APISandbox icon indicating copy to clipboard operation
APISandbox copied to clipboard

verified publisher icon API-Security

Metadata

Pre-Built Vulnerable Multiple API Scenarios Environments Based on Docker-Compose.

Results 6 APISandbox issues
Sort by recently updated
recently updated
newest added

采用gorilla库导致API2的Cookie伪造不可用

稍微跟了一下,gorilla对cookie的处理中,只是用key把session id解出来 然后去找对应的文件读取用户的信息 ![image](https://user-images.githubusercontent.com/40162856/149295080-60ac3eec-8035-4393-96bc-dd0d71715c99.png) ![1ff2092410dec2130575256ca648eb1](https://user-images.githubusercontent.com/40162856/149294802-fd256eca-e72b-42af-8f1a-98188be05eb2.png) 所以只有在知道session id的情况下才能伪造用户cookie 导致API2: Broken authentication无法正常工作 虽然/static/sessions/路由能看到id,但与预期解法不一致了

t43Wiu6 avatar t43Wiu6

修复API6没有根据admin值插入到数据库的问题

t43Wiu6 avatar t43Wiu6

APISandbox-启动OWASPApiTop10数据库没有信息 输入id之后查询不到

2 comment

![1](https://github.com/API-Security/APISandbox/assets/77444656/38391f2a-6b08-48ca-8c46-6a5d6bbb9d9b)

shijiu-0113 avatar shijiu-0113

Step 1/9 : FROM golang:1.16-buster Failed

When I run conmand docker-compose build, it shows: ERROR: Service 'owaspapitop10' failed to build : error parsing HTTP 408 response body ![image](https://github.com/API-Security/APISandbox/assets/12975186/b9eab50b-4749-4470-b95f-14f763e95366) How can I sovle this?

cherrychen0825 avatar cherrychen0825

API1: BrokenObjectLevelAuthorization。400 no session

three-person-007 avatar three-person-007

4ASystem

1 comment

4ASystem 横向越权 模拟登陆web1应用,获得访问API的凭证 请问这个具体怎么操作?访问xxx:58080是404,在web1登录或者修改密码抓不到POST /api/v1/sys_authenticate这个包

JoeFeng avatar JoeFeng

Metadata

369
Stars
55
Forks
Watchers

Owner

verified publisher icon API-Security

Metadata

Pre-Built Vulnerable Multiple API Scenarios Environments Based on Docker-Compose.

Back