General info, Get it and deploy it


List of Vulnerabilities

This is the list from the documentation To keep track, I will check everytime I find one

Deploy it

To deploy it I used Docker

  • docker run -p 5000:5000 erev0s/vampi:latest

Use Swagger editor

  • Go here

  • Get the yaml in your local machine from here or wget

Hack it

  • First thing we would usually do is to enumerate a little, however, we do have the doc here so it seems to be enough for now. We can dive in.

  • Launch burp or zap (I will be using burp)

  • I am going to look around a little and then try to exploit the vulnerabilities mentionned in the list from the doc (that I pasted above)

If we access we get this page

We already have some data but let's still try the request to create the db just to see what happens.

Create a user

We can do this with a post request on the endpoint /users/v1/register

Vulnerability: Create an admin user = Mass assignment

We are not suppose to be able to create an admin user but if we use the previous endpoint but add in the json the parameter "admin": true, we are able to create our admin user.

We can see that our user is indeed created.


Once we created a user we can use it to login by issuing a post request on this endpoint /users/v1/login. This way, we will get a token.

Then when we will need to do something with a logged in user we will just have to specify the token we just got like this in our request header:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MDQ3Mjc3NDgsImlhdCI6MTcwNDcyNzY4OCwic3ViIjoiY3NieWdiIn0.OyXjErURxhzD62lZpmRaHmvONniGZyjq6KlTQoq6fqs

Vulnerability: Excessive Data Exposure through debug endpoint

We have a request to list the users and we have an even more interesting request /users/v1/_debug that gives also the users passwords. So this is definitely excessive data exposure

User enumeration

When trying to login with a non existent user we have the response "Username does not exist".

Another way to enumerate user is to try to find a specific user using the endpoint /users/v1/{username} with a get request.

  • When a user exists we get this

  • When it does not we get this:

Password enumeration

We have a way of knowing if a password is correct or not. This vulnerability is really helpful for bruteforce attacks.

If we try to login with an existing user but with a wrong password, we get a specific message "Password is not correct for the given username.".

Unauthorized Password Change

When issuing a PUT request on this endpoint, we can change our password /users/v1/<username>/password. But can we change another user password. Let's try to change the password of admin user with my token of the csbygb non admin user. It works!

  • Request to change the password of admin with csbygb user's token

  • The password of admin has changed

SQL Injection

If we add a quote in the request to get the users we get a sql error

sqlalchemy.exc.OperationalError: (sqlite3.OperationalError) unrecognized token: "'John.Doe''"
[SQL: SELECT * FROM users WHERE username = 'John.Doe'']
(Background on this error at:
  • So here we know now that the database is sqlite At this point we can continue with sqlmap and this will dump the db sqlmap -u http://localhost:5000/users/v1/csbygb* --dbms=sqlite --dump

Vulnerability: BOLA

We can find books that do not belong to us. Using the book title as the ID with this endpoint /books/v1/{book-title}

So here with the token of my user csbygb I am able to access a book that belongs to the user name1.

Lack of Resources & Rate Limiting

Here we are able to send a lot of request without being blocked in anyway by the application. For example we can send plenty of requests to bruteforce the login. I am going to use burp (pro version) intruder for this. I send the login request to the intruder, I set up variables on username and password.

So here we were able to send more than 800 request without being blocked


For the reference of this vulnerability on OWASP, you can find it here

So we could try one of the regex provided in the OWASP document. We could try this on this endpoint /users/v1/{username}/email if we issue a put request here we are suppose to be able to update our email address. We need to be logged in for this. Using this request we were able to trigger the vulnerability and dos the application.

Avoid to do this in real context except if it is a request or if you have the authorization of you customer. With these types of attack you are actually impacting the availability of the application.


ReDos - Resources

Last updated