API Attacks 1.3 Challenge Exercise

Hi,

I’ve completed API Attacks 1.2 and moved on to 1.3, but had difficulty yesterday in finishing it.

I’ve done the first question of 1.3 and am now on the second question.

This is the next day now so I assume the lab has been reset?

When I try to make the tester account (successfully)… I can’t log in with those details like I did yesterday.

But I know with this course there’s a lot of playing around with cookies, so I don’t know if there is something else at play here?


I’ve completed 1.3 task 1 and task 2, though I’m seeing similar behaviour on task 3. Anyway, for task 2:

- Search for the GET method /community/api/v2/community/posts/recent
- Get a user email to crack down the phone number, for example robot001@example.com
  • Turn on “Intercept is on” on the Proxy Intercept.
  • Send the message, and look at the JSON Web Tokens
  • Change the “alg”:
  • Change the email in “sub”:
  • Send the API message

On task 3, I went and reset the lab multiple times (lab restart), and noticed that every so often I log in once with the test user and, if I log out or try to log in with Firefox for example, I get similar behaviour to you, being unable to log in.

I’ve since reset the lab, and am able to get the vehicle endpoints, but not able to manipulate the vehicle id on two different endpoints for the target of exploitation (TOE).
If you get to task 3 and can provide pointers, I’m sure they would be greatly appreciated for the learning experience.

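The “alg”/“sub” manipulation in the task 2 steps above only works when the API trusts the algorithm named in the token’s own header instead of pinning it server-side. As an added example (not part of this thread, the course, or crAPI’s own code), here is a minimal HS256 verifier in Python with the weak check beside the hardened one; the demo secret, the helper names and the token layout are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret for this example only; a real service loads it from its key store.
SECRET = b"demo-secret-do-not-use"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(sub: str, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT whose 'sub' is the logged-in user's email (stand-in for login)."""
    header = _segment({"alg": "HS256", "typ": "JWT"})
    payload = _segment({"sub": sub})
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def tamper_alg_none(token: str, new_sub: str) -> str:
    """Build the test vector the thread describes: 'alg' set to 'none', 'sub'
    replaced, signature dropped. Used here only to exercise the two verifiers."""
    _, payload_b64, _ = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["sub"] = new_sub
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def weak_verify(token: str, secret: bytes = SECRET):
    """Trusts whatever algorithm the token's header declares (the flaw the lab exercises).
    With 'none' no signature is checked, so any 'sub' the client writes is accepted."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(payload_b64))
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return json.loads(_b64url_decode(payload_b64))
    return None


def strict_verify(token: str, secret: bytes = SECRET):
    """Pins the algorithm server-side and always checks the HMAC before reading claims."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":          # 'none' and every other alg are refused
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return json.loads(_b64url_decode(payload_b64))


if __name__ == "__main__":
    good = issue_token("test@example.com")
    forged = tamper_alg_none(good, "robot001@example.com")
    print("weak verifier accepts forged token as:", weak_verify(forged))
    print("strict verifier result for forged token:", strict_verify(forged))
```

The fix is the single line that refuses any algorithm other than the one the server issued; a library-based verifier should likewise be called with an explicit allow-list of algorithms rather than letting the token choose.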

Same here, I skipped it for now and am going to recircle.


Went to the next lab, it wasn’t working right so I went back to this one. It just hit me that they said (Notice that it uses a vehicle ID?). Once you get your lab back, read through it again and look at what you found previously.

Hmmm… I know that we were looking for the vehicleid/carid, but the problem was that I was able to log in as user@example.com, but when I was probing around, like in the “refresh location”, I don’t know what was causing my repeated HTTP requests to return 502 errors, and if I tried to refresh the page it would require me to log in again, but I would not be able to as I would get “Invalid Username or Password”. I wish I had, and should have, taken better notes on the behavior… but once I was able to grab the trophy latitude/longitude, I moved on.

This is what I think I did to get my trophies:

  1. Login with the Test Account:
    • Log in to crAPI using the test credentials:
      Email: test@example.com
      Password: Test!123
    • Capture the login request and response in BurpSuite. You’ll need the JWT token later for authenticated requests.

  2. Locate Your Own Vehicle’s Coordinates:
    • Once logged in, navigate to the Vehicle Details page in the crAPI application (this is usually accessible from the dashboard).
    • You’ll find a “Refresh Location” button on the Vehicle Details page. Click this button and capture the request in BurpSuite.

  3. Capture the Vehicle Location API Request:
    • In BurpSuite, look for the API request sent when the “Refresh Location” button is clicked.
    • Note the vehicle_id used in the request. This ID corresponds to your own vehicle.

  4. Exploit the BOLA Vulnerability:
    • To exploit BOLA, replace your vehicle’s ID in the API request with the vehicle_id of another user, such as Adam007. In previous exercises, you captured email addresses from the Community page, which may also include associated vehicle_id fields.
    • Modify the request in BurpSuite Repeater or directly through Intercept.
    • Replace {adam007_vehicle_id} with the vehicle ID you captured for Adam007 (or another community user).

  5. Send the Modified Request:
    • With BurpSuite, send the modified request. Since the server is not properly checking if you’re authorized to access the vehicle_id of another user, it should return the location coordinates for Adam007’s vehicle.

  6. Retrieve the Vehicle Location Coordinates:
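The BOLA walkthrough above hinges on a server that checks who you are (the JWT) but not whether the vehicle_id you send belongs to you. As an added example (not from this thread, the course, or crAPI’s own code), here is what the missing object-level check looks like in Python, with the vulnerable handler beside the hardened one and a small detection rule over refused lookups; the vehicle ids, owners, coordinates and function names are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vehicle:
    vehicle_id: str
    owner_email: str
    latitude: float
    longitude: float


# Constructed sample data: the ids and coordinates are placeholders, not crAPI's.
VEHICLES = {
    "veh-0001": Vehicle("veh-0001", "test@example.com", 37.7749, -122.4194),
    "veh-0002": Vehicle("veh-0002", "adam007@example.com", 40.7128, -74.0060),
}

# Audit trail of refused lookups; a real service would forward these to its SIEM.
DENIALS: list = []


class NotFound(Exception):
    """Raised for both 'no such vehicle' and 'not your vehicle' (same response to the caller)."""


def _location(v: Vehicle) -> dict:
    return {"vehicle_id": v.vehicle_id, "latitude": v.latitude, "longitude": v.longitude}


def vulnerable_location(current_user: str, vehicle_id: str) -> dict:
    """Checks only that the caller is logged in, never who owns the object.
    This is the shape of the flaw the walkthrough exploits by swapping vehicle_id;
    current_user is accepted but never consulted."""
    v = VEHICLES.get(vehicle_id)
    if v is None:
        raise NotFound(vehicle_id)
    return _location(v)


def secure_location(current_user: str, vehicle_id: str) -> dict:
    """Object-level authorization: the record must belong to the authenticated
    user (the JWT 'sub'), and a foreign id is indistinguishable from a missing one
    so the endpoint cannot be used to enumerate which ids exist."""
    v = VEHICLES.get(vehicle_id)
    if v is None or v.owner_email != current_user:
        DENIALS.append({"user": current_user, "vehicle_id": vehicle_id})
        raise NotFound(vehicle_id)
    return _location(v)


def is_denied(current_user: str, vehicle_id: str) -> bool:
    """Convenience wrapper: True when the hardened handler refuses the lookup."""
    try:
        secure_location(current_user, vehicle_id)
        return False
    except NotFound:
        return True


def flag_enumerators(denials, threshold: int = 3) -> set:
    """Detection rule over the audit trail: a user refused on several distinct
    vehicle ids in one window is probing objects that are not theirs."""
    seen = defaultdict(set)
    for d in denials:
        seen[d["user"]].add(d["vehicle_id"])
    return {user for user, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    # The same swapped id succeeds against the vulnerable handler and fails against the secure one.
    print("vulnerable:", vulnerable_location("test@example.com", "veh-0002"))
    print("secure denied:", is_denied("test@example.com", "veh-0002"))
    print("flagged users:", flag_enumerators(DENIALS, threshold=1))
```

The ownership test belongs in the data access itself (fetch by id and owner, not by id alone) so every endpoint that touches a vehicle inherits it; the denial log is what turns a quiet id swap into something the blue team can alert on.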

For anyone stuck on this, I did manage to do it, but I can’t quite remember exactly how.

What @OZcool has said looks legit though!