Skip to content

Commit

Permalink
README.md file is updated
Browse files Browse the repository at this point in the history
  • Loading branch information
Erdemstar committed Aug 17, 2023
1 parent 120d2fc commit f8f9f34
Show file tree
Hide file tree
Showing 2 changed files with 98 additions and 24 deletions.
118 changes: 96 additions & 22 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,33 +1,107 @@

# VulnerableApp4APISecurity

Merhabalar,
This repository was developed using .NET 7.0 API technology based on findings listed in the OWASP 2019 API Security Top 10. This project has been developed to be used as an example project while explaining API Security and to easily generate attack scenarios while companies are trying the products they test to ensure API Security. In addition, Mongo was used as the database in the project, and it was developed considering Clean Architecture and Solid Principles as much as possible.

**The project will be examined under the following headings.**

- 1 - Vulnerabilities
- 2 - Run
- 2.1 - Running via IDE
- 2.2 - Running from Container
- 2.3 - Running from Docker-compose
- 2.4 - Running from Kubernetes
- 3 - Dummy Traffics
- 3.1 - Available Side
- 3.2 - Updatable Side
- 4 - API Details Documentations
- 4.1 - Postman Collection
- 4.2 - Excel of API Details
- 5 - API Security Presentation

## 1 - Vulnerabilities
The vulnerabilities on the developed application are as follows. While some of these vulnerabilities can be found directly, some have been developed to find and exploit indirectly (Path/Arguments fuzzing, Brute-force/rate limit) to simulate real-life scenarios.

- **API 01:2019** — Broken object level authorization
- **API 02:2019** — Broken authentication
- **API 03:2019** — Excessive data exposure
- **API 04:2019** — Lack of resources and rate limiting
- **API 05:2019** — Broken function level authorization
- **API 06:2019** — Mass assignment
- **API 07:2019** — Security misconfiguration
- **API 08:2019** — Injection
- **API 09:2019**~~Improper Assets Management~~
- **API 10:2019** — Insufficient logging and monitoring : *soon*


## 2 - Run
Below is an explanation for running the developed application.

### 2.1 - Running via IDE
Since the project was developed with .NET 7.0, it can be run platform-independently. For this, if you have .NET 7.0 SDK and Visual Studio in terms of easy use, it will be enough for it to work and analyze.
```
git clone https://github.com/Erdemstar/VulnerableApp4APISecurity
cd VulnerableApp4APISecurity
- mouse click on reflected-xss-tag-attribute-src.sln
- devenv reflected-xss-tag-attribute-src.sln (CMD)
```
**NOTE** : When the application is up, you can use/edit the Database settings from the appsettings.json section.

### 2.2 - Running from Container
You can use one of the following images to run through the container.
```
- docker run erdemstar/vulnerableapp4apisecurity:amd64
- docker run erdemstar/vulnerableapp4apisecurity:arm64
```
**NOTE** : When the application stands up, it uses a database settings by default and makes a Mongo connection over it. If you are going to run it in a container environment, I recommend you to check this settings.

Bu repository OWASP 2019 API'da anlatılan bulguları .NET Core 3.1 API teknolojisi kullanarak geliştirildi. Bu repository hem API güvenliği üzerinde anlatım yaparken örnek bir proje olarak kullanılması hemde şirketlerin API Güvenliğini sağlamak için test ettiği ürünleri denerlerken saldırı senaryosu üretmek için kullanılması amaçlanarak üretilmiştir.
### 2.3 - Running from Docker-compose
If you want to run it directly, you can download the previously prepared docker-compose.yml file as follows and skip the installation step quickly.
```
curl https://raw.githubusercontent.com/Erdemstar/VulnerableApp4APISecurity/main/Resource/Dockercompose/docker-compose.yml > docker-compose.yml
docker-compose --compatibility up
```
**NOTE :** Here you need to choose arm64 / amd64 according to the architecture used by our environment, otherwise you may encounter errors.
### 2.4 - Running from Kubernetes
*soon*

Geliştirilen proje aşağıdaki başıklar açıklanacaktır
## 3 - Dummy Traffics
This part has been added to the developed application to generate dummy traffic. Many API Security products need clean traffic from the application before they receive attack traffic. After making sure that the project is working as expected, you can use the existing container images through the following topics or update the dummy_data.py script to generate new images.

