API Information Disclosure

API Information Disclosure

Hello All,

In this post I will provide you an overview about how to exploit Broken Object Level Authorization vulnerability.

Definition: Attackers substitute the ID of their own resource in the API call with an ID of a resource belonging to another user. The lack of proper authorization checks allows attackers to access the specified resource. This attack is also known as IDOR (Insecure Direct Object Reference).

OR

APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object level authorization checks should be considered in every function that accesses a data source using an input from the user.

Lets say our vulnerable website is target[.]com

Steps I did to takeover all the accounts on the test platform. Since I was already registered user on the target website. I did functionality check of the reset password feature.


Reset Password Function

I added my email id and user id and intercepted the request.

Request

Then I’ve sent this request to repeater. And I was able to see the whole JSON response that was leaking the details along with the password. I’ve used the leaked password token to gain access to dashboard.


Response
Since most of the time update section of the user details are vulnerable. I checked for the broken object access control bug on update profile section. I intercepted the request and was able to see whole data in response in JSON format.

Note:  Broken Object Level Authorization happens when an application does not correctly confirm that the user performing the request has the required privileges to access a resource of another user. Almost every company has APIs that are vulnerable to BOLA


Edit Profile

To confirm the BOLA , I sent this request to intruder and changed the last two bit of hexadecimal string. I’ve entered the payload from '00' to 'ff' and started the attack.


Intruder Request
Intruder Settings


Bruteforce attack

Intruder Response

By this way, I got accessed to all their data.

Feel free to provide me the feedback. Thanks for reading and I hope you enjoyed it.


Reference:

https://shubham-s-pandey.blogspot.com/2020/08/introduction-to-idor.html

https://owasp.org/www-project-api-security/



Comments

Post a Comment

Popular posts from this blog

My OSCP Journey - A Review

Image
My OSCP Journey - A Review Pre-Preparation: Hello All, In this post I will provide you an overview about my OSCP journey. In order t o gain some hands-on experience before enrolling, I started practicing on HackTheBox platform. Having done around 50 boxes, I finally felt ready to enroll into the PEN-200.  I would suggest try to complete each and every box from the list mentioned below, before enrolling as your pre-preparation work. OSCP Like boxes:   TJnull’s Preparation Guide for PWK/OSCP I enrolled for OSCP and completed all the PWK exercises and labs within 45 days. After completing all the coursework, I started preparing my notes in structured and organized way. The advice for you here is to make your own notes as it would really help you in your OSCP exam, you’ll thanks yourself later! What is important in doing all this is "BUILDING YOUR METHODOLOGY." Build Your Own Methodology If you have the time, I would strongly recommend completing TJ_Null’s list of HackTheBox
Read more

Introduction to IDOR

Image
Introduction to IDOR Hello All,  In this post I will provide you an overview about how to exploit IDOR vulnerability. What is IDOR?  IDOR:(Insecure direct object references) Due to improper validation of userid at Server side leads to Change of content. OR without any validation mechanism which allows attackers to manipulate these references to access unauthorized data OR A user can successfully request access to a webpage, a data object, or a file that they should not have access to. IDOR Attack Scenario: Case 1: Deleting other user content: 1)Victim post something on website which has a unique ID Eg: 19 Attacker: 1)Attacker creates a post which has a unique ID of 22. 2)He tries to delete his post by intercepting his deleting request. 3)In request, Change ID from 22 to 19 which results deletion of victim post. Case 2: Changing other user profile picture: Attacker: 1)Intercept the upload image request and find the Unique User ID of attacker. 2)Change the ID of attacker to victim ID. 3)
Read more