@@ -39,4 +39,86 @@ https://user-images.githubusercontent.com/91306853/217300011-db834337-70d2-4985-
3939
4040https://user-images.githubusercontent.com/91306853/219386085-820ef832-3679-4d2c-9a7f-6af499923d21.mov
4141
42+ ## Test 4 : Broken user authentication by removing auth token
4243
44+ Step 1: Click on run and select swagger file detection test
45+ Step 2: Go to testing and wait for a minute for test results
46+ Step 3: Click on the failed test - Assets found on page
47+ Step 4: Click on the Attempt tab to see the test API call
48+ Step 5: The response contains HTML page with swagger details
49+ Step 6: Verify it by actually entering the URL
50+
51+ 🐞 Detected unprotected swagger file!
52+
53+
54+ ## Test 5 : Broken user authentication by removing auth token
55+
56+ Step 1: Look at the original data - last name is "johnson"
57+ Step 2: Select the endpoint you want to test for JWT None attack
58+ Step 3: Click on Run test and select JWT None algo attack
59+ Step 4: Look at the test results - 1 HIGH severity issue found
60+ Step 5: Akto made 4 attempts - 1 succeeded with 200 OK
61+ Step 6: Refresh website, notice lastname changed from "johnson" to "victim"
62+ Step 7: Look at the attack again, check the token on http://JWT.io
63+ Step 8: Observe algo=none
64+
65+ 🐞 JWT None algo vulnerability found
66+
67+
68+ ## Test 6 : Broken user authentication by removing auth token
69+
70+ Step 1: Select a POST order endpoint
71+ Step 2: Select the Broken Authentication test - JWT failed to verify signature
72+ Step 3: Go to test results. Observe that there is a high vulnerability issue
73+ Step 4: Check the Original tab - the original token signature starts with "HQq0"
74+ Step 5: Check Attempt tab - gives 200 OK response with signature starting with "aQq0" - this is invalid signature, yet server accepted
75+
76+
77+ ## Test 7 : Broken user authentication by removing auth token
78+
79+ Step 1: Select BOLA by parameter pollution
80+ Step 2: Run test.
81+ Step 3: Check results
82+ Step 4: The original request has 3 params.
83+ Step 5: Attempt request has 6 params - all occurring twice with a diff "BasketId" value.
84+ Step 6: This results in a success response
85+ Step 7: The victim's cart has a new product added now!
86+
87+ 🐞 Vulnerable API
88+
89+
90+ ## Test 8 : Broken user authentication by removing auth token
91+
92+ Step 1: Select the list of endpoints
93+ Step 2: Select Old version API tests.
94+ Step 3: Go to the test results section
95+ Step 4: Check details for the vulnerability
96+ Step 5: Notice that original endpoint uses v2 - /api/v2/users
97+ Step 6: Navigate to Attempt tab
98+ Step 7: Notice that /api/v1/users also returns 200 OK with the flag
99+
100+ 🐞 BOLA in old api versions
101+
102+
103+ ## Test 9 : Broken user authentication by removing auth token
104+
105+ Step 1: Select the Django-exposed-debug-page test and run it
106+ Step 2: Wait for the result
107+ Step 3: Check the Attempt tab and look for debug details in the response
108+ Step 4: Check details for the vulnerability
109+ Step 5: Observe we open the debug page - with details of modules, and inner workings of Django server code
110+
111+ 🐞 django-exposed-debug-page
112+
113+
114+ ## Test 10 : Broken user authentication by removing auth token
115+
116+ 1 . Select the API Collection you want to test
117+ 2 . Select Open-redirect test under Security Misconfiguration and click on run test
118+ 3 . Navigate to testing. Notice, Akto has found all the APIs which have open redirects
119+ 4 . Click on the vulnerability to see details.
120+ 5 . Notice that the original request redirects to GitHub
121+ 6 . Navigate to Attempt tab. Notice Akto tries a test to redirect to evil. com
122+ 7 . See the attempt succeeds! Server returns 302 with location evil. com.
123+
124+ 🐞 API is vulnerable!
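Review bot: every new heading from Test 4 through Test 10 reuses the title "Broken user authentication by removing auth token", but none of these sections tests that: the steps describe an unprotected swagger file (Test 4), the JWT None algorithm (Test 5), an unverified JWT signature (Test 6), BOLA via parameter pollution (Test 7), an old API version (Test 8), an exposed Django debug page (Test 9) and an open redirect (Test 10). Each heading should name the test it actually walks through, e.g. `## Test 5 : JWT None algorithm attack`, so readers can find the right walkthrough from the table of contents. Two smaller consistency points in the same hunk: Test 6 is the only section without a closing 🐞 summary line, and Test 10 switches from the `Step N:` format used everywhere else to `1 .` / `2 .` numbering; the domain in its steps 6 and 7 is also split as "evil. com" and should read "evil.com" (also verify the 🐞 lines for Tests 7 and 8 say what was found, as "Vulnerable API" and "BOLA in old api versions" are the only two that do not name the issue precisely).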