API2:2019 — Broken Authentication II
Hello all, today we will be looking into another critical vulnerability from the OWASP API Security Top 10: Broken Authentication.
The Issue:
“Poorly implemented API authentication allows attackers to assume other users’ identities.”
Reference: https://apisecurity.io/encyclopedia/content/owasp/api2-broken-authentication.htm
Lab Scenario
We have set up the below scenario in our Attack-Defense labs for our students to practice. The screenshots have been taken from our online lab environment.
This lab environment consists of a Banking WebApp. The webapp allows users to update their password and email ID after a successful login. The issue is that for one of the update requests, the API doesn’t require the authorization token to be passed. This allows anyone to make that request and reset the password of other users without being authorized to do so.
Note: The authorization system relies on a scope claim in the issued token. If the token issued to a user has the scope “account-write”, they get write access to the account; if it has the scope “account-read”, they get read-only access to the account.
Objective: Leverage the vulnerability to hijack admin’s account and retrieve the Golden Ticket from the Bank API!
Solution:
Step 1: Check the IP address of the machine.
Command: ifconfig
The IP address of the machine is “192.248.164.2”
In this lab the target sits on the next address in the same subnet, so the Banking WebApp is running on “192.248.164.3”, at port 5000.
Step 2: Viewing the Banking WebApp.
Open the following URL in firefox.
URL: http://192.248.164.3:5000
Step 3: Configuring the browser to use the BurpSuite proxy so that BurpSuite intercepts all requests made to the API.
Launch BurpSuite.
Select Web Application Analysis > burpsuite
The following window will appear:
Click Next.
Finally, click Start Burp in the following window:
The following window will appear after BurpSuite has started:
Configure the browser to use the Burp proxy listener as its HTTP Proxy server.
Open the browser preference settings and search for network proxy settings.
Select Manual Proxy Configuration and set the HTTP Proxy address to localhost and the port to 8080.
Click OK.
Everything required to intercept the requests has been set up.
Step 4: Interacting with the Banking API using the WebApp.
Log in to the web app using the provided credentials:
Username: elliot
Password: elliotalderson
Note: Make sure that intercept mode is on in BurpSuite.
Notice the corresponding requests in BurpSuite. Forward them one at a time and view the changes reflected in the web app.
Click on the Check Balance button.
Forward above request.
Click on Get Golden Ticket button.
Forward the above request.
Notice that a JWT Token is sent in the request.
JWT Token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJEdW1teSBCYW5rIiwiYWNjdCI6MTMzNywic2NvcGUiOiJhY2NvdW50LXJlYWQiLCJleHAiOjE1NzU4ODcwODgsImlhdCI6MTU3NTg4NjQ4OH0.iMbfch1vv3DvNiWBmpBWace-YosFJba6la-X5hJFfzno6eWSggOC8AMryRlF8AtrAS7ykMgcsLjsRuX22MqovbrbUMjnkVQ8Ron_sJu2JyHKRh62H7uSXt54s-cx6lAFLGlvUxjfhTqo2cSaNXBsSqcRhi4oiiseHRFX5b342nD9pXL-9RaRv7JxJkIgdgUzEtCOnq4U5-cAOzEHKoksBh2EiLzV08J2bS8HZ3YL9gaZZCqWl9y-JDYHWffNv8ljz57nr1KSlpb7xN5bLKhyKQpMJ85Csf2R3ePybE-fcVquXyLVr4myz2_dOiNR0Jpwr47nW2aGNFTi32A6YxQYmw
Visit https://jwt.io and decode the token obtained above. A JWT’s header and payload are only base64url-encoded, so reading them needs no key; on a real engagement, decode tokens locally rather than pasting them into a third-party site.
Notice that the token has a scope claim and it is set to the value “account-read”. The acct claim is 1337, the issuer is “Dummy Bank”, and the header shows the signing algorithm RS256.
Forward the above request and view the changes reflected on the web page.
As mentioned in the challenge description:
“The authorization system used relies on a scope parameter in the issued token. If the token issued to a user has the scope of “account-write”, then they get write access on the account, else, for scope of “account-read”, the user gets read-only access to the account.”
And the token obtained above has scope set to “account-read”.
This means that the user above (“Elliot Alderson”) has only read-only access to the account. Therefore, he can only read his account balance.
Step 5: Resetting password for Elliot.
Set the password to 123.
Forward the above request.
Notice that the above request doesn’t contain any token. It just sends the user’s details (username and email ID) along with the new password to the “/updatepassword” endpoint.
Forward the above request.
Notice that the password got successfully updated.
Step 6: Resetting the password for admin user.
Reset the password for Elliot again:
Check the corresponding request in BurpSuite.
Forward the above request.
Check the changes reflected on the web page.
Click on the Update Profile button.
Set the new password as 1234.
Check the corresponding request in BurpSuite:
Forward the above request.
Send the above request to Repeater and turn off the intercept mode:
Notice on the web page a pop-up gets displayed acknowledging that the password has been updated successfully.
Navigate to the Repeater window and send a request again after editing the data sent:
Modify the Email ID sent in the request and set it to the Email ID of the admin user.
Send the modified request.
Notice the response. It reflects that the password has been updated successfully: since the request carries no token, the server has no way of knowing that it was not the admin user asking.
Log in to the web app again as the admin user, using the admin user’s updated credentials:
Click on Check Balance button.
Note: Run the Burp Proxy in intercept mode for this request to get the JWT token passed in the request.
Notice that a JWT Token is passed in this request.
JWT Token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJEdW1teSBCYW5rIiwiYWNjdCI6OTk5OSwic2NvcGUiOiJhY2NvdW50LXdyaXRlIiwiZXhwIjoxNTc1OTIwMTUxLCJpYXQiOjE1NzU5MTk1NTF9.APvJzbdMcRJNpgFlwQ3GQgSEDSf6MnKVp7cNCsLDSKpajPT35guHzw2VDErCytkU5NS2913qE_herqY3jtHlmkHgeGzHbU_uOOZNfz1c7uAR0szfg2T-lLCXdotJsKnmdKGlwzOElgev4MFoCdYS6LTOhz46sNRhYweeA6ZlmPz0kA25lMJmhG0sKaL4o_4S9VWzMOz0WpEvjBHoldDJfIMDympbuyzDNlFfu2eiTMQ5CtTRjPQwz59uOqRRgN2mBSPv8YuQSubHPhSUwyl7pHShBjaTxgoJVbbYcOP-Q3Yd0GBEgskMydPypa6jlbmHWTMc1-QEMqGuqdrOhYmgqA
Decoding this token using https://jwt.io:
Notice that this token has a scope of “account-write”.
Forward the above intercepted request.
The account balance of admin user is $6000.
Step 7: Increasing the balance for admin user’s account and retrieving the Golden Ticket.
In the challenge description, it is mentioned that the /balance endpoint supports a POST request as well. That request is used to modify the account balance.
Send a POST request to the /balance endpoint and modify the balance of admin’s account and set it to a value greater than 5000000:
Command: curl -X POST -H "Content-Type: application/json" http://192.248.164.3:8081/balance -d '{"acct": 9999, "balance": 100000000, "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJEdW1teSBCYW5rIiwiYWNjdCI6OTk5OSwic2NvcGUiOiJhY2NvdW50LXdyaXRlIiwiZXhwIjoxNTc1OTIwMTUxLCJpYXQiOjE1NzU5MTk1NTF9.APvJzbdMcRJNpgFlwQ3GQgSEDSf6MnKVp7cNCsLDSKpajPT35guHzw2VDErCytkU5NS2913qE_herqY3jtHlmkHgeGzHbU_uOOZNfz1c7uAR0szfg2T-lLCXdotJsKnmdKGlwzOElgev4MFoCdYS6LTOhz46sNRhYweeA6ZlmPz0kA25lMJmhG0sKaL4o_4S9VWzMOz0WpEvjBHoldDJfIMDympbuyzDNlFfu2eiTMQ5CtTRjPQwz59uOqRRgN2mBSPv8YuQSubHPhSUwyl7pHShBjaTxgoJVbbYcOP-Q3Yd0GBEgskMydPypa6jlbmHWTMc1-QEMqGuqdrOhYmgqA"}'
Notice the account balance now:
Note: Turn off the intercept mode in Burp Proxy for all further requests.
The balance was updated successfully.
Since the balance is now greater than $5000000, the Golden Ticket can be retrieved.
Golden Ticket: This_Is_The_Golden_Ticket_796b9c54a4e46dd08efe9b7dfc86f05a
That was great! But how do we avoid the issue in the first place?
The issue was that no token was required on the password update request, so the user was never authenticated before their password was changed, and the account to update was taken from an email ID supplied by the client.
Therefore, the fix is to require a valid JWT on the /updatepassword endpoint (verify the signature and the expiry), to take the target account from the token’s acct claim rather than from anything in the request body, and to require the “account-write” scope for the change. Note how the unauthenticated reset turned a read-only token into full account takeover: once the admin’s password was known, the API happily issued an “account-write” token for account 9999.
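As an added example (not the lab’s code), the following Python puts the two technical halves of this write-up together: decoding the captured tokens’ claims locally, as done on jwt.io in Step 4, and the /updatepassword handler as the lab describes it beside a hardened version. The lab’s tokens are RS256; so that the demo runs offline with only the standard library, it mints and verifies HS256 tokens with a shared secret. That substitution is an assumption and does not change the handler logic. The account records, email addresses and signing secret are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import time

# The two tokens captured in the walkthrough above. They are RS256-signed; without the
# bank's public key we can only read the claims, which is also all that jwt.io shows.
ELLIOT_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJEdW1teSBCYW5rIiwiYWNjdCI6MTMzNywic2NvcGUiOiJhY2NvdW50LXJlYWQiLCJleHAiOjE1NzU4ODcwODgsImlhdCI6MTU3NTg4NjQ4OH0.iMbfch1vv3DvNiWBmpBWace-YosFJba6la-X5hJFfzno6eWSggOC8AMryRlF8AtrAS7ykMgcsLjsRuX22MqovbrbUMjnkVQ8Ron_sJu2JyHKRh62H7uSXt54s-cx6lAFLGlvUxjfhTqo2cSaNXBsSqcRhi4oiiseHRFX5b342nD9pXL-9RaRv7JxJkIgdgUzEtCOnq4U5-cAOzEHKoksBh2EiLzV08J2bS8HZ3YL9gaZZCqWl9y-JDYHWffNv8ljz57nr1KSlpb7xN5bLKhyKQpMJ85Csf2R3ePybE-fcVquXyLVr4myz2_dOiNR0Jpwr47nW2aGNFTi32A6YxQYmw"
ADMIN_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJEdW1teSBCYW5rIiwiYWNjdCI6OTk5OSwic2NvcGUiOiJhY2NvdW50LXdyaXRlIiwiZXhwIjoxNTc1OTIwMTUxLCJpYXQiOjE1NzU5MTk1NTF9.APvJzbdMcRJNpgFlwQ3GQgSEDSf6MnKVp7cNCsLDSKpajPT35guHzw2VDErCytkU5NS2913qE_herqY3jtHlmkHgeGzHbU_uOOZNfz1c7uAR0szfg2T-lLCXdotJsKnmdKGlwzOElgev4MFoCdYS6LTOhz46sNRhYweeA6ZlmPz0kA25lMJmhG0sKaL4o_4S9VWzMOz0WpEvjBHoldDJfIMDympbuyzDNlFfu2eiTMQ5CtTRjPQwz59uOqRRgN2mBSPv8YuQSubHPhSUwyl7pHShBjaTxgoJVbbYcOP-Q3Yd0GBEgskMydPypa6jlbmHWTMc1-QEMqGuqdrOhYmgqA"

def b64url_decode(part: str) -> bytes:
    """base64url without padding, as JWTs use it."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Inspect header and payload WITHOUT checking the signature (Step 4, done offline)."""
    header, payload, _sig = token.split(".")
    return {"header": json.loads(b64url_decode(header)),
            "payload": json.loads(b64url_decode(payload))}

# HS256 with a shared secret stands in for the lab's RS256 so this runs offline
# (assumption). The handler logic below does not depend on the algorithm.
def mint_token(claims: dict, secret: bytes) -> str:
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token: str, secret: bytes, now: int) -> dict:
    """Return the verified claims or raise ValueError (pinned alg, signature, expiry)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the server, not the token, picks the algorithm
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def new_db() -> dict:
    """Constructed in-memory account store; account numbers follow the lab's tokens."""
    return {1337: {"email": "elliot@dummybank.test", "password": "elliotalderson"},
            9999: {"email": "admin@dummybank.test", "password": "hunter2!"}}

def update_password_vulnerable(db: dict, body: dict) -> tuple:
    """The lab's behaviour: no token, target account chosen by a client-supplied email."""
    for acct, rec in db.items():
        if rec["email"] == body.get("email"):
            rec["password"] = body["password"]
            return 200, {"acct": acct, "status": "password updated"}
    return 404, {"error": "no such account"}

def update_password_hardened(db: dict, body: dict, token, secret: bytes, now: int) -> tuple:
    """Require a valid token and write scope; take the target account from the token."""
    if not token:
        return 401, {"error": "authentication required"}
    try:
        claims = verify_token(token, secret, now)
    except ValueError as exc:
        return 401, {"error": str(exc)}
    if claims.get("scope") != "account-write":
        return 403, {"error": "account-write scope required"}
    acct = claims["acct"]  # any email or acct in the body is deliberately ignored
    if acct not in db:
        return 404, {"error": "no such account"}
    db[acct]["password"] = body["password"]
    return 200, {"acct": acct, "status": "password updated"}

def demo() -> dict:
    """Replay Step 6 (email swapped to the admin's) against both handlers."""
    secret, now = b"demo-signing-key", int(time.time())
    attacker_body = {"email": "admin@dummybank.test", "password": "1234"}
    out, db = {}, new_db()
    status, _ = update_password_vulnerable(db, attacker_body)
    out["vulnerable"] = (status, db[9999]["password"])  # admin's password is now 1234
    db = new_db()
    out["no_token"] = update_password_hardened(db, attacker_body, None, secret, now)[0]
    read_tok = mint_token({"acct": 1337, "scope": "account-read", "exp": now + 600}, secret)
    out["read_scope"] = update_password_hardened(db, attacker_body, read_tok, secret, now)[0]
    write_tok = mint_token({"acct": 1337, "scope": "account-write", "exp": now + 600}, secret)
    status, resp = update_password_hardened(db, attacker_body, write_tok, secret, now)
    out["write_scope"] = (status, resp["acct"], db[9999]["password"], db[1337]["password"])
    return out

if __name__ == "__main__":
    for who, tok in (("elliot", ELLIOT_TOKEN), ("admin", ADMIN_TOKEN)):
        print(who, decode_claims(tok)["payload"])
    print(demo())
```

Running it prints the claims of both captured tokens (acct 1337 with account-read, acct 9999 with account-write) and then replays Step 6: against the vulnerable handler the swapped email resets the admin’s password, while the hardened handler answers 401 with no token, 403 for an account-read token, and with an account-write token changes only the password of the account named in the token’s acct claim, whatever email the body carries. Pinning the algorithm server-side and comparing signatures with hmac.compare_digest are the two details most often got wrong when the check is bolted on after the fact.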
Stay Safe and Happy Hacking!