REST API - Bypasses and Privilege Escalations

REST API security testing

Methodology

API testing | Web Security AcademyWebSecAcademy

PortSwigger-Academy-CheatSheets/API Testing at master · ChrisM-X/PortSwigger-Academy-CheatSheetsGitHub

Bypassing API filter and ACL by rewriting HTTP methods an URLs

X-HTTP-Method: PATCH
X-HTTP-Method-Override: PATCH
X-Http-Method-Override: PATCH
X-HTTP-Method-Override: PATCH
X-Http-Method: PATCH
X-HTTP-Method: PATCH
X-Method-Override: PATCH
X-Original-Method: PATCH
X-Original-URL: /admin/deleteUser
X-Rewrite-URL: /admin/deleteUser

Access Admin Interface

using HTTP headers rewriting trusted client's IP address or Hosts.

JWT Access Token Tampering

JWT Editor : Burp plugin

Available in BApp store, explore also advanced JWT header attacks https://portswigger.net/web-security/jwt#jwt-header-parameter-injections

GitHub - PortSwigger/jwt-editor: A Burp Suite extension and standalone application for creating and editing JSON Web Tokens. This tool supports signing and verification of JWS, encryption and decryption of JWE and automation of several well-known attacks against applications that consume JWT.GitHub

JWT Tool

https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology

python3 ./jwt_tool.py -M pb -t http:/URL:5001/api/method  -pd "{\"propertyId\": 29}" -rh "Authorization: Bearer <TOKEN>" -rh "Content-Type: text/json"

Mass Assignment

Observer object properties and try to set them (search for hidden parameters PARAMMINER)

POST /api/user/create
Host: server
Content-Type: application/json

{ "admin": true}

API Tester

GitHub - OWASP/OFFAT at mainGitHub

Vulnerable API Project to practice with

GitHub - theowni/Damn-Vulnerable-RESTaurant-API-Game: Damn Vulnerable Restaurant is an intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers.GitHub

PreviousLabs NextPython Virtual Environment (VENV)

Last updated 1 month ago

Was this helpful?