# Vampi

## General info, Get it and deploy it

* [Official repo](https://github.com/erev0s/VAmPI)

### Info

#### List of Vulnerabilities

> This is the list from the documentation\
> To keep track, I will tick each one off as I find it

* [x] SQLi Injection
* [x] Unauthorized Password Change
* [x] Broken Object Level Authorization
* [x] Mass Assignment
* [x] Excessive Data Exposure through debug endpoint
* [x] User and Password Enumeration
* [x] RegexDOS (Denial of Service)
* [x] Lack of Resources & Rate Limiting

### Deploy it

To deploy it I used Docker:

* `docker run -p 5000:5000 erev0s/vampi:latest`

![Deployed](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-2f048234d1435c0ac4d90db0abc26edffb5d1c73%2F2024-01-08-07-47-09.png?alt=media)

#### Use Swagger editor

* Go [here](https://editor.swagger.io/)
* Get the yaml in your local machine from [here](https://github.com/erev0s/VAmPI/blob/master/openapi_specs/openapi3.yml) or `wget https://raw.githubusercontent.com/erev0s/VAmPI/master/openapi_specs/openapi3.yml`
* Then you can play with the requests in the browser, and the editor gives you the full list of endpoints\
  ![swagger editor](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-e5218084674e5b0b49ee02fd01e54f611134bf22%2F2024-01-08-08-00-16.png?alt=media)

## Hack it

* The first thing we would usually do is enumerate a little; however, we have the documentation here, so that seems to be enough for now. We can dive in.
* Launch Burp or ZAP (I will be using Burp).
* I am going to look around a little and then try to exploit the vulnerabilities mentioned in the list from the documentation (pasted above).

If we access <http://127.0.0.1:5000/> we get this page

![Home page](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-beb97de496fa4a6f36241032b9f0025b120dbb17%2F2024-01-08-07-51-04.png?alt=media)

We already have some data, but let's still try the request that creates the database, just to see what happens.

![createdb](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-084f996d115325b46906fb89a4a531a1128faa9b%2F2024-01-08-08-51-49.png?alt=media)

### Create a user

We can do this with a POST request on the endpoint `/users/v1/register`.

![Create a user](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-591908c0d813ffc002dfeafd9bcdd76bec78d886%2F2024-01-08-09-21-11.png?alt=media)

### Vulnerability: Create an admin user = Mass assignment

We are not supposed to be able to create an admin user, but if we use the previous endpoint and add the parameter `"admin": true,` to the JSON body, we are able to create our admin user.

![Create admin user](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-cb6ecbb53414da37881391e49a9855d02eb2cbda%2F2024-01-08-09-24-31.png?alt=media)

We can see that our user is indeed created.

![Admin user created](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-b93f5fb5e59397800d24ef3bb20c08c0d9dd8892%2F2024-01-08-10-10-24.png?alt=media)
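The same field-handling mistake and its fix, as an added example that is not VAmPI's own code: the first handler copies every JSON key into the user record, the second only accepts an allowlist. The in-memory `users` store and the field names are assumptions for the demo.

```python
# Added example, not VAmPI's own code: a registration handler that copies every
# JSON field into the user record, next to one that only accepts an allowlist.
# The in-memory `users` store and the field names are assumptions for the demo;
# password hashing is left out to keep the contrast on field handling.
from typing import Any, Dict

ALLOWED_FIELDS = {"username", "password", "email"}


def register_vulnerable(payload: Dict[str, Any], users: Dict[str, dict]) -> dict:
    """Mass assignment: every key the client sends lands in the record, so
    {"admin": true} in the body silently creates an administrator."""
    record = {"admin": False}      # the intended default...
    record.update(payload)         # ...overridden by client-controlled keys
    users[record["username"]] = record
    return record


def register_hardened(payload: Dict[str, Any], users: Dict[str, dict]) -> dict:
    """Allowlist fix: unknown keys are rejected with an error (not silently
    dropped, so a client probing for hidden fields gets a clear 400) and the
    privilege flag is only ever set server-side."""
    unknown = set(payload) - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"unexpected field(s): {sorted(unknown)}")
    missing = ALLOWED_FIELDS - set(payload)
    if missing:
        raise ValueError(f"missing field(s): {sorted(missing)}")
    record = {k: payload[k] for k in ALLOWED_FIELDS}
    record["admin"] = False        # never derived from the request body
    users[record["username"]] = record
    return record


if __name__ == "__main__":
    # Constructed body mirroring the write-up: a normal registration with "admin": true added.
    body = {"username": "csbygb", "password": "pw", "email": "c@example.com", "admin": True}
    print(register_vulnerable(body, {})["admin"])      # True: privilege escalated
    try:
        register_hardened(body, {})
    except ValueError as err:
        print("rejected:", err)                        # rejected: unexpected field(s): ['admin']
```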

### Login

Once we have created a user, we can use it to log in by issuing a POST request on the endpoint `/users/v1/login`. This gives us a token.

![login](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-060ea626700f3e20548f1bfc102a36cbf228a819%2F2024-01-08-10-29-19.png?alt=media)

Then, whenever we need to do something as a logged-in user, we just have to pass the token we got in the request header like this:

```http
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MDQ3Mjc3NDgsImlhdCI6MTcwNDcyNzY4OCwic3ViIjoiY3NieWdiIn0.OyXjErURxhzD62lZpmRaHmvONniGZyjq6KlTQoq6fqs
```

### Vulnerability: Excessive Data Exposure through debug endpoint

We have a request to list the users, and an even more interesting one, `/users/v1/_debug`, that also returns the users' passwords.\
So this is definitely excessive data exposure.

![users debug](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-c23e835471bf39ea43b7dc79bc28e3361dc997b8%2F2024-01-08-08-58-31.png?alt=media)

### User enumeration

When trying to log in with a non-existent user, we get the response "Username does not exist".

![user does not exist](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-bb08e8b752e0a4b91090524d9e3a7a7f7ca2ece5%2F2024-01-08-09-29-46.png?alt=media)

Another way to enumerate users is to look up a specific user with a GET request on the endpoint `/users/v1/{username}`.

* When a user exists we get this:

![user exists](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-cc3576ba0e3ea492349c63abb30d293ae0b10256%2F2024-01-08-10-43-56.png?alt=media)

* When it does not we get this:

![user does not exist](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-6252999166df35b7fe1aa60262fd700d138c340e%2F2024-01-08-10-44-46.png?alt=media)

### Password enumeration

We have a way of knowing whether a password is correct or not. This vulnerability is really helpful for brute-force attacks.

If we try to log in with an existing user but a wrong password, we get a specific message: "Password is not correct for the given username.".

![password enumeration](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-d10d18176d5381e02bc993cdd6eb8d0ea5da1fd1%2F2024-01-08-09-33-34.png?alt=media)
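Both enumeration findings above come from the same login handler shape. As an added example (not VAmPI's own code), here is that shape next to a hardened version that returns one generic message and always runs a hash check, so neither the message nor the timing tells an unknown username apart from a wrong password. The user store and hashing scheme are constructed for the demo.

```python
# Added example, not VAmPI's own code. The write-up's login answers "Username does
# not exist" for an unknown user and "Password is not correct for the given
# username." for a known one, so the two cases are distinguishable. The hardened
# version returns one generic message and always runs a hash check, so neither the
# message nor the timing reveals whether the account exists. User store is constructed.
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    salt = salt if salt is not None else os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Decoy hash checked for unknown usernames so that path costs as much as a real one.
_DECOY = hash_password("decoy")


def login_vulnerable(users: Dict[str, dict], username: str, password: str) -> Tuple[bool, str]:
    user = users.get(username)
    if user is None:
        return False, "Username does not exist"      # reveals the account is absent
    if not verify_password(password, user["pw"]):
        return False, "Password is not correct for the given username."  # reveals it exists
    return True, "token-for-" + username


def login_hardened(users: Dict[str, dict], username: str, password: str) -> Tuple[bool, str]:
    user = users.get(username)
    stored = user["pw"] if user is not None else _DECOY
    # Run the hash check first so it happens on both branches.
    ok = verify_password(password, stored) and user is not None
    if not ok:
        return False, "Invalid username or password"  # one message for both cases
    return True, "token-for-" + username
```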

### Unauthorized Password Change

With a PUT request on the endpoint `/users/v1/<username>/password`, we can change our own password.\
But can we change another user's password?\
Let's try to change the password of the `admin` user with the token of csbygb, a non-admin user.\
It works!

* Request to change the password of admin with the csbygb user's token

![change password of another user](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-b0bd6e78ada8e6598484f477a48b7977f57f5316%2F2024-01-08-10-37-49.png?alt=media)

* The password of admin has changed

![admin user's password changed](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-2f56ad1527cc1714344d7aa3417c463a42cd4543%2F2024-01-08-10-39-00.png?alt=media)

### SQL Injection

If we add a quote to the request that gets a user by username, we get an SQL error:

![SQL error](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-c6f7226c52601d493b3a9808cc817ada2cd627ba%2F2024-01-08-10-53-40.png?alt=media)

```text
sqlalchemy.exc.OperationalError: (sqlite3.OperationalError) unrecognized token: "'John.Doe''"
[SQL: SELECT * FROM users WHERE username = 'John.Doe'']
(Background on this error at: https://sqlalche.me/e/20/e3q8)
```

* So now we know that the database is SQLite. At this point we can continue with sqlmap, which will dump the database: `sqlmap -u http://localhost:5000/users/v1/csbygb* --dbms=sqlite --dump`

![Dumped database](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-69d718790b901449ad896230158d702bdbd6094a%2F2024-01-08-11-57-00.png?alt=media)
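To see why a single quote produces that error and how the query should be written instead, here is an added example (not VAmPI's own code) that reproduces it against an in-memory SQLite database and contrasts it with a bound-parameter query. The table layout and sample rows are constructed.

```python
# Added example, not VAmPI's own code: reproduces the error above against an
# in-memory SQLite database, then shows the bound-parameter query that does not
# interpret the quote. Table layout and sample rows are constructed for the demo.
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("John.Doe", "pw1", 0), ("admin", "pw2", 1)])
    return conn


def get_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    # The path segment is spliced into the SQL text, so a quote in it becomes
    # part of the statement; this is what produces the error in the write-up.
    sql = "SELECT username, admin FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def get_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    # The value travels separately from the SQL text, so "John.Doe'" is just a
    # username that matches nothing and the quote never reaches the parser.
    sql = "SELECT username, admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def probe(conn: sqlite3.Connection, username: str) -> str:
    """Regression check for the vulnerable path: report 'error: ...' when the
    input breaks the statement, otherwise the number of rows returned."""
    try:
        rows = get_user_vulnerable(conn, username)
    except sqlite3.OperationalError as err:
        return f"error: {err}"
    return f"rows: {len(rows)}"


if __name__ == "__main__":
    db = make_db()
    print(probe(db, "John.Doe"))            # rows: 1
    print(probe(db, "John.Doe'"))           # error: unrecognized token: "'John.Doe''"
    print(get_user_safe(db, "John.Doe'"))   # []
```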

### Vulnerability: BOLA

We can find books that do not belong to us by using the book title as the ID with the endpoint `/books/v1/{book-title}`.

So here, with the token of my user csbygb, I am able to access a book that belongs to the user name1.

![bola](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-9abd5ba1438e183ee139d20b70afa1c21ee32c05%2F2024-01-08-13-21-10.png?alt=media)
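The password-change finding and this BOLA finding are the same missing check: the server never compares the token's subject with the object's owner. As an added example (not VAmPI's own code), the block below verifies an HS256 bearer token like the one shown in the Login section and then applies an owner-or-admin rule for the password endpoint and an owner-only rule for books. `SECRET`, the user table and the book table are constructed for the demo.

```python
# Added example, not VAmPI's own code: HS256 bearer-token verification plus the two
# object-level rules the write-up shows missing (owner-or-admin for the password
# endpoint, owner-only for books). SECRET, users and books are constructed.
import base64, hashlib, hmac, json, time
from typing import Dict, Optional

SECRET = b"demo-secret-not-the-real-one"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, ttl: int = 60) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    now = int(time.time())
    payload = _b64url(json.dumps({"sub": sub, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str) -> Optional[dict]:
    """Return the claims only if the HMAC matches and exp has not passed.
    The header's alg field is ignored on purpose: HS256 is always enforced."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(payload))
    except ValueError:          # malformed token, bad base64 or bad JSON
        return None
    return claims if claims.get("exp", 0) > time.time() else None

def can_change_password(token: str, target: str, users: Dict[str, dict]) -> bool:
    """Owner-or-admin rule; the vulnerable endpoint skips this comparison."""
    claims = verify_token(token)
    if claims is None:
        return False
    caller = claims["sub"]
    return caller == target or bool(users.get(caller, {}).get("admin"))

def get_book(token: str, title: str, books: Dict[str, dict]) -> Optional[dict]:
    """Object-level check: 'not found' and 'not yours' get the same answer."""
    claims = verify_token(token)
    book = books.get(title)
    if claims is None or book is None or book["owner"] != claims["sub"]:
        return None
    return book
```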

### Lack of Resources & Rate Limiting

Here we are able to send a lot of requests without being blocked in any way by the application.\
For example, we can send plenty of requests to brute-force the login.\
I am going to use Burp (Pro version) Intruder for this. I send the login request to Intruder and set up variables on username and password.

![set variables](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-f66e273f441d4c8ada1be50e6a67597372385fdd%2F2024-01-08-13-28-31.png?alt=media)

So here we were able to send more than 800 requests without being blocked.

![no rate limiting](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-6663569271b8325b5cd292884e81b68f39a75e4e%2F2024-01-08-13-40-19.png?alt=media)
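From the defender's side, a burst like the 800 requests above is easy to spot in access logs. The added example below (not VAmPI's own code) runs a sliding-window counter over constructed common-log-format lines and flags any source that sends more than 20 login POSTs within a minute; the log format and thresholds are assumptions.

```python
# Added example, not VAmPI's own code: a sliding-window counter run over
# constructed access-log lines that flags any client sending more than LIMIT
# POSTs to /users/v1/login within WINDOW seconds. The common-log format and the
# threshold values are assumptions; VAmPI itself applies no such limit.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LIMIT, WINDOW = 20, 60   # more than 20 login POSTs per source per minute is flagged


def detect_login_floods(lines: List[str], limit: int = LIMIT, window: int = WINDOW) -> Dict[str, int]:
    """Return {ip: index of the first request over the limit} for each flagged source."""
    recent: Dict[str, Deque[float]] = defaultdict(deque)   # per-IP timestamps in the window
    flagged: Dict[str, int] = {}
    for i, line in enumerate(lines):
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != "/users/v1/login":
            continue
        t = datetime.strptime(m["ts"], TS_FMT).timestamp()
        q = recent[m["ip"]]
        q.append(t)
        while q and t - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > limit and m["ip"] not in flagged:
            flagged[m["ip"]] = i
    return flagged


def sample_log(n_attempts: int) -> List[str]:
    """Constructed log: one ordinary client plus one client hammering the login, one POST per second."""
    start = datetime(2024, 1, 8, 13, 30, tzinfo=timezone.utc)
    lines = [f'10.0.0.5 - - [{start.strftime(TS_FMT)}] "GET /users/v1 HTTP/1.1" 200']
    for k in range(n_attempts):
        ts = (start + timedelta(seconds=k)).strftime(TS_FMT)
        lines.append(f'10.0.0.9 - - [{ts}] "POST /users/v1/login HTTP/1.1" 401')
    return lines


if __name__ == "__main__":
    print(detect_login_floods(sample_log(800)))   # {'10.0.0.9': 21}
```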

### ReDoS

> The OWASP reference for this vulnerability is [here](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)

So we could try one of the regexes provided in the OWASP document.\
We could try this on the endpoint `/users/v1/{username}/email`: a PUT request here is supposed to let us update our email address.\
We need to be logged in for this.\
Using this request we were able to trigger the vulnerability and DoS the application.

![Denial of service](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-da9665d4aa30fc18ca153a01f3b5a30861c6ca27%2F2024-01-08-14-32-08.png?alt=media)

> Avoid doing this in a real context unless it was requested or you have your customer's authorization. With this type of attack you are actually impacting the availability of the application.

## Resources

* [OWASP API Security Top 10 - 2023](https://owasp.org/API-Security/editions/2023/en/0x00-header/)

### ReDoS - Resources

* [The Regular Expression Denial of Service (ReDoS) cheat-sheet - James Davis](https://levelup.gitconnected.com/the-regular-expression-denial-of-service-redos-cheat-sheet-a78d0ed7d865)
* [ReDoS on OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
* [Regular expression Denial of Service - ReDoS - Hacktricks](https://book.hacktricks.xyz/pentesting-web/regular-expression-denial-of-service-redos)
