CSbyGB - Pentips

Vampi


Last updated 1 year ago

General info, Get it and deploy it

Infos

List of Vulnerabilities

This is the list from the documentation (screenshot on the original page). To keep track, I will tick each item off every time I find it.

Deploy it

To deploy it I used Docker; the container publishes the API on port 5000 of the host, so it is reachable at http://127.0.0.1:5000:

  • docker run -p 5000:5000 erev0s/vampi:latest

Use the Swagger editor: open it in your browser and load the API specification. Get the yaml on your local machine from the official repo, or wget https://raw.githubusercontent.com/erev0s/VAmPI/master/openapi_specs/openapi3.yml. You can then play with the requests directly in the browser and get the full list of endpoints.

Hack it

  • The first thing we would usually do is enumerate a little; however, we have the documentation here, so that seems enough for now. We can dive in.

  • Launch Burp or ZAP (I will be using Burp).

  • I am going to look around a little and then try to exploit the vulnerabilities mentioned in the list from the doc (pasted above).

If we access http://127.0.0.1:5000/ we get the landing page (screenshot).

The database already contains some data, but let's still issue the request that creates the db (/createdb), just to see what happens.

Create a user

We can do this with a POST request to the endpoint /users/v1/register.

Vulnerability: Create an admin user = Mass assignment

We are not supposed to be able to create an admin user, but if we use the previous endpoint and add the parameter "admin": true to the JSON body, the user is created with admin rights. The server binds every field of the request body onto the user model instead of only the fields it expects: this is mass assignment.

We can see that our user is indeed created, and flagged as admin.
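To make the root cause concrete, here is an added example written for this page (it is not VAmPI's code): a register handler that binds the whole JSON body onto the model, next to a hardened one that only copies an allowlist of fields and never lets the client set a privilege flag. Only "admin": true comes from the page; the other field names in the request body are assumptions.

```python
"""Mass assignment on /users/v1/register: vulnerable vs hardened handler.

Added illustration for this writeup, not VAmPI's own implementation.
"""
from dataclasses import dataclass


@dataclass
class User:
    username: str
    password: str
    email: str
    admin: bool = False   # privilege flag the client must never control


# The body an attacker sends. "admin": true is the payload from the page;
# the remaining keys are assumed for the sake of the example.
ATTACKER_BODY = {
    "username": "csbygb",
    "password": "Winter2024!",
    "email": "csbygb@example.com",
    "admin": True,
}


def register_vulnerable(body: dict) -> User:
    """Binds every key of the JSON document onto the model: mass assignment."""
    return User(**body)


ALLOWED_FIELDS = ("username", "password", "email")


def register_hardened(body: dict) -> User:
    """Copies only allowlisted fields; anything else is rejected, not ignored.

    Failing closed (instead of silently dropping unknown keys) also gives you a
    log line worth alerting on: nobody sends "admin" by accident.
    """
    unexpected = set(body) - set(ALLOWED_FIELDS)
    if unexpected:
        raise ValueError(f"unexpected fields in register body: {sorted(unexpected)}")
    return User(**{key: body[key] for key in ALLOWED_FIELDS})


if __name__ == "__main__":
    print(register_vulnerable(ATTACKER_BODY))      # admin=True: privilege escalation
    try:
        register_hardened(ATTACKER_BODY)
    except ValueError as err:
        print("hardened handler rejected it:", err)
```

The same allowlist idea applies whatever the framework: deserialise into a request schema that only knows the public fields, then build the model server-side.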

Login

Once we have created a user we can use it to log in by issuing a POST request to /users/v1/login. In return we get a token.

Then, whenever we need to do something as a logged-in user, we just have to put the token we received in the request header like this:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MDQ3Mjc3NDgsImlhdCI6MTcwNDcyNzY4OCwic3ViIjoiY3NieWdiIn0.OyXjErURxhzD62lZpmRaHmvONniGZyjq6KlTQoq6fqs
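A JWT is only base64url-encoded, so the token above can be read without the signing key. The following added example (not part of the original page) decodes the header and claims of that exact token and computes its lifetime; the only assumption is that you use the result for inspection, since nothing here verifies the signature.

```python
"""Inspect the Bearer token VAmPI hands out, without verifying it.

Added example for this writeup. The token is the one printed on the page.
"""
import base64
import json

TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJleHAiOjE3MDQ3Mjc3NDgsImlhdCI6MTcwNDcyNzY4OCwic3ViIjoiY3NieWdiIn0."
         "OyXjErURxhzD62lZpmRaHmvONniGZyjq6KlTQoq6fqs")


def _b64url_decode(segment: str) -> bytes:
    # base64url drops the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> tuple:
    """Return (header, claims) WITHOUT checking the signature.

    Good for reading what the server put in the token; it proves nothing
    about whether the token is genuine.
    """
    header_b64, claims_b64, _signature_b64 = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(claims_b64)))


def token_lifetime_seconds(token: str) -> int:
    """How long the token was issued for: exp - iat."""
    _, claims = decode_jwt_unverified(token)
    return claims["exp"] - claims["iat"]


def auth_header(token: str) -> dict:
    """The header to attach to every authenticated VAmPI request."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    header, claims = decode_jwt_unverified(TOKEN)
    print(header)   # {'alg': 'HS256', 'typ': 'JWT'}
    print(claims)   # {'exp': 1704727748, 'iat': 1704727688, 'sub': 'csbygb'}
    print("valid for", token_lifetime_seconds(TOKEN), "seconds")
```

Two things worth noticing for the rest of the test: the `sub` claim is the plain username, which is what the API will use to decide who you are, and the token only lives 60 seconds, so expect to log in again often while replaying requests from Burp.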

Vulnerability: Excessive Data Exposure through debug endpoint

We have a request to list the users, and an even more interesting one, /users/v1/_debug, that also returns the users' passwords. This is definitely excessive data exposure, and a debug endpoint that should never reach production.

User enumeration

When trying to log in with a non-existent user we get the response "Username does not exist".

Another way to enumerate users is to look up a specific user with a GET request to /users/v1/{username}.

  • When the user exists we get this:

  • When it does not, we get this:

Password enumeration

The application tells us whether a password is correct or not for a given user. Combined with the user enumeration above, this is very helpful for brute-force attacks.

If we try to log in with an existing user but a wrong password, we get the specific message "Password is not correct for the given username.".

Unauthorized Password Change

By issuing a PUT request to /users/v1/<username>/password we can change our own password. But can we change another user's password? Let's try to change the password of the admin user with the token of csbygb, a non-admin user. It works!

  • Request to change the password of admin with csbygb's token

  • The password of admin has changed

SQL Injection

If we add a single quote to the request that fetches a user (here /users/v1/John.Doe') we get an SQL error:

sqlalchemy.exc.OperationalError: (sqlite3.OperationalError) unrecognized token: "'John.Doe''"
[SQL: SELECT * FROM users WHERE username = 'John.Doe'']
(Background on this error at: https://sqlalche.me/e/20/e3q8)

  • So we now know two things: the database is SQLite, and the username is concatenated straight into the query text. At this point we can hand it to sqlmap, which will dump the database (the * marks the injection point): sqlmap -u "http://localhost:5000/users/v1/csbygb*" --dbms=sqlite --dump
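To see exactly what that error means, here is an added example (not VAmPI's code) that reproduces the bug against an in-memory SQLite database: the vulnerable lookup formats the username into the SQL text, just like the query in the error above, while the fixed one binds it as a parameter. The table layout and rows are constructed for the example and only shaped after the error message, not taken from VAmPI's schema.

```python
"""SQL injection in a username lookup, reproduced against in-memory SQLite.

Added example for this writeup; schema and rows are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, admin INTEGER);
INSERT INTO users (username, password, admin) VALUES
  ('admin', 'pass1', 1), ('John.Doe', 'pass2', 0), ('csbygb', 'pass3', 0);
"""


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String formatting: the same shape as the query in the SQLAlchemy error."""
    sql = f"SELECT * FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: a quote in the username is data, never SQL."""
    return conn.execute("SELECT * FROM users WHERE username = ?", (username,)).fetchall()


def probe(conn: sqlite3.Connection, username: str) -> str:
    """What the pentester sees when sending John.Doe' to the vulnerable lookup."""
    try:
        lookup_vulnerable(conn, username)
        return "no error"
    except sqlite3.OperationalError as err:
        return str(err)


if __name__ == "__main__":
    conn = new_db()
    print(probe(conn, "John.Doe'"))                     # unrecognized token: "'John.Doe''"
    print(lookup_vulnerable(conn, "x' OR '1'='1"))      # every row, passwords included
    print(lookup_parameterized(conn, "x' OR '1'='1"))   # []
```

The boolean payload already leaks every row of the users table; sqlmap automates the same idea (plus UNION and blind techniques) to enumerate the other tables.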

Vulnerability: BOLA

We can read books that do not belong to us. The endpoint /books/v1/{book-title} uses the book title as the identifier and only checks that we are logged in, not that we own the book.

So here with the token of my user csbygb I am able to access a book that belongs to the user name1.
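Both the unauthorized password change and this BOLA have the same root cause: the handler checks that the caller holds a valid token but never compares the token's subject with the owner of the object being touched. The added example below (written for this page, not VAmPI's code) shows a vulnerable and a fixed version of each handler; the in-memory users, the book record and the use of the JWT `sub` claim as the caller identity are assumptions.

```python
"""Object-level authorization on /users/v1/<username>/password and
/books/v1/<book_title>: vulnerable handlers next to fixed ones.

Added example for this writeup; data and handlers are constructed.
"""

# Constructed state: who owns what.  `caller` below is the token's sub claim.
USERS = {
    "admin":  {"password": "admin-pass",  "admin": True},
    "csbygb": {"password": "csbygb-pass", "admin": False},
    "name1":  {"password": "name1-pass",  "admin": False},
}
BOOKS = {"bookTitle77": {"owner": "name1", "secret": "the secret of name1"}}


class Forbidden(Exception):
    pass


def change_password_vulnerable(caller: str, target: str, new_password: str) -> None:
    """Only checks that the caller is *some* authenticated user."""
    USERS[target]["password"] = new_password


def change_password_fixed(caller: str, target: str, new_password: str) -> None:
    """Object-level check: only your own password, unless you are an admin."""
    if caller != target and not USERS[caller]["admin"]:
        raise Forbidden(f"{caller} may not change the password of {target}")
    USERS[target]["password"] = new_password


def get_book_vulnerable(caller: str, title: str) -> dict:
    """Looks the book up by title and returns it to any authenticated user."""
    return BOOKS[title]


def get_book_fixed(caller: str, title: str) -> dict:
    """Scope the lookup to the caller's own objects, not just to the identifier."""
    book = BOOKS.get(title)
    if book is None or book["owner"] != caller:
        # Same answer for "not yours" and "does not exist": no enumeration hint.
        raise Forbidden("book not found")
    return book


if __name__ == "__main__":
    change_password_vulnerable("csbygb", "admin", "pwned")
    print("admin password is now:", USERS["admin"]["password"])
    print("name1's secret read by csbygb:", get_book_vulnerable("csbygb", "bookTitle77")["secret"])
    for attempt in (lambda: change_password_fixed("csbygb", "admin", "pwned-again"),
                    lambda: get_book_fixed("csbygb", "bookTitle77")):
        try:
            attempt()
        except Forbidden as err:
            print("fixed handler blocked it:", err)
```

The test for this class of bug is always the same: take a valid low-privilege token and replay every request that carries an identifier (username, title, numeric id) against an object you do not own.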

Lack of Resources & Rate Limiting

Here we are able to send a lot of requests without being blocked in any way by the application. For example, we can send plenty of requests to brute-force the login. I am going to use Burp (Pro version) Intruder for this: I send the login request to Intruder and set payload positions on the username and the password.

So here we were able to send more than 800 requests without being blocked.
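The three findings above (user enumeration, password enumeration, no rate limiting) chain into one attack: the distinct error messages are an oracle, and nothing stops us from querying it thousands of times. The added example below (written for this page, not VAmPI's code) turns the two messages quoted above into a classifier and runs a two-stage attack, first confirming usernames, then brute-forcing only the confirmed ones. The transport is a constructed stand-in so the code runs offline; the status codes, the success message and the user base are assumptions.

```python
"""Login oracle + brute force when the API has no rate limiting.

Added example for this writeup. Only the two failure messages come from the
page; FakeApi and its users are constructed.
"""
from typing import Callable, Dict, Iterable, List

# Messages observed on the page.
MSG_NO_USER = "Username does not exist"
MSG_BAD_PASSWORD = "Password is not correct for the given username."


def classify(message: str) -> str:
    """Map a /users/v1/login response message to what it leaks."""
    if message == MSG_NO_USER:
        return "no_such_user"
    if message == MSG_BAD_PASSWORD:
        return "wrong_password"   # the username is confirmed to exist
    return "success"


def enumerate_users(send: Callable[[str, str], str], candidates: Iterable[str]) -> List[str]:
    """Confirm which usernames exist with a junk password: one request each."""
    return [u for u in candidates if classify(send(u, "not-the-password")) != "no_such_user"]


def brute_force(send: Callable[[str, str], str], users: Iterable[str],
                passwords: Iterable[str]) -> Dict[str, str]:
    """Try every (user, password) pair; nothing in the API ever blocks us."""
    found = {}
    for user in users:
        for password in passwords:
            if classify(send(user, password)) == "success":
                found[user] = password
                break
    return found


class FakeApi:
    """Constructed stand-in for the login endpoint, behaving as the page describes."""

    _DB = {"admin": "password123", "name1": "Summer2024", "csbygb": "letmein"}

    def __init__(self) -> None:
        self.calls = 0   # count how many requests got through unblocked

    def send(self, username: str, password: str) -> str:
        self.calls += 1
        if username not in self._DB:
            return MSG_NO_USER
        if self._DB[username] != password:
            return MSG_BAD_PASSWORD
        return "Successfully logged in."   # assumed success message


if __name__ == "__main__":
    api = FakeApi()
    live = enumerate_users(api.send, ["root", "admin", "john", "name1"])
    print("valid users:", live)
    print("cracked:", brute_force(api.send, live, ["123456", "password123", "Summer2024"]))
    print("requests sent without any lockout:", api.calls)
```

The fix is two-fold: return one generic "invalid credentials" message for both failure cases, and throttle or lock out after a handful of failures per account and per source IP.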

ReDoS

So we can try one of the regexes provided in the OWASP document on the endpoint /users/v1/{username}/email: a PUT request there is supposed to update our email address (we need to be logged in for this). With that request we were able to trigger the vulnerability and DoS the application.

Avoid doing this in a real engagement unless it is explicitly requested and authorised by your customer: with this type of attack you are actually impacting the availability of the application.
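To see why one crafted email address can take the whole API down, here is an added example (constructed for this page; VAmPI's own email regex is not reproduced here) with a pattern that has a nested quantifier next to a linear-time alternative with a length cap. The evil input is a run of letters followed by a character that can never match, which forces the backtracking engine to try every way of splitting the run before giving up.

```python
"""Regular-expression denial of service on an email check, vulnerable vs safe.

Added example for this writeup; pattern and inputs are constructed.
"""
import re
import time

# Nested quantifier: (\w+)+ re-partitions the run of letters in exponentially
# many ways before it can conclude that '!' will never match '@'.
EVIL_EMAIL_RE = re.compile(r"^(\w+)+@\w+\.\w+$")

# Linear-time alternative: no nested quantifiers, plus a hard length cap
# applied before the regex ever runs.
SAFE_EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$")
MAX_EMAIL_LEN = 254


def evil_input(n: int) -> str:
    """n letters followed by a character that cannot match the pattern."""
    return "a" * n + "!"


def is_email_vulnerable(value: str) -> bool:
    return EVIL_EMAIL_RE.fullmatch(value) is not None


def is_email_safe(value: str) -> bool:
    if len(value) > MAX_EMAIL_LEN:
        return False
    return SAFE_EMAIL_RE.fullmatch(value) is not None


def time_match(check, value: str) -> float:
    """Seconds spent in one check; use it to watch the work double per letter."""
    start = time.perf_counter()
    check(value)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Keep n small: the vulnerable check roughly doubles per extra letter,
    # and a few letters more is enough to pin a worker for minutes.
    for n in (10, 14, 18):
        print(f"n={n}: vulnerable {time_match(is_email_vulnerable, evil_input(n)):.4f}s, "
              f"safe {time_match(is_email_safe, evil_input(n)):.6f}s")
```

When you do test this on a target, start with a short input and grow it one character at a time while watching response time; you want to prove the exponential growth, not to take the service down.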

Resources

  • Official repo: https://github.com/erev0s/VAmPI
  • OWASP API Security Top 10 - 2023

ReDoS - Resources

  • The Regular Expression Denial of Service (ReDoS) cheat-sheet - James Davis
  • ReDoS on OWASP
  • Regular expression Denial of Service - ReDoS - Hacktricks