

This shows that there are no old versions with those paths left active on the server.

Trying v3

In Postman, at the top right, click the eye icon. In the "Improper Assets Management" section, click Edit.

Change the CURRENT VALUE of "path" to v3.

Click Save.

Run the collection again. All the URLS with "v3" return 404 errors, except the the last one, "Check OTP", which returns a 500, as shown below.

Notice that the response size is 1.001 KB, shown at the bottom right of the image below.

Trying v2

In Postman, at the top right, click the eye icon. In the "Improper Assets Management" section, click Edit.

Change the CURRENT VALUE of "path" to v3.

Click Save.

Run the collection again. All the URLS with "v2" return 404 errors, except the the last one, "Check OTP", which returns a 500, as shown below.

Notice that the response size is 997 B, shown at the bottom right of the image below.

Researching "Check OTP"

This looks like a vulnerability: there are two versions of the "Check OTP" request, v2 and v3, and they are not identical.

Using Burp Intruder

In Burp, on the HTTP history tab, find a request to v3 of check-otp, as shown below.

Right-click it and click "Send to Intruder".

Click the Intruder tab.

Click the "Clear §" button.

Higlight the numerical "otp" value and click the "Add §" button.

Your window should look like the image below.

Click the Payloads tab.

Copy this list of payloads and paste it into the Payload Options box:

1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
Your window should look like the image below.

At the top right, click the "Start Attack" button. Click OK.

Burp opens a new window and performs the attack.

The replies show

{
"message":"ERROR..",
"status":500
}
as shown below.

This is because there is a limit on the number of allowed guesses.

Repeat the process to attack v2 of check-otp.

This time, the responses are all "Invalid OTP!", as shown below.

This shows that the older v2 does not enforce a limit on the number of guesses, so the OTP can be brute-forced.

Flag AP 103.2: Message (10 pts)

The flag is covered by a green rectangle in the image below.

Source

Hacking APIs

Posted 5-4-22
Third image updated and video added 5-11-23
Eye icon image updated 7-18-23