DVAPI Walkthrough: API Penetration Testing: OWASP TOP 10 API
Welcome to the Damn Vulnerable API (DVAPI) project. This project is based on the OWASP API Top 10, 2023 Stable version, published on June 5, 2023. The lab is designed to help you learn about and explore the top 10 security risks associated with APIs according to the OWASP API Security Project.
The OWASP API Top 10–2023 consists of the following vulnerabilities:
- 0xa1: Broken Object Level Authorization
- 0xa2: Broken Authentication
- 0xa3: Broken Object Property Level Authorization
- 0xa4: Unrestricted Resource Consumption
- 0xa5: Broken Function Level Authorization
- 0xa6: Unrestricted Access to Sensitive Business Flows
- 0xa7: Server Side Request Forgery
- 0xa8: Security Misconfiguration
- 0xa9: Improper Inventory Management
- 0xaa: Unsafe Consumption of APIs
Installation:
Recently completed DVAPI and gathered vulnerability information from this lab.
Let’s Start:
API1:2023 Broken Object Level Authorization:
Object level authorization ensures that only authorized users have access to specific resources or actions. However, in the case of broken object level authorization, there are vulnerabilities that allow unauthorized users to access or modify sensitive data or perform actions they shouldn’t have permission for.
POC:
API2:2023 Broken Authentication:
“Authentication endpoints, which are typically public-facing, are a common target for attackers. To prevent attacks, these endpoints should have extra protection measures in place. However, misconfigurations can occur due to insufficient threat modeling.”
POC:
API3:2023 Broken Object Property Level Authorization:
“APIs perform actions on objects and their properties. Developers may neglect property level authorization, allowing users to modify object properties they shouldn’t access, despite having object level authorization.”
POC:
API4:2023 Unrestricted Resource Consumption:
“API requests consume resources such as CPU/memory, bandwidth, storage, and integrations with other services. Attackers can cause high resource consumption by sending excessive requests, leading to unresponsive APIs or increased business expenses.”
POC:
Created the large image:
Upload into the profile photo
API5:2023 Broken Function Level Authorization:
“APIs enable users to perform specific functions on API objects, with some of these functions restricted to certain user permissions. It is crucial to implement proper authorization checks for API functions to ensure users are granted the correct privileges for object manipulation.”
POC:
HTTP verb tempering:
API6:2023 Unrestricted Access to Sensitive Business Flows:
“Unrestricted Access to Sensitive Business Flows is a critical vulnerability that enables attackers to exploit APIs by gaining excessive access to sensitive business processes. This vulnerability occurs when API endpoints expose critical flows without appropriate access restrictions, leading to potential harm to the business.
Attackers leverage their understanding of the target business model and automate access to sensitive flows, causing various forms of harm. Lack of a holistic view of the API and inadequate protection mechanisms contribute to the prevalence of this vulnerability.”
POC:
API7:2023 Server Side Request Forgery:
Server-Side Request Forgery (SSRF) flaws occur whenever an API is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall or a VPN.
So, imagine you’re a hacker and you want to get access to some secret data or functionality on a server that you’re not supposed to have access to. How would you do it? You can’t just waltz in through the front door, right? Well, that’s where SSRF comes in. SSRF stands for Server-Side Request Forgery, and it’s a technique that allows a hacker to trick a server into making requests on their behalf. It’s like getting the server to open the back door for you without it even realizing it!
POC:
API8:2023 Security Misconfiguration:
“A security misconfiguration arises when essential security settings are either not implemented or implemented with errors.
In the world of cybersecurity, security misconfiguration is a vulnerability that arises when systems or applications are not configured properly. It’s like leaving the front door of your house unlocked or your windows wide open. It’s an open invitation to attackers who are looking for an easy way in.
Security misconfiguration can take many forms, such as not changing default passwords, not patching systems with security updates, or leaving unnecessary ports open or giving out sensitive information in errors. Hackers can exploit these misconfigurations to gain access to sensitive data or to take control of systems.”
POC:
API9:2023 Improper Inventory Management:
“Improper management of APIs refers to instances when the production APIs are built, utilized, and then no longer managed without being terminated.
Asset management is all about keeping track of what you have, what you need, and when you need it. When it comes to APIs, improper inventory management can mean not keeping track of all the APIs in use, their access levels, or who has access to them, uat endpoints left open in prod. It’s like not having a proper recipe for the cake you want to bake — you might have some ingredients, but without the right recipe, you won’t end up with the cake you wanted.
This can lead to security vulnerabilities, such as unauthorized access or data leaks.”
POC:
API10:2023 Unsafe Consumption of APIs:
Developers tend to trust data received from third-party APIs more than user input. This is especially true for APIs offered by well-known companies. Because of that, developers tend to adopt weaker security standards, for instance, in regards to input validation and sanitization.
Have you ever heard the phrase ‘you are what you eat’? Well, in the world of cybersecurity, the same can be said for APIs. Unsafe consumption of APIs is like eating something that might look good, but could actually be harmful to you.
APIs are like the ingredients in a recipe — they come in all shapes and sizes, and you need to be careful about how you consume them. Unsafe consumption of APIs means using APIs in a way that exposes your systems to security vulnerabilities. It’s like eating something that might look and smell good, but could give you food poisoning.
This can happen when you don’t properly authenticate or authorize API requests, or when you don’t sanitize user inputs. It’s like not properly washing your hands or cooking your food — it can lead to harmful bacteria and germs entering your system.
POC of DVAPI lab:
All flags captured
Mitigation:
Thanks to Payatu for this wonderful lab to understand the API exploits.
Happy hunting!!!
