Mass Assignment in vAPI
In this article, we are going to walk through and exploit the Mass Assignment vulnerability in vAPI.
Before proceeding, we will assume that the project (vAPI, Burp Suite, Postman) is installed and configured properly and everything is in good shape to start with.
- Definition:
This is a vulnerability in which an attacker appends extra parameters to a request and the backend binds them onto the target object without checking, letting the attacker assign rights or values (roles, balances, flags) to entities they are not authorized to modify, which results in privilege escalation.
- Understanding scenario
The first step is to analyze the API request structure manually in Postman. We started with the Create User request; from looking at it we can see that it is a normal user-creation POST request with the parameters name, username, and password, so we created one test user with arbitrary information.
According to the response, it created a user with the specified username and assigned it an id. Now let’s look at the Get User request. Because no user input is required, we made the request directly, and in the response we discovered that after user creation the backend method assigns the account a parameter named credit, which is initially 0. Nice Nice! It appears that we have discovered something we can use.
Based on our findings, we may assume that if the create user API is vulnerable to Mass Assignment, then we can create and assign an arbitrary quantity of credits to our account at the time of creation.
- Attacking
Simply, we created a new account in Create User with different credentials, inserted an extra parameter credit with an arbitrary value (as seen in the figure below), and sent the request. BOOM!! The request was accepted, and an id was assigned.
Now it’s time to see if the credit assignment was successful or not. So we sent the Get User request as is, and in return, we received 1000 credits for our newly established account with a flag.
I wish my bank account was vulnerable in this way.
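To make the root cause concrete, here is an added example (not vAPI's own code, and not from the author of this walkthrough) of a minimal create-user handler written two ways: one that binds every JSON key the client sends onto the user record, which is exactly the behaviour exploited above, and one that binds only an explicit allow-list of fields and records anything unexpected for detection. The `User` shape, the `ALLOWED_CREATE_FIELDS` allow-list, the `UserStore` class and the sample request body are all assumptions made for illustration.

```python
"""Mass assignment: vulnerable create-user handler beside a hardened one.

Everything here is constructed for illustration; the field names and the
User record are assumptions, not vAPI's real model.
"""
import json
from dataclasses import dataclass, asdict

# Assumed allow-list: the only fields a client may set when creating a user.
ALLOWED_CREATE_FIELDS = {"name", "username", "password"}


@dataclass
class User:
    id: int
    name: str = ""
    username: str = ""
    password: str = ""
    credit: int = 0  # server-managed balance; must never come from the client


class UserStore:
    def __init__(self) -> None:
        self._next_id = 1
        self.users: dict[int, User] = {}
        self.audit_log: list[dict] = []  # where dropped/rejected fields are recorded

    def _new_user(self) -> User:
        user = User(id=self._next_id)
        self._next_id += 1
        self.users[user.id] = user
        return user

    def create_user_vulnerable(self, body: str) -> User:
        """Binds every key in the request body that matches an attribute.

        An extra "credit" key in the JSON lands straight on the record, which
        is the mass-assignment behaviour the walkthrough above exploits.
        """
        user = self._new_user()
        for key, value in json.loads(body).items():
            if hasattr(user, key):
                setattr(user, key, value)
        return user

    def create_user_hardened(self, body: str, strict: bool = False) -> User:
        """Binds only allow-listed fields.

        Unexpected keys are either dropped and logged (default) or, in strict
        mode, cause the whole request to be rejected with a ValueError.
        """
        data = json.loads(body)
        unexpected = sorted(set(data) - ALLOWED_CREATE_FIELDS)
        if unexpected:
            # Detection hook: unknown keys on a create request are a signal
            # worth alerting on, whether or not the request is rejected.
            self.audit_log.append({"username": data.get("username"),
                                   "dropped": unexpected,
                                   "rejected": strict})
            if strict:
                raise ValueError(f"unexpected fields: {unexpected}")
        user = self._new_user()
        for key in ALLOWED_CREATE_FIELDS & set(data):
            setattr(user, key, data[key])
        return user

    def get_user(self, user_id: int) -> dict:
        """Response view of a user; the password hash is never echoed back."""
        record = asdict(self.users[user_id])
        record.pop("password")
        return record


# Constructed request body mimicking the tampered Create User call above.
TAMPERED_BODY = json.dumps({"name": "test", "username": "tester",
                            "password": "pw", "credit": 1000})


def demo() -> tuple[int, int]:
    """Returns (credit on the vulnerable path, credit on the hardened path)."""
    store = UserStore()
    vulnerable = store.create_user_vulnerable(TAMPERED_BODY)
    hardened = store.create_user_hardened(TAMPERED_BODY)
    return (store.get_user(vulnerable.id)["credit"],
            store.get_user(hardened.id)["credit"])


if __name__ == "__main__":
    print(demo())  # (1000, 0)
```

The fix is the allow-list, not a deny-list of known-dangerous fields: new server-managed attributes added later (a role, an `is_admin` flag) stay protected without anyone remembering to block them. Logging the dropped keys gives the SOC a cheap signal, since legitimate clients have no reason to send fields the API does not document; strict rejection is the safer default for financial endpoints.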
Improper Asset Management in vAPI https://medium.com/@evilprince007/improper-asset-management-in-vapi-13da22bbc330