API2:2023 Demonstrating BUA Exploitation in crAPI

Details

Goals & objectives

Hardware & software

Solution overview

In this hands-on lab, you will explore the exploitation of Broken User Authentication (BUA) vulnerabilities within the crAPI application. This exercise is designed to provide practical experience in identifying and manipulating authentication mechanisms to gain unauthorized access. Using tools such as Burp Suite, Postman, and FoxyProxy, you will intercept and alter API calls to demonstrate the impact of BUA vulnerabilities.

Refer to the video tutorial in the next section for a detailed workflow.

Lab diagram

Goals and objectives

The primary goal of this hands-on lab is to equip participants with the skills and knowledge necessary to identify, exploit and understand Broken User Authentication (BUA) vulnerabilities within an API context.

The lab will guide you through:

1. Setting up your environment with Burp Suite and FoxyProxy:

2. Registering a new user in crAPI:

3. Intercepting and analyzing API calls:

4. Manipulating authentication tokens and credentials:

5. Exploiting common BUA weaknesses:

6. Demonstrating the potential impact of successful exploitation:

Hardware and software

1 x Windows Jumpbox (Postman 11.2.26 , Burpsuite V 2024.5.5 , FoxyProxy v8.9)

1 x Ubuntu Server (crAPI Application v1.1.5)

Contributors

Shoaib Mohammed Shahapuri

Technical Solutions Architect

Foundations Lab

Solution overview

Lab diagram

Goals and objectives

Hardware and software

Contributors