[SOLVED] CS6035 Projects / API Security API Security Solution

BACKGROUND:

You’ve been hired by the IPLRA (International Programming Language Review Association) to conduct a security audit of their newly released API. They are excited to finally release an API to the community for developers across the world to leverage. In fact, they see this API as a way to increase the number of reviews they receive by 800%. The only thing standing in their way is a final audit and approval by you. Unfortunately, after only 5 minutes of looking at the API, you’ve found issues and need to report them. Your goal is to bring visibility to these vulnerabilities in their API by finding the flag for each scenario. Good luck on your flag hunt, and we hope you enjoy learning all about modern web APIs.

Note: The IPLRA is not real and we made it up.

SETUP:

To get set up for the flags, carefully follow the steps below.

You will need to switch users. Log into the VM with the following user.

The username, password and VM location are located on Canvas.

Run this at the terminal to start the API

$ ./StartContainer.sh

project_apisecurity.json is available in the /home/apisec/Desktop folder. Put all flags in this file and submit it as your final deliverable.

To access the Web API open Chrome in the VM and navigate to this URL. This is the Swagger documentation page that describes the API and allows for testing: http://localhost:8080/swagger/index.html

Note: You can also click the “Swagger UI” bookmark in Chrome.

GATECH_ID IS A REQUIRED HEADER

NOTE: This is not the Georgia Tech username; it is the GTID, which you can find using the steps in the Required Reading.

Be very careful! When you copy and paste be sure to strip off all leading spaces or special characters.

Submission Details:

File submission instructions:

This project needs to be submitted via Gradescope. Navigate to the course in Canvas, click ‘Gradescope’, click ‘Project API Security’ and submit there.

The contents of the submission file should be the following. There is a project_apisecurity.json file in your vm with a template set up, or you can copy-paste this to your newly created project_apisecurity.json file elsewhere and replace the placeholders with the flags you retrieve from each relevant task.

Note: You can use TextEdit or Vim to create and edit this file. Do not use LibreOffice or any Word Document editor. It must be in proper JSON format with no special characters in order to pass the autograder and these Word Document editors are likely to introduce special characters.

If you can’t find the file in the VM just copy this format below:

{
  "flag1": "<copy flag 1 here>",
  "flag2": "<copy flag 2 here>",
  "flag3": "<copy flag 3 here>",
  "flag4": "<copy flag 4 here>",
  "flag5": "<copy flag 5 here>",
  "flag6": "<copy flag 6 here>",
  "flag7": "<copy flag 7 here>",
  "flag8": "<copy flag 8 here>"
}

An example of what the submitted file content should look like:

{
  "flag1": "4ec60c3e084d8387f0f33916e9b08b99d5264a486c29130dd4a5a530b958c5c0f1faeaca2ce30b478281ec546a4729f",
  "flag2": "f496d9514c01e8019cd2bc21edfeb8e33f4a29af14a8bf92f7b3c14b5e06c5c0f1faeaca2ce30b478281ec546a4729f",
  "flag3": "b621bba0bb535f2f7a222bd32994d3875bcfcad651160c543de0a01dbe2e0c5c0f1faeaca2ce30b478281ec546a4729",
  "flag4": "f38e2cafb43ab4a0a647a8b08fc97bca25aa7cfb517029d5dd02faf49bff5c5c0f1faeaca2ce30b478281ec546a4729",
  "flag5": "1711ee5eb85b9020d1f4193ee6d884abd12a2eadc4890d28c490ae0c36446c5c0f1faeaca2ce30b478281ec546a4729",
  "flag6": "1711ee5eb85b9020d1f4193ee6d884abd12a2eadc4890d28c490ae0c36446c5c0f1faeaca2ce30b478281ec546a4729",
  "flag7": "1711ee5eb85b9020d1f4193ee6d884abd12a2eadc4890d28c490ae0c36446c5c0f1faeaca2ce30b478281ec546a4729",
  "flag8": "f38e2cafb43ab4a0a647a8b08fc97bca25aa7cfb517029d5dd02faf49bff5c5c0f1faeaca2ce30b478281ec546a4729"
}

FLAG 1: Swagger Intro (10 pts)

This flag will introduce you to basic API functionality using a documentation and test harness tool called Swagger. Swagger is a very popular tool used to develop and test web APIs and has plugins/modules in most programming languages. You can learn more about Swagger here: https://swagger.io/

You’ll need to leverage Swagger (or any other http tool you desire such as curl or Postman) to determine how the API is configured and what endpoints to invoke to earn this flag.

Warning: The site doesn’t use file storage or a database; all data is stored in memory. If you crash the web API or restart the VM, any data you have created or modified will be lost and you’ll need to begin again at step 1.

To earn your flag you must perform the following actions by making API calls.

  • Create a new Programming Language that IS featured and is named “Super-AI”
  • Create a review of the new Super-AI language. The title should be “A super language devoted to AI”, rating is 5 and the reviewer is “Luke Skywalker”
  • Reply to the new review by Luke Skywalker. The replier should be “Darth Vadar” and the body “I find your lack of AI disturbing”
  • Finally, delete the new programming language you created and your flag will be revealed.

Hints:

  • Study the API endpoints available to you. Notice the responses, these may be useful to understand what is going on.
  • The GATECH_ID header is required and enforced as such by the Swagger UI test harness.
  • Choose any value for fields not explicitly stated above.
  • Do not include extra quotes or double quotes embedded within the actual value.

FLAG 2: Stolen Credentials (15 pts)

In order to get this flag you need to create a new reviewer in the system. Unfortunately, the developers locked down this functionality some time ago so you’ll need an auth token in order to perform it. You read in the newspaper last week that Programming Reviews LLC had a big data breach so there is a good chance you can come across some credentials.

To earn your flag you must perform the following actions.

  • Use Swagger to find and call/invoke a suitable API endpoint that you feel can create new reviewers.
  • The API requires a token but in order to get a token you need to find suitable credentials. Use the APIs available to you to find these.
  • Now that you’ve found the credentials you need to get that token. Be sure to call/invoke the “flag2token” to get your token.
  • Armed with your token, call the API endpoint once more. Create a new reviewer with user name = “chewie55” and full name = “Chewbacca” and your flag will be revealed.

Hints:

  • Remember there was a data breach. I bet you can find suitable credentials somewhere.
  • Once you find the credentials you may need to do some decoding to get the actual values.
  • Looking for that ClientID? Be sure to follow all directions and inspect any response that the API is sending back.
  • In order to pass in the token you’ll need to set the Authorization Bearer header. Swagger has not been configured to do this. We suggest you use a tool called Postman. This is a very popular web API testing client. You can find more information here:

https://learning.postman.com/docs/getting-started/introduction/

  • You can also use Curl if you’re more comfortable with the command line. We do recommend you at least look at Postman since it will make your life much easier for this project and it’s very popular.
  • Postman is already installed on the VM we have provided.

Add flag2 to the JSON file, and now on to Flag 3!

FLAG 3: JWT Intro (15 pts)

Now that you’ve used an Auth token we’re going to dig a bit deeper into JWT (JSON Web Tokens). This flag is simple and designed only to get you acquainted with how JWTs are constructed. There are numerous resources to help you work with JWTs, one we recommend is https://jwt.io/ but you are not required to use this site for the project. Choose any library, tool or site you wish to inspect and construct JWT tokens.

To earn your flag you must perform the following actions.

  • Call/invoke the “flag3token” GET API to get your token.
  • Parse the token using a tool of your choice.
  • Use values from the token to craft the correct payload and POST that to the “flag3token” API for your flag.

Hints:

  • The intent of this flag is to get you familiar with the JWT token structure. You will need to understand what it is and how to construct/deconstruct these. This will likely require some outside research on your part.

The next few flags will require some trial and error and a bit of research on your part to succeed. Your task is to craft JWT tokens such that you can use the token to successfully authenticate and earn your flag.

FLAG 4: Hack JWTs – #1 (15 pts)

You are a PHP ninja! You can’t get enough of this language. When you learned that others hate it and gave it bad reviews you felt the need to “correct the situation”. You’ve learned of an API that allows you to delete reviews. Muhahahah! The problem is that only the site moderator can do this and you don’t have his credentials. This has not stopped you in the past.

To earn your flag you must perform the following actions.

  • Find the suitable API that will allow you to accomplish your goal above.
  • You have previously registered with the site as a “reviewer” and remember your username is “python_superstar” and password is “The_vulnerabilities_are_false”. Use these to get your token from the “flag4token” API.
  • Analyze the token and do research to find a way to “upgrade” your token so that you can fool the API into thinking you are a “moderator”.
  • Leverage your newly crafted token to delete all of those incriminating PHP reviews and earn your flag.

Hints:

  • Maybe inspecting your token will give you a clue of how the server is handling authorization.

FLAG 5: Hack JWTs – #2 (15 pts)

You’ve learned about a new experimental programming language that is TOP SECRET! This language only requires 1 single keyword to find a polynomial time algorithm to solve any NP-hard problem! You want the 1 million dollar reward for solving this problem and thus need access to this programming language. Find the language.

To earn your flag you must perform the following actions.

  1. The programming language is not returned in normal API calls. In order to see this magical new language you need to leverage the “Top Secret” GET request.
  2. Grab your normal JWT token from the “flag5token” API. Use these credentials: username is “Boba_Fett” and password is “a-good-blaster”
  3. You have the token so why not try to give it a shot? Try to use this token to view Top Secret languages.
    • 403 – Forbidden. You need more help…
  4. Inspect this token. You’ve learned through “insider program language trading” that in order to see TOP SECRET languages you need to provide the following JWT Claim.
    • Claim Name: TOP_SECRET
    • Claim Value: allowed
  5. Alter your token and try it again
    • Hmm, it appears that the server is correctly verifying the signature to ensure it hasn’t been tampered with. Rats!
  6. Good news, the developers of this API are pretty bad at securing safe things like secret keys. Find the secret key.
  7. With the key in hand, properly construct the JWT token with the TOP_SECRET claim.
  8. Leverage your token to finally view the source code of the experimental programming language to earn your 1 million dollars and the flag.

A Postman screenshot showing the response after leveraging a crafted token to view the source code of the experimental programming language. The response body includes the message: 'Congratulations! Flag 5 is: [64-character SHA-256 string]', confirming the revealed flag.

Hints:

  • You need to find the key that’s used to verify the JWT signature. Search through the APIs to see if you can find a trail that leads to it.
  • You need to construct a valid JWT token. You can leverage tools and websites such as jwt.io to perform this or handle it manually. This choice is up to you.
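The three parts a JWT is built from, and the checks a server must run before trusting any claim (the algorithm pinning that defeats a token “upgrade” as in Flag 4, the signature verification Flag 5 runs into, and the RFC 7518 minimum key size that a short numeric key as in Flag 6 violates), as an added Python example that uses only the standard library. This is not the project’s code: the secret, the claim values and the HS256-only policy are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for this demo only; it is not the lab server's key.
SECRET = b"example-signing-key-not-the-labs-key"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(payload: dict, key: bytes) -> str:
    """Build header.payload.signature with HS256 (HMAC-SHA256 over the first two parts)."""
    if len(key) < 32:
        raise ValueError("HS256 keys must be at least 256 bits (RFC 7518 section 3.2)")
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def decode_unverified(token: str):
    """The Flag 3 view: read header and claims. Nothing here proves they are genuine."""
    header, body, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(body))

def verify_jwt(token: str, key: bytes) -> dict:
    """Server-side check: pin the algorithm, verify the MAC, only then return claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pinning HS256 rejects alg=none and any other algorithm substitution.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    # Constant-time comparison; an empty or forged signature fails here.
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(parts[1]))

def claim_allows(token: str, key: bytes, claim: str, value: str) -> bool:
    """Authorization decision made only on verified claims (e.g. TOP_SECRET == allowed)."""
    try:
        return verify_jwt(token, key).get(claim) == value
    except ValueError:
        return False
```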

FLAG 6: Hack JWTs – #3 (10 pts)

You’ve been informed that the system has a weak-key vulnerability: the signing key can be recovered by a brute-force attack. The weak key is the employee ID of one of the developers who wrote the code, chosen on the assumption that no one could guess an employee ID.

A friendly employee in the company has leaked the pattern for the employee ID number: it consists of numeric digits only and can be up to seven digits long. Pass this weak key to the flag6 API and you should get the flag.

To earn your flag you must perform the following actions.

  • Invoke the flag6token API to get the vulnerable token, which is signed with a weak key.
  • Once you have the JWT, carefully analyze the token header and contents and note them down.
  • Explore the various ways of attacking the JWT. Various open source tools can recover a weak key; you are free to use any of these tools or write your own code to recover it.
  • Once you have recovered the weak key, use it to gain access to the API endpoint reserved for third-party usage. Go over the Swagger documentation to look for this endpoint.
  • Once you have the endpoint, pass the weak key as a path parameter to the flag6 API. Once you have done this, you should have the flag as shown in the image below.

Hints:

  • The signing algorithm named in the header of the weak-key token will help you identify the right technique for recovering the key.

Flag 7: Broken Access Control (10 pts)

Like many other systems, this one also maintains user profiles or settings. These profiles may contain sensitive information that can be exploited by malicious hackers to gain unauthorized access to restricted areas of the system. Regrettably, the access control measures for protecting APIs, which ideally should be segmented based on role-based permissions, have been compromised in this system. Your objective is to reset the password of a system administrator user, thereby allowing you to log in as that user and exploit their sysadmin access for your own entertainment and financial gain.

To earn your flag you must perform the following actions.

  • Find an API in Swagger that gives you details of the current user. Inspect the response and take note of any notable identifiers.
  • Given the endpoints available, see if you can modify the input parameters to find other user profiles.
  • Invoke the reset-password API to change the sysadmin user’s password. The new password value doesn’t matter.

There’s a slight catch though. To accomplish this flag, you will need to write a script in any language you want because there are too many users to brute force this flag. There is only one user that will give you Flag 7, so think of this as a needle in a haystack. Some hints on what to account for in your script:

  • The /reset-password endpoint uses a JWT Authorization: Bearer token. Retrieve this token using /flag7token, decode the token and inspect the claims. There is a claim that will need to be modified. Keep this token for your script because it will need to be decoded, modified, and encoded.
  • Using your identifier found in your profile from the previous section, start at this profile and continue to other profiles.
  • There is a /profiles/* endpoint that will give you an upper bound of how many users there are.
  • Continue to get user data from the endpoints and modify the token accordingly each time by retrieving the profile for subsequent users.
  • Using the modified token, continue to invoke the reset-password endpoint for users until you are successful. The endpoint will only return 200 OK for the correct user. When you receive a 200 OK response, you can stop searching and attempting to reset the password.

A successful flag will display a Congratulations message like the following:

Hints:

  • All profiles will be under the Profile APIs in Swagger which are prefixed with /profiles
  • How do most database identifier fields work? Does the data from responses give you any ideas?
  • The language you choose for your script does not matter (i.e. Python, Bash, Javascript). Ideally the language would contain a JWT library that can decode, modify, and encode JWTs.
  • Pay attention to the format parameters of the JWT including the claims, headers, signature, etc.
  • There is no secret for the JWT and all endpoint fetches can ignore SSL verification.
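A defender-side counterpart to the Flag 7 script: detection logic, added here and not part of the project, that flags the request pattern such a script leaves in API access logs (one client walking sequential /profiles/{id} values while collecting denied /reset-password calls). The log line format and the gtid= field are constructed for this example; the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (not from the lab): client ip, GATECH_ID value,
# method, path, status. One client walks profile ids and retries reset-password.
SAMPLE_LOG = """\
10.0.0.5 gtid=903001 GET /profiles/me 200
10.0.0.5 gtid=903001 GET /profiles/1041 200
10.0.0.5 gtid=903001 GET /profiles/1042 200
10.0.0.5 gtid=903001 POST /reset-password 403
10.0.0.5 gtid=903001 GET /profiles/1043 200
10.0.0.5 gtid=903001 POST /reset-password 403
10.0.0.5 gtid=903001 GET /profiles/1044 200
10.0.0.5 gtid=903001 POST /reset-password 200
10.0.0.9 gtid=903777 GET /profiles/me 200
10.0.0.9 gtid=903777 GET /profiles/2200 200
"""

LINE_RE = re.compile(r"^(\S+) gtid=(\S+) (\w+) (\S+) (\d{3})$")
PROFILE_RE = re.compile(r"^/profiles/(\d+)$")

def longest_sequential_run(ids):
    """Length of the longest run in which each id is exactly the previous id + 1."""
    longest = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        longest = max(longest, run)
    return longest

def detect_enumeration(log_text, min_ids=3, min_denied=2):
    """Map client -> list of reasons for clients whose traffic looks like enumeration."""
    ids = defaultdict(list)      # profile ids requested, in order, per client
    denied = defaultdict(int)    # non-200 reset-password attempts per client
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines in another format
        client, gtid, _method, path, status = m.groups()
        key = f"{client}/{gtid}"
        pm = PROFILE_RE.match(path)
        if pm:
            ids[key].append(int(pm.group(1)))
        elif path == "/reset-password" and status != "200":
            denied[key] += 1
    findings = {}
    for key in set(ids) | set(denied):
        reasons = []
        run = longest_sequential_run(ids.get(key, []))
        if run >= min_ids:
            reasons.append(f"{run} sequential profile ids")
        if denied[key] >= min_denied:
            reasons.append(f"{denied[key]} denied password resets")
        if reasons:
            findings[key] = reasons
    return findings
```

The server-side fix is separate from detection: the reset handler must derive the target account from the verified token subject, not from a caller-supplied identifier or an unverified claim.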

Resources:

Flag 8: Server Side Request Forgery (SSRF) (10 pts)

Rumor has it that the IPLRA hosts a hidden application on an HTTP web server running inside its containerized environment. This application is only accessible from within the container and cannot be directly reached from the outside world. However, vulnerabilities within the IPLRA API might allow an attacker to discover this application.

To earn your flag you must perform the following actions.

  1. Identify and use a set of suitable API endpoints to locate and interact with this hidden application.

A successful flag will display a Congratulations message like the following:

Hints:

  • What are some “common HTTP ports” a web server could be running on?
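What the IPLRA API is missing on the server side of Flag 8: an outbound-URL guard, added here as an example and not taken from the project, that refuses loopback, private and link-local destinations and pins scheme and port before any server-side fetch. The allowed port set and the injectable resolver are assumptions for the demo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy for the demo: only http(s), only the plain web ports.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

def is_blocked_address(ip):
    """True for anything a server-side fetch must never reach: loopback (the hidden
    in-container app), RFC 1918 space, link-local, multicast, reserved, unspecified."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def check_outbound_url(url, resolve=socket.getaddrinfo):
    """Return (ok, reason) for a URL the API is asked to fetch on a user's behalf.
    `resolve` is injectable so the check can be exercised without DNS."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IPv4 or IPv6
    except ValueError:
        try:
            # Check every address the name resolves to, not just the first one.
            addrs = [ipaddress.ip_address(a[4][0].split("%")[0]) for a in resolve(host, port)]
        except OSError:
            return False, "host does not resolve"
    for ip in addrs:
        if is_blocked_address(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"
```

Resolving once and connecting later still leaves a DNS rebinding window; a production guard should hand the checked address, not the hostname, to the HTTP client.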

Resources:

Security/editions/2023/en/0xa7-server-side-request-forgery/