Vampi

General info, Get it and deploy it

• Official repo

Infos

List of Vulnerabilities

This is the list from the documentation To keep track, I will check everytime I find one

• SQLi Injection

• Unauthorized Password Change

• Broken Object Level Authorization

• Mass Assignment

• Excessive Data Exposure through debug endpoint

• User and Password Enumeration

• RegexDOS (Denial of Service)

• Lack of Resources & Rate Limiting

Deploy it

To deploy it I used Docker

• docker run -p 5000:5000 erev0s/vampi:latest

Deployed

Use Swagger editor

• Go here

• Get the yaml in your local machine from here or wget https://raw.githubusercontent.com/erev0s/VAmPI/master/openapi_specs/openapi3.yml

• Then you can play in the browser with the request and you get a full list of requests

Hack it

• First thing we would usually do is to enumerate a little, however, we do have the doc here so it seems to be enough for now. We can dive in.

• Launch burp or zap (I will be using burp)

• I am going to look around a little and then try to exploit the vulnerabilities mentionned in the list from the doc (that I pasted above)

If we access http://127.0.0.1:5000/ we get this page

Home page

We already have some data but let's still try the request to create the db just to see what happens.

createdb

Create a user

We can do this with a post request on the endpoint /users/v1/register

Creat a user

Vulnerability: Create an admin user = Mass assignment

We are not suppose to be able to create an admin user but if we use the previous endpoint but add in the json the parameter "admin": true, we are able to create our admin user.

Create admin user

We can see that our user is indeed created.

Admin user created

Login

Once we created a user we can use it to login by issuing a post request on this endpoint /users/v1/login. This way, we will get a token.

login

Then when we will need to do something with a logged in user we will just have to specify the token we just got like this in our request header:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MDQ3Mjc3NDgsImlhdCI6MTcwNDcyNzY4OCwic3ViIjoiY3NieWdiIn0.OyXjErURxhzD62lZpmRaHmvONniGZyjq6KlTQoq6fqs

Vulnerability: Excessive Data Exposure through debug endpoint

We have a request to list the users and we have an even more interesting request /users/v1/_debug that gives also the users passwords. So this is definitely excessive data exposure

users debug

User enumeration

When trying to login with a non existent user we have the response "Username does not exist".

user does not exist

Another way to enumerate user is to try to find a specific user using the endpoint /users/v1/{username} with a get request.

• When a user exists we get this

user exists

• When it does not we get this:

user does not exist

Password enumeration

We have a way of knowing if a password is correct or not. This vulnerability is really helpful for bruteforce attacks.

If we try to login with an existing user but with a wrong password, we get a specific message "Password is not correct for the given username.".

password enumeration

Unauthorized Password Change

When issuing a PUT request on this endpoint, we can change our password /users/v1/<username>/password. But can we change another user password. Let's try to change the password of admin user with my token of the csbygb non admin user. It works!

• Request to change the password of admin with csbygb user's token

change password of another user

• The password of admin has changed

admin user's password changed

SQL Injection

If we add a quote in the request to get the users we get a sql error

SQL error

sqlalchemy.exc.OperationalError: (sqlite3.OperationalError) unrecognized token: "'John.Doe''"
[SQL: SELECT * FROM users WHERE username = 'John.Doe'']
(Background on this error at: https://sqlalche.me/e/20/e3q8)

• So here we know now that the database is sqlite At this point we can continue with sqlmap and this will dump the db sqlmap -u http://localhost:5000/users/v1/csbygb* --dbms=sqlite --dump

Dumped database

Vulnerability: BOLA

We can find books that do not belong to us. Using the book title as the ID with this endpoint /books/v1/{book-title}

So here with the token of my user csbygb I am able to access a book that belongs to the user name1.

bola

Lack of Resources & Rate Limiting

Here we are able to send a lot of request without being blocked in anyway by the application. For example we can send plenty of requests to bruteforce the login. I am going to use burp (pro version) intruder for this. I send the login request to the intruder, I set up variables on username and password.

set variables

So here we were able to send more than 800 request without being blocked

no rate limiting

ReDos

For the reference of this vulnerability on OWASP, you can find it here

So we could try one of the regex provided in the OWASP document. We could try this on this endpoint /users/v1/{username}/email if we issue a put request here we are suppose to be able to update our email address. We need to be logged in for this. Using this request we were able to trigger the vulnerability and dos the application.

Denial of service

Avoid to do this in real context except if it is a request or if you have the authorization of you customer. With these types of attack you are actually impacting the availability of the application.

Resources

• OWASP API Securiy TOP 10 - 2023

ReDos - Resources

• The Regular Expression Denial of Service (ReDoS) cheat-sheet - James Davis

• ReDos on OWASP

• Regular expression Denial of Service - ReDoS - Hacktricks