- Get attacker auth token
- Add it in dashboard
- Select endpoint in the inventory (PATCH reviews)
- Review the payload once.
- Look at the original review (this is the original review)
- Run test by selecting one BOLA case - BOLA by changing auth token
- Look at the test results - API is vulnerable
- Test result and attack attempt
- Look at the edited review on the dashboard (some review edited for the first time)
Bola.by.changing.auth.token.mp4
- Open the API collection that you want to test for vulnerabilities.
- Click on Run test button.
- Select only Broken Function level authorization by changing HTTP method test.
- Count to 10-Mississippi for Test results.
- Analyze the High severity issues.
- Here, we selected the /api/cards endpoint that fetches all the credit card info from all users.
BFLA.by.changing.http.method.mp4
- Set attacker token
- Observe api (Feedbacks endpoint in this case)
- Select this endpoint
- Click on Run test with just Broken Auth
- Wait for test result
- Check original attempt has auth token
- Test attempt doesn't have token, yet it succeeded - Broken user authentication vulnerability found. π
Broken.Authentication.by.removing.auth.token.mov
- Click on run and select swagger file detection test
- Go to testing and wait for a minute for test results
- Click on the failed test - Assets found on page
- Click on the Attempt tab to see the test API call
- The response contains HTML page with swagger details
- Verify it by actually entering the URL
π Detected unprotected swagger file!
Swagger.detection.mp4
- Look at the original data - last name is "johnson"
- Select the endpoint you want to test for JWT None attack
- Click on Run test and select JWT None algo attack
- Look at the test results - 1 HIGH severity issue found
- Akto made 4 attempts - 1 succeeded with 200 OK
- Refresh website, notice lastname changed from "johnson" to "victim"
- Look at the attack again, check the token on http://JWT.io
- Observe algo=none
π JWT None algo vulnerability found
Untitled.Project.mp4
- Select a POST order endpoint
- Select the Broken Authentication test - JWT failed to verify signature
- Go to test results. Observe that there is a high vulnerability issue
- Check the Original tab - the original token signature starts with "HQq0"
- Check Attempt tab - gives 200 OK response with signature starting with "aQq0" - this is invalid signature, yet server accepted
JWT.invalid.signature.test.1.mp4
- Select BOLA by parameter pollution
- Run test.
- Check results
- The original request has 3 params.
- Attempt request has 6 params - all occurring twice with a diff "BasketId" value.
- This results in a success response
- The victim's cart has a new product added now!
π Vulnerable API
BOLA.by.Parameter.Pollution.mp4
- Select the list of endpoints
- Select Old version API tests.
- Go to the test results section
- Check details for the vulnerability
- Notice that original endpoint uses v2 - /api/v2/users
- Navigate to Attempt tab
- Notice that /api/v1/users also returns 200 OK with the flag
π BOLA in old api versions
Old.Api.versions.test.mp4
- Select the Django-exposed-debug-page test and run it
- Wait for the result
- Check the Attempt tab and look for debug details in the response
- Check details for the vulnerability
- Observe we open the debug page - with details of modules, and inner workings of Django server code
π django-exposed-debug-page
Django.exposed.debug.page.mp4
- Select the API Collection you want to test
- Select Open-redirect test under Security Misconfiguration and click on run test
- Navigate to testing. Notice, Akto has found all the APIs which have open redirects
- Click on the vulnerability to see details.
- Notice that the original request redirects to GitHub
- Navigate to Attempt tab. Notice Akto tries a test to redirect to evil. com
- See the attempt succeeds! Server returns 302 with location evil. com.
π API is vulnerable!
Open.redirects.1.mp4
- Select the API collection you want to test
- Select "Pagination Misconfiguration" test under "Rate limiting" category.
- Run the test and navigate to testing tab.
- Click on the test result. Notice this is possible DoS.
- In the original request, API asks for 10 results & the response contains 10 objects
- In the attack request, API asks for 100 results. Server accepts this request & sends 100 objects in return
π API is vulnerable!
Possible.DOS.mp4
- Select endpoints you want to test for security misconfiguration
- Select the misconfiguration test - Prometheus metrics.
- Go to test results, wait for a few seconds.
- Open the test result "configs" which is a vulnerable result.
- Check the Attempt payload and its response - Notice all metrics of Juiceshop exposed.
π API is vulnerable!
Security.Misconfiguration.-.Exposed.Metrics.endpoint.1.mp4
- Select your API collection.
- Run SSRF test on your collection.
- Akto runs this test only on those endpoints which take in a URL parameter.
-
- Navigate to test results.
- Note the original response has no sensitive keywords such as instance-type etc.
- In the attempt, notice that the response has sensitive data such as instance-type, local-hostname, local-ipv4.
π API is vulnerable!