AP 105: Broken Function Level Authorization (BFLA) (10 pts extra)

What You Need

Purpose

To add more requests to the crAPI collection, and find a Broken Function Level Authorization (BFLA) vulnerability: a function that exists on the server and is reachable by a user whose role should not be allowed to call it.

Connecting to crAPI

Open Burp. Click the Proxy tab. Click the Intercept tab.

Click the "Intercept is on" button so it changes to "Intercept is off".

Click the "Open Browser" button.

In Burp's browser, go to

https://crAPI.samsclass.info

The crAPI login page opens, as shown below.

Logging In

In Burp's browser, log in to crAPI with any account. If you don't have account credentials handy, click SignUp and create a new account.

You see the "Vehicles Details" page, as shown below.

Viewing the Shop

At the top of the crAPI page, click Shop.

In Burp, on the HTTP History tab, find this request:

GET /workshop/api/shop/products

The response shows the products for sale, with their prices, as shown below.

A customer should only be able to view the products, not add or change them. Those functions should be restricted to administrators.

Let's test to see if that restriction is enforced.

Right-click this request and click "Send to Intruder".

Testing All Methods

A GET request is defined as read-only, so it won't create or modify a product. Changing data requires a different method such as POST, PUT or PATCH. Let's see which methods this route accepts.

Click the Intruder tab.

Click the "Clear §" button.

Highlight the method GET and click the "Add §" button.

Your window should look like the image below.

Click the Payloads tab.

Copy this list of payloads and paste it into the Payload Options box:

PUT
POST
HEAD
DELETE
CONNECT
PATCH
OPTIONS
Your window should look like the image below.

At the top right, click the "Start Attack" button. Click OK.

Burp opens a new window and performs the attack.

The replies show quite a variety of responses.

Examine each response and verify that they match the table shown below.

HEAD and OPTIONS succeed, but neither changes anything: HEAD returns the same headers as GET without the body, and OPTIONS only reports what the route accepts. If the OPTIONS response carries an Allow header, read it anyway; it lists the methods the developer wired up for this route.

The only interesting result is from POST. Instead of being refused, it returns a validation error saying that fields are required, as shown below.

A customer's POST to this route should be rejected with "403 Forbidden" no matter what the body contains. Instead the server validated the body, which only happens after the request has reached the create-product function: it checked the fields before it checked whether this user may create products at all. That is the BFLA, and it suggests that we can add products!
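The same method sweep can be replayed from the command line, which is handy when there are many routes to check. The script below is an added example, not crAPI code and not part of the original lab: it sends every method in the Intruder list to one route, reuses the Bearer token from the captured GET request, and applies the verdicts described above (an explicit 401/403 is what a customer should see; a write method that gets a success or a validation error instead has reached the handler). The required_fields helper pulls the field names out of a "This field is required." response so you know what to put in the POST body. The host, path and token are assumed to come from your own capture.

```python
"""Replay the lab's Intruder run from the command line: send every HTTP method
to one API route with the Bearer token a customer received at login, and flag
the methods that get past authorization. Added example, not crAPI code; it
assumes the token is the JWT from the captured GET /workshop/api/shop/products
request and that the API reads it from an "Authorization: Bearer" header."""
import http.client
import json
import ssl
import sys
from urllib.parse import urlparse

# The list pasted into Intruder, plus GET as the baseline.
METHODS = ["GET", "PUT", "POST", "HEAD", "DELETE", "CONNECT", "PATCH", "OPTIONS"]
SAFE = {"GET", "HEAD", "OPTIONS"}   # read-only by definition; never a finding


def required_fields(body):
    """Field names in a validation error shaped like
    {"price": ["This field is required."]}; empty list for any other body."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return []
    if not isinstance(data, dict):
        return []
    return sorted(k for k, v in data.items()
                  if isinstance(v, list) and any("required" in str(m) for m in v))


def classify(method, status, body=""):
    """Verdict for one (method, status) pair. Order matters: an explicit denial
    beats everything else, and a safe method is never a finding."""
    if status in (401, 403):
        return "denied"        # authorization fired: what a customer should see
    if status in (405, 501):
        return "unsupported"   # no handler for this method on this route
    if method in SAFE:
        return "read-only"
    if status in (400, 422) or 200 <= status < 300:
        # A write method reached the handler. A 400 "field is required" means
        # input validation ran before any authorization check: BFLA candidate.
        return "reachable"
    return "other"


def probe(url, token, methods=METHODS, timeout=10, verify=True):
    """Send each method with an empty body and return
    [(method, status, verdict, required_fields)] in the order tried."""
    u = urlparse(url)

    def connect():
        if u.scheme != "https":
            return http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
        ctx = ssl.create_default_context()
        if not verify:                  # only for a lab host with a self-signed cert
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        return http.client.HTTPSConnection(u.hostname, u.port or 443,
                                           timeout=timeout, context=ctx)

    results = []
    for method in methods:
        conn = connect()
        try:
            conn.request(method, u.path or "/", headers={"Authorization": "Bearer " + token})
            resp = conn.getresponse()
            body = resp.read().decode("utf-8", "replace")   # HEAD yields b""
            results.append((method, resp.status,
                            classify(method, resp.status, body), required_fields(body)))
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe.py https://host/workshop/api/shop/products <bearer-token>")
    for method, status, verdict, fields in probe(sys.argv[1], sys.argv[2]):
        print(f"{method:8} {status:3}  {verdict:12} {' '.join(fields)}")
```

Run it with the route URL and the token copied from the Authorization header in Burp's HTTP history; a "reachable" verdict on POST, PUT, PATCH or DELETE is the same finding the Intruder table shows, and the last column tells you which fields the next request needs.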

Adding an Item

In Burp's "Intruder attack" window, right-click the POST line and click "Send to Repeater".

Add a JSON body containing the fields the error response asked for, as highlighted in the image below.

(I recommend including your name in the item name so you can tell your item from those added by other students.)

Send the request. Click the Response tab.

The status is "200 OK", as shown below!

Flag AP 105.1: Field (10 pts)

The flag is covered by a green rectangle in the image below.

Buying an Item

In Burp's browser, refresh the Shop page.

The new item appears, as shown below!

Notice that your Available Balance, at the top left, is $100.

In the new item's section, click Buy. Click OK.

At the top, click Shop.

Your Available Balance has fallen to $90, as shown below.

Adding a GIFT Item

Send another POST request to create an item named GIFT with a price of -110.00. The server accepts it: it checked that the price field was present, but never checked its value. This is a second, separate flaw (missing input validation) stacked on the BFLA.

Buy the GIFT item. Instead of being charged, you are credited $110, so your Available Balance is now $200, as shown below.
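To see what the fix looks like from the server side, here is an added example that is not crAPI's code (the real workshop service is a Django REST Framework app) but a framework-free sketch of the two handlers the lab abused and their corrected versions. It assumes the required fields are name, price and image_url and that roles are named "customer" and "admin". The vulnerable create handler only checks that fields are present, which is exactly why a customer's empty POST got a "field is required" error instead of a 403; the fixed one authorizes first, then rejects non-positive prices. The fixed purchase handler refuses to apply a price that could move the balance upward, so a bad catalogue entry can no longer be turned into credit.

```python
"""Server-side view of the two flaws the lab exploits. Added example: not
crAPI's code, just a framework-free sketch of the missing checks. Assumed:
the required fields are name, price and image_url; roles are "customer"
and "admin"; a new account starts with the lab's $100 balance."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

REQUIRED = ("name", "price", "image_url")   # assumed field names


@dataclass
class User:
    username: str
    role: str                             # "customer" or "admin" (assumed)
    balance: Decimal = Decimal("100.00")  # the lab's starting balance


class Forbidden(Exception):
    """HTTP 403: authenticated, but not allowed to call this function."""


class ValidationError(Exception):
    """HTTP 400: the body is malformed or breaks a business rule."""


def create_product_vulnerable(user, payload, products):
    """What the lab observed: any logged-in user reaches the handler, the only
    check is that the fields exist, and the price is stored as sent."""
    missing = [f for f in REQUIRED if f not in payload]
    if missing:
        raise ValidationError({f: ["This field is required."] for f in missing})
    product = {"id": len(products) + 1, "name": payload["name"],
               "price": Decimal(str(payload["price"])),
               "image_url": payload["image_url"]}
    products[product["id"]] = product
    return product


def create_product_fixed(user, payload, products):
    """Fixed handler: function-level authorization first, then strict validation."""
    # 1. Authorize before looking at the body. A customer now gets 403 whether
    #    or not the body is well formed, so a 400 cannot reveal an open route.
    if user.role != "admin":
        raise Forbidden("only administrators may create products")
    # 2. Presence check, unchanged.
    missing = [f for f in REQUIRED if f not in payload]
    if missing:
        raise ValidationError({f: ["This field is required."] for f in missing})
    # 3. Business rules: a finite, positive price with at most two decimals,
    #    and a non-blank name.
    try:
        price = Decimal(str(payload["price"]))
    except InvalidOperation:
        raise ValidationError({"price": ["A valid number is required."]})
    if not price.is_finite() or price <= 0 or price != price.quantize(Decimal("0.01")):
        raise ValidationError({"price": ["Price must be positive with at most two decimals."]})
    name = str(payload["name"]).strip()
    if not name:
        raise ValidationError({"name": ["This field may not be blank."]})
    product = {"id": len(products) + 1, "name": name, "price": price,
               "image_url": str(payload["image_url"])}
    products[product["id"]] = product
    return product


def buy_vulnerable(user, product):
    """Debits whatever the stored price is, so a negative price is a credit."""
    user.balance -= product["price"]
    return user.balance


def buy_fixed(user, product):
    """Defence in depth: even if a bad price reached the catalogue, a purchase
    can only move the balance down, and never below zero."""
    price = product["price"]
    if price <= 0:
        raise ValidationError({"price": ["Product has an invalid price."]})
    if user.balance < price:
        raise ValidationError({"balance": ["Insufficient funds."]})
    user.balance -= price
    return user.balance
```

The order inside create_product_fixed is the point: the role check runs before the body is parsed or validated, so a probe like the Intruder run gets the same 403 for an empty body as for a complete one. Validating the price on both the create and the buy path means the GIFT trick fails even if an administrator later makes a mistake in the catalogue.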

Flag AP 105.2: Field (10 pts)

In Burp, on the HTTP History tab, find this request, which was used to load the most recent Shop page:

GET /workshop/api/shop/products

The flag is covered by a green rectangle in the image below.

Source

Hacking APIs

Posted 5-6-22