crAPI docker搭建

运行如下指令搭建docker下的crAPI靶场:

curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml

docker-compose pull

docker-compose -f docker-compose.yml --compatibility up -d

搭建过程&结果

https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/1.jpeg
https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/2.jpeg
https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/3.jpeg

crAPI靶场实践

Challenge 1 – Access details of another user’s vehicle. (Broken User Authentication)

To solve the challenge, you need to leak sensitive information of another user’s vehicle.

  • Since vehicle IDs are not sequential numbers, but GUIDs, you need to find a way to expose the vehicle ID of another user.https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/.jpegCommunity处的接口可以显示user的所有信息,包括vehicleid
  • Find an API endpoint that receives a vehicle ID and returns information about it.https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/12.jpeg

Challenge 2 – Access mechanic reports of other users. (Broken User Authentication)

crAPI allows vehicle owners to contact their mechanics by submitting a “contact mechanic” form. This challenge is about accessing mechanic reports that were submitted by other users.

  • Analyze the report submission process提交时会返回一个report_linkhttps://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/123.jpeg
  • Find an hidden API endpoint that exposes details of a mechanic reportGET返回的report_linkhttps://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/2343.jpeg
  • Change the report ID to access other reportsGET刚才返回的link,任意改report_id就可以查看其他reporthttps://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.17.40@2x.jpg

Challenge 3 – Reset the password of a different user. (Broken User Authentication)

  • Find an email address of another user on crAPIhttps://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.19.09@2x.jpg
  • Brute forcing might be the answer. If you face any protection mechanisms, remember to leverage the predictable nature of REST APIs to find more similar API endpoints.https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.19.44@2x.jpgapi/v3多次发送后ERROR,切换v2后无限制,4位数字爆破成功https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.20.08@2x.jpghttps://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.20.30@2x.jpg

Challenge 4 – Find an API endpoint that leaks sensitive information of other users. (Excessive Data Exposure)

https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.20.56@2x.jpg

Challenge 5 – Find an API endpoint that leaks an internal property of a video. (Excessive Data Exposure)

In this challenge, you need to find an internal property of the video resource that shouldn’t be exposed to the user. This property name and value can help you to exploit other vulnerabilities.

https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.21.26@2x.jpg

上传个人视频点share后抓包可以看到video_id,随后试一下,直接/31就可以显示出video信息

https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.21.49@2x.jpg

Challenge 6 – Perform a layer 7 DoS using ‘contact mechanic’ feature. (Rate Limiting)

https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.22.14@2x.jpg

增大number_of_repeats, 将repeat_request_if_failed设为true

Challenge 7 – Delete a video of another user. (BFLA)

  • Leverage the predictable nature of REST APIs to find an admin endpoint to delete videos
  • Delete a video of someone else
https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.22.47@2x.jpg

使用DELETE时,遇到提示需要admin权限

https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.23.14@2x.jpg

将api链接中的user改为admin后成功删除,改一个数字就可以删除其他视频

Challenge 8 – Get an item for free. (Mass Assignment)

crAPI allows users to return items they have ordered. You simply click the “return order” button, receive a QR code and show it in a USPS store. To solve this challenge, you need to find a way to get refunded for an item that you haven’t actually returned.

  • Leverage the predictable nature of REST APIs to find a shadow API endpoint that allows you to edit properties of a specific order.
https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.23.39@2x.jpg

提交订单会返回订单id

https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.24.18@2x.jpg

使用GET,利用id查看订单详细信息,发现其中有status值

https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.25.17@2x.jpg

用PUT修改status,得知status的可选项为delivered, return pending, returned三个 将status修改为returned就相当于直接切换为已退货状态,会将费用退还

https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.25.55@2x.jpg

Challenge 9 – Increase your balance by $1,000 or more. (Mass Assignment)

After solving the “Get an item for free” challenge, be creative and find a way to get refunded for an item you never returned, but this time try to get a bigger refund.

这里通过先将status设为delivered发一次包,再设为returned发一次包,就完成了无限退款的操作

将quantity增大使得一个订单退款可以增加更大金额

https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.26.22@2x.jpg
https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.26.44@2x.jpg
https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.27.09@2x.jpg

(我发了两次,所以是200000000080)

Challenge 10 – Update internal video properties. (Mass Assignment)

After solving the “Find an API endpoint that leaks an internal property of videos” challenge, try to find an endpoint that would allow you to change the internal property of the video. Changing the value can help you to exploit another vulnerability.

https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.27.32@2x.jpg

新上传一个视频,当前视频信息如上图所示

修改视频名称:

https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.28.01@2x.jpg

Challenge 11 – Make crAPI send an HTTP call to “www.google.com” and return the HTTP response. (SSRF)

将原来的 "mechanic_api":"http://127.0.0.1:8888/workshop/api/mechanic/receive_report" 改为https://www.gooogle.com,收到response

https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.28.35@2x.jpg

Challenge 12 – Find a way to get free coupons without knowing the coupon code. (NoSQL Injection)

https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.29.08@2x.jpg

使用 $ne 进行nosql injection

当把 coupon_code设为 “$ne” = “aaaaaaaa” 后,最后实际上在后端执行的是: ‘coupon_code': {$ne: aaaaaaaaa}

{$ne: aaaaaaaaa}语句恒成立=1,从而绕过验证

最后输入TRAC075,成功兑换coupon

https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.29.27@2x.jpg

Challenge 13 – Find a way to redeem a coupon that you have already claimed by modifying the database. (SQL Injection)

https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.29.53@2x.jpg

Challenge 14 – Find an endpoint that does not perform authentication checks for a user. (Unauthenticated Access)

/workshop/api/mechanic/mechanic_report?report_id=6 (report number 任意)

/workshop/api/shop/orders/1 (order number 任意)

Challenge 15 – Find a way to forge valid JWT Tokens. (JWT Vulnerabilities)

JWT Authentication in crAPI is vulnerable to various attacks. Find any one way to forge a valid JWT token and get full access to the platform.

https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.30.32@2x.jpg
https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.31.03@2x.jpg
https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.31.26@2x.jpg
https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.32.18@2x.jpg
https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.32.48@2x.jpg

JWT由三个部分组成:Header, Payload, Signature。Header包含有关令牌的签名算法和类型的信息,Payload包含用户信息,签名用于身份验证。JWT泄漏会造成身份伪造等问题

因为header和payload都是base64方法编码,所以看到令牌就可以逆向出信息

如果同时使用HMAC算法或公钥算法,就可以可以使用RSA公钥+HS256算法进行混淆攻击,将非对称算法改为对称算法,再使用RSA公钥对数据进行签名,这样后端会用HS256和RSA公钥进行验证从而通过验证。

对于网站中无需验证签名的接口,就可以通过手动修改payload中的信息来生成对应的JWT,从而伪造他人身份

<< 2 secret challenges >>

There are two more secret challenges in crAPI, that are pretty complex, and for now we don’t share details about them, except the fact they are really cool.

先查到商品信息,再利用POST添加商品

https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.33.23@2x.jpg
https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.33.54@2x.jpg
https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.34.23@2x.jpg

当quantity设为负数时credit增加

https://cdn.jsdelivr.net/gh/XFishalways/blog_img@master/2023/07/18/CleanShot 2023-07-18 at 14.34.44@2x.jpg

Tagged in:

, ,

About the Author

XFishalways

Fisher不钓鱼 川大21级在读 网络空间安全专业 7年前的围棋业余5段 素描彩铅水粉国画书法童子功拥有者 Hala Madrid Letsgo Pat Self-Commentator Analyzer ing 七年前的业余5段 AI Skipper nparadigm申工智能yyds 飞禽岛少年Lee Sedol

View All Articles