Play link: https://api-hacker-hame.vercel.app/
An e-commerce platform for online stores (shops) provides a listing page with the items of their hosted shops. Inspecting the browser requests, an attacker can identify the API endpoint used as the data source for those listings and its pattern `/eshop/items/{owner_name}`.

Using another API endpoint, the attacker can get the list of all hosted shop names. With a simple script that iterates over the names in the list, replacing `{owner_name}` in the URL, the attacker gains access to the sales data of thousands of e-commerce stores.
An e-commerce platform exposes an `/eshop/AllItems` endpoint that a view calls to render all shop metadata.

An attacker finds out that sensitive data related to other users' items is also returned. The endpoint implementation uses a generic `toJSON()` method on the `User` model, which contains PII, to serialize the object.
We have an application that calls `/eshop/AllItems` to get all items in the shop.

An attacker keeps calling the endpoint, causing performance issues on the database. Meanwhile, the API becomes unresponsive and is unable to handle further requests from this or any other client (a denial of service, DoS).
The user profile update application triggers an API call to `POST /eshop/user/update` with the JSON body `{display_name: 'eric', username: 'eric248550', password: 'pass123', role: 'shop owner', balance: 100}`.

An attacker uses the same endpoint and tampers with the body, sending `POST /eshop/user/update` with the JSON `{display_name: 'eric', username: 'eric248550', password: 'pass123', role: 'admin', balance: 100}`.

This endpoint should only be accessed by administrators using the admin console, but it does not implement function level authorization checks. The attacker exploits the issue and sends himself an invite to create an admin account.
After redesigning their applications, a local search service left an old API version (`api.someservice.com/`) running, unprotected, and with access to the user database. While targeting one of the latest released applications, an attacker found the API address (`api.someservice.com/v2`). Replacing `v2` with `v1` in the URL gave the attacker access to the old, unprotected API, exposing the personally identifiable information (PII) of over 100 million users.
We have an application with basic CRUD functionality, including a get-user operation. An attacker managed to identify that SQL injection might be possible through the `userName` parameter of the get-user request. This is what the request looks like: `GET /eshop/sql/getUser/{username}'`.

The API server uses the following function to handle the SQL request:
```javascript
app.get('/eshop/sql/getUser/:userName', cors, async (req, res) => {
  try {
    const { userName } = req.params;
    // The path parameter is spliced straight into the statement text,
    // so a quote in the username changes the query itself (SQL injection).
    const user = await utils.postgreDB_530(`SELECT * FROM shop_member WHERE username='${userName}'`);
    res.status(200).send(user[0]);
  } catch (e) {
    console.error(e);
    res.status(500).send({
      "error": 'unexpected error',
    });
  }
});
```
The attacker intercepted the request and changed the `userName` parameter. In this case, the attacker managed to get another user's data or delete some data.
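The hardened counterpart of that handler, added here as an example and not taken from the game's code: the statement text stays fixed and the username is passed as a bound value (the `query(text, values)` shape used by node-postgres). `runQuery` and the `shopMembers` rows are constructed stand-ins for `utils.postgreDB_530` and the database so the block runs offline.

```javascript
const USERNAME_RE = /^[A-Za-z0-9_]{1,32}$/;

// Constructed sample rows standing in for the shop_member table.
const shopMembers = [
  { username: 'eric248550', display_name: 'eric', role: 'shop owner' },
  { username: 'alice', display_name: 'Alice', role: 'shop owner' },
];

// Vulnerable shape from the page: the value becomes part of the statement text.
function buildUnsafeQuery(userName) {
  return { text: `SELECT * FROM shop_member WHERE username='${userName}'`, values: [] };
}

// Hardened shape: fixed statement text, the value travels separately as $1.
// Input that cannot be a username is rejected before it reaches the database.
function buildSafeQuery(userName) {
  if (typeof userName !== 'string' || !USERNAME_RE.test(userName)) {
    throw new RangeError('invalid username');
  }
  return { text: 'SELECT * FROM shop_member WHERE username = $1', values: [userName] };
}

// Stand-in for utils.postgreDB_530 (name taken from the page): it only
// executes the bound form, so there is no statement text to inject into.
function runQuery(q) {
  if (q.text !== 'SELECT * FROM shop_member WHERE username = $1' || q.values.length !== 1) {
    throw new Error('only the parameterized lookup is supported');
  }
  return shopMembers.filter((m) => m.username === q.values[0]);
}

// Handler logic split out so it can be tested without Express:
// returns the status and body the route would send.
function lookupUser(userName) {
  let q;
  try {
    q = buildSafeQuery(userName);
  } catch (e) {
    // A trailing quote (the page's {username}' request) is now a 400,
    // not a 500 caused by a broken SQL statement.
    return { status: 400, body: { error: 'invalid username' } };
  }
  const rows = runQuery(q);
  return rows.length ? { status: 200, body: rows[0] } : { status: 404, body: { error: 'not found' } };
}

// Express route using it: app.get('/eshop/sql/getUser/:userName', cors, getUserRoute)
function getUserRoute(req, res) {
  const r = lookupUser(req.params.userName);
  res.status(r.status).send(r.body);
}
```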
```
$ npm install
$ npm run dev
```

This command starts a local development webpack server and opens up a browser window. Most changes are reflected live without having to restart the server.

```
$ npm run build
```

This command generates static content into the `dist` directory, which can be served using any static content hosting service.

```
$ npm run start
```

This command serves the static content in the `dist` directory with a Node.js Express server.
- Source
  - Libraries used: node-fetch, react-syntax-highlighter, express, postgreSQL
- Research
  - https://owasp.org/www-pdf-archive/API_Security_Top_10_RC_-_Global_AppSec_AMS.pdf
    - API security project that explores the 10 most important API security issues.
    - I selected 7 issues that I think are necessary.
  - https://github.com/OWASP/API-Security
    - A handbook about API security and example scenarios.
    - This game looks into the example scenarios and works out how to implement them in the game.
  - Game Engagement Theory and Adult Learning
    - Learning Engagement Factors
      - Gaming user experience
      - Learning game flow theory
        - Clear instruction
        - Hint and source code conduct
    - Engagement model
      - The mock window makes users engaged.
      - UI design makes users feel engaged.