AP 130: c{api}tal (75 pts extra)

What You Need

Purpose

To practice exploiting a vulnerable API. We will use an API created by Checkmarx for Black Hat Europe 2022 and DEF CON 30.

Viewing the c{api}tal Site

Open a Web browser and open this URL:
http://capital.samsclass.info:4100
You see a c{api}tal web page, as shown below.

Troubleshooting

Burp's built-in Chromium browser may block the c{api}tal page as shown below.

To fix this, click the little symbol in the URL bar to the left of "https".

Click "Site Settings".

Configure "Insecure Content" to Allow, as shown below.

Paste this URL in again:
http://capital.samsclass.info:4100
The page should load now.

Configuring Port Forwarding

At the bottom left of the c{api}tal web page, a message says "No articles are here".

That's a problem. It happens because the Web page tries to load the API from localhost on port 8000 instead of the remote server.

To fix it, you need to configure port forwarding on your machine.

The steps are different for Windows and other operating systems. Follow the steps in the appropriate box below.

Mac or Linux

Installing socat

If you are using a Mac, execute this command:
brew install socat
If you are using Debian Linux, execute these commands:
sudo apt update
sudo apt install socat
To start port forwarding on either OS, execute the commands below.

Make sure the IP address found by ping matches the IP address in the socat command.

ping -c 1 capital.samsclass.info
socat TCP-LISTEN:8000,fork TCP:137.184.85.205:8000
Leave this Terminal window open.

Windows

If you are using Windows, execute these commands in an Administrator Command Prompt.

Make sure the IP address found by ping matches the IP address in the netsh command.

ping capital.samsclass.info

netsh interface portproxy add v4tov4 listenport=8000 listenaddress=0.0.0.0 connectport=8000 connectaddress=137.184.85.205

Refreshing the c{api}tal Site

In your browser showing the c{api}tal web page, refresh the page.

Now articles appear, as shown below.

(Note: the articles don't show up in Opera, but they do in Firefox.)

Viewing the API endpoints specification page

Open a Web browser and open this URL:
http://capital.samsclass.info:8000/docs
You see the specifications, as shown below.

Launching Postman and Creating an Account

Launch Postman.

If you don't already have an account, in Postman, at the top right, click the orange "Create Account" button.

A Postman web page opens. Create an account, or link to an existing Google account.

Return to the main Postman window, as shown below.

Importing API Specifications

In the top left portion of the Postman window, click the Import button.

In the Import box, click the Link tab.

Enter this URL, as shown below.

https://samsclass.info/129S/proj/capital.postman_collection.json

Click the orange Continue button. On the "Import Elements" page, click the orange Import button.

In the top left of Postman, click the Collections button.

Expand the c{api}tal container to see categories of API calls, as shown below.

Setting the APIURL

In Postman, in the list of Collections, click the c{api}tal container.

On the right side, click the Variables tab.

Enter these values, as shown below.

Then click the Save icon, outlined in green in the image below.

Testing the APIURL

In Postman, in the list of Collections, in the c{api}tal container, expand Articles.

Click "All Articles".

At the top right, click the blue Send button.

In the lower right pane, you should see articles appear, as shown below.

Specification for Registering a New User

In a Web browser, you should have the "FastAPI example application" page open.

Expand the first item in the authentication section.

As shown below, to register a new user, you need to send a POST with the user data in JSON format.

Creating a User Account

In the list of Collections, in the c{api}tal container, expand Auth.

Click Register.

On the Body tab, on the right side, click the blue word Beautify.

Replace the placeholders with an email, password, and username of your choice, as shown below.

Click the blue Send button.

The reply shows that your account was created, and that you are not an admin, as shown below.

Highlight and copy your token value, as shown below.

Adding your Token to the Collection

In the list of Collections, click c{api}tal container.

On the right side, click the Variables tab.

Add a variable named token with the value you copied in the previous step, as shown below.

Then click the Save icon, outlined in green in the image below.

Getting Current User

To test the token, we'll fetch the name of the current user.

In the list of Collections, in the c{api}tal container, in the Auth container, click "Current User".

Click the blue Send button.

The reply shows the name of the current user, as shown below.

Launching Burp

Start Burp. On the Proxy tab, on the Intercept sub-tab, click the "Intercept is on" button so it changes to "Intercept is off".

Configuring Postman to Use the Burp Proxy

In Postman, at the top right, click the gear icon, outlined in red in the image above. Click Settings.

On the Proxy tab, check the "Add a custom proxy configuration" box and enter these values, as shown below.

Repeating the Current User Request

In Burp, on the Proxy tab, click the "HTTP History" sub-tab.

If any requests are here, right-click one of them and click "Clear History", Yes.

In Postman, close the Settings box.

You should see the Current User request ready to go.

Click the blue Send button.

The request appears in Burp.

Right-click the request and click "Send to Repeater", as shown below.

In Burp, click the Repeater tab.

The request from Postman appears, as shown below.

Click the Send button.

Click the Response tab.

You see the current user's name, as shown below.

AP 130.1 Broken Function Level Authorization

This is #5 on the OWASP API Security Top 10 vulnerabilities list.

This vulnerability typically allows an API call to a function without requiring authorization. One common result is "vertical privilege escalation", from user to administrator.

Viewing the Available Functions

In a Web browser, open this URL:
http://capital.samsclass.info:4100/static/js/bundle.js
Press Ctrl+F and search for path: on this page. Look through the results and find the "/admin" path, highlighted in green in the image below.

In Burp, on the Repeater tab, on the Request sub-tab, change the GET request to reference the /api/admin endpoint, as shown below.

Click the Send button.

Flag AP 130.1: Broken Function Level Authorization (10 pts)

The request is allowed, without your being logged in as admin.

The flag is covered by a green rectangle in the image below.

AP 130.2: Broken Object Level Authorization (BOLA)

This is #1 on the OWASP API Security Top 10 vulnerabilities list.

This vulnerability typically allows an API call to a function affecting another user's data without requiring authorization. This result is called "horizontal privilege escalation."

Examining the DELETE API Call in Postman

This vulnerability is common when there are parameters in the URL that look like folders, but should have different permissions for each user.

In Postman, in the c{api}tal container, expand the "Articles, Favorites, Comments" container and click "Delete Comments for Article".

This request looks like a good candidate for BOLA, as shown below.

Using the GUI

In a Web browser, open this URL:
http://capital.samsclass.info:4100
At the top right, click "Sign in". Enter the username and password for the account you created earlier.

You see articles, as shown below.

Viewing Articles and Comments

Find an article with a comment from another user, as shown below.

Clearing Burp's HTTP History

In Burp, on the Proxy tab, click the "HTTP History" sub-tab. Right-click a request and click "Clear History", Yes.

Commenting and Deleting a Comment

In the Web page, type in a comment and click the "Post Comment" button.

Repeat the process to add a second comment.

Notice that the comments you added have trash-can icons visible, so you can delete them. Comments from other users don't have the trash-can icon, so the developer intended to deny you the ability to delete them, as shown below.

Click one of the trash-can icons. Your comment is deleted.

Viewing the Delete Request in Burp

In Burp, on the Proxy tab, on the "HTTP History" sub-tab, find the DELETE request. Right-click it and click "Send to Repeater", as shown below.

Repeating the DELETE Request

On the Repeater tab, notice that the URL ends in a number, after "comments/". When I did it, my comment was number 9, as shown below.

Subtract 2 from the commentid number. Now the request applies to another user's comment, which you should not be able to delete. Click the Send button.

Flag AP 130.2: Broken Object Level Authorization (BOLA) (10 pts)

Click the Response tab.

The flag is covered by a green rectangle in the image below.
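The two access-control failures above (AP 130.1 and AP 130.2) are closed by checks the server must make on every call: a role check before an admin-only function, and an ownership check on the object a request names. The following is an added illustration in plain Python, not c{api}tal's own code; the route table, usernames and comment ids are constructed:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    username: str
    is_admin: bool = False

@dataclass
class Comment:
    comment_id: int
    author: str
    body: str

# Paths that require the admin role (constructed table, not c{api}tal's route list).
# Everything not listed is open to any authenticated user.
ADMIN_ONLY = {"/api/admin"}

class Forbidden(Exception):
    pass

def check_function_access(path: str, user: User) -> None:
    """Function-level authorization (AP 130.1): an ordinary user may not call
    admin-only paths even though the route exists and accepts the request."""
    if path in ADMIN_ONLY and not user.is_admin:
        raise Forbidden(f"{user.username} may not call {path}")

def delete_comment(comments: dict, comment_id: int, requester: User) -> Comment:
    """Object-level authorization (AP 130.2): the id in the URL is only a lookup
    key; the record must belong to the caller (or the caller must be an admin).
    The vulnerable version skips the ownership test and deletes whatever id arrives."""
    comment = comments.get(comment_id)
    if comment is None:
        raise KeyError(comment_id)
    if comment.author != requester.username and not requester.is_admin:
        raise Forbidden(f"{requester.username} does not own comment {comment_id}")
    return comments.pop(comment_id)

def demo() -> tuple:
    """Constructed data: alice owns comment 9, Pikachu owns comment 7 (9 - 2)."""
    comments = {7: Comment(7, "Pikachu", "hi"), 9: Comment(9, "alice", "hello")}
    alice = User("alice")
    admin_blocked = bola_blocked = False
    try:
        check_function_access("/api/admin", alice)
    except Forbidden:
        admin_blocked = True
    try:
        delete_comment(comments, 7, alice)      # another user's comment
    except Forbidden:
        bola_blocked = True
    delete_comment(comments, 9, alice)          # her own comment succeeds
    return admin_blocked, bola_blocked, sorted(comments)
```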

AP 130.3: Broken Authentication

This vulnerability allows use of insecure passwords.

Viewing the Pikachu Posts

From the home page, scroll down to find posts by "Pikachu".

Click the "read more" links to read the posts.

The post titled "I am Pikachu!" contains an email address, as shown below.

Copy that address to a text file for later use.

The post titled "My favourites pokemon!" contains a list of words, as shown below.

Copy those words to a text file for later use. We'll try using them as passwords.

Capturing a Login Request

In Burp's browser, on the c{api}tal page, at the top right, click Settings.

At the bottom, click "Or click here to logout".

At the top right, click Signin. Log in again.

In Burp, on the Proxy tab, on the "HTTP history" sub-tab, find the login request.

Right-click it and click "Send to Intruder", as shown below.

Performing a Sniper Attack

In Burp, on the Intruder tab, in the "Payload positions" pane, at the bottom, replace the email with Pikachu's email that you copied earlier, removing the § marks, as shown below.

Click the Payloads tab.

Find the text file with the possible passwords you copied previously.

Edit the list to have a carriage return after each word.

Paste the words into the "Payload settings [Simple list]" box, as shown below.

Click the "Start attack" button. Click OK.

Flag AP 130.3: Broken Authentication (10 pts)

The attack proceeds, as shown below.

Find the login request that has a different response from the others, and find the flag in that response.
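On the server side, the sniper attack above leaves a burst of failed logins for one account followed by a success. This added Python example (not part of the original lab) shows the detection logic run over a constructed log sample; the log format and the /users/login path are assumptions, not c{api}tal's real output:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample (not real c{api}tal output): one account receives a
# burst of failed logins, then a success, the shape a password-list attack leaves behind.
SAMPLE_LOG = """\
2023-02-16T10:00:01Z POST /users/login email=alice@example.test status=200
2023-02-16T10:00:05Z POST /users/login email=target@example.test status=401
2023-02-16T10:00:05Z POST /users/login email=target@example.test status=401
2023-02-16T10:00:06Z POST /users/login email=target@example.test status=401
2023-02-16T10:00:06Z POST /users/login email=target@example.test status=401
2023-02-16T10:00:07Z POST /users/login email=target@example.test status=401
2023-02-16T10:00:07Z POST /users/login email=target@example.test status=200
2023-02-16T10:05:00Z POST /users/login email=bob@example.test status=401
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) POST /users/login email=(?P<email>\S+) status=(?P<status>\d{3})$")

def parse_log(text):
    """Yield (timestamp, email, status) for each login line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["email"], int(m["status"])

def detect_password_guessing(text, max_failures=5, window=timedelta(minutes=1)):
    """Map email -> (failures seen inside the window, success after the burst) for every
    account that reached max_failures failed logins within `window`. A success that
    follows the burst is the case to escalate: one of the guesses worked."""
    recent = defaultdict(list)
    findings = {}
    for ts, email, status in parse_log(text):
        if status == 401:
            recent[email] = [t for t in recent[email] if ts - t <= window] + [ts]
            if len(recent[email]) >= max_failures:
                findings[email] = (len(recent[email]), False)
        elif status == 200 and email in findings:
            findings[email] = (findings[email][0], True)
    return findings
```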

AP 130.4: Excessive data exposure

This vulnerability exposes sensitive data. Data on the server which should be restricted is exposed to unauthorized users.

Exploring Your Profile

In Burp's browser, start at the c{api}tal home page. If you aren't logged in, log in.

Click your username at the top right.

On the right side, click the "Edit Profile Settings" button.

The Your Settings page opens, as shown below.

Notice that you can add a biography, and you can also purchase a Membership.

Click the Membership button.

This page collects credit card data, as shown below.

Viewing Another User's Profile

At the top right, click Home.

Click the pink username at the top of any article.

You see this user's profile, but no credit card data, as shown below.

Unfortunately, although the developer did not display the credit card data on the Web page, it is handled insecurely behind the scenes, by the API.

Capturing a Login Request

In Burp, on the Proxy tab, on the "HTTP history" sub-tab, find the GET request that loaded the profile.

Right-click it and click "Send to Intruder", as shown below.

Performing a Sniper Attack

In Burp, on the Intruder tab, in the "Payload positions" pane, highlight the name of the user. On the right side, click the "Add §" button.

The name is highlighted, as shown below.

Click the Payloads tab.

Paste in the list of users shown below.

Bob_the_dev
Hodor
Pikachu
Ash%20Ketchum
Blastoise
TeamR$cket

Click the "Start attack" button. Click OK.

Flag AP 130.4: Excessive data exposure (10 pts)

Find the profile with the longest response.

Take the credit card information found there and use it to purchase a membership for your own account.

The flag appears, covered by a green rectangle in the image below.
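The fix for this exposure is an explicit allowlist of response fields: the profile endpoint builds its reply from the fields a viewer is entitled to, rather than serializing the whole database row and trusting the front end to hide the rest. This is an added Python illustration, not c{api}tal's code; the record layout and field names are assumptions and the card values are test data:

```python
import json
from dataclasses import dataclass, asdict

@dataclass
class UserRecord:                 # one row of the users table (constructed layout)
    username: str
    bio: str
    email: str
    card_number: str              # stored for membership billing
    card_cvc: str
    admin: bool

# Constructed sample row; the card values are test data, not a real card.
SAMPLE = UserRecord("Pikachu", "Electric type", "pika@example.test",
                    "4111111111111111", "987", False)

PUBLIC_FIELDS = ("username", "bio")            # what any visitor gets on /profiles/{name}
OWNER_FIELDS = ("username", "bio", "email")    # what the account owner additionally gets
SENSITIVE = ("card_number", "card_cvc")        # never serialized, for anyone

def profile_view(record, viewer):
    """Build the API response from an explicit allowlist of fields. The vulnerable
    pattern is `return asdict(record)`: the whole row, card data included, and the
    browser simply never renders the extra keys."""
    fields = OWNER_FIELDS if viewer == record.username else PUBLIC_FIELDS
    view = {name: getattr(record, name) for name in fields}
    if viewer == record.username:
        view["has_membership"] = bool(record.card_number)   # derived flag, not the number
    return view

def find_leaks(view, record):
    """Regression check: which sensitive values appear anywhere in the serialized response?"""
    body = json.dumps(view)
    return sorted(name for name in SENSITIVE if getattr(record, name) in body)
```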

AP 130.5: Improper assets management

Attackers find non-production versions of the API (for example, staging, testing, beta, or earlier versions) that are not as well protected as the production API, and use those to launch their attacks.

Exploring Your Profile

In Postman, click the Register call as shown below.

On the right side, notice the URL:

{{APIURL}}/users
There's no version string in this URL, such as "v1" or "v2".

Examine the other API calls and find one that contains "v2".

Send it as it is, and adjust the data until it produces a successful response.

Change it to "v1" and send it.

Flag AP 130.5: Improper assets management (5 pts)

Change the version number to "v1" and send it.

The flag appears in the response.

AP 130.6: Lack of resources and rate limiting

The API is not protected against an excessive number of calls or oversized payloads. Attackers can use this for Denial of Service (DoS) and against authentication, for example with brute-force attacks.

Observing the Article Request

In Burp's browser, in the c{api}tal page, at the top right, click Home.

In Burp, on the Proxy tab, on the "HTTP history" sub-tab, find the GET request that loaded the articles, as shown below.

Flag AP 130.6: Lack of resources and rate limiting (5 pts)

Send the article request to the Repeater, and increase the "limit" parameter.

When it's large enough, you'll see the flag in the response.
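Two server-side controls address this flag: a hard cap on the "limit" parameter so one call cannot pull the whole table, and a per-client request limit so a client cannot flood the endpoint. Added Python example, not c{api}tal's code; the cap values, the client key and the 429 convention are assumptions:

```python
import time
from collections import deque

DEFAULT_LIMIT = 20
MAX_LIMIT = 50            # hard cap on page size, whatever ?limit= says

def clamp_limit(raw):
    """Parse the limit query parameter: garbage falls back to the default,
    anything else is clamped to 1..MAX_LIMIT so one request cannot pull the whole table."""
    try:
        n = int(raw)
    except (TypeError, ValueError):
        return DEFAULT_LIMIT
    return max(1, min(n, MAX_LIMIT))

class SlidingWindowLimiter:
    """Allow at most max_requests per client key in any `window` seconds.
    The clock is injectable so the behaviour can be tested without sleeping."""
    def __init__(self, max_requests, window, clock=time.monotonic):
        self.max, self.window, self.clock = max_requests, window, clock
        self.hits = {}

    def allow(self, key):
        now = self.clock()
        q = self.hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # drop hits older than the window
            q.popleft()
        if len(q) >= self.max:
            return False                          # caller should answer 429 Too Many Requests
        q.append(now)
        return True

def simulate(n_requests, max_requests=5, window=1.0):
    """Fire n requests from one client in the same instant, then one more after the
    window has passed. Returns (allowed_in_burst, allowed_after_window)."""
    fake_now = [0.0]
    limiter = SlidingWindowLimiter(max_requests, window, clock=lambda: fake_now[0])
    allowed = sum(limiter.allow("203.0.113.7") for _ in range(n_requests))
    fake_now[0] += window
    return allowed, limiter.allow("203.0.113.7")
```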

AP 130.7: Insufficient logging and monitoring

We need to abuse the logging function.

Viewing the Available Functions

In a Web browser, open this URL:
http://capital.samsclass.info:4100/static/js/bundle.js
Press Ctrl+F and search for logging on this page. Look through the results and find the "/logging" path, highlighted in orange in the image below.

Flag AP 130.7: Insufficient logging and monitoring (5 pts)

In Burp, send a GET request from the HTTP History to Repeater, and modify it to send to the "/logging" function.

The response will contain the flag.

AP 130.8: Mass assignment

The API takes data that the client provides and stores it without proper filtering for whitelisted properties.

In this case, we can assign parameters in the request that the developer did not intend for the user to control.

Capturing a PUT Request

In Burp's browser, on the c{api}tal page, make sure you're logged in.

At the top right, click Settings.

Enter updated bio data, as shown below, and click the "Update Settings" button.

In Burp, find the PUT request that sent the updated bio.

The Response contains:

"admin":false,
as shown below.

Flag AP 130.8: Mass assignment (5 pts)

In Burp, send the PUT request to Repeater, and modify it to add this parameter in the JSON data at the bottom:
"admin":true,
The response will contain the flag.
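The defence against mass assignment is to copy only an allowlist of fields from the PUT body onto the stored record, so an "admin" key in the JSON is rejected or dropped instead of written. Added Python example, not c{api}tal's code; the field allowlist and the body shape (either {"user": {...}} or a flat object) are assumptions:

```python
import json

# Constructed allowlist of fields a user may change through PUT /user.
# "admin" is deliberately absent: it is set by an administrator, never by the request body.
UPDATABLE_FIELDS = {"email", "username", "bio", "image", "password"}

class BadRequest(Exception):
    pass

def apply_profile_update(user, payload_json, strict=True):
    """Copy only allowlisted keys from the request body onto the stored record.
    The vulnerable pattern is `user.update(body)`, which lets "admin": true land in
    the database. strict=True rejects a body with unknown keys (and gives you an
    event to log); strict=False drops them silently. Returns (updated, rejected)."""
    body = json.loads(payload_json)
    data = body.get("user", body) if isinstance(body, dict) else None   # {"user": {...}} or flat
    if not isinstance(data, dict):
        raise BadRequest("user object expected")
    rejected = sorted(set(data) - UPDATABLE_FIELDS)
    if rejected and strict:
        raise BadRequest(f"fields not updatable: {rejected}")
    updated = dict(user)                       # never mutate the stored row in place
    for key in UPDATABLE_FIELDS & set(data):
        updated[key] = data[key]
    return updated, rejected

STORED_USER = {"username": "alice", "bio": "", "admin": False}    # constructed row
ATTEMPT = '{"user": {"bio": "new bio", "admin": true}}'            # the Repeater edit above
```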

AP 130.9: Injection

Viewing the API endpoints specification page

In a Web browser, open this URL:
http://capital.samsclass.info:8000/docs
Scroll down and expand the "debug" function. It's a POST request that can execute a command, as shown below.

Capturing a POST Request

In Burp's browser, view an article and post a comment.

In Burp, find that POST request, send it to Repeater, and modify it to send a DEBUG request with a command of "whoami", as shown below.

Flag AP 130.9: Injection (5 pts)

Examine the response to see what commands are whitelisted.

Modify the POST to execute a whitelisted command, followed by

;ls
to see the flag.
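The ";ls" trick works because the debug endpoint hands the whole string to a shell. A command allowlist alone is not enough; the fix is to tokenize the input, check the first token against the allowlist, refuse shell metacharacters, and execute the argv list with no shell at all. Added Python example, not c{api}tal's code; the allowlist contents are constructed:

```python
import shlex
import subprocess

# Constructed allowlist: command -> exact argument list it may run with, or None for
# free-form arguments (still passed as argv, never through a shell).
ALLOWED = {"whoami": [], "uptime": [], "echo": None}

class CommandRejected(Exception):
    pass

def build_argv(command):
    """Turn the client's string into an argv list, or refuse it.
    The vulnerable pattern is subprocess.run(command, shell=True): the shell honours
    ';', '&&', '|' and $(...), so a chained command runs both parts. Here the string is
    tokenized, the first token must be allowlisted, and no token may carry a metacharacter."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        raise CommandRejected(f"unparsable input: {exc}")
    if not argv or argv[0] not in ALLOWED:
        raise CommandRejected(f"not an allowlisted command: {argv[:1]}")
    for token in argv:
        if any(ch in token for ch in ";&|$`<>\n"):
            raise CommandRejected(f"shell metacharacter in {token!r}")
    expected = ALLOWED[argv[0]]
    if expected is not None and argv[1:] != expected:
        raise CommandRejected(f"{argv[0]} takes no arguments")
    return argv

def run_debug(command):
    """Execute a validated command with shell=False: argv goes straight to execve,
    so there is no interpreter left to honour separators."""
    argv = build_argv(command)
    return subprocess.run(argv, capture_output=True, text=True, timeout=5).stdout

def is_rejected(command):
    try:
        build_argv(command)
    except CommandRejected:
        return True
    return False
```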

AP 130.10: Security misconfiguration

This includes services running with default passwords, unpatched systems, etc.

Scanning the Server

Running a Nmap scan of all ports shows "redis" on port 6379.

Understanding Redis

This tutorial is very helpful, especially the "Redis - Commands" and "Redis - Strings" pages.

Installing a Redis Client

There are a lot of clients. Here's the one I used on Debian:
sudo apt install redis-tools
redis-cli -h capital.samsclass.info -p 6379

Flag AP 130.10: Security misconfiguration (10 pts)

There's a key named "flag" in the Redis database. Use the appropriate command to display its value.
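The misconfiguration here is a Redis instance that listens on every interface with protected mode off and no password, so any client on the network is already authenticated. Added Python example (not from the lab): two constructed redis.conf fragments, the weak one beside a hardened one, and a small audit function that reports the settings responsible; the directive names are real Redis directives, the password is a placeholder:

```python
# Constructed redis.conf fragments: roughly what an open instance on port 6379 runs with,
# and a hardened equivalent. The password is a placeholder, not a real secret.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command FLUSHALL ""
"""
PUBLIC_ADDRS = {"0.0.0.0", "*", "::"}

def parse_conf(text):
    """redis.conf is `directive value...` per line; keep every occurrence of each directive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def audit_redis_conf(text):
    """Return the settings that let any network client run commands against the instance."""
    conf = parse_conf(text)
    findings = []
    # With no bind line Redis listens on every interface.
    addrs = [a.lstrip("-") for v in conf.get("bind", ["0.0.0.0"]) for a in v.split()]
    if any(a in PUBLIC_ADDRS for a in addrs):
        findings.append("bind-all-interfaces")
    # protected-mode (default yes) refuses remote clients when no password is configured.
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode-off")
    # No requirepass and no ACL users means every client is authenticated already.
    if "requirepass" not in conf and "user" not in conf:
        findings.append("no-authentication")
    return findings
```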

How to Install c{api}tal

If you want to make your own server, you can use Debian 11, as shown below.

Installing Docker

Execute these commands:

sudo apt update
sudo apt -y install apt-transport-https ca-certificates curl gnupg2 software-properties-common
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o docker-archive-keyring.gpg
sudo mv docker-archive-keyring.gpg /usr/share/keyrings/

cd
git clone https://github.com/jorritfolmer/vulnerable-api.git
sudo apt -y install virtualenv

echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list

sudo apt update
sudo apt -y install docker-ce docker-ce-cli containerd.io

sudo systemctl status docker
You see an Active status of "active (running)", as shown below.

Press q to exit the status view.

Installing c{api}tal

Execute these commands:
sudo apt -y install git
git clone https://github.com/Checkmarx/capital.git
cd capital
ls

sudo docker compose up -d
A process of downloading and running software proceeds for several minutes. When it finishes, you see 5 running containers, as shown below.

Making it Automatically Start

Execute this command:
sudo crontab -e
Add this line to the file:
@reboot cd capital && /usr/bin/docker compose up -d

Sources

How to install Docker on Debian 11
Checkmarx/capital
How We Created an API Security CTF
DefCon 30 — C{api}tal CTF WriteUp (Part 1)
How to Do a Clean Restart of a Docker Instance

Posted 2-16-23
Installation instructions added 7-17-23
Chromium insecure page loading tip added 7-18-23