
OWASP TOP-10 Vulnerabilities | API Testing

Assignment-2
Your Name
Student Id
CIS*6670 – Special Topics in Cybersecurity

Contents

1) Exploiting an API endpoint using documentation
   Screenshot
   Attack Scenario
2) Exploiting server-side parameter pollution in a query string
   Screenshot
   Attack Scenario
3) Finding and exploiting an unused API endpoint
   Screenshot
   Attack Scenario
4) Exploiting a mass assignment vulnerability
   Screenshot
   Attack Scenario
5) Exploiting server-side parameter pollution in a REST URL
   Screenshot
   Attack Scenario

1) Exploiting an API endpoint using documentation:

Screenshot:

Attack Scenario:
A bank exposes an API that lets customers manage their accounts and view their transaction
history. The API is fully documented for developers who want to build applications that
integrate with the bank's services.
Finding the Vulnerability:
The attacker registers as a developer to obtain the API documentation and a valid API token.
The documentation lists an endpoint, /api/v1/transactions, that returns a user's transaction
history and takes two inputs: the API token and a user_id parameter.
Creating the Malicious Request:
Using their own valid API token, the attacker calls the endpoint but replaces the user_id
value with the identifier of another customer.
Example Exploit Request:

Injecting the Payload:

The attacker sends the request with another customer's user_id. The backend authorizes the
request on the token alone and never checks that the token holder owns the requested user_id,
so it returns that customer's transaction history. This is a broken object level authorization
flaw (API1 in the OWASP API Security Top 10), also known as an insecure direct object reference.
Exploiting the Vulnerability:
Because user_id values are predictable, the attacker scripts the request and iterates over a
range of identifiers, collecting transaction histories, account balances and identifying details
for many customers.
Using the Stolen Data:
The harvested data can be sold on criminal marketplaces or used directly for identity theft and
fraud.
Targeting the Database:
Details in the responses (internal identifiers, field names, error messages) can also reveal
further weaknesses that help the attacker gain control over the backend database or cause
more damage.

Mitigation Strategies:
1. Token Scope and Boundaries: Bind each API token to a single account and derive the acting
user from the token, never from a client-supplied user_id.
2. Additional Validation: On every request, verify that the authenticated token holder is
permitted to read the specific object being requested.
3. Rate Limiting and Monitoring: Rate-limit the endpoint and alert when one token requests
many distinct user_id values.
4. Least Privilege Principle: Design APIs so that a token grants only the narrowest access it
needs.
With these controls applied to every endpoint, the bank can prevent unauthorized access to
customer data.
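The ownership check that mitigations 1 and 2 call for, beside the vulnerable handler and the enumeration loop from the scenario, as an added Python example. This is not code from the original assignment and makes no claim about the bank's real backend: the tokens, user ids and transactions are constructed sample data, and the handler functions are stand-ins for the server side of /api/v1/transactions.

```python
"""Broken object level authorization on /api/v1/transactions.

Added example, not code from the original assignment. The tokens,
user ids and transactions below are constructed sample data; the two
handler functions model the vulnerable and the corrected back-end.
"""
from typing import Callable, Dict, List

Handler = Callable[[str, int], List[dict]]


class Unauthenticated(Exception):
    """Token unknown (HTTP 401 in a real API)."""


class Forbidden(Exception):
    """Token valid but not allowed to read this object (HTTP 403)."""


# Constructed sample data: API token -> user_id that owns it
TOKENS: Dict[str, int] = {"tok-alice": 101, "tok-bob": 102}

# Constructed sample data: user_id -> transaction history
TRANSACTIONS: Dict[int, List[dict]] = {
    101: [{"amount": -42.10, "desc": "grocery"}],
    102: [{"amount": 2500.00, "desc": "salary"}],
    103: [{"amount": -900.00, "desc": "rent"}],
}


def vulnerable_transactions(token: str, user_id: int) -> List[dict]:
    """Checks that the token exists, then trusts the client-supplied user_id."""
    if token not in TOKENS:
        raise Unauthenticated()
    return TRANSACTIONS.get(user_id, [])


def secure_transactions(token: str, user_id: int) -> List[dict]:
    """Derives the acting user from the token and checks object ownership."""
    owner = TOKENS.get(token)
    if owner is None:
        raise Unauthenticated()
    if owner != user_id:
        raise Forbidden()
    return TRANSACTIONS.get(user_id, [])


def harvest(handler: Handler, token: str, id_range: range) -> Dict[int, List[dict]]:
    """Attacker loop: one valid token, iterate predictable user_id values."""
    leaked: Dict[int, List[dict]] = {}
    for uid in id_range:
        try:
            history = handler(token, uid)
        except (Unauthenticated, Forbidden):
            continue
        if history:
            leaked[uid] = history
    return leaked


def suspicious_tokens(requests: List[tuple], threshold: int = 5) -> List[str]:
    """Detection for mitigation 3: tokens that touched more distinct user_ids
    than the threshold in the observed window. requests = [(token, user_id), ...]"""
    seen: Dict[str, set] = {}
    for token, uid in requests:
        seen.setdefault(token, set()).add(uid)
    return sorted(t for t, ids in seen.items() if len(ids) > threshold)


if __name__ == "__main__":
    print(harvest(vulnerable_transactions, "tok-alice", range(100, 110)))
    print(harvest(secure_transactions, "tok-alice", range(100, 110)))
```

Against the vulnerable handler, Alice's single token harvests every customer in the range; against the corrected one she gets only her own history and every other id raises Forbidden. The detection function shows why a 403 is not enough on its own: the burst of distinct user_id values from one token is the signal worth alerting on.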

2) Exploiting server-side parameter pollution in a query string:

Screenshot:

Attack Scenario:
A shopping website filters the products it shows through query-string parameters in the URL,
such as category, price range and sort order.
Finding the Vulnerability:
The attacker learns that the website's front-end takes the user-supplied filter value and embeds
it, without URL-encoding, into the query string of a request it makes to an internal back-end
API. Because the value is not encoded, a percent-encoded ampersand (%26) in the user's input
is decoded once by the web server and then reaches the internal request as a literal &, which
lets the attacker add parameters to that request. How the back-end treats a parameter that now
appears twice is technology-specific: some stacks keep the first occurrence, some the last, and
some combine them, so the attacker first probes to learn which rule this back-end follows.
Creating the Malicious Request:
The attacker exploits this by crafting a category value that, once concatenated into the internal
request, adds a second category parameter. For example:

Injecting the Payload:

The attacker sends the modified request. The internal request now carries category=electronics
followed by an injected category=clothing, and because this back-end keeps the last occurrence
it filters only by "clothing" rather than by "electronics" or by both. The result is not what the
front-end intended.
Exploiting the Vulnerability:
By controlling which parameters reach the internal API, the attacker can:
• Modify Filters: Change the filtering criteria to return products other than those intended.
• Bypass Restrictions: Override parameters the front-end sets on the user's behalf, and so
bypass access controls or pricing rules.
• Impact User Experience: Cause errors or break functionality by injecting unexpected
parameters.

Using the Exploited Data:

Depending on how the attack plays out, the attacker could gain advantages such as:
• Viewing products or information they are not authorized to see.
• Exploiting pricing discrepancies.
• Circumventing security measures.
Mitigation Strategies:
To prevent server-side parameter pollution attacks, developers should follow these strategies:
1. Validate Input: Validate every user-supplied value against an allow-list of expected
characters or values before it is used, and decide explicitly how duplicate parameters are
handled rather than relying on framework defaults.
2. Encode Input: URL-encode user-supplied data before placing it in the query string of a
server-side request, so that characters such as & and = remain data rather than delimiters.
3. Use Frameworks: Build internal requests with library functions that encode parameters for
you instead of concatenating strings into a URL.
4. Regular Audits: Perform regular security testing to find and fix such flaws before they are
exploited.
Understanding these techniques helps secure web applications against common exploits like
server-side parameter pollution, protecting user data and system integrity.
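The mechanism described above, end to end, as an added Python example that is not part of the original assignment. The front-end functions, the minimal back-end parser and its three duplicate-key policies are constructed to show how the injected & changes the internal request; only the category values "electronics" and "clothing" come from the scenario. The stacks named in the parser's docstring illustrate that the policies are real, not that the shop in the scenario uses any of them.

```python
"""Server-side parameter pollution through an unencoded query string.

Added example, not code from the original assignment. The front-end
functions, the back-end parser and its duplicate-key policies are
constructed to show the mechanism; only the category values
"electronics" and "clothing" come from the scenario above.
"""
from urllib.parse import quote, unquote


def parse_internal_query(qs: str, policy: str = "last") -> dict:
    """Minimal back-end query parser. Real stacks differ on duplicates:
    'last'  - last occurrence wins (PHP's $_GET behaves this way)
    'first' - first occurrence wins (Flask's request.args.get)
    'all'   - values joined with a comma (ASP.NET Request.QueryString)
    """
    params: dict = {}
    for pair in qs.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        if key in params:
            if policy == "first":
                continue
            if policy == "all":
                params[key] = params[key] + "," + value
                continue
        params[key] = value
    return params


def vulnerable_frontend(category: str) -> str:
    """Concatenates the already-decoded user value straight into the internal
    query string, so & and = inside the value become query structure."""
    return "category=" + category + "&sort=price"


def secure_frontend(category: str) -> str:
    """Percent-encodes the value so the internal API sees one literal string."""
    return "category=" + quote(category, safe="") + "&sort=price"


def backend_category(frontend, browser_value: str, policy: str = "last") -> str:
    """End to end: the web server decodes the browser's query value once,
    the front-end builds the internal request, the back-end parses it."""
    received = unquote(browser_value)          # what the application code sees
    internal_qs = frontend(received)
    return parse_internal_query(internal_qs, policy)["category"]


# Constructed attacker value as typed into the browser URL:
# ?category=electronics%26category%3Dclothing
ATTACK = "electronics%26category%3Dclothing"

if __name__ == "__main__":
    for policy in ("last", "first", "all"):
        print(policy, backend_category(vulnerable_frontend, ATTACK, policy))
    print("secure", backend_category(secure_frontend, ATTACK))
```

With the vulnerable front-end the back-end's duplicate policy decides the outcome: "clothing" under last-wins, "electronics" under first-wins, "electronics,clothing" when values are joined. With the encoding front-end the same input reaches the back-end as a single opaque category string, matches nothing, and cannot add or override parameters.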

3) Finding and exploiting an unused API endpoint:

Screenshot:

Attack Scenario:
An e-commerce website exposes an API that handles products, orders and customer data. The
API documentation covers the typical endpoints, including /api/products, /api/orders and
/api/customers.
Finding the Vulnerability:
An attacker who reads the API documentation closely notices something interesting: an endpoint
called /api/debug is mentioned in the comments but is not officially listed as available to
external developers.
Exploiting the Vulnerability:
The attacker tries the /api/debug endpoint, using tools such as Postman or curl, or a short
Python script, to craft requests and see whether it responds and what it does.
Example Exploit Request:

Injecting the Payload:

The request succeeds: /api/debug is reachable with no additional authorization and exposes
administrative functions not intended for external users, such as database backups, system
diagnostics or other debugging features.
Exploiting the Endpoint:
The attacker can abuse these functions in several ways:
• Read sensitive information such as server logs or debugging output.
• Tamper with backend systems and data.
• Escalate privileges or gain unauthorized access to administrative functions.

Using the Exploited Data:

Depending on what they find, the attacker can use the data to plan further attacks on the system
or its users, exploit weaknesses revealed by the debugging output, and disrupt the e-commerce
platform's operations.
Mitigation Strategies:
To prevent unauthorized access to and exploitation of unused API endpoints, developers and
administrators should follow these strategies:
• Review and Disable Unused Endpoints: Review the API documentation and codebase regularly,
remove endpoints that are no longer used, and disable any endpoint that is not formally
documented. Debug and diagnostic endpoints in particular must not be deployed to production.
• Implement Access Controls: Require authentication and authorization on every endpoint,
including internal and debugging ones, so that only authorized users and applications can
reach sensitive functionality.
• Monitor API Usage: Log all API requests and alert on requests to undocumented paths or on
unusual access patterns.
• Security Testing: Conduct regular security testing, including penetration testing, so that
vulnerabilities are found and fixed before they are exploited.
By applying these methods organizations improve the security of their APIs and prevent misuse
of or unauthorized access to their systems.
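The monitoring control above (log requests and alert on traffic to undocumented paths) as an added Python example; this is not code from the original assignment. The log format, the sample lines, the client addresses and the /api/debug/backup path are constructed, while the documented endpoint list and /api/debug are taken from the scenario.

```python
"""Flag served requests to undocumented API paths from access logs.

Added example, not code from the original assignment. The log format,
the sample lines, the client addresses and the /api/debug/backup path
are constructed; the documented endpoints and /api/debug come from the
scenario above.
"""
import re
from collections import Counter
from typing import List, Tuple

# The API surface the documentation publishes (from the scenario)
DOCUMENTED = ("/api/products", "/api/orders", "/api/customers")

# Constructed sample lines in a common-log-style format
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:01:02 +0000] "GET /api/products?page=1 HTTP/1.1" 200 1843
203.0.113.5 - - [10/Mar/2024:10:01:09 +0000] "GET /api/debug HTTP/1.1" 200 5120
198.51.100.7 - - [10/Mar/2024:10:02:30 +0000] "POST /api/orders HTTP/1.1" 201 212
203.0.113.5 - - [10/Mar/2024:10:02:41 +0000] "GET /api/debug/backup HTTP/1.1" 200 98304
198.51.100.9 - - [10/Mar/2024:10:03:00 +0000] "GET /api/admin HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)'
)

Hit = Tuple[str, str, str, int]   # (client ip, method, route, status)


def route_of(path: str) -> str:
    """Strip the query string; routing decisions are made on the path alone."""
    return path.split("?", 1)[0]


def is_documented(route: str) -> bool:
    """True for a documented endpoint or any sub-path of one."""
    return any(route == d or route.startswith(d + "/") for d in DOCUMENTED)


def undocumented_hits(log_text: str) -> List[Hit]:
    """Requests outside the documented surface that the server actually served.
    Responses of 400 and above are left out: a 404 for /api/admin is probing,
    a 200 for /api/debug is exposure, and the second is what should page someone."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue        # unparseable line; a real pipeline would count these
        route = route_of(m["path"])
        status = int(m["status"])
        if status < 400 and not is_documented(route):
            hits.append((m["ip"], m["method"], route, status))
    return hits


def top_sources(hits: List[Hit]) -> List[Tuple[str, int]]:
    """Which clients are reaching undocumented paths, most active first."""
    return Counter(h[0] for h in hits).most_common()


if __name__ == "__main__":
    found = undocumented_hits(SAMPLE_LOG)
    for hit in found:
        print(*hit)
    print(top_sources(found))
```

On the sample lines only the two served /api/debug requests are flagged; the 404 for /api/admin is dropped because nothing was exposed there. In production the DOCUMENTED tuple should be generated from the API specification rather than maintained by hand, otherwise it drifts in exactly the way the mitigation warns about.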

4) Exploiting a mass assignment vulnerability:

Screenshot:

Attack Scenario:
Imagine a web service that lets users modify their profile details, such as name, email and
profile picture. The front-end sends a JSON payload to a backend API, which updates the user
record.
Finding the Vulnerability:
The backend binds the incoming JSON object directly onto the user model without restricting
which fields may be set. Because it does not validate the payload against the fields the profile
form is supposed to update, an attacker can set additional fields beyond the intended scope. This
is mass assignment, covered by API3 (Broken Object Property Level Authorization) in the OWASP
API Security Top 10.
Understanding Mass Assignment:
The front-end of a typical web application sends a JSON payload containing only the editable
fields, such as name and email. Since the backend copies every property of the payload onto the
user object, an attacker can add properties such as isAdmin or isVerified that the form never
exposes to them.
Exploiting the Vulnerability:
The attacker crafts a malicious JSON payload that includes the additional fields:

Sending the Payload:

The attacker sends this payload to the update-profile endpoint of the API:

Exploiting the Endpoint:

Because of the mass assignment vulnerability, the backend updates the user's profile exactly as
requested, including setting isAdmin to true, even though the attacker has no permission to
change that field.
Consequences of Exploitation:
By exploiting this vulnerability the attacker can escalate privileges, gain administrative access,
or perform actions beyond their intended scope:
• Access privileged information or perform administrative functions.
• Modify system settings or configuration.
• Create or delete data and accounts.
Mitigation Strategies:
To prevent mass assignment vulnerabilities, developers should:
1. Implement Allow-listing: Define, per endpoint, the exact set of fields that may be updated,
copy only those onto the model, and reject or log any other field in the payload.
2. Validate Input: Validate incoming JSON payloads against a schema before binding them, so
that unexpected keys and types are refused.
3. Use Role-based Access Control (RBAC): Make privileged attributes such as isAdmin changeable
only through a separate administrator-only operation, never through the user's own profile
update.
4. Security Testing: Conduct security assessments, consistent testing and code reviews to
detect and fix vulnerabilities such as mass assignment.
These strategies protect the application against unauthorized data manipulation and privilege
escalation through API endpoints.
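The vulnerable binding beside the allow-listed version and the RBAC path that mitigations 1 to 3 describe, as an added Python example that is not code from the original assignment. The stored record, the EDITABLE set and the profilePicture field name are constructed for the example; name, email, isAdmin and isVerified are the fields the scenario names.

```python
"""Mass assignment on a profile-update endpoint: vulnerable vs allow-listed.

Added example, not code from the original assignment. The user record,
the EDITABLE set and the payloads are constructed; only name, email,
isAdmin and isVerified are taken from the scenario above.
"""
import copy
import json

# Fields the profile form is allowed to change (assumed for this example)
EDITABLE = frozenset({"name", "email", "profilePicture"})


class RejectedField(ValueError):
    """Payload carried a key outside the allow-list (HTTP 400 in a real API)."""


def make_user() -> dict:
    """Constructed stored record for the caller."""
    return {"id": 7, "name": "alice", "email": "alice@example.com",
            "profilePicture": None, "isAdmin": False, "isVerified": False}


def vulnerable_update(user: dict, raw_json: str) -> dict:
    """Binds every key in the payload onto the record: classic mass assignment."""
    updated = copy.deepcopy(user)
    updated.update(json.loads(raw_json))
    return updated


def secure_update(user: dict, raw_json: str, strict: bool = True) -> dict:
    """Copies only allow-listed keys. strict=True rejects unknown keys so that
    probing shows up in logs; strict=False silently drops them."""
    payload = json.loads(raw_json)
    if not isinstance(payload, dict):
        raise ValueError("JSON object expected")
    unknown = set(payload) - EDITABLE
    if unknown and strict:
        raise RejectedField(sorted(unknown))
    updated = copy.deepcopy(user)
    for key in EDITABLE & set(payload):
        updated[key] = payload[key]
    return updated


def promote(actor: dict, target: dict) -> dict:
    """RBAC path for the privileged attribute: only an admin may set isAdmin,
    through a dedicated operation rather than the profile endpoint."""
    if not actor.get("isAdmin"):
        raise PermissionError("admin role required")
    promoted = copy.deepcopy(target)
    promoted["isAdmin"] = True
    return promoted


# Constructed attacker payload: the two legitimate fields plus two injected ones
ATTACK = json.dumps({"name": "alice", "email": "alice@example.com",
                     "isAdmin": True, "isVerified": True})

if __name__ == "__main__":
    print(vulnerable_update(make_user(), ATTACK))
    print(secure_update(make_user(), ATTACK, strict=False))
```

The allow-list is a positive list of what may change; a deny-list of "dangerous" names such as isAdmin is the wrong shape, because the next privileged column added to the model would be missed. Rejecting rather than dropping unknown keys costs nothing in a well-behaved client and turns an attacker's probe into a logged 400.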

5) Exploiting server-side parameter pollution in a REST URL:

Screenshot:

Attack Scenario:
Imagine a web application that uses RESTful APIs to manage user accounts. Users can view
their profile or update their information through URLs that follow REST conventions, where the
resource identifier is part of the path, for example /api/users/123.
Finding the Vulnerability:
The attacker discovers a server-side parameter pollution vulnerability in the application's
RESTful URLs. The front-end builds a request to an internal API by concatenating the
user-supplied identifier into the URL path without encoding it.
Understanding Parameter Pollution:
In the query-string form of this vulnerability an injected & adds or overrides parameters. In the
REST form the injected characters are path structure: a / or a .. traversal segment in the
identifier is interpreted by the internal API as part of the path, so the internal request can be
redirected to a different resource, or even to a different internal endpoint, than the one the
public endpoint was meant to expose.
Exploiting the Vulnerability:
The attacker manipulates the path parameter to exploit this behavior. They craft an identifier
that, once concatenated into the internal URL, resolves to a resource other than the intended
one. For example:

Injecting the Payload:

The attacker sends this modified request. Instead of fetching the record for id 123 as intended,
the internal request now resolves to the record for admin, with consequences such as reading or
changing the administrator account's data.
Exploiting the Endpoint:
By manipulating the parameters, the attacker can:
• Modify User Role: Change their role from a regular user to an administrator.
• Bypass Access Controls: Gain access to sensitive information or functionality intended
only for administrators.
• Disrupt Operations: Cause errors or unexpected behavior by injecting malformed path
segments.

Using the Exploited Data:

Depending on the outcome of the attack, the attacker may:
• Access and modify privileged information.
• Exploit further vulnerabilities discovered through the unintended access.
• Disrupt or manipulate system functionality.
Mitigation Strategies:
To prevent server-side parameter pollution vulnerabilities in RESTful APIs, developers should:
1. Parameter Handling: Percent-encode every user-supplied value before inserting it into the
path (or query string) of a server-side request, so that / and .. cannot change the URL
structure, and decide explicitly how duplicate parameters are handled.
2. Input Validation: Validate path identifiers against an allow-list of expected characters and
reject anything else before the internal request is built.
3. Security Awareness: Train developers on common vulnerabilities, parameter pollution among
them, and on how to mitigate them.
4. Regular Testing: Use penetration testing and code reviews to find such vulnerabilities before
an attacker does.
These techniques help organizations protect their RESTful APIs from server-side parameter
pollution.
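The path form of the vulnerability and the two mitigations (encode, then allow-list) as an added Python example; this is not code from the original assignment. The internal route table, the /api/private prefix, the ID_RE allow-list and the traversal payload are constructed to show the mechanism, while the ids 123 and admin come from the scenario.

```python
"""Server-side parameter pollution in a REST path.

Added example, not code from the original assignment. The internal
route table, the /api/private prefix and the traversal payload are
constructed; the ids 123 and admin come from the scenario above.
"""
import posixpath
import re
from urllib.parse import quote

# Constructed internal API. The public front-end is only meant to reach
# /api/users/<id>; /api/private/... is an internal-only route.
INTERNAL_ROUTES = {
    "/api/users/123": {"id": 123, "role": "user"},
    "/api/private/users/admin": {"id": 1, "role": "administrator"},
}

# Allow-list for a single path segment (assumed shape of a valid id)
ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def internal_get(path: str):
    """Internal server: normalises the path before routing, so '..' segments
    collapse exactly as they would in a real URL router."""
    return INTERNAL_ROUTES.get(posixpath.normpath(path))


def vulnerable_frontend(user_id: str):
    """Concatenates the (already decoded) user value into the internal path."""
    return internal_get("/api/users/" + user_id)


def encoding_only_frontend(user_id: str):
    """Percent-encodes the segment: '/' becomes %2F, so traversal cannot form."""
    return internal_get("/api/users/" + quote(user_id, safe=""))


def secure_frontend(user_id: str):
    """Allow-list the segment first, then encode. Rejecting bad input up front
    gives a clean 400 and a log line instead of an opaque internal 404."""
    if not ID_RE.match(user_id):
        raise ValueError("invalid user id")
    return internal_get("/api/users/" + quote(user_id, safe=""))


# Constructed payload, as the application sees it after the web server has
# decoded a browser value of ..%2Fprivate%2Fusers%2Fadmin
ATTACK = "../private/users/admin"

if __name__ == "__main__":
    print(vulnerable_frontend("123"))
    print(vulnerable_frontend(ATTACK))
    print(encoding_only_frontend(ATTACK))
```

With the vulnerable front-end the internal path /api/users/../private/users/admin normalises to /api/private/users/admin and the administrator record comes back. Encoding alone stops this payload, but an internal server that decodes %2F a second time before routing would reopen the hole, which is why secure_frontend also refuses any identifier that does not match the expected shape.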
