| description |
|---|
| API3-Broken Object Property Level Authorization (BOPLA) |
Understanding how to use API documentation is crucial for effective testing. API documentation typically includes sections like:
- Overview: Provides a high-level introduction, authentication, and rate-limiting information.
- Functionality: Describes actions using HTTP methods and endpoints.
- Request Requirements: Specifies authentication, parameters, path variables, headers, and body information.
- Path Variables: Indicated by a colon (`:`) or curly brackets (`{}`) in the endpoint. Example: `/user/:id` or `/user/{id}`.
- Optional Input: Square brackets (`[]`) indicate optional input. Example: `/api/v1/user?find=[name]`.
- Multiple Values: Double bars (`|`) represent different possible values. Example: `"blue" | "green" | "red"`.
Understanding these conventions helps in creating well-formed requests and troubleshooting.
- Import crAPI Swagger file into Swagger Editor.
- Visualize API endpoints, parameters, request body, and example responses.
- Explore various paths and understand object key naming schemes.
- Access collection editor in Postman.
- Check and update collection variables, especially the `baseUrl`.
- Use the Authorization tab in the collection editor.
- Select the appropriate authorization type (e.g., Bearer Token).
- Obtain a Bearer Token through authentication and update the collection.
- Response includes more information than requested.
- Sensitive information is exposed.
Request:

```http
GET /api/v1/user?=CloudStrife
```

Response:

```http
200 OK HTTP 1.1

{
  "id": "5501",
  "fname": "Cloud",
  "lname": "Strife",
  "privilege": "user",
  "representative": [
    {
      "name": "Don Coreneo",
      "id": "2203",
      "email": "dcorn@gmail.com",
      "privilege": "admin",
      "MFA": false
    }
  ]
}
```
In this example, sensitive information about an administrator is exposed along with the requested user's information.
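The example above is easier to reason about with a concrete check. The script below is an added illustration, not code from crAPI, Postman, or the original page: it compares a JSON response against a constructed per-role property allow-list, reports every property the caller's role should not receive (marking the well-known sensitive names separately), and produces the filtered body a server-side mitigation would return instead. The role names, the `ALLOWED` map, and the `SENSITIVE_KEYS` set are assumptions made for this example; the response body is the one shown on the page.

```python
"""Detect excessive data exposure against a per-role property allow-list,
and strip what the role should not see. Added example for illustration;
the allow-list, roles and sensitive-name set are constructed, not crAPI's."""
import json

# Constructed allow-list: properties a caller with a given role may receive
# for each object kind. Nested objects are keyed by the property that holds them.
ALLOWED = {
    "user": {
        "user": {"id", "fname", "lname"},
        "admin": {"id", "fname", "lname", "privilege", "representative"},
    },
    "representative": {
        "user": set(),
        "admin": {"name", "id"},
    },
}

# Names that commonly carry sensitive data; reported as "sensitive" rather
# than merely "unexpected" when they fall outside the allow-list.
SENSITIVE_KEYS = {"email", "privilege", "mfa", "password", "token", "ssn"}


def find_exposed(obj, role, kind="user", path=""):
    """Return [(json_path, reason)] for every property the role should not see.

    Disallowed containers are still walked so the report shows everything
    that leaked, not just the top-level key."""
    findings = []
    allowed = ALLOWED.get(kind, {}).get(role, set())
    for key, value in obj.items():
        here = f"{path}.{key}" if path else key
        if key not in allowed:
            reason = "sensitive" if key.lower() in SENSITIVE_KEYS else "unexpected"
            findings.append((here, reason))
        if isinstance(value, list):
            for i, item in enumerate(value):
                if isinstance(item, dict):
                    findings.extend(find_exposed(item, role, kind=key, path=f"{here}[{i}]"))
        elif isinstance(value, dict):
            findings.extend(find_exposed(value, role, kind=key, path=here))
    return findings


def filter_response(obj, role, kind="user"):
    """Return a copy of obj containing only the properties allowed for role.

    This is the server-side mitigation: serialize from an allow-list per role
    instead of returning the whole internal object."""
    allowed = ALLOWED.get(kind, {}).get(role, set())
    out = {}
    for key, value in obj.items():
        if key not in allowed:
            continue
        if isinstance(value, list):
            out[key] = [filter_response(v, role, kind=key) if isinstance(v, dict) else v
                        for v in value]
        elif isinstance(value, dict):
            out[key] = filter_response(value, role, kind=key)
        else:
            out[key] = value
    return out


# The response body from the page's example, embedded so the script runs offline.
SAMPLE_RESPONSE = json.loads('''{"id": "5501", "fname": "Cloud", "lname": "Strife",
 "privilege": "user",
 "representative": [{"name": "Don Coreneo", "id": "2203", "email": "dcorn@gmail.com",
                     "privilege": "admin", "MFA": false}]}''')

if __name__ == "__main__":
    for json_path, why in find_exposed(SAMPLE_RESPONSE, "user"):
        print(f"{why:10} {json_path}")
    print(json.dumps(filter_response(SAMPLE_RESPONSE, "user")))
```

Run with the `user` role, the report lists the caller's own `privilege` and the whole `representative` block (including the administrator's `email`, `privilege` and `MFA` flag) as exposed, and the filtered body keeps only `id`, `fname` and `lname`. The same allow-list doubles as a regression check for a test suite: assert that each role's response contains no property outside its set.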
- Explore GET requests in crAPI Swagger.
- Check the `GET /identity/api/v2/user/dashboard` request.
- Identify interesting object key names (e.g., "id", "name", "email").
- Explore other endpoints, e.g., `GET /community/api/v2/community/posts/recent`.
- Use Burp Suite's Repeater to replay intercepted API requests and look for sensitive information in the responses.
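Both the Swagger import steps earlier on the page and the endpoint-exploration steps just above boil down to the same review task: for each operation, list its parameters and the property names its response schema declares, and note the names worth a closer look. The script below does that review over an OpenAPI 3 document. It is an added example and not crAPI's spec or tooling; the `SPEC` dictionary is constructed for illustration (it borrows the dashboard path from the page and adds a made-up `{postId}` endpoint to show the path-variable convention), and the `SENSITIVE_HINTS` list is an assumption.

```python
"""Inventory an OpenAPI 3 document: per operation, list parameters and the
property names of the 200-response schema, flagging names that commonly carry
sensitive data. Added example; SPEC and SENSITIVE_HINTS are constructed."""

SPEC = {  # constructed mini-spec, not crAPI's real Swagger file
    "openapi": "3.0.0",
    "paths": {
        "/identity/api/v2/user/dashboard": {
            "get": {
                "summary": "User dashboard",
                "responses": {"200": {"content": {"application/json": {
                    "schema": {"$ref": "#/components/schemas/User"}}}}},
            }
        },
        "/community/api/v2/community/posts/{postId}": {  # made-up path variable
            "get": {
                "parameters": [{"name": "postId", "in": "path", "required": True}],
                "responses": {"200": {"content": {"application/json": {
                    "schema": {"$ref": "#/components/schemas/Post"}}}}},
            }
        },
    },
    "components": {"schemas": {
        "User": {"type": "object", "properties": {
            "id": {"type": "string"}, "name": {"type": "string"},
            "email": {"type": "string"}, "role": {"type": "string"},
            "credit_card": {"type": "string"}}},
        "Post": {"type": "object", "properties": {
            "id": {"type": "string"}, "title": {"type": "string"},
            "author": {"$ref": "#/components/schemas/User"}}},
    }},
}

# Substrings of property names that deserve a second look during review (assumed list).
SENSITIVE_HINTS = ("email", "password", "token", "role", "privilege", "admin",
                   "mfa", "card", "ssn", "secret")


def resolve(spec, schema):
    """Follow a local $ref such as #/components/schemas/User to its definition."""
    while "$ref" in schema:
        node = spec
        for part in schema["$ref"].lstrip("#/").split("/"):
            node = node[part]
        schema = node
    return schema


def property_names(spec, schema, prefix="", seen=()):
    """Flatten the property names of a schema, recursing into nested objects/arrays.

    `seen` holds the $refs on the current path so self-referential schemas terminate."""
    ref = schema.get("$ref")
    if ref in seen:
        return []
    if ref:
        seen = seen + (ref,)
    schema = resolve(spec, schema)
    if schema.get("type") == "array":
        return property_names(spec, schema.get("items", {}), prefix + "[]", seen)
    names = []
    for name, sub in schema.get("properties", {}).items():
        full = f"{prefix}.{name}" if prefix else name
        names.append(full)
        names.extend(property_names(spec, sub, full, seen))
    return names


def inventory(spec):
    """Return {"METHOD /path": {"params": [...], "props": [...], "flagged": [...]}}."""
    out = {}
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if method.upper() not in ("GET", "POST", "PUT", "PATCH", "DELETE"):
                continue  # skip path-level keys such as "parameters"
            params = [f'{p["name"]}({p.get("in", "?")})' for p in op.get("parameters", [])]
            schema = (op.get("responses", {}).get("200", {}).get("content", {})
                      .get("application/json", {}).get("schema", {}))
            props = property_names(spec, schema)
            flagged = [p for p in props
                       if any(h in p.rsplit(".", 1)[-1].lower() for h in SENSITIVE_HINTS)]
            out[f"{method.upper()} {path}"] = {"params": params, "props": props,
                                               "flagged": flagged}
    return out


if __name__ == "__main__":
    for op, info in inventory(SPEC).items():
        print(op, "params:", info["params"])
        print("  properties:", ", ".join(info["props"]))
        print("  review:    ", ", ".join(info["flagged"]) or "-")
```

Against a real Swagger export (load it with `json.load` or a YAML parser and pass the dictionary to `inventory`), the `flagged` column gives the reviewer the same shortlist the page asks for by hand: which declared properties would constitute excessive data exposure if returned to a caller whose role does not need them. A declared property is only what the documentation promises; the earlier allow-list check is what confirms what the live endpoint actually returns.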
Understanding API documentation, conventions, and identifying excessive data exposure vulnerabilities are crucial steps in API security testing.