AP 121: Using OWASP ZAP to Scan Vulnerable API (25 pts extra)

What You Need

Purpose

To scan "Vulnerable API" with OWASP's Zed Attack Proxy.

Installing Vulnerable API

You should already have Vulnerable API installed from the previous project. If you don't, follow the steps below.

You can use any system with Python 3, I suppose, but I only tested it on Debian 11. Execute these commands:

cd
git clone https://github.com/jorritfolmer/vulnerable-api.git
sudo apt update
sudo apt install virtualenv

virtualenv venv
source venv/bin/activate
cd vulnerable-api
pip install -r requirements.txt
python ./vAPI.py -p 8080

Vulnerable API starts, as shown below.

Open a Web browser and browse to the IP address of your Debian machine on port 8080.

You see a message showing that vAPI is running, as shown below.

Restarting Vulnerable API

If you shut down the server, you can restart it with these commands:

cd
virtualenv venv
source venv/bin/activate
cd vulnerable-api
python ./vAPI.py -p 8080

Installing ZAP

Get it here:

https://www.zaproxy.org/download/

Using ZAP

From the main ZAP page, click "Automated Scan", as shown below.

Enter the URL to your Vulnerable API, as shown below.

Click Attack. The attack ends quickly, showing only one finding about a missing header--nothing important, as shown below.

Importing the OpenAPI Definition

ZAP did not find the API endpoints, so it failed to find interesting vulnerabilities.

In ZAP, from the menu, click Import, then "Import an OpenAPI definition from a URL". Enter this URL into the top field, and your API URL in the lower field, as shown below.

https://github.com/jorritfolmer/vulnerable-api/raw/main/openapi/vAPI.yaml

Click Import.

A box pops up saying "Successfully imported...". Click OK.

Scanning the API Again

At the top, click "Quick Start".

Click Attack.

The attack takes a minute or two, as shown below.

The Alerts now show some SQL Injections, as shown below.

Injection in uptime

Click the first SQL injection, as shown below.

In the top right pane, click the Response tab.

This shows that the server simply ran the Linux "uptime" command and returned its output, suggesting that there may be a command injection vulnerability here.

SQL Injection in tokens

Click the first SQL injection, as shown below.

This looks like a classic SQL injection in the password field. Entering an apostrophe there results in a "syntax error".

Flag AP 121.1: Username (10 pts)

In the top right pane, click the Request tab.

The flag is covered by a green rectangle in the image below.

Reinstalling Vulnerable API

The ZAP scan broke my API, which then returned this error: "sqlite3.OperationalError: no such table: users".

I deleted the vulnerable-api directory and reinstalled the whole thing from the beginning to fix it.

After that, I got a fresh auth token and put it in the "token" variable in Postman.

Hacking the "uptime" Endpoint with Postman

You should already have the API definition imported into Postman from the previous project.

In Postman, in the "Vulnerable API" collection, navigate to the "display uptime" request, as shown below.

Send the request. The response shows the command, uptime, and its output, as shown below.

In Postman, in the "Vulnerable API" collection, navigate to the "display uptime flag" request, as shown below.

On the Params tab, the "flag" variable has the value "sed". Change this value to "h", as shown below.

Send the request. The command is now "uptime -h", as shown below.

The flag value is added to the end of the command, suggesting that we could insert other bash commands here.

On the Params tab, change the "flag" variable to ";id", as shown below.

Send the request. The command is now "uptime -;id", and the "id" command runs, showing information about the current user, as shown below.

Flag AP 121.2: Filename (5 pts)

On the Params tab, change the "flag" variable to ";dir", as shown below.

Send the request.

The flag is covered by a green rectangle in the image below.
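The "uptime" behaviour above is the classic command injection pattern: untrusted input concatenated into a string that a shell later interprets. The following is an added example, not code from the vulnerable-api project. It models that pattern next to a hardened version of the same endpoint (an allowlist plus an argv list run without a shell), and includes a small check that picks injection attempts out of access-log lines. The endpoint path, the parameter name "flag", the allowlist contents and the log lines are all constructed for this example.

```python
"""Constructed example (not code from vulnerable-api): the command injection
pattern the lab exercises, a hardened version of the same endpoint, and a
simple check for injection attempts in web-server access logs.
Endpoint path, parameter name, allowlist and log lines are assumptions."""
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Characters that let a single shell argument turn into a second command.
SHELL_META = set(";|&`$()<>\n")

# Hypothetical allowlist of single-letter uptime flags the endpoint should accept.
ALLOWED_FLAGS = {"p", "s", "h", "V"}


def build_command_vulnerable(flag: str) -> str:
    """Models the vulnerable behaviour seen in the lab: the untrusted 'flag'
    value is concatenated into a string that is later handed to a shell, so
    'h' yields 'uptime -h' and ';id' yields 'uptime -;id' (two commands)."""
    return "uptime -" + flag


def is_allowed_flag(flag: str) -> bool:
    """Allowlist check: anything outside the known flags is rejected."""
    return flag in ALLOWED_FLAGS


def build_argv_hardened(flag: str) -> list:
    """Hardened version: validate first, then build an argv list so the
    value can only ever be one argument to uptime, never a second command."""
    if not is_allowed_flag(flag):
        raise ValueError("unsupported uptime flag: %r" % flag)
    return ["uptime", "-" + flag]


def run_hardened(flag: str) -> str:
    """Run without a shell (shell=False is the default); metacharacters in
    the argument are passed literally to uptime and never interpreted."""
    result = subprocess.run(build_argv_hardened(flag), capture_output=True,
                            text=True, check=False)
    return result.stdout


def find_shell_metacharacters(value: str) -> set:
    """Return the shell metacharacters present in a decoded parameter value."""
    return {c for c in value if c in SHELL_META}


# Matches the request line inside a common/combined-format access log entry.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_requests(log_lines):
    """Return (request target, metacharacters) for every request whose
    decoded query-string values contain shell metacharacters."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        target = m.group("target")
        # parse_qs splits on '&' first and percent-decodes each value after,
        # so an encoded ';' (%3B) is recovered as a literal ';' here.
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for values in query.values():
            for value in values:
                meta = find_shell_metacharacters(value)
                if meta:
                    hits.append((target, meta))
    return hits


# Constructed access-log lines mirroring the lab's requests; %3B encodes ';'.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/May/2022:10:00:01 +0000] "GET /uptime?flag=h HTTP/1.1" 200 120',
    '10.0.0.5 - - [11/May/2022:10:00:07 +0000] "GET /uptime?flag=%3Bid HTTP/1.1" 200 310',
    '10.0.0.5 - - [11/May/2022:10:00:12 +0000] "GET /uptime?flag=%3Bdir HTTP/1.1" 200 450',
]

if __name__ == "__main__":
    print(build_command_vulnerable(";id"))   # uptime -;id
    print(build_argv_hardened("h"))          # ['uptime', '-h']
    for target, meta in suspicious_requests(SAMPLE_LOG):
        print("suspicious request:", target, sorted(meta))
```

The important design point is that the fix is not escaping: build_argv_hardened never produces a shell string at all, and the allowlist rejects anything that is not a known flag before a process is started. The log check is deliberately simple (it flags metacharacters in decoded query values) and would be tuned for an application whose parameters legitimately contain such characters.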

Hacking the "token" Endpoint with Postman

In the "Vulnerable API" collection, navigate to the "get token" request, as shown below.

On the Body tab, change the password to:

'(

Click the blue Send button.

The response is "syntax error", as shown below.

On the Body tab, change the password to:

' OR 1=1 --

Click the blue Send button.

You get an access token, as shown below.

Getting an Administrator Token

On the Body tab, change the username to:

admin1'--

Click the blue Send button.

You get an administrator access token, as shown below!
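The three responses above ("syntax error" for a stray quote, a token for ' OR 1=1 --, and an administrator token for admin1'--) are exactly what a login query built by string formatting produces. The following is an added example, not code from the vulnerable-api project: an in-memory SQLite users table, a lookup written the vulnerable way, and the parameterized version that closes the hole. The table contents, column names and passwords are constructed for this example; the real project's schema and query text are not known here.

```python
"""Constructed example (not code from vulnerable-api): a login lookup built
by string formatting, which behaves the way the lab's 'get token' endpoint
does, beside a parameterised query that binds the values instead of pasting
them into the SQL text. Table, columns and passwords are made up here."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    # Plaintext passwords only to keep the example short; real code stores
    # salted password hashes and compares them in constant time.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin1", "constructed-admin-pw", 1), ("user1", "constructed-user-pw", 0)],
    )
    return conn


def _row_to_result(row):
    return {"user": row[0], "is_admin": bool(row[1])} if row else None


def login_vulnerable(conn, username, password):
    """Untrusted input is formatted into the SQL text, so a quote character
    changes the query's structure: an unbalanced quote is a syntax error,
    ' OR 1=1 -- makes the WHERE clause always true, and admin1'-- comments
    out the password comparison entirely."""
    sql = ("SELECT username, is_admin FROM users "
           "WHERE username='%s' AND password='%s'" % (username, password))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as e:
        # Returning the database error to the client is the leak the lab sees.
        return {"error": str(e)}
    return _row_to_result(row)


def login_hardened(conn, username, password):
    """Parameterised query: the driver binds the values, so quotes, comment
    markers and OR clauses are compared as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT username, is_admin FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return _row_to_result(row)


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("user1", "'("), ("user1", "' OR 1=1 --"), ("admin1'--", "wrong")]:
        print("vulnerable:", repr(user), repr(pw), "->", login_vulnerable(db, user, pw))
        print("hardened:  ", repr(user), repr(pw), "->", login_hardened(db, user, pw))
```

With the parameterized query every one of the lab's inputs simply fails to match a row, and the database error never reaches the client because no malformed SQL is ever built. A generic "invalid credentials" response, rather than the driver's error text, is the other half of the fix.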

Flag AP 121.3: Error Message (10 pts)

Using the administrator token, use the "create user" endpoint to create a user named "test".

The flag is covered by a green rectangle in the image below.

Source

https://github.com/jorritfolmer/vulnerable-api

Posted 5-11-22