Security Notes
  • Whoami
  • Pentesting
    • WEP-Pen
      • Reconnaissance
      • Enumeration
      • OWSAP TOP 10
        • Injection
          • Cross Site Scripting
            • Cross Site Scripting
            • Exploitation
            • Protections
          • SQL Injection
            • SQL Injection Overview
          • NoSQL Injection
          • CRLF Injection
          • XML Injection
        • Broken Access Control
          • Path Traversal
          • Sensitive Cookie with Improper SameSite Attribute
          • Link Following
          • Incorrect Default Permissions
          • Information disclosure
          • CSRF
            • csrf checklist
          • 403 bypass
          • Exposure of WSDL File Containing Sensitive Information
          • bussiness logic checklist
          • 2FA bypass checklist
          • admin panal checklist
          • idor checklist
          • Authentication checklist
          • reset_password_checklist
          • ATO
        • Cryptographic Failures
          • Cryptographic Failure
          • Weak Encoding for Password
          • Improper Following of a Certificate's Chain of Trust
            • Understanding Digital Certificates : Self-Signed and CA-Signed Certificate **
            • Transport Layer Security (TLS) and SSL **
          • Clear Text Transmission Of Sensitive Data
            • SSLStripping **
        • Insecure Design
        • Security Misconfiguration
          • CORS Miscofigration
          • Mail Server Misconfiguration
        • Vulnerable and Outdated Components
          • Using Components with Known Vulnerabilities
        • Identification and Authentication Failures
          • JWT Hacking
          • SAML Authentication bypass
        • Software and Data Integrity Failures
          • mass assignment
          • PostMessage Vulnerabilities
            • PostMessage Vulnerabilities
            • Blocking main page to steal postmessage
            • Bypassing SOP with Iframes - part 1
            • Bypassing SOP with Iframes - part 2
            • Steal postmessage modifying iframe location
        • Security Logging and Monitoring Failures
        • Server-Side Request Forgery (SSRF)
          • SSRF
      • Checklists
        • aem misconfiguration
        • exif_geo
        • xss
        • Session Management
        • Authorization
        • cookie
        • Django
        • Symfony
        • json
        • bypass rate limit
        • Rce
        • Register Page
      • eWPTXv2 Preparation
        • Encoding & Filtering
        • Evasion Basics
        • Cross-site scripting (XSS)
        • XSS Filter Evasion
        • Cross-site request forgery (CSRF
        • HTML5
      • API-Pen
        • API Discovry
        • Reverse Engineering API Documentation
        • Excessive Data Exposure
        • Vulnerability Scanning
        • API Authentication Attacks
          • Classic Authentication Attacks
          • API Token Attacks
        • API Authorization Attacks
          • Broken Object Level Authorization (BOLA)
          • Broken Function Level Authorization
        • Improper Assets Management
        • Mass Assignment
        • SSRF
        • Injection Attacks in API
        • Evasive Maneuvers
        • GraphQL Vulnerabilities
    • NET-Pen
      • Active Directory Pentesting
        • Active Directory Components
        • Initial Attack Vectors
          • LLMNR Poisoning
          • SMB Relay Attacks
          • IPv6 Attacks ( IPv6 DNS Takeover )
          • Printer Hacking
          • Methodology
          • Some Other Attacks
            • Zerologon (CVE-2020-1472)
            • PrintNightmare (CVE-2021-1675)
        • Post-Compromise Attacks
          • Pass Attacks
          • Kerberoasting Attack
          • Token Impersonation Attack
          • LNK File Attack
          • GPP / cPassword Attacks
          • Mimikatz
          • Methodology
        • We've Compromised the Domain
          • Dumping the NTDS.dit
          • Golden Ticket Attacks
          • Methodology
        • Case Study
        • Password Attacks
      • Attack Vectors by Port
        • FTP 21
        • SSH 22
        • Telnet 23 - 2323
        • SMTP 25
        • DNS 53
        • Kerberos 88
        • POP 110-995
        • RPC 111
        • Ident 113
        • NNTP 119
        • NetBIOS 137-138
        • SMB / Samba 135-139, 445
        • MSRPC 135
        • SNMP 161
        • LDAP 389,636
        • Modbus 502
        • OpenSSL 1337
        • Ms-SQL 1433
        • Oracle Listener 1521 1522 1529
        • NFS 2049
        • MySql 3306
        • RDP 3389
        • ADB Android Debug Bridge 5555
        • WinRM 5985 5986
        • VNC 5800 5900
        • Redis 6379
        • Unreal IRC 6667
        • Tomcat 8080
        • MongoDB 27017
        • http 80
      • Network basics
      • Information Gathering
      • Privilege Escalation
        • Windows Privilege Escalation
        • Linux Privilege Escalation
    • write-ups
      • How i found a Privilege Escalation via Impersonation Features feature
      • How I was able to discover ATO Via IDOR vulnerability
      • Easy full Account Takeover via Facebook OAuth Misconfiguration
Powered by GitBook
On this page
  1. Pentesting
  2. WEP-Pen
  3. API-Pen

Improper Assets Management

PreviousBroken Function Level AuthorizationNextMass Assignment

Last updated 6 months ago

Discovery

  • Explore API Documentation: Review API documentation to pinpoint parameters tied to account properties, crucial functions, and admin actions. This can reveal areas of potential risk in asset management.

  • Intercept Requests and Responses: Use tools like Burp Suite to intercept API traffic. Inspect parameters and responses to spot any that may need further testing.

  • Parameter Guessing and Fuzzing: Experiment with parameters that accept user input, focusing on those that could affect account variables or allow manipulation during account creation and editing.

Testing Procedure

Follow these steps to test for Improper Asset Management vulnerabilities:

1. Baseline Versioning Information

  • Understand the API’s versioning by examining paths, headers, and parameters. Track supported production versions (e.g., v1, v2, v3).

  • In Postman, create a test to detect status code 200, verifying successful responses for baseline comparison.

2. Run an Unauthenticated Baseline Scan

  • Conduct an unauthenticated scan on the API collection using Postman’s Collection Runner.

  • Save responses to establish a baseline and for further analysis.

3. Review and Analyze

  • Examine the unauthenticated scan results to understand how the API responds across different versioning.

  • Look for anomalies in behavior or access control.

4. Collection Version Replacement

  • Use the "Find and Replace" function to convert version-specific details into variables within Postman for flexibility in testing multiple versions (e.g., v1, v2, v3).

5. Set Environment Variables

  • Add a Postman variable called "ver" and set its initial value to v1.

  • Update this variable to test other versions, such as mobile, internal, test, uat, and observe responses.

6. Collection Runner with Version Variables

  • Run the collection with different version values, checking for inconsistencies in response.

  • Note any unexpected responses for non-existent paths, particularly if they result in 200 OK statuses, which may signal asset management issues.

7. Identify and Investigate Anomalies

  • Review differences in responses, especially in critical actions like password resets, across versions.

  • Investigate specific endpoints for potential weaknesses, such as unlimited password reset attempts or open OTP validation paths

Impact Analysis and Brute Force Testing

  1. Impact Assessment: Gauge the potential impact, such as whether an API version allows excessive attempts for password resets without restriction.

  2. Brute Force with WFuzz: Use WFuzz to test parameters like OTP validation.

    wfuzz -d '{"email":"hapihacker@email.com", "otp":"FUZZ","password":"NewPassword1"}' \
-H 'Content-Type: application/json' \
-z file,/usr/share/wordlists/SecLists-master/Fuzzing/4-digits-0000-9999.txt \
-u http://crapi.apisec.ai/identity/api/auth/v2/check-otp --hc 500

    • Look for unauthorized access indicators in successful brute force responses.

Brute Force Review

  • Analyze brute force outcomes for any unauthorized access capabilities. Confirm if the vulnerability could allow unapproved actions.

Authenticated User Testing

  • Run the tests again as an authenticated user to ensure consistency and rule out unexpected behavior in protected API versions.