From eeccea91e26951eb080299c3ab896c0752347788 Mon Sep 17 00:00:00 2001 From: arjun Date: Fri, 17 Jan 2025 15:10:40 +0530 Subject: [PATCH] added 10 templates --- .../BOLAURLReplaceUserIDDELETE.yml | 158 ++++++++++++++++++ .../BOLAURLReplaceUserIDPATCH.yml | 158 ++++++++++++++++++ .../JWTModifyBodyDELETE.yml | 131 +++++++++++++++ .../JWTModifyBodyPATCH.yml | 131 +++++++++++++++ Cross-Site-Scripting/BasicXSSDELETE.yml | 64 +++++++ Cross-Site-Scripting/BasicXSSPATCH.yml | 64 +++++++ .../OldApiVersionDELETE.yml | 114 +++++++++++++ .../OldApiVersionPATCH.yml | 114 +++++++++++++ .../TimeBasedNoSQLiJSONParamDELETE.yml | 145 ++++++++++++++++ .../TimeBasedNoSQLiJSONParamPATCH.yml | 145 ++++++++++++++++ 10 files changed, 1224 insertions(+) create mode 100644 Broken-Object-Level-Authorization/BOLAURLReplaceUserIDDELETE.yml create mode 100644 Broken-Object-Level-Authorization/BOLAURLReplaceUserIDPATCH.yml create mode 100644 Broken-Object-Level-Authorization/JWTModifyBodyDELETE.yml create mode 100644 Broken-Object-Level-Authorization/JWTModifyBodyPATCH.yml create mode 100644 Cross-Site-Scripting/BasicXSSDELETE.yml create mode 100644 Cross-Site-Scripting/BasicXSSPATCH.yml create mode 100644 Improper Inventory Management/OldApiVersionDELETE.yml create mode 100644 Improper Inventory Management/OldApiVersionPATCH.yml create mode 100644 Injection-Attacks/TimeBasedNoSQLiJSONParamDELETE.yml create mode 100644 Injection-Attacks/TimeBasedNoSQLiJSONParamPATCH.yml diff --git a/Broken-Object-Level-Authorization/BOLAURLReplaceUserIDDELETE.yml b/Broken-Object-Level-Authorization/BOLAURLReplaceUserIDDELETE.yml new file mode 100644 index 00000000..84ab0681 --- /dev/null +++ b/Broken-Object-Level-Authorization/BOLAURLReplaceUserIDDELETE.yml 
@@ -0,0 +1,158 @@ +id: BOLA_URL_REPLACE_USER_ID_DELETE +info: + name: "Exploiting BOLA by replacing URL path with User IDs for Unauthorized Access with DELETE method" + description: > + "This test involves exploiting security vulnerabilities by manipulating the URL path and substituting it with User IDs (APIs having DELETE Method). This unauthorized access allows attackers to bypass proper authorization mechanisms, potentially gaining unauthorized entry to sensitive data or functionalities. The test aims to identify and rectify weaknesses in object-level authorization, ensuring that only authorized users can access specific resources or perform certain actions within an application or system." + details: > + "In this test, attackers exploit security weaknesses by manipulating the URL path (APIs having DELETE method), substituting it with User IDs to gain unauthorized access. By doing so, they can bypass proper authorization controls, potentially accessing sensitive data or functionalities. This test helps identify and address vulnerabilities in object-level authorization, ensuring that only authorized users have legitimate access to specific resources or actions within a system or application." + impact: > + "The impact of a Broken Object Level Authorization (BOLA) test exploit can be severe, as unauthorized access to sensitive data or functionalities may compromise the confidentiality and integrity of a system. Attackers could potentially retrieve or manipulate critical information, leading to data breaches, unauthorized transactions, or even the compromise of user privacy. Addressing BOLA vulnerabilities is crucial to prevent these far-reaching consequences and maintain the security and trustworthiness of the system." 
+ category: + name: BOLA + shortName: BOLA + displayName: Broken Object Level Authorization (BOLA) + subCategory: BOLA_URL_REPLACE_USER_ID_DELETE + severity: HIGH + tags: + - Business logic + - OWASP top 10 + - HackerOne top 10 + references: + - "https://www.akto.io/blog/bola-exploitation-using-unauthorized-uuid-on-api-endpoint" + - "https://www.akto.io/blog/what-is-broken-object-level-authorization-bola" + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa1-broken-object-level-authorization.md" + - "https://cwe.mitre.org/data/definitions/284.html" + - "https://cwe.mitre.org/data/definitions/285.html" + - "https://cwe.mitre.org/data/definitions/639.html" + cwe: + - CWE-284 + - CWE-285 + - CWE-639 + cve: + - CVE-2022-34770 + +attributes: + nature: INTRUSIVE + plan: PRO + duration: FAST + + +auth: + authenticated: true +api_selection_filters: + response_code: + eq: 204 + method: + eq: "DELETE" + response_payload: + length: + gt: 0 + not_contains: + - Error + - Internal Server + - Failed + - Unauthorized + - access denied + - Forbidden + - Method Not allowed + - Gateway timeout + - request timeout + - server error + - server busy + - authentication error + - authorization error + - validation error + - Permission Denied + - invalid token + - token expired + - session expired + - session timeout + - unexpected error + - unable to process request + - bad request + - service unavailable + - account is locked + - account is blocked + - multiple failed attempts + - failure + - not available + - not found + +wordLists: + random_ids: + source: sample_data + key: + regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|username|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" + all_apis: true + +execute: + type: multiple + 
requests: + - req: + - modify_url: + token_replace: + location: 1 + replace_with: ${random_ids} + - success: vulnerable + - failure: x2 + - req: + - modify_url: + token_replace: + location: 2 + replace_with: ${random_ids} + - success: vulnerable + - failure: x3 + - req: + - modify_url: + token_replace: + location: 3 + replace_with: ${random_ids} + - success: vulnerable + - failure: x4 + - req: + - modify_url: + token_replace: + location: 4 + replace_with: ${random_ids} +validate: + response_code: + eq: 204 + response_payload: + length: + gt: 0 + percentage_match: + lt: 10 + percentage_match_schema: + gte: 90 + not_contains: + - Error + - Internal Server + - Failed + - Unauthorized + - access denied + - Forbidden + - Method Not allowed + - Gateway timeout + - request timeout + - server error + - server busy + - authentication error + - authorization error + - validation error + - Permission Denied + - invalid token + - token expired + - session expired + - session timeout + - unexpected error + - unable to process request + - bad request + - service unavailable + - account is locked + - account is blocked + - multiple failed attempts + - failure + - not available + - not found + - "" + - "" diff --git a/Broken-Object-Level-Authorization/BOLAURLReplaceUserIDPATCH.yml b/Broken-Object-Level-Authorization/BOLAURLReplaceUserIDPATCH.yml new file mode 100644 index 00000000..2f5fa25e --- /dev/null +++ b/Broken-Object-Level-Authorization/BOLAURLReplaceUserIDPATCH.yml 
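Review bot: Both `api_selection_filters` and `validate` require `response_code: eq: 204` together with `response_payload: length: gt: 0`, which can never hold at the same time because a 204 No Content response carries no body, so this template can neither select nor flag any API; the same contradiction is in BOLAURLReplaceUserIDPATCH.yml, JWTModifyBodyDELETE/PATCH.yml and OldApiVersionDELETE/PATCH.yml, and the BasicXSS pair pins `eq: 204` in validate while asserting body content. Either drop `length: gt: 0` for the 204 case or widen the code check to `gte: 200` / `lt: 300` so a 2xx with a body is also accepted. The two trailing `- ""` entries in this template's validate `not_contains` list (also in the PATCH sibling) would, if they are literal empty strings rather than an artifact of how the patch was rendered, match every body and fail validation unconditionally, so they should be removed or given the intended marker text. In the `random_ids` key regex the `username` alternative is unanchored while every other alternative is `^…$`, and `^account_id$` and `^customer_id$` each appear twice; `^username$` and a de-duplicated list would be tidier.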
@@ -0,0 +1,158 @@ +id: BOLA_URL_REPLACE_USER_ID_PATCH +info: + name: "Exploiting BOLA by replacing URL path with User IDs for Unauthorized Access with PATCH method" + description: > + "This test involves exploiting security vulnerabilities by manipulating the URL path and substituting it with User IDs (APIs having PATCH Method). This unauthorized access allows attackers to bypass proper authorization mechanisms, potentially gaining unauthorized entry to sensitive data or functionalities. The test aims to identify and rectify weaknesses in object-level authorization, ensuring that only authorized users can access specific resources or perform certain actions within an application or system." + details: > + "In this test, attackers exploit security weaknesses by manipulating the URL path (APIs having PATCH method), substituting it with User IDs to gain unauthorized access. By doing so, they can bypass proper authorization controls, potentially accessing sensitive data or functionalities. This test helps identify and address vulnerabilities in object-level authorization, ensuring that only authorized users have legitimate access to specific resources or actions within a system or application." + impact: > + "The impact of a Broken Object Level Authorization (BOLA) test exploit can be severe, as unauthorized access to sensitive data or functionalities may compromise the confidentiality and integrity of a system. Attackers could potentially retrieve or manipulate critical information, leading to data breaches, unauthorized transactions, or even the compromise of user privacy. Addressing BOLA vulnerabilities is crucial to prevent these far-reaching consequences and maintain the security and trustworthiness of the system." 
+ category: + name: BOLA + shortName: BOLA + displayName: Broken Object Level Authorization (BOLA) + subCategory: BOLA_URL_REPLACE_USER_ID_PATCH + severity: HIGH + tags: + - Business logic + - OWASP top 10 + - HackerOne top 10 + references: + - "https://www.akto.io/blog/bola-exploitation-using-unauthorized-uuid-on-api-endpoint" + - "https://www.akto.io/blog/what-is-broken-object-level-authorization-bola" + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa1-broken-object-level-authorization.md" + - "https://cwe.mitre.org/data/definitions/284.html" + - "https://cwe.mitre.org/data/definitions/285.html" + - "https://cwe.mitre.org/data/definitions/639.html" + cwe: + - CWE-284 + - CWE-285 + - CWE-639 + cve: + - CVE-2022-34770 + +attributes: + nature: INTRUSIVE + plan: PRO + duration: FAST + + +auth: + authenticated: true +api_selection_filters: + response_code: + eq: 204 + method: + eq: "PATCH" + response_payload: + length: + gt: 0 + not_contains: + - Error + - Internal Server + - Failed + - Unauthorized + - access denied + - Forbidden + - Method Not allowed + - Gateway timeout + - request timeout + - server error + - server busy + - authentication error + - authorization error + - validation error + - Permission Denied + - invalid token + - token expired + - session expired + - session timeout + - unexpected error + - unable to process request + - bad request + - service unavailable + - account is locked + - account is blocked + - multiple failed attempts + - failure + - not available + - not found + +wordLists: + random_ids: + source: sample_data + key: + regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|username|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$" + all_apis: true + +execute: + type: multiple + 
requests: + - req: + - modify_url: + token_replace: + location: 1 + replace_with: ${random_ids} + - success: vulnerable + - failure: x2 + - req: + - modify_url: + token_replace: + location: 2 + replace_with: ${random_ids} + - success: vulnerable + - failure: x3 + - req: + - modify_url: + token_replace: + location: 3 + replace_with: ${random_ids} + - success: vulnerable + - failure: x4 + - req: + - modify_url: + token_replace: + location: 4 + replace_with: ${random_ids} +validate: + response_code: + eq: 204 + response_payload: + length: + gt: 0 + percentage_match: + lt: 10 + percentage_match_schema: + gte: 90 + not_contains: + - Error + - Internal Server + - Failed + - Unauthorized + - access denied + - Forbidden + - Method Not allowed + - Gateway timeout + - request timeout + - server error + - server busy + - authentication error + - authorization error + - validation error + - Permission Denied + - invalid token + - token expired + - session expired + - session timeout + - unexpected error + - unable to process request + - bad request + - service unavailable + - account is locked + - account is blocked + - multiple failed attempts + - failure + - not available + - not found + - "" + - "" diff --git a/Broken-Object-Level-Authorization/JWTModifyBodyDELETE.yml b/Broken-Object-Level-Authorization/JWTModifyBodyDELETE.yml new file mode 100644 index 00000000..5ecfe95f --- /dev/null +++ b/Broken-Object-Level-Authorization/JWTModifyBodyDELETE.yml 
@@ -0,0 +1,131 @@ +id: JWT_MODIFY_BODY_DELETE +info: + name: "JWT Token Tampering: Modifying User IDs for Potential Unauthorized Access for APIs with DELETE method" + description: > + "JWT Token Tampering involves assessing security risks by identifying and modifying user IDs within tokens. By manipulating JWT tokens on jwt.io and substituting the user ID, this method aims to test the system's resilience against unauthorized access attempts (for APIs with DELETE method). The evaluation helps identify and mitigate potential vulnerabilities, ensuring the integrity of user data and overall system security." + details: > + "In this test, attackers attempt to manipulate JSON Web Tokens (JWT) by identifying user IDs and substituting them with new ones on jwt.io (for APIs with DELETE method). This method serves as a security test to gauge the system's vulnerability to unauthorized access. By evaluating the system's response to tampered JWT tokens, organizations can identify and address potential weaknesses, enhancing overall security against unauthorized data access through token manipulation." + impact: > + "The impact of this test is significant, potentially leading to unauthorized access to sensitive + user data. Successful tampering could compromise the integrity of the authentication system, + allowing attackers to access information belonging to other users. Promptly addressing and + mitigating these vulnerabilities is crucial to maintaining the security and trustworthiness + of systems relying on JWT tokens for user authentication." 
+ category: + name: BOLA + shortName: BOLA + displayName: Broken Object Level Authorization (BOLA) + subCategory: JWT_MODIFY_BODY_DELETE + severity: HIGH + tags: + - Business logic + - OWASP top 10 + - HackerOne top 10 + references: + - "https://www.akto.io/blog/bola-exploitation-using-unauthorized-uuid-on-api-endpoint" + - "https://www.akto.io/blog/what-is-broken-object-level-authorization-bola" + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa1-broken-object-level-authorization.md" + - "https://cwe.mitre.org/data/definitions/284.html" + - "https://cwe.mitre.org/data/definitions/285.html" + - "https://cwe.mitre.org/data/definitions/639.html" + cwe: + - CWE-284 + - CWE-285 + - CWE-639 + cve: + - CVE-2022-29217 +attributes: + nature: INTRUSIVE + plan: PRO + duration: FAST + + +auth: + authenticated: true +api_selection_filters: + request_headers: + for_one: + value: + contains_jwt: true + response_code: + eq: 204 + method: + eq: DELETE + response_payload: + length: + gt: 0 + not_contains: + - Error + - Internal Server + - Failed + - Unauthorized + - access denied + - Forbidden + - Method Not allowed + - Gateway timeout + - request timeout + - server error + - server busy + - authentication error + - authorization error + - validation error + - Permission Denied + - invalid token + - token expired + - session expired + - session timeout + - unexpected error + - unable to process request + - bad request + - service unavailable + - account is locked + - account is blocked + - multiple failed attempts + private_variable_context: + gt: 0 +wordLists: + jwts: + source: sample_data + key: Authorization + location: header + all_apis: true +execute: + type: single + requests: + - req: + - jwt_replace_body: "${jwts}" +validate: + response_code: + eq: 204 + response_payload: + length: + gt: 0 + percentage_match: + gte: 90 + not_contains: + - Error + - Internal Server + - Failed + - Unauthorized + - access denied + - Forbidden + - Method Not allowed + - 
Gateway timeout + - request timeout + - server error + - server busy + - authentication error + - authorization error + - validation error + - Permission Denied + - invalid token + - token expired + - session expired + - session timeout + - unexpected error + - unable to process request + - bad request + - service unavailable + - account is locked + - account is blocked + - multiple failed attempts diff --git a/Broken-Object-Level-Authorization/JWTModifyBodyPATCH.yml b/Broken-Object-Level-Authorization/JWTModifyBodyPATCH.yml new file mode 100644 index 00000000..c64ca698 --- /dev/null +++ b/Broken-Object-Level-Authorization/JWTModifyBodyPATCH.yml 
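Review bot: The selection filter accepts a JWT in any request header (`request_headers: for_one: value: contains_jwt: true`), but the `jwts` wordlist is harvested only from `key: Authorization`, so an API whose token travels in a different header is selected yet runs `jwt_replace_body` with an empty `${jwts}`; the same applies to JWTModifyBodyPATCH.yml. Either restrict selection to the Authorization header or, if the wordlist syntax allows it, harvest from the header the filter actually matched. The description and details say the user ID is substituted "on jwt.io", which describes a manual workflow rather than what the template does; rewording to "by substituting the user ID inside the token's payload" would match the `jwt_replace_body` step. Minor style: `method: eq: DELETE` is unquoted here while the BOLA and OldApiVersion templates write `eq: "DELETE"`; one form across the set would be preferable.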
@@ -0,0 +1,131 @@ +id: JWT_MODIFY_BODY_PATCH +info: + name: "JWT Token Tampering: Modifying User IDs for Potential Unauthorized Access for APIs with PATCH method" + description: > + "JWT Token Tampering involves assessing security risks by identifying and modifying user IDs within tokens. By manipulating JWT tokens on jwt.io and substituting the user ID, this method aims to test the system's resilience against unauthorized access attempts (for APIs with PATCH method). The evaluation helps identify and mitigate potential vulnerabilities, ensuring the integrity of user data and overall system security." + details: > + "In this test, attackers attempt to manipulate JSON Web Tokens (JWT) by identifying user IDs and substituting them with new ones on jwt.io (for APIs with PATCH method). This method serves as a security test to gauge the system's vulnerability to unauthorized access. By evaluating the system's response to tampered JWT tokens, organizations can identify and address potential weaknesses, enhancing overall security against unauthorized data access through token manipulation." + impact: > + "The impact of this test is significant, potentially leading to unauthorized access to sensitive + user data. Successful tampering could compromise the integrity of the authentication system, + allowing attackers to access information belonging to other users. Promptly addressing and + mitigating these vulnerabilities is crucial to maintaining the security and trustworthiness + of systems relying on JWT tokens for user authentication." 
+ category: + name: BOLA + shortName: BOLA + displayName: Broken Object Level Authorization (BOLA) + subCategory: JWT_MODIFY_BODY_PATCH + severity: HIGH + tags: + - Business logic + - OWASP top 10 + - HackerOne top 10 + references: + - "https://www.akto.io/blog/bola-exploitation-using-unauthorized-uuid-on-api-endpoint" + - "https://www.akto.io/blog/what-is-broken-object-level-authorization-bola" + - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa1-broken-object-level-authorization.md" + - "https://cwe.mitre.org/data/definitions/284.html" + - "https://cwe.mitre.org/data/definitions/285.html" + - "https://cwe.mitre.org/data/definitions/639.html" + cwe: + - CWE-284 + - CWE-285 + - CWE-639 + cve: + - CVE-2022-29217 +attributes: + nature: INTRUSIVE + plan: PRO + duration: FAST + + +auth: + authenticated: true +api_selection_filters: + request_headers: + for_one: + value: + contains_jwt: true + response_code: + eq: 204 + method: + eq: PATCH + response_payload: + length: + gt: 0 + not_contains: + - Error + - Internal Server + - Failed + - Unauthorized + - access denied + - Forbidden + - Method Not allowed + - Gateway timeout + - request timeout + - server error + - server busy + - authentication error + - authorization error + - validation error + - Permission Denied + - invalid token + - token expired + - session expired + - session timeout + - unexpected error + - unable to process request + - bad request + - service unavailable + - account is locked + - account is blocked + - multiple failed attempts + private_variable_context: + gt: 0 +wordLists: + jwts: + source: sample_data + key: Authorization + location: header + all_apis: true +execute: + type: single + requests: + - req: + - jwt_replace_body: "${jwts}" +validate: + response_code: + eq: 204 + response_payload: + length: + gt: 0 + percentage_match: + gte: 90 + not_contains: + - Error + - Internal Server + - Failed + - Unauthorized + - access denied + - Forbidden + - Method Not allowed + - 
Gateway timeout + - request timeout + - server error + - server busy + - authentication error + - authorization error + - validation error + - Permission Denied + - invalid token + - token expired + - session expired + - session timeout + - unexpected error + - unable to process request + - bad request + - service unavailable + - account is locked + - account is blocked + - multiple failed attempts diff --git a/Cross-Site-Scripting/BasicXSSDELETE.yml b/Cross-Site-Scripting/BasicXSSDELETE.yml new file mode 100644 index 00000000..79b91322 --- /dev/null +++ b/Cross-Site-Scripting/BasicXSSDELETE.yml 
@@ -0,0 +1,64 @@ +id: BASIC_XSS_DELETE +info: + name: "XSS by changing request parameters with DELETE HTTP method" + description: "XSS by changing request parameters with the DELETE HTTP method exploits the flexibility of DELETE requests, which partially update server resources. Attackers manipulate input parameters in the DELETE request body or URL to inject malicious scripts. If the server improperly sanitizes this input, the payload is stored or reflected, leading to Cross-Site Scripting (XSS). This method targets dynamic web applications that handle user-modifiable content without robust validation." + details: "This vulnerability arises when applications allow partial resource updates but fail to validate input parameters properly. Attackers craft DELETE requests with malicious scripts in fields like JSON payloads or query parameters. If the application stores or reflects the payload without sanitization, it can execute in a victim's browser. This technique is particularly potent in APIs and dynamic applications with user-modifiable content." + impact: "The impact of this test includes unauthorized script execution in users' browsers, leading to data theft, session hijacking, or account compromise. Attackers can deface web pages, spread malware, or escalate privileges by exploiting trust in the vulnerable application. In severe cases, it may also enable lateral movement within the target system, threatening overall application security." 
+ category: + name: XSS + shortName: XSS + displayName: Cross-site scripting (XSS) + subCategory: BASIC_XSS_DELETE + severity: HIGH + tags: + - Business logic + - OWASP top 10 + - HackerOne top 10 + references: + - "https://owasp.org/www-community/attacks/xss/" + cwe: + - CWE-79 + cve: + - CVE-2022-34196 + - CVE-2023-44764 + +attributes: + nature: INTRUSIVE + plan: PRO + duration: FAST + + +api_selection_filters: + response_code: + gte: 200 + lt: 300 + + method: + contains_either: + - "DELETE" + + + response_payload: + contains_either: + - + + request_payload: + for_one: + key: + regex: .* + extract: body_param_key + +execute: + type: single + requests: + - req: + - modify_body_param: + body_param_key: '%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + +validate: + response_payload: + contains_all: + - "" + - + response_code: + eq: 204 diff --git a/Cross-Site-Scripting/BasicXSSPATCH.yml b/Cross-Site-Scripting/BasicXSSPATCH.yml new file mode 100644 index 00000000..661f6c7f --- /dev/null +++ b/Cross-Site-Scripting/BasicXSSPATCH.yml 
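Review bot: The description and details describe DELETE requests as ones that "partially update server resources", which is the PATCH wording copied over; DELETE removes a resource and normally carries no body, so the text should say that, and the `request_payload: for_one: key: regex: .*` filter will select few DELETE endpoints in practice. The selection filter accepts any 2xx (`gte: 200` / `lt: 300`) but validate demands `response_code: eq: 204`, so a 200 response that reflects the injected payload is never flagged; validate should use the same 2xx range, and the same applies to BasicXSSPATCH.yml. The `contains_either` and `contains_all` lists contain items with no value (`- ` and `- ""`); if those are not an artifact of how the patch was rendered, an empty pattern matches every body and the check is vacuous, so they need the intended marker strings. The `tags` entry `Business logic` is copied from the BOLA templates and does not describe an XSS test.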
@@ -0,0 +1,64 @@ +id: BASIC_XSS_PATCH +info: + name: "XSS by changing request parameters with PATCH HTTP method" + description: "XSS by changing request parameters with the PATCH HTTP method exploits the flexibility of PATCH requests, which partially update server resources. Attackers manipulate input parameters in the PATCH request body or URL to inject malicious scripts. If the server improperly sanitizes this input, the payload is stored or reflected, leading to Cross-Site Scripting (XSS). This method targets dynamic web applications that handle user-modifiable content without robust validation." + details: "This vulnerability arises when applications allow partial resource updates but fail to validate input parameters properly. Attackers craft PATCH requests with malicious scripts in fields like JSON payloads or query parameters. If the application stores or reflects the payload without sanitization, it can execute in a victim's browser. This technique is particularly potent in APIs and dynamic applications with user-modifiable content." + impact: "The impact of this test includes unauthorized script execution in users' browsers, leading to data theft, session hijacking, or account compromise. Attackers can deface web pages, spread malware, or escalate privileges by exploiting trust in the vulnerable application. In severe cases, it may also enable lateral movement within the target system, threatening overall application security." 
+ category: + name: XSS + shortName: XSS + displayName: Cross-site scripting (XSS) + subCategory: BASIC_XSS_PATCH + severity: HIGH + tags: + - Business logic + - OWASP top 10 + - HackerOne top 10 + references: + - "https://owasp.org/www-community/attacks/xss/" + cwe: + - CWE-79 + cve: + - CVE-2022-34196 + - CVE-2023-44764 + +attributes: + nature: INTRUSIVE + plan: PRO + duration: FAST + + +api_selection_filters: + response_code: + gte: 200 + lt: 300 + + method: + contains_either: + - "PATCH" + + + response_payload: + contains_either: + - + + request_payload: + for_one: + key: + regex: .* + extract: body_param_key + +execute: + type: single + requests: + - req: + - modify_body_param: + body_param_key: '%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + +validate: + response_payload: + contains_all: + - "" + - + response_code: + eq: 204 diff --git a/Improper Inventory Management/OldApiVersionDELETE.yml b/Improper Inventory Management/OldApiVersionDELETE.yml new file mode 100644 index 00000000..c6d63bfa --- /dev/null +++ b/Improper Inventory Management/OldApiVersionDELETE.yml 
@@ -0,0 +1,114 @@ +id: OLD_VERSION_API_TEST_DELETE +info: + name: "Old API Version Test for detecting shadow APIs with DELETE method" + description: "This test involves evaluating legacy API versions with DELETE method to identify and address any shadow APIs—those that are not documented or officially sanctioned but still in use. This test helps ensure that deprecated or unauthorized APIs do not pose security risks or cause inconsistencies within the system. By detecting and managing shadow APIs, organizations can maintain better control over their API landscape and improve overall security and compliance." + details: "This test is a process where outdated API versions with DELETE method are examined to uncover shadow APIs—unauthorized or undocumented endpoints that may be in use within a system. This testing typically involves scanning for old API endpoints and analyzing their usage patterns to ensure they don't bypass current security measures or introduce vulnerabilities. By identifying these hidden APIs, organizations can take corrective actions to secure their systems and maintain accurate API documentation and control." + impact: "The impact of this test is significant for system security and compliance. Detecting and managing shadow APIs helps prevent unauthorized access, reduce security risks, and ensure that outdated endpoints do not compromise the integrity of the system. By addressing these hidden APIs, organizations can enhance their security posture, improve data protection, and ensure that all APIs adhere to current policies and standards." 
+ category: + name: IIM + shortName: Improper Inventory Management + displayName: Improper Inventory Management (IIM) + subCategory: OLD_VERSION_API_TEST_DELETE + severity: CRITICAL + tags: + - Business logic + - OWASP top 10 + - HackerOne top 10 + references: + - https://owasp.org/API-Security/editions/2023/en/0xa9-improper-inventory-management/ + - https://www.akto.io/blog/3-new-ways-to-detect-improper-api-inventory-owasp-api9-2023 + - https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa9-improper-inventory-management.md + cwe: + - CWE-1059 + cve: + - CVE-2022-3203 + +attributes: + nature: INTRUSIVE + plan: PRO + duration: FAST + + +api_selection_filters: + response_code: + eq: 204 + method: + eq: "DELETE" + response_payload: + length: + gt: 0 + not_contains: + - Error + - Internal Server + - Failed + - Unauthorized + - access denied + - Forbidden + - Method Not allowed + - Gateway timeout + - request timeout + - server error + - server busy + - authentication error + - authorization error + - validation error + - Permission Denied + - invalid token + - token expired + - session expired + - session timeout + - unexpected error + - unable to process request + - bad request + - service unavailable + - account is locked + - account is blocked + - multiple failed attempts + url: + regex: v([2-9]\d*|\d{2,})/ +execute: + type: single + requests: + - req: + - modify_url: + regex_replace: + regex: v([2-9]\d*|\d{2,})/ + replace_with: v1/ +validate: + response_code: + eq: 204 + response_payload: + length: + gt: 0 + not_contains: + - Error + - Internal Server + - Failed + - Unauthorized + - access denied + - Forbidden + - Method Not allowed + - Gateway timeout + - request timeout + - server error + - server busy + - authentication error + - authorization error + - validation error + - Permission Denied + - invalid token + - token expired + - session expired + - session timeout + - unexpected error + - unable to process request + - bad request + - service 
unavailable + - account is locked + - account is blocked + - multiple failed attempts + url: + endpoint_in_traffic_context: false + +strategy: + insertVulnApi: true diff --git a/Improper Inventory Management/OldApiVersionPATCH.yml b/Improper Inventory Management/OldApiVersionPATCH.yml new file mode 100644 index 00000000..8c96dedf --- /dev/null +++ b/Improper Inventory Management/OldApiVersionPATCH.yml 
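Review bot: The `url.regex` `v([2-9]\d*|\d{2,})/` is unanchored, so it also matches inside unrelated path segments such as `/dev2/` or `/srv3/`, and the `regex_replace` step would then rewrite `/dev2/` to `/dev1/`, a URL that has nothing to do with API versioning; anchoring on the path separator, `regex: /v([2-9]\d*|\d{2,})/` with `replace_with: /v1/` in both the selection filter and the `modify_url` step, limits it to real version segments. The same applies to OldApiVersionPATCH.yml. This pair is the only one in the patch rated `severity: CRITICAL`, and the `info` text does not say why a reachable legacy DELETE/PATCH endpoint outranks the HIGH of the BOLA templates, so either justify it there or align it. Since a positive finding is a real DELETE accepted by the rewritten v1 URL, the `nature: INTRUSIVE` flag is warranted and the description could state that the probe modifies data on the target.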
@@ -0,0 +1,114 @@ +id: OLD_VERSION_API_TEST_PATCH +info: + name: "Old API Version Test for detecting shadow APIs with PATCH method" + description: "This test involves evaluating legacy API versions with PATCH method to identify and address any shadow APIs—those that are not documented or officially sanctioned but still in use. This test helps ensure that deprecated or unauthorized APIs do not pose security risks or cause inconsistencies within the system. By detecting and managing shadow APIs, organizations can maintain better control over their API landscape and improve overall security and compliance." + details: "This test is a process where outdated API versions with PATCH method are examined to uncover shadow APIs—unauthorized or undocumented endpoints that may be in use within a system. This testing typically involves scanning for old API endpoints and analyzing their usage patterns to ensure they don't bypass current security measures or introduce vulnerabilities. By identifying these hidden APIs, organizations can take corrective actions to secure their systems and maintain accurate API documentation and control." + impact: "The impact of this test is significant for system security and compliance. Detecting and managing shadow APIs helps prevent unauthorized access, reduce security risks, and ensure that outdated endpoints do not compromise the integrity of the system. By addressing these hidden APIs, organizations can enhance their security posture, improve data protection, and ensure that all APIs adhere to current policies and standards." 
+ category: + name: IIM + shortName: Improper Inventory Management + displayName: Improper Inventory Management (IIM) + subCategory: OLD_VERSION_API_TEST_PATCH + severity: CRITICAL + tags: + - Business logic + - OWASP top 10 + - HackerOne top 10 + references: + - https://owasp.org/API-Security/editions/2023/en/0xa9-improper-inventory-management/ + - https://www.akto.io/blog/3-new-ways-to-detect-improper-api-inventory-owasp-api9-2023 + - https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa9-improper-inventory-management.md + cwe: + - CWE-1059 + cve: + - CVE-2022-3203 + +attributes: + nature: INTRUSIVE + plan: PRO + duration: FAST + + +api_selection_filters: + response_code: + eq: 204 + method: + eq: "PATCH" + response_payload: + length: + gt: 0 + not_contains: + - Error + - Internal Server + - Failed + - Unauthorized + - access denied + - Forbidden + - Method Not allowed + - Gateway timeout + - request timeout + - server error + - server busy + - authentication error + - authorization error + - validation error + - Permission Denied + - invalid token + - token expired + - session expired + - session timeout + - unexpected error + - unable to process request + - bad request + - service unavailable + - account is locked + - account is blocked + - multiple failed attempts + url: + regex: v([2-9]\d*|\d{2,})/ +execute: + type: single + requests: + - req: + - modify_url: + regex_replace: + regex: v([2-9]\d*|\d{2,})/ + replace_with: v1/ +validate: + response_code: + eq: 204 + response_payload: + length: + gt: 0 + not_contains: + - Error + - Internal Server + - Failed + - Unauthorized + - access denied + - Forbidden + - Method Not allowed + - Gateway timeout + - request timeout + - server error + - server busy + - authentication error + - authorization error + - validation error + - Permission Denied + - invalid token + - token expired + - session expired + - session timeout + - unexpected error + - unable to process request + - bad request + - service 
unavailable + - account is locked + - account is blocked + - multiple failed attempts + url: + endpoint_in_traffic_context: false + +strategy: + insertVulnApi: true diff --git a/Injection-Attacks/TimeBasedNoSQLiJSONParamDELETE.yml b/Injection-Attacks/TimeBasedNoSQLiJSONParamDELETE.yml new file mode 100644 index 00000000..6c41e227 --- /dev/null +++ b/Injection-Attacks/TimeBasedNoSQLiJSONParamDELETE.yml 
@@ -0,0 +1,145 @@
+id: TIME_BASED_NOSQLI_JSON_PARAM_DELETE
+info:
+ name: "Time based NoSQL Injection test for JSON body Parameters with Javascript on APIs having DELETE method"
+ description: >
+ "Time-based NoSQL injection testing for JSON body parameters involves inserting payloads with time-based logic into JSON data sent in requests (APIs having DELETE method). By causing intentional delays in how the NoSQL database processes these inputs, attackers can observe response times to detect vulnerabilities. This testing method helps uncover weaknesses in how the application handles and interprets JSON body parameters, revealing potential security risks in NoSQL queries."
+ details: >
+ "In time-based NoSQL injection testing for JSON body parameters, testers inject payloads designed to introduce delays or time-based operations within the JSON data (APIs having DELETE method). By analyzing how the database's response time varies with different inputs, they can determine if the application is vulnerable to such injections. This approach helps identify flaws in how JSON body parameters are processed and validated, highlighting potential security vulnerabilities in the handling of NoSQL queries."
+ impact: >
+ "The impact of time-based NoSQL injection on JSON body parameters can lead to severe security issues, such as unauthorized access or manipulation of data (APIs having DELETE method). Attackers might exploit response delays to infer sensitive information or disrupt application performance. This vulnerability can compromise data integrity, reveal internal logic, and potentially allow for broader exploitation or denial-of-service attacks."
+ category:
+ name: INJECT
+ shortName: Injection Attacks
+ displayName: Injection Attacks (INJECT)
+ subCategory: TIME_BASED_NOSQLI_JSON_PARAM_DELETE
+ severity: MEDIUM
+ tags:
+ - Injection Attack
+ - OWASP Top 10
+ - HackerOne Top 10
+ references:
+ - "https://github.com/Charlie-belmer/nosqli"
+ - "https://owasp.org/www-community/Injection_Flaws"
+ cwe:
+ - CWE-943
+ - CWE-89
+ cve:
+ - CVE-2020-35847
+ - CVE-2021-22911
+ - CVE-2023-28359
+
+attributes:
+ nature: INTRUSIVE
+ plan: PRO
+ duration: SLOW
+
+
+api_selection_filters:
+ response_code:
+ eq: 204
+ response_payload:
+ length:
+ gt: 0
+ not_contains:
+ - Error
+ - Internal Server
+ - Failed
+ - Unauthorized
+ - access denied
+ - Forbidden
+ - Method Not allowed
+ - Gateway timeout
+ - request timeout
+ - server error
+ - server busy
+ - authentication error
+ - authorization error
+ - validation error
+ - Permission Denied
+ - invalid token
+ - token expired
+ - session expired
+ - session timeout
+ - unexpected error
+ - unable to process request
+ - bad request
+ - service unavailable
+ - account is locked
+ - account is blocked
+ - multiple failed attempts
+
+ method:
+ contains_either:
+ - DELETE
+ request_payload:
+ for_one:
+ key:
+ regex: .*
+ extract: changed_body_key
+ value:
+ regex: .*
+ extract: changed_body_value
+
+wordLists:
+ timeBasedPayloads:
+ - ";sleep(5000);"
+execute:
+ type: multiple
+ requests:
+ - req:
+ - add_header:
+ dummyKey: dummyVal
+ - validate:
+ response_code:
+ gte: 200
+ lt: 300
+ response_payload:
+ length:
+ gt: 0
+ not_contains:
+ - Error
+ - Internal Server
+ - Failed
+ - Unauthorized
+ - access denied
+ - Forbidden
+ - Method Not allowed
+ - Gateway timeout
+ - request timeout
+ - server error
+ - server busy
+ - authentication error
+ - authorization error
+ - validation error
+ - Permission Denied
+ - invalid token
+ - token expired
+ - session expired
+ - session timeout
+ - unexpected error
+ - unable to process request
+ - bad request
+ - service unavailable
+ - account is locked
+ - account is blocked
+ - multiple failed attempts
+ - failure
+ - cloudflare
+ -
+ -
+ - success: x2
+ - failure: exit
+ - req:
+ - modify_body_param:
+ changed_body_key: ${changed_body_value}${timeBasedPayloads}
+ - validate:
+ response_code:
+ eq: 429
+validate:
+ and:
+ - compare_greater:
+ - ${x2.response.stats.median_response_time}
+ - 5001
+ - compare_greater:
+ - ${x2.response.stats.median_response_time}
+ - ${x1.response.stats.median_response_time} * 5
diff --git a/Injection-Attacks/TimeBasedNoSQLiJSONParamPATCH.yml b/Injection-Attacks/TimeBasedNoSQLiJSONParamPATCH.yml
new file mode 100644
index 00000000..a8c940d8
--- /dev/null
+++ b/Injection-Attacks/TimeBasedNoSQLiJSONParamPATCH.yml
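Review bot: The `api_selection_filters` block requires `response_code: eq: 204` together with `response_payload: length: gt: 0`, which can never both hold because a 204 No Content response carries no body, so this template will not select any endpoint; the first request's `validate` repeats `length: gt: 0` and would take the `failure: exit` branch on a 204 baseline as well. Drop the `length` check in both places or widen the selector to `response_code: gte: 200 lt: 300`, as the in-request validate already does. The two empty `- ` entries after `- cloudflare` in the first request's `not_contains` list parse as null items and should be removed. The second request's `validate: response_code: eq: 429` reads as inverted — a 429 signals rate limiting, not an injected `sleep(5000)` delay — so if it is meant to abort on throttling it should be `neq: 429`, otherwise it should go. CWE-89 is SQL injection; for a NoSQL test CWE-943 alone is the accurate mapping.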
@@ -0,0 +1,145 @@
+id: TIME_BASED_NOSQLI_JSON_PARAM_PATCH
+info:
+ name: "Time based NoSQL Injection test for JSON body Parameters with Javascript on APIs having PATCH method"
+ description: >
+ "Time-based NoSQL injection testing for JSON body parameters involves inserting payloads with time-based logic into JSON data sent in requests (APIs having PATCH method). By causing intentional delays in how the NoSQL database processes these inputs, attackers can observe response times to detect vulnerabilities. This testing method helps uncover weaknesses in how the application handles and interprets JSON body parameters, revealing potential security risks in NoSQL queries."
+ details: >
+ "In time-based NoSQL injection testing for JSON body parameters, testers inject payloads designed to introduce delays or time-based operations within the JSON data (APIs having PATCH method). By analyzing how the database's response time varies with different inputs, they can determine if the application is vulnerable to such injections. This approach helps identify flaws in how JSON body parameters are processed and validated, highlighting potential security vulnerabilities in the handling of NoSQL queries."
+ impact: >
+ "The impact of time-based NoSQL injection on JSON body parameters can lead to severe security issues, such as unauthorized access or manipulation of data (APIs having PATCH method). Attackers might exploit response delays to infer sensitive information or disrupt application performance. This vulnerability can compromise data integrity, reveal internal logic, and potentially allow for broader exploitation or denial-of-service attacks."
+ category:
+ name: INJECT
+ shortName: Injection Attacks
+ displayName: Injection Attacks (INJECT)
+ subCategory: TIME_BASED_NOSQLI_JSON_PARAM_PATCH
+ severity: MEDIUM
+ tags:
+ - Injection Attack
+ - OWASP Top 10
+ - HackerOne Top 10
+ references:
+ - "https://github.com/Charlie-belmer/nosqli"
+ - "https://owasp.org/www-community/Injection_Flaws"
+ cwe:
+ - CWE-943
+ - CWE-89
+ cve:
+ - CVE-2020-35847
+ - CVE-2021-22911
+ - CVE-2023-28359
+
+attributes:
+ nature: INTRUSIVE
+ plan: PRO
+ duration: SLOW
+
+
+api_selection_filters:
+ response_code:
+ eq: 204
+ response_payload:
+ length:
+ gt: 0
+ not_contains:
+ - Error
+ - Internal Server
+ - Failed
+ - Unauthorized
+ - access denied
+ - Forbidden
+ - Method Not allowed
+ - Gateway timeout
+ - request timeout
+ - server error
+ - server busy
+ - authentication error
+ - authorization error
+ - validation error
+ - Permission Denied
+ - invalid token
+ - token expired
+ - session expired
+ - session timeout
+ - unexpected error
+ - unable to process request
+ - bad request
+ - service unavailable
+ - account is locked
+ - account is blocked
+ - multiple failed attempts
+
+ method:
+ contains_either:
+ - PATCH
+ request_payload:
+ for_one:
+ key:
+ regex: .*
+ extract: changed_body_key
+ value:
+ regex: .*
+ extract: changed_body_value
+
+wordLists:
+ timeBasedPayloads:
+ - ";sleep(5000);"
+execute:
+ type: multiple
+ requests:
+ - req:
+ - add_header:
+ dummyKey: dummyVal
+ - validate:
+ response_code:
+ gte: 200
+ lt: 300
+ response_payload:
+ length:
+ gt: 0
+ not_contains:
+ - Error
+ - Internal Server
+ - Failed
+ - Unauthorized
+ - access denied
+ - Forbidden
+ - Method Not allowed
+ - Gateway timeout
+ - request timeout
+ - server error
+ - server busy
+ - authentication error
+ - authorization error
+ - validation error
+ - Permission Denied
+ - invalid token
+ - token expired
+ - session expired
+ - session timeout
+ - unexpected error
+ - unable to process request
+ - bad request
+ - service unavailable
+
- account is locked
+ - account is blocked
+ - multiple failed attempts
+ - failure
+ - cloudflare
+ -
+ -
+ - success: x2
+ - failure: exit
+ - req:
+ - modify_body_param:
+ changed_body_key: ${changed_body_value}${timeBasedPayloads}
+ - validate:
+ response_code:
+ eq: 429
+validate:
+ and:
+ - compare_greater:
+ - ${x2.response.stats.median_response_time}
+ - 5001
+ - compare_greater:
+ - ${x2.response.stats.median_response_time}
+ - ${x1.response.stats.median_response_time} * 5
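Review bot: The selector pairs `response_code: eq: 204` with `response_payload: length: gt: 0`, and a 204 No Content response has no body by definition, so no PATCH endpoint can ever match this template; the first request's `validate` carries the same `length: gt: 0` condition and would hit `failure: exit` on a 204 baseline before the payload is ever sent. Remove the `length` condition from both, or select on `response_code: gte: 200 lt: 300` like the in-request validate. The two bare `- ` items following `- cloudflare` in that `not_contains` list are null entries and should be deleted. In the second request, `validate: response_code: eq: 429` appears to assert the opposite of what a timing probe wants — 429 means the target throttled the request, which would also distort the `median_response_time` comparison — so it should be `neq: 429` if its purpose is to bail out on rate limiting, or be dropped. CWE-89 denotes SQL injection and does not apply here; CWE-943 already covers NoSQL query injection.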