I am having so much difficulty answering question number 2. I easily found the answer for number 1
Here is what I have tried so far. Note: I am using AI for help and the AI is not much help =(
You will have to look through the photos as I did not post them in order. It would be great to have a live chat as my skills in using burp are weak.
Yes, you should analyze the PUT request in Burp Suite and then use Burp Repeater to test potential modifications that exploit the BOLA vulnerability.
Here’s a clear breakdown of what to do:
Steps to Follow:
Analyze the PUT Request:
In Burp Suite, locate the PUT request that updates your note (/api/v2/notes/studentnote).
Look closely at the request and response, particularly the unique identifiers like _id, and any patterns that may suggest sequential or predictable values.
Identify Key Information:
Note the _id or other unique identifiers in the response.
If your current note has an identifier like studentnote1 or an _id such as 66df372d18861a08847cc6a4, think about what might be a nearby identifier (like studentnote0 or an _id that’s one number lower).
Use Burp Repeater:
Send the PUT request from the history to Burp Repeater.
In Repeater, modify the request to use the guessed identifier that is close to the one observed, such as:
Adjusting _id to one lower or higher value.
Modifying the endpoint to check /api/v2/notes/studentnote0 if your current is /studentnote1.
Send the modified request to see if it reveals a note of type "secret".
Look for the Secret Note:
Continue sending modified requests in Repeater until you successfully access a secret note.
Check the response for "type": "secret" and look for any flags.
Extract the Flag:
When you successfully retrieve a secret note, look for the flag in the note’s body or related fields.
• and any patterns that may suggest sequential or predictable values.
2. Identify Key Information:
• Note the _id or other unique identifiers in the response.
• If your current note has an identifier like studentnote1 or an _id such as 66df372d18861a08847cc6a4, think about what might be a nearby identifier (like studentnote0 or an _id that’s one number lower).
3. Use Burp Repeater:
• Send the PUT request from the history to Burp Repeater.
•
• In Repeater, modify the request to use the guessed identifier that is close to the one observed, such as:
• Adjusting _id to one lower or higher value.
• Modifying the endpoint to check /api/v2/notes/studentnote0 if your current is /studentnote1.
• Send the modified request to see if it reveals a note of type “secret”.
4. Look for the Secret Note:
• Continue sending modified requests in Repeater until you successfully access a secret note.
Looks like your AI buddy fixated on the word “identifier.” That _id value does not look especially guessable (or necessarily sequential) to me, so it’s probably not a great target.
Consider the endpoint in that PUT request: /api/v2/notes/studentnote. It looks like the note’s name value is being used to reference individual notes (where the body of the request just contains the data to update the note with). However, the name value is not especially guessable either, since it’s created by the user.
Well, what if a different value could be used to reference an individual note? The Response body should have a list of key/value pairs, and one of those values is quite small and suggestive of a sequential pattern. If you could use that value instead, and if that value is sequential, it should be pretty easy to guess the value of existing (previous) notes…
Oh, and you probably don’t want to use the PUT method, lest you blow away the flag you’re trying to retrieve from the note…
Hope this helps! I’ve also updated the Challenge prompts, which were a little confusing. They should now do a better job of pushing you in the right direction.
I’ve done these many times. We identify a different value through that PUT request and this is the point of updating our notes. One thing that I really don’t get it, is that once we found that different value, how to use it and retrieve the secret note? We can’t use PUT method, so we should use one of those GET method (modifying the url or whatever), am I right? If so, how to do that, because I’ve done that and got nothing. I was wondering if you could do a favor and tell me what I’m missing!
Thanks!
As for the Task: once you’ve identified the predictable value (and the right method, as you seem to have figured out), you want to see if that value can be used (in place of the note’s name) to access an individual note. So, if the value you identified in the response can be used to access that same note, then you’ll probably want to try using values nearby to see if you can access other notes.
Example scenario:
You found the key/value pair “id: b” in the response
You tried using “b” instead of the note name (with the correct HTTP method) and found you can also access your note this way. Well, what if you tried “a” instead? If this value follows a sequential pattern, then a note with “id: a” probably exists.