- 1- Projenin sahip olduğu zafiyetler
- 1- Projenin ayağı kaldırılması
- IDE üzerinden ayağı kaldırılması
- Container üzerinden ayağı kaldırılması
- Docker-compose üzerinden ayağı kaldırılması
- 1- Proje üzerinde dummy trafiğin oluşturulması
- 1- Projenin sahip olduğu endpointlerin postman çıktısının incelenmesi
- 1- Projenin sahip olduğu enpointleri ve üzerindeki zafiyetlerin ifade edilmesi
### 3.1 - Available Side
Here, you can use the image to create clean traffic by choosing the one in an architecture compatible with the computer you are using, giving the following parameters.
```
- docker run erdemstar/vulnerableapp4apisecurity:dummy-amd64 <http://app-url:port> <count>
- docker run erdemstar/vulnerableapp4apisecurity:dummy-arm64 <http://app-url:port> <count>
```

To keep the script simple, the multithreading structure was not used. You can meet this need by containerizing the application and creating more than one container from the same image. :)

### 3.2 - Updatable Side
If you want to see and edit the existing script, you can see the script and the libraries it uses via the path shared below.
```
cd /VulnerableApp4APISecurity/Resource/Dummy/
```

### 1- Sahip olunan zafiyetler
**NOTE :** When the script structure is examined, it creates random "User" authorized users on the application and sends requests to their endpoints. After every 5 requests, it sends a request using the email : "[email protected]" password: "erdem" information with Admin authority. Before running the script, do not forget to create a user with the above email and password information whose Role is "Admin" on the application.

- **API 01:2019 — Broken object level authorization**
- **API 02:2019 — Broken authentication**
- **API 03:2019 — Excessive data exposure**
- **API 04:2019 — Lack of resources and rate limiting**
- **API 05:2019 — Broken function level authorization**
- **API 06:2019 — Mass assignment**
- **API 07:2019 — Security misconfiguration**
- **API 08:2019 — Injection**
## 4 - API Details Documentations
This section has been created to explain what kind of attacks can be made using the endpoints of the application after clean traffic is sent on the application.

### 1- Projenin ayağı kaldırılması
İlgil proje .NET Core 3.1 üzerinde oluşturulduğu için işletim sistemi bağımsız her ortamda ayağı kalkabilir.
### 4.1- Postman Collection
Postman collection was prepared to see the endpoints of the application and to trigger the vulnerability corresponding to OWASP API Security Top 10 by using these endpoints. You can follow the path below to reach the created collection.
```
cd /VulnerableApp4APISecurity/Resource/Postman
```
### 4.2- Excel of API Details
This section provides information about the endpoints available on the application and the OWASP API Security Top 10 vulnerabilities category that these endpoints have.
```
cd /VulnerableApp4APISecurity/Resource/Vulnerabilityinfo
```
## 5 - API Security Presentation
I created a presentation on OWASP API Security 2019 Top 10 at a Webinar I was invited to last quarter in 2022. If you wish, you can access this presentation via the path below.
```
cd /VulnerableApp4APISecurity/Resource/Presentation
```
4 changes: 2 additions & 2 deletions Resource/Dummy/dummy_data.py
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,8 @@
class RequestHelper():

def __init__(self):
self.proxy = {"http":"http://localhost:8080"}
#self.proxy = ""
#self.proxy = {"http":"http://localhost:8080"}
self.proxy = ""

def GET(self,url,jwt:None):
if jwt is None:
Expand Down

0 comments on commit f8f9f34

Please sign in to comment.