Pentest Journeys
Connect
  • Welcome!
  • Boxes
    • Categories
    • Starting Point
      • Unified
      • Three
    • Easy
      • Forest
      • Sauna
      • Active
      • Broker
      • Return
      • Timelapse
      • Support
      • Nibbles
      • Keeper
      • CozyHosting
      • Devvortex
      • Lame
      • FunBoxEasyEnum
      • Inclusiveness
      • Potato
      • Sumo
    • Medium
      • Resolute
      • Cascade
      • Monteverde
      • Intelligence
      • StreamIO
      • Loly
    • Hard
      • Mantis
      • Blackfield
      • Reel
    • Insane
      • Sizzle
      • Multimaster
      • Rebound
  • Cloud
    • Public Snapshots
  • TL;DR
    • Active Directory
      • AD Authentication
      • Access Controls
      • Recon
      • Groups
        • Account Operators
        • Backup Operators
        • DnsAdmins
        • Exchange Windows Permissions
        • Server Operators
      • Privileges
        • SeBackupPrivilege
        • SeImpersonatePrivilege
      • Permissions
        • AddSelf
        • DCSync
        • ForceChangePassword
        • FullControl
        • GenericAll
        • GenericWrite
        • Owns
        • ReadGMSAPassword
        • ReadLAPSPassword
        • WriteDACL
        • WriteOwner
      • Attacks
        • Password Spraying
        • ASREPRoasting
        • Kerberoasting
        • Silver Tickets
        • DCSync
        • Delegation
          • Unconstrