
⛏️ Write a test to check whether we can create/update an object with invalid SSN

Open ankush-jain-akto opened this issue 1 year ago • 15 comments

💭 Introduction: We want to test to check whether an attacker can create/update entity with an invalid SSN.

🎯 Requirements:

  1. Filters - API with UPI ID as an input in GET query parameter or JSON body parameter

  2. Execute - It should replace the value with

  • special characters
  • A very long string (> 255 characters)
  • Use whitespaces
  • Invalid SSN
  • A negative integer
  • A very long integer causing integer overflow
  • Zero
  • NULL

  3. Validation - If the application responds with an exception trace, it is a vulnerability.

✅ Task summary:

  • [ ] Ask to be assigned to the issue.
  • [ ] Wait to be assigned. We will try to assign in less than 2 hours.
  • [ ] Signup for Akto
  • [ ] Fork the tests-library repository, create a new branch and commit the yaml file which will be called in your test.
  • [ ] Submit both the PR here.

📚 Reading: You can find detailed documentation of the test editor rules here. Find 100+ examples of YAML tests here.

🙋🏼‍♂️ Questions: If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

ankush-jain-akto avatar Oct 09 '23 05:10 ankush-jain-akto
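The issue above describes the test from the scanner's side: replace the SSN parameter with each malformed value and flag any response that carries an exception trace. The following is an added example, not Akto code and not part of this issue; it shows what the target API needs in order to pass such a test. `unsafe_create` and `hardened_create` are hypothetical handlers that stand in for a real create/update endpoint, `call` simulates a framework whose debug error page dumps the traceback into the body, and `ISSUE_PAYLOADS` are constructed inputs following the eight cases listed in the Execute step. The SSN rules applied (area not 000, 666 or 900-999; group not 00; serial not 0000) are the published SSA format constraints.

```python
import re
from dataclasses import dataclass
from typing import Any, Optional

# Constructed inputs mirroring the Execute step of the issue, one per case.
ISSUE_PAYLOADS = [
    ("special characters", "!@#$%^&*()"),
    ("very long string", "A" * 300),
    ("whitespace", "   "),
    ("invalid ssn", "000-12-3456"),     # area 000 is never issued
    ("negative integer", "-123456789"),
    ("integer overflow", 10 ** 20),     # larger than any 64-bit integer
    ("zero", 0),
    ("null", None),
]

SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def validate_ssn(value: Any) -> Optional[str]:
    """Return None for a well-formed SSN, otherwise a short reason.

    Type and length are checked before the regex so that non-string and
    oversized inputs never reach code that assumes a short string.
    """
    if value is None:
        return "ssn is required"
    if not isinstance(value, str):
        return "ssn must be a string"
    if len(value) > 11:
        return "ssn too long"
    match = SSN_RE.match(value)
    if not match:
        return "ssn must match NNN-NN-NNNN"
    area, group, serial = (int(part) for part in match.groups())
    if area == 0 or area == 666 or area >= 900:
        return "invalid area number"
    if group == 0:
        return "invalid group number"
    if serial == 0:
        return "invalid serial number"
    return None


@dataclass
class Response:
    status: int
    body: dict


def unsafe_create(payload: dict) -> Response:
    """Hypothetical naive handler: trusts the input and lets exceptions escape."""
    ssn = payload["ssn"]
    digits = int(ssn.replace("-", ""))  # AttributeError on int/None, ValueError on text
    return Response(201, {"ssn_last4": str(digits)[-4:]})


def hardened_create(payload: dict) -> Response:
    """Hypothetical hardened handler: validate first, answer 400 with a terse reason."""
    reason = validate_ssn(payload.get("ssn"))
    if reason is not None:
        return Response(400, {"error": reason})
    return Response(201, {"ssn_last4": payload["ssn"][-4:]})


def call(handler, payload: dict) -> Response:
    """Simulated framework: an unhandled exception becomes a 500 with the trace in the body."""
    try:
        return handler(payload)
    except Exception as exc:  # noqa: BLE001 - deliberately broad, mimics a debug error page
        return Response(500, {"error": f"Traceback (most recent call last): ... {exc!r}"})


def find_trace_leaks(handler) -> list:
    """Names of payloads for which the handler leaked an exception trace (the issue's Validation step)."""
    leaks = []
    for name, value in ISSUE_PAYLOADS:
        resp = call(handler, {"ssn": value})
        if resp.status >= 500 or "Traceback" in str(resp.body):
            leaks.append(name)
    return leaks


def find_invalid_accepts(handler) -> list:
    """Names of payloads the handler accepted (2xx) even though the SSN is invalid."""
    accepted = []
    for name, value in ISSUE_PAYLOADS:
        resp = call(handler, {"ssn": value})
        if 200 <= resp.status < 300 and validate_ssn(value) is not None:
            accepted.append(name)
    return accepted


if __name__ == "__main__":
    print("unsafe leaks:", find_trace_leaks(unsafe_create))
    print("unsafe accepts invalid:", find_invalid_accepts(unsafe_create))
    print("hardened leaks:", find_trace_leaks(hardened_create))
```

Two findings fall out of the same payload set: `find_trace_leaks` is the check the issue asks for (exception trace in the response), while `find_invalid_accepts` catches the case the issue title names, an object created with a syntactically parseable but non-issuable SSN, which the naive handler accepts with 201 because `int()` succeeds. The hardened handler produces neither finding; it returns 400 with a one-line reason and no stack trace, which is also why the thread's later suggestion to validate on a 2xx rather than a 4xx response matters for the template.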

Hi, please assign me this issue.

sivangbagri avatar Oct 12 '23 16:10 sivangbagri

Hello, can you assign me this issue?

mahimarohila avatar Oct 17 '23 15:10 mahimarohila

I have made the PR https://github.com/akto-api-security/tests-library/pull/24

sivangbagri avatar Oct 18 '23 12:10 sivangbagri

@sivangbagri your test template is invalid. Please run your template on an API and see if it works before making a PR.

avneesh-akto avatar Oct 19 '23 06:10 avneesh-akto

@avneesh-akto Hi, I have made the necessary changes, kindly check https://github.com/akto-api-security/tests-library/pull/24/commits/669f2f07a63f81ab781496751ab5adac4b1284e0

sivangbagri avatar Oct 23 '23 17:10 sivangbagri

Hi please assign me with this issue.

saitejavarma-7 avatar Oct 25 '23 02:10 saitejavarma-7

@sivangbagri your template still seems invalid. Request header is nested inside query params in api_selection_filter. Also you should detect and modify in the request payload too. Please run the template on a sample API before submitting any PR, else you will get banned.

avneesh-akto avatar Oct 25 '23 06:10 avneesh-akto

@saitejavarma-7 I have assigned it to you too. Happy hacking

avneesh-akto avatar Oct 25 '23 06:10 avneesh-akto

@avneesh-akto https://github.com/akto-api-security/tests-library/pull/24/commits/4c883b9d3b890bb1438002feea08e9068b77d496

sivangbagri avatar Oct 27 '23 06:10 sivangbagri

Hey.. still invalid. Your logic requires SSN or UPI id to be present in query, headers AND body param. Instead it should be an OR. Please refer to the CSRF test by removing csrf token test for more info.

avneesh-akto avatar Oct 27 '23 10:10 avneesh-akto

What is the logic for response_code: gte: 400? Shouldn't you check if it returns 2xx?

avneesh-akto avatar Oct 30 '23 10:10 avneesh-akto

https://github.com/akto-api-security/tests-library/pull/24 @ankush-jain-akto @avneesh-akto

sivangbagri avatar Oct 31 '23 13:10 sivangbagri

Hi @sivangbagri can you please rebase to develop. This looks good.

ankush-jain-akto avatar Nov 01 '23 02:11 ankush-jain-akto

Hi @sivangbagri, please fill out this form here so we can send you Akto swags. Will let you know ETA of swags soon, thanks for your contribution! 🚀

RaagaAkto avatar Jan 30 '24 09:01 RaagaAkto

Hi @sivangbagri, we've received your details, swags should reach you in a month!

RaagaAkto avatar Feb 02 '24 03:02 RaagaAkto