# 30Days30APISecurityTests

## Test 1 : BOLA by changing auth token

1. Get attacker auth token
2. Add it in dashboard
3. Select endpoint in the inventory (PATCH reviews)
4. Review the payload once.
5. Look at the original review (this is the original review)
6. Run test by selecting one BOLA case - BOLA by changing auth token
7. Look at the test results - API is vulnerable
8. Test result and attack attempt
9. Look at the edited review on the dashboard (some review edited for the first time)

https://user-images.githubusercontent.com/91306853/217299424-6736d728-6803-4134-8c97-225193bf7698.mp4

## Test 2 : Broken Function Level Authorization by changing HTTP Method

1. Open the API collection that you want to test for vulnerabilities.
2. Click on Run test button.
3. Select only Broken Function level authorization by changing HTTP method test.
4. Count to 10-Mississippi for Test results.
5. Analyze the High severity issues.
6. Here, we selected the /api/cards endpoint that fetches all the credit card info from all users.

https://user-images.githubusercontent.com/91306853/217300011-db834337-70d2-4985-926e-0970e7f8e78e.mp4

## Test 3 : Broken user authentication by removing auth token

1. Set attacker token
2. Observe api (Feedbacks endpoint in this case)
3. Select this endpoint
4. Click on Run test with just Broken Auth
5. Wait for test result
6. Check original attempt has auth token
7. Test attempt doesn't have token, yet it succeeded - Broken user authentication vulnerability found. :key:

https://user-images.githubusercontent.com/91306853/219386085-820ef832-3679-4d2c-9a7f-6af499923d21.mov

## Test 4 : Swagger file detection - Security misconfiguration

1. Click on run and select swagger file detection test
2. Go to testing and wait for a minute for test results
3. Click on the failed test - Assets found on page
4. Click on the Attempt tab to see the test API call
5. The response contains HTML page with swagger details
6. Verify it by actually entering the URL

🐞 Detected unprotected swagger file!

https://user-images.githubusercontent.com/91306853/221205469-12081044-f357-457c-a18e-0582dd4ba256.mp4

## Test 5 : JWT None algo attack

1. Look at the original data - last name is "johnson"
2. Select the endpoint you want to test for JWT None attack
3. Click on Run test and select JWT None algo attack
4. Look at the test results - 1 HIGH severity issue found
5. Akto made 4 attempts - 1 succeeded with 200 OK
6. Refresh website, notice lastname changed from "johnson" to "victim"
7. Look at the attack again, check the token on http://JWT.io
8. Observe algo=none

🐞 JWT None algo vulnerability found

https://user-images.githubusercontent.com/91306853/221206399-5b6f856b-e56c-4fe8-926a-bdb48136845d.mp4

## Test 6 : JWT failed to verify signature test

1. Select a POST order endpoint
2. Select the Broken Authentication test - JWT failed to verify signature
3. Go to test results. Observe that there is a high vulnerability issue
4. Check the Original tab - the original token signature starts with "HQq0"
5. Check Attempt tab - gives 200 OK response with signature starting with "aQq0" - this is an invalid signature, yet the server accepted it

https://user-images.githubusercontent.com/91306853/221205245-6c32c6d3-2863-4db7-aacf-fa0868f19970.mp4

## Test 7 : Broken Object Level Authorization by Parameter Pollution

1. Select BOLA by parameter pollution
2. Run test.
3. Check results
4. The original request has 3 params.
5. Attempt request has 6 params - all occurring twice with a different "BasketId" value.
6. This results in a success response
7. The victim's cart has a new product added now!

🐞 Vulnerable API

https://user-images.githubusercontent.com/91306853/221206568-3d3d75f2-1e69-4d0d-86a2-8c98cb87bb7d.mp4

## Test 8 : Broken Object Level Authorization in old API versions

1. Select the list of endpoints
2. Select Old version API tests.
3. Go to the test results section
4. Check details for the vulnerability
5. Notice that original endpoint uses v2 - /api/v2/users
6. Navigate to Attempt tab
7. Notice that /api/v1/users also returns 200 OK with the flag

🐞 BOLA in old api versions

https://user-images.githubusercontent.com/91306853/221204869-5b191e29-9748-4e10-99e3-6c401569717f.mp4

## Test 9 : Security misconfiguration - django-exposed-debug-page

1. Select the Django-exposed-debug-page test and run it
2. Wait for the result
3. Check the Attempt tab and look for debug details in the response
4. Check details for the vulnerability
5. Observe we open the debug page - with details of modules, and inner workings of Django server code

🐞 django-exposed-debug-page

https://user-images.githubusercontent.com/91306853/221204724-bb78be9a-378b-4456-a9f6-212b198f7893.mp4

## Test 10 : Security misconfiguration - Open redirects

1. Select the API Collection you want to test
2. Select Open-redirect test under Security Misconfiguration and click on run test
3. Navigate to testing. Notice, Akto has found all the APIs which have open redirects
4. Click on the vulnerability to see details.
5. Notice that the original request redirects to GitHub
6. Navigate to Attempt tab. Notice Akto tries a test to redirect to evil.com
7. See the attempt succeeds! Server returns 302 with location evil.com.

🐞 API is vulnerable!

https://user-images.githubusercontent.com/91306853/221481449-a3f28881-484c-4001-8b42-33bd38aa2ca6.mp4

## Test 11 : Application DOS due to pagination misconfiguration

1. Select the API collection you want to test
2. Select "Pagination Misconfiguration" test under "Rate limiting" category.
3. Run the test and navigate to testing tab.
4. Click on the test result. Notice this is possible DoS.
5. In the original request, API asks for 10 results & the response contains 10 objects
6. In the attack request, API asks for 100 results. Server accepts this request & sends 100 objects in return

🐞 API is vulnerable!

https://user-images.githubusercontent.com/91306853/223692349-43e49750-ce99-4167-857a-bc51f426e829.mp4

## Test 12 : API security misconfiguration - exposed metrics endpoint

1. Select endpoints you want to test for security misconfiguration
2. Select the misconfiguration test - Prometheus metrics.
3. Go to test results, wait for a few seconds.
4. Open the test result "configs" which is a vulnerable result.
5. Check the Attempt payload and its response - Notice all metrics of Juiceshop exposed.

🐞 API is vulnerable!

https://user-images.githubusercontent.com/91306853/223692597-cbc0884c-10ab-44be-b690-a59a76a3fd64.mp4

## Test 13 : SSRF - AWS sensitive data exposed.

1. Select your API collection.
2. Run SSRF test on your collection.
3. Akto runs this test only on those endpoints which take in a URL parameter.
4. Navigate to test results.
5. Note the original response has no sensitive keywords such as instance-type etc.
6. In the attempt, notice that the response has sensitive data such as instance-type, local-hostname, local-ipv4.

🐞 API is vulnerable!

https://user-images.githubusercontent.com/91306853/223693215-c0c089cc-758c-4f4b-8105-55ebe7d921be.mp4
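Tests 1 and 7 above are both object-level authorization failures: the server acts on whichever review or BasketId the request names without checking who owns it, and in Test 7 a duplicated parameter lets the attacker's value replace the expected one. As an added example (not code from this repository or from Akto), the handler below refuses duplicated query parameters outright and decides on basket ownership from the authenticated caller, never from client-supplied ids; the ownership table and user ids are constructed for the example.

```python
from urllib.parse import parse_qsl
from typing import Tuple

# Constructed ownership table for this example: basket id -> owning user id
BASKET_OWNER = {"1": "alice", "2": "bob"}

def parse_strict_query(query: str) -> dict:
    """Parse a query string, refusing any key that occurs more than once.

    parse_qs keeps both values and frameworks differ on whether the first or
    the last one wins, which is what parameter pollution (Test 7) relies on.
    Raising makes the duplicate visible instead of silently picking one.
    """
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in params:
            raise ValueError(f"duplicate parameter: {key}")
        params[key] = value
    return params

def add_to_basket(caller_id: str, query: str) -> Tuple[int, str]:
    """Simulated add-to-basket handler. Returns (http_status, detail).

    caller_id stands for the identity taken from the verified session/token.
    """
    try:
        params = parse_strict_query(query)
    except ValueError as exc:
        return 400, str(exc)
    basket_id = params.get("BasketId")
    product_id = params.get("ProductId")
    if basket_id is None or product_id is None:
        return 400, "BasketId and ProductId are required"
    # Object-level authorization: the basket must belong to the caller,
    # regardless of which id the request names (Tests 1 and 7)
    if BASKET_OWNER.get(basket_id) != caller_id:
        return 403, "basket does not belong to caller"
    return 200, f"product {product_id} added to basket {basket_id}"
```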
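Tests 5 and 6 above both come down to a server that trusts the token it is handed: in Test 5 it honours an `alg` of `none`, in Test 6 it accepts a signature whose first characters were changed. As an added example (not code from this repository or from Akto), the stdlib-only Python verifier below pins the algorithm to HS256 server-side and compares the full signature in constant time, so both shapes are rejected; the secret and the claims are constructed for the example, and `verify_samples()` runs the verifier over a valid token and the two rejected shapes.

```python
import base64
import hmac
import json

# Constructed signing secret for this example (not a value from the page)
SECRET = b"example-hmac-secret-not-for-production"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
def encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(claims: dict, secret: bytes = SECRET) -> str:
    signing_input = encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + encode_segment(claims)
    sig = hmac.new(secret, signing_input.encode(), "sha256").digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, secret: bytes = SECRET):
    """Return the claims dict for a valid HS256 token, or None for anything else."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        presented = b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad JSON or bad UTF-8
        return None
    # Header is attacker-controlled: pin the algorithm server-side instead of reading it, so alg=none fails (Test 5)
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), "sha256").digest()
    # Full-length constant-time comparison: one altered signature character fails (Test 6)
    if not hmac.compare_digest(expected, presented):
        return None
    return json.loads(b64url_decode(payload_b64))

def verify_samples() -> dict:
    claims = {"sub": "42", "lastName": "johnson"}  # constructed sample claims
    valid = sign_hs256(claims)
    head, body, sig = valid.split(".")
    # Test 6 shape: same header and claims, first character of the signature altered
    tampered = f"{head}.{body}.{'a' if sig[0] != 'a' else 'b'}{sig[1:]}"
    # Test 5 shape: header says alg=none, payload edited, signature segment empty
    none_alg = encode_segment({"alg": "none", "typ": "JWT"}) + "." + encode_segment({**claims, "lastName": "victim"}) + "."
    return {"valid": verify_hs256(valid), "tampered": verify_hs256(tampered), "none_alg": verify_hs256(none_alg)}
```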
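Test 10 above passes because the server puts whatever target it is given into the `Location` header. As an added example (not code from this repository or from Akto), the check below allows only same-site paths or https URLs to an allowlisted host; `github.com` is assumed as the allowed host because that is where the page's original request redirects, and the scheme-relative, backslash and userinfo forms it rejects go beyond the single `evil.com` case the test shows.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; github.com is the host the page's
# original request redirects to, so it is the one legitimate destination here.
ALLOWED_HOSTS = {"github.com"}

def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only a same-site path or an https URL whose host is allowlisted."""
    if not target or any(ch in target for ch in "\r\n\x00"):
        return False  # empty, or carries header-injection characters
    # Browsers treat backslashes as slashes ("/\evil.com" behaves like
    # "//evil.com"), so normalise before parsing rather than after
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if not parts.scheme and not parts.netloc:
        # Plain relative path. A leading "//" is scheme-relative (browser would
        # go off-site), so it is excluded explicitly.
        return normalised.startswith("/") and not normalised.startswith("//")
    if parts.scheme.lower() != "https":
        return False  # also rejects javascript:, data:, http:
    host = (parts.hostname or "").lower()
    # Exact host match only: "github.com.evil.com" and "github.com@evil.com"
    # both parse to a different hostname and fail here.
    return host in {h.lower() for h in allowed_hosts}

def redirect_location(target: str, fallback: str = "/") -> str:
    """The value a hardened handler would put in the Location header."""
    return target if is_safe_redirect(target) else fallback
```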