|
| 1 | +# Intro |
| 2 | + |
| 3 | +This is the crAPI challenge page. |
| 4 | + |
| 5 | +crAPI (Completely Ridiculous Application Programmer Interface) defines an API which is intentionally vulnerable to the OWASP API Top 10 vulnerabilities. crAPI is meant to illustrate and educate by presenting these issues for you to discover and exploit. |
| 6 | + |
| 7 | +The crAPI challenge is for you to find and exploit as many of these vulnerabilities as you can. |
| 8 | + |
| 9 | +There are two approaches to hack crAPI - the first is to look at it as a complete black box test, where you get no directions, but just try to understand the app from scratch and hack it. |
| 10 | + |
| 11 | +The second approach is using this page, which will give you an idea about which vulnerabilities exist in crAPI and will direct you on how to exploit them. |
| 12 | + |
| 13 | +# Challenges |
| 14 | + |
| 15 | +## BOLA Vulnerabilities |
| 16 | + |
| 17 | +### Challenge 1 - Access details of another user’s vehicle |
| 18 | + |
| 19 | +To solve the challenge, you need to leak sensitive information of another user’s vehicle. |
| 20 | + |
| 21 | +* Since vehicle IDs are not sequential numbers, but GUIDs, you need to find a way to expose the vehicle ID of another user. |
| 22 | + |
| 23 | +* Find an API endpoint that receives a vehicle ID and returns information about it. |
| 24 | + |
| 25 | +### Challenge 2 - Access mechanic reports of other users |
| 26 | + |
| 27 | +crAPI allows vehicle owners to contact their mechanics by submitting a "contact mechanic" form. This challenge is about accessing mechanic reports that were submitted by other users. |
| 28 | + |
| 29 | +* Analyze the report submission process |
| 30 | + |
| 31 | +* Find an hidden API endpoint that exposes details of a mechanic report |
| 32 | + |
| 33 | +* Change the report ID to access other reports |
| 34 | + |
| 35 | +## Broken User Authentication |
| 36 | + |
| 37 | +### Challenge 3 - Reset the password of a different user |
| 38 | + |
| 39 | +* Find an email address of another user on crAPI |
| 40 | + |
| 41 | +* Brute forcing might be the answer. If you face any protection mechanisms, remember to leverage the predictable nature of REST APIs to find more similar API endpoints. |
| 42 | + |
| 43 | +## Excessive Data Exposure |
| 44 | + |
| 45 | +### Challenge 4 - Find an API endpoint that leaks sensitive information of other users |
| 46 | + |
| 47 | +### Challenge 5 - Find an API endpoint that leaks an internal property of a video |
| 48 | + |
| 49 | +In this challenge, you need to find an internal property of the video resource that shouldn’t be exposed to the user. This property name and value can help you to exploit other vulnerabilities. |
| 50 | + |
| 51 | +## Rate Limiting |
| 52 | + |
| 53 | +### Challenge 6 - Perform a layer 7 DoS using ‘contact mechanic’ feature |
| 54 | + |
| 55 | +## BFLA |
| 56 | + |
| 57 | +### Challenge 7 - Delete a video of another user |
| 58 | + |
| 59 | +* Leverage the predictable nature of REST APIs to find an admin endpoint to delete videos |
| 60 | + |
| 61 | +* Delete a video of someone else |
| 62 | + |
| 63 | +## Mass Assignment |
| 64 | + |
| 65 | +### Challenge 8 - Get an item for free |
| 66 | + |
| 67 | +crAPI allows users to return items they have ordered. You simply click the "return order" button, receive a QR code and show it in a USPS store. |
| 68 | +To solve this challenge, you need to find a way to get refunded for an item that you haven’t actually returned. |
| 69 | + |
| 70 | +* Leverage the predictable nature of REST APIs to find a shadow API endpoint that allows you to edit properties of a specific order. |
| 71 | + |
| 72 | +### Challenge 9 - Increase your balance by $1,000 or more |
| 73 | + |
| 74 | +After solving the "Get an item for free" challenge, be creative and find a way to get refunded for an item you never returned, but this time try to get a bigger refund. |
| 75 | + |
| 76 | +### Challenge 10 - Update internal video properties |
| 77 | + |
| 78 | +After solving the "Find an API endpoint that leaks an internal property of videos" challenge, try to find an endpoint that would allow you to change the internal property of the video. Changing the value can help you to exploit another vulnerability. |
| 79 | + |
| 80 | +## SSRF |
| 81 | + |
| 82 | +### Challenge 11 - Make crAPI send an HTTP call to "[www.google.com](www.google.com)" and return the HTTP response. |
| 83 | + |
| 84 | +## NoSQL Injection |
| 85 | + |
| 86 | +### Challenge 12 - Find a way to get free coupons without knowing the coupon code. |
| 87 | + |
| 88 | +## SQL Injection |
| 89 | + |
| 90 | +### Challenge 13 - Find a way to redeem a coupon that you have already claimed by modifying the database |
| 91 | + |
| 92 | +## Unauthenticated Access |
| 93 | + |
| 94 | +### Challenge 14 - Find an endpoint that does not perform authentication checks for a user. |
| 95 | + |
| 96 | +## JWT Vulnerabilities |
| 97 | + |
| 98 | +### Challenge 15 - Find a way to forge valid JWT Tokens |
| 99 | + |
| 100 | +JWT Authentication in crAPI is vulnerable to various attacks. Find any one way to forge a valid JWT token and get full access to the platform. |
| 101 | + |
| 102 | +## LLM Vulnerabilities |
| 103 | + |
| 104 | +### Challenge 16 - Use the chatbot to do a successfull prompt injection |
| 105 | + |
| 106 | +Chatbot is vulnerable to prompt injection. Inject a malicious prompt in your query to do a client side rendering injection. |
| 107 | + |
| 108 | +### Challenge 17 - Extract the credentials of another user using chatbot |
| 109 | + |
| 110 | +Extract the credentials of another user and check their orders. |
| 111 | + |
| 112 | +### Challenge 18 - Make the chatbot do an action on behalf of another user. |
| 113 | + |
| 114 | +Use the chatbot to perform an action like placing order on behalf on another user. |
| 115 | + |
| 116 | +## << 3 secret challenges >> |
| 117 | + |
| 118 | +There are two more secret challenges in crAPI, that are pretty complex, and for now we don’t share details about them, except the fact they are really cool. |
0 commit comments