Looking for REST API vulnerabilities

API vulnerabilities are common entry points for exploitation. OWASP API Top 10 compiled list. We have to explore for all the cases to see if there is any vulnerability.

Exploration 1

In one of the above sections, we explored view balance API.

decrypt("Gk8SDggaEhJPWwFLDQgFCENAW15XTU8MHxodBgYIQ0BLPRICDgQJGkwaTU8FGx0PRVsWQxgIAgYPDgRYU19XUV1RVksPBAICFBQdMQkUAAMfG0xdUllQQlFdGhw=")

View balance decrypt nodejs

Let's see if we can view balance of other users. If you see the intercepted request, there is no body or query string in the request made to view balance. But we can see the Authorization header.

In my case, the authorization header is eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InVzZXIxIiwiaXNfYWRtaW4iOmZhbHNlLCJpYXQiOjE2MjMzMzU4NDV9.lHjjBagQ2OYREBBDl0LXUNLNn1nD6nI4KMxgFlfXRWU. This looks like JWT token. Let's decrypt this JWT token.

Decode JWT user1

As you can see we have a field name "username":"user1". Since there is no body/query parameter in the intercepted request, there is high possibility that the application is extracting username from the authorization header. Let's change the username to user2, rebuild the request and then send it.

Encode JWT user2

Copy this JWT token and replace the Authorization header with this value and resend the request.

User2 JWT view balance repeater

We will receive an encrypted response, copy that and pass it to your NodeJS script for decryption.

User2 response decryption

As we can see above, it throws 403 error and says the signature doesn't match. It means the signature is getting validated on the backend and we can't tamper with the Authorization token. It doesn't mean authorization is happening in all endpoints. It might happen, it might not happen, as a security expert its your job to verify them all.

Similarly you can explore the remaining scenarios.