Get the yaml in your local machine from here or wget https://raw.githubusercontent.com/erev0s/VAmPI/master/openapi_specs/openapi3.yml
Then you can play in the browser with the request and you get a full list of requests
Hack it
First thing we would usually do is to enumerate a little, however, we do have the doc here so it seems to be enough for now. We can dive in.
Launch burp or zap (I will be using burp)
I am going to look around a little and then try to exploit the vulnerabilities mentionned in the list from the doc (that I pasted above)
If we access http://127.0.0.1:5000/ we get this page
Home page
We already have some data but let's still try the request to create the db just to see what happens.
createdb
Create a user
We can do this with a post request on the endpoint /users/v1/register
Creat a user
Vulnerability: Create an admin user = Mass assignment
We are not suppose to be able to create an admin user but if we use the previous endpoint but add in the json the parameter "admin": true, we are able to create our admin user.
Create admin user
We can see that our user is indeed created.
Admin user created
Login
Once we created a user we can use it to login by issuing a post request on this endpoint /users/v1/login. This way, we will get a token.
login
Then when we will need to do something with a logged in user we will just have to specify the token we just got like this in our request header:
Vulnerability: Excessive Data Exposure through debug endpoint
We have a request to list the users and we have an even more interesting request /users/v1/_debug that gives also the users passwords.
So this is definitely excessive data exposure
users debug
User enumeration
When trying to login with a non existent user we have the response "Username does not exist".
user does not exist
Another way to enumerate user is to try to find a specific user using the endpoint /users/v1/{username} with a get request.
When a user exists we get this
user exists
When it does not we get this:
user does not exist
Password enumeration
We have a way of knowing if a password is correct or not. This vulnerability is really helpful for bruteforce attacks.
If we try to login with an existing user but with a wrong password, we get a specific message "Password is not correct for the given username.".
password enumeration
Unauthorized Password Change
When issuing a PUT request on this endpoint, we can change our password /users/v1/<username>/password.
But can we change another user password.
Let's try to change the password of admin user with my token of the csbygb non admin user.
It works!
Request to change the password of admin with csbygb user's token
change password of another user
The password of admin has changed
admin user's password changed
SQL Injection
If we add a quote in the request to get the users we get a sql error
SQL error
So here we know now that the database is sqlite At this point we can continue with sqlmap and this will dump the db sqlmap -u http://localhost:5000/users/v1/csbygb* --dbms=sqlite --dump
Dumped database
Vulnerability: BOLA
We can find books that do not belong to us. Using the book title as the ID with this endpoint /books/v1/{book-title}
So here with the token of my user csbygb I am able to access a book that belongs to the user name1.
bola
Lack of Resources & Rate Limiting
Here we are able to send a lot of request without being blocked in anyway by the application.
For example we can send plenty of requests to bruteforce the login.
I am going to use burp (pro version) intruder for this. I send the login request to the intruder, I set up variables on username and password.
set variables
So here we were able to send more than 800 request without being blocked
no rate limiting
ReDos
For the reference of this vulnerability on OWASP, you can find it here
So we could try one of the regex provided in the OWASP document.
We could try this on this endpoint /users/v1/{username}/email if we issue a put request here we are suppose to be able to update our email address.
We need to be logged in for this.
Using this request we were able to trigger the vulnerability and dos the application.
Denial of service
Avoid to do this in real context except if it is a request or if you have the authorization of you customer. With these types of attack you are actually impacting the availability of the application.
sqlalchemy.exc.OperationalError: (sqlite3.OperationalError) unrecognized token: "'John.Doe''"
[SQL: SELECT * FROM users WHERE username = 'John.Doe'']
(Background on this error at: https://sqlalche.me/e/20/e3q8)
