Satz-N-Sentry/FUTURE_CS_03
FUTURE_CS_03 — API Security Risk Analysis


9 vulnerabilities across 4 OWASP API Top 10 categories, each mapped to CVE and MITRE ATT&CK.

Author

Satheesh Nithiananthan (CyberLycan) — SAIZERO Ground Zero Defence 🐺

Target

| Field | Details |
|---|---|
| App | OWASP crAPI |
| URL | http://localhost:8888 |
| Auth | JWT Bearer (RS256) |
| Scope | Local Docker (educational only) |

Findings

| # | Finding | OWASP | Severity |
|---|---|---|---|
| 01 | JWT Role in Payload + No MFA | API2:2023 | 🔴 HIGH |
| 02 | Excessive Data Exposure (PII) | API3:2023 | 🟠 MEDIUM |
| 03 | BOLA: GPS Location Leaked | API1:2023 | 🚨 CRITICAL |
| 04 | No Rate Limiting on Login | API4:2023 | 🔴 HIGH |
| 05 | MFA Not Enforced | API2:2023 | 🔴 HIGH |
| 06 | Missing CSP Header | API8:2023 | 🔴 HIGH |
| 07 | CORS Wildcard (*) | API8:2023 | 🔴 HIGH |
| 08 | Server Version Disclosed | API8:2023 | 🟡 LOW |
| 09 | Weak Email Token, No Expiry | API2:2023 | 🔴 HIGH |

Key Finding — BOLA (CRITICAL)

```http
GET /identity/api/v2/vehicle/{uuid}/location
Authorization: Bearer [User A Token]
```

→ Returns the GPS location plus the name and email of ANY user's vehicle. The endpoint never checks that the caller owns the vehicle identified by `{uuid}`.
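The missing ownership check, shown as an added Python example that is not crAPI's own code: the vulnerable handler uses the path UUID as its only lookup key, while the fixed handler requires the vehicle's owner to match the authenticated user's `sub` claim. The in-memory records, field names and handler signatures are assumptions, and the JWT is assumed to have been signature-verified before the handler runs.

```python
# Constructed sample records standing in for crAPI's vehicle and user tables
# (not real crAPI data; the field names are assumptions).
USERS = {
    "user-a": {"name": "Alice", "email": "alice@example.test"},
    "user-b": {"name": "Bob", "email": "bob@example.test"},
}
VEHICLES = {
    "7f6c1e5a-0000-0000-0000-000000000001": {"owner": "user-a", "lat": 51.50, "lon": -0.12},
    "7f6c1e5a-0000-0000-0000-000000000002": {"owner": "user-b", "lat": 48.85, "lon": 2.35},
}


class NotFound(Exception):
    """Maps to HTTP 404."""


def caller_id_from_claims(claims: dict) -> str:
    """Identity comes from the verified token's subject, never from a
    client-controlled field in the URL or body (assumes the framework
    already verified the RS256 signature before the handler runs)."""
    return claims["sub"]


def location_vulnerable(vehicle_uuid: str, claims: dict) -> dict:
    """Mirrors the finding: the UUID in the path is the only lookup key, so any
    authenticated caller receives any vehicle's GPS fix and its owner's PII."""
    vehicle = VEHICLES.get(vehicle_uuid)
    if vehicle is None:
        raise NotFound
    owner = USERS[vehicle["owner"]]
    return {"lat": vehicle["lat"], "lon": vehicle["lon"],
            "name": owner["name"], "email": owner["email"]}


def location_fixed(vehicle_uuid: str, claims: dict) -> dict:
    """Object-level authorization: the vehicle must belong to the caller."""
    caller = caller_id_from_claims(claims)
    vehicle = VEHICLES.get(vehicle_uuid)
    # One response for "does not exist" and "not yours", so the endpoint does
    # not confirm which vehicle UUIDs are valid.
    if vehicle is None or vehicle["owner"] != caller:
        raise NotFound
    # The owner's name and email are not needed to show a location; leaving
    # them out also addresses the excessive-data-exposure finding (02).
    return {"lat": vehicle["lat"], "lon": vehicle["lon"]}
```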

Tools

Postman, jwt.io, Mailhog, Browser DevTools, Docker

Tags

APISecurity, OWASP, crAPI, BOLA, JWT, Postman, MITRE, CyberSecurity

About

API Security Risk Analysis — OWASP crAPI | 9 Vulnerabilities mapped to OWASP API Top 10, CVE, MITRE ATT&CK | SAIZERO
