OWASP API Security Top 10 (Part 1) — TryHackMe Walkthrough ️
嗯,用户让我帮忙总结一篇文章的内容,控制在一百个字以内,而且不需要用特定的开头。首先,我得仔细阅读这篇文章,理解它的主要内容。 看起来这篇文章主要讲的是API安全测试,提到了几个关键任务。比如Task1是搭建环境,包括Windows虚拟机、Talend API Tester和一个有漏洞的Laravel应用。然后是理解API的基本概念和真实案例,比如LinkedIn和Twitter的数据泄露事件。 接下来是具体的漏洞测试,比如Broken Object Level Authorization(BOLA),Broken User Authentication(BUA),Excessive Data Exposure等。每个任务都有详细的步骤和修复建议。最后是总结五个核心API漏洞,并强调信任假设是导致这些问题的主要原因。 所以,我需要把这些关键点浓缩到100字以内。重点放在环境搭建、漏洞测试、修复方法以及总结上。确保语言简洁明了,直接描述内容,不需要额外的开头。 可能会这样组织:搭建环境进行API安全测试,涵盖多个漏洞如BOLA、BUA等,并提供修复建议和总结信任假设的重要性。 检查一下字数是否在限制内,确保没有遗漏重要信息。这样用户就能快速了解文章的核心内容了。 </think> 文章介绍了一个用于测试API漏洞的实验环境,并详细讲解了多个常见API安全问题及其修复方法,包括Broken Object Level Authorization、Broken User Authentication、数据过度暴露等。通过实际操作演示了攻击过程及防御措施,并强调了信任假设是导致API安全问题的主要原因。 2026-4-9 07:51:59 Author: infosecwriteups.com(查看原文) 阅读量:11 收藏

📌 Task 1 — Introduction

🧠 What’s Happening

You’re basically spinning up a Windows VM + Talend API Tester + vulnerable Laravel app.

➡️ This environment is pre-configured for testing API vulnerabilities.

✅ Outcome

  • Connected to VM successfully
  • Tools auto-launched
  • Ready for API testing

📌 Task 2 — Understanding APIs

🧠 Key Idea

API = bridge between applications.

  • Client sends request
  • Server responds
  • Defined via API documentation

👉 APIs are core building blocks of modern apps

🚨 Real Breaches (Important Insight)

  • LinkedIn → 700M users scraped via API
  • Twitter → 5.4M users exposed
  • PIXLR → 1.9M records leaked

➡️ Lesson: APIs = high-value attack surface

✅ Answers

  • Sample records → 1 million
  • API docs useless? → No (nay)

📌 Task 3 — BOLA (Broken Object Level Authorization)

🧠 Concept

API exposes data using IDs but doesn’t check who is requesting.

➡️ ID change = data leak

⚔️ PoC

Step 1 — Hit Vulnerable Endpoint

GET /apirule1_v/user/1

➡️ Returns user data without any auth check.

Press enter or click to view image in full size

Step 2 — ID Enumeration

GET /apirule1_v/user/2

➡️ Just increment ID → access other users.

Press enter or click to view image in full size

Step 3 — Extract Data

  • Total employees → 3
  • Flag (ID=2) → THM{838123}
  • Username (ID=3) → Bob

⚠️ Why Vulnerable

  • No authorization check
  • Predictable IDs
  • Direct object reference

🔐 Fix

  • Authorization tokens
  • Role validation
  • Use UUIDs

📌 Task 4 — Broken User Authentication (BUA)

🧠 Concept

Login system is flawed — password not validated.

⚔️ PoC

Step 1 — Login with Only Email

POST /apirule2/user/login_v
[email protected]&password=anything

➡️ Login works even with wrong password 💀

Press enter or click to view image in full size

Step 2 — Get Token

cOC%Aonyis%H)mZ&uJkuI?_W#4&m>Y

➡️ Token issued without proper auth.

Step 3 — Use Token

GET /apirule2/user/details
Authorization-Token: <token>

➡️ Full account takeover.

⚠️ Why Vulnerable

  • SQL checks only email
  • Password ignored
  • Token issued blindly

🔐 Fix

  • Validate password properly
  • Use hashing (bcrypt)
  • MFA + JWT

✅ Extra Answer

  • GET request for creds? → No (nay)

📌 Task 5 — Excessive Data Exposure

🧠 Concept

API returns too much information, expecting frontend to filter.

Get Aditya Bhatt’s stories in your inbox

Join Medium for free to get updates from this writer.

Remember me for faster sign in

➡️ Attacker intercepts raw response → gets secrets.

⚔️ PoC

Step 1 — Fetch Comment

GET /apirule3/comment_v/2

➡️ Returns full dataset including hidden fields.

Press enter or click to view image in full size

Step 2 — Extract Sensitive Data

  • Device ID → iOS15.411

Step 3 — Another Record

GET /apirule3/comment_v/3

➡️ Username → hacker#!

Press enter or click to view image in full size

⚠️ Why Vulnerable

  • Backend sends everything
  • No filtering
  • Trusting frontend

🔐 Fix

  • Return minimal data
  • Avoid generic serializers
  • Validate API responses

✅ Answer

  • Network-level fix only? → No (nay)

📌 Task 6 — Lack of Resources & Rate Limiting

🧠 Concept

No request limits → attackers can spam endpoints.

➡️ Leads to DoS or financial abuse.

⚔️ PoC

Step 1 — Send OTP

POST /apirule4/sendOTP_s
[email protected]

➡️ Response → 200

Press enter or click to view image in full size

Step 2 — Invalid Email

POST /apirule4/sendOTP_s
[email protected]
Invalid Email

Press enter or click to view image in full size

⚠️ Why Vulnerable

  • No rate limiting
  • Unlimited requests
  • Resource exhaustion

🔐 Fix

  • Rate limiting (time-based)
  • CAPTCHA
  • Request quotas

✅ Answer

  • Rate limiting at network level? → Yes (yea)

📌 Task 7 — Broken Function Level Authorization

🧠 Concept

User can escalate privileges by manipulating request parameters.

⚔️ PoC

Step 1 — Send Admin Request

GET /apirule5/users_v
Authorization-Token: YWxpY2U6dGVzdCFAISM6Nzg5Nzg=
isAdmin: 1

➡️ Normal user accesses admin data 😶

Step 2 — Extract Data

  • Alice mobile → +1235322323
  • Admin flag → THM{3432$@#2!}

⚠️ Why Vulnerable

  • Trusting client input (isAdmin)
  • No backend role validation

🔐 Fix

  • Enforce RBAC server-side
  • Ignore client-controlled role fields

✅ Answer

  • isAdmin in hidden field safe? → No (nay)

📌 Task 8 — Conclusion

🧠 What You Learned

This lab basically drills 5 core API failures:

  1. BOLA → ID-based data leaks
  2. BUA → Broken login logic
  3. Data Exposure → Too much data returned
  4. No Rate Limiting → Abuse possible
  5. Function Auth → Privilege escalation

Press enter or click to view image in full size

🧾 Final Take (Important)

👉 APIs fail mainly due to trust assumptions:

  • Trusting IDs → BOLA
  • Trusting login → BUA
  • Trusting frontend → Data leak
  • No limits → Abuse
  • Trusting user roles → Admin bypass

文章来源: https://infosecwriteups.com/owasp-api-security-top-10-part-1-tryhackme-walkthrough-%EF%B8%8F-7b232b4ac745?source=rss----7b722bfd1b8d---4
如有侵权请联系:admin#unsafe.sh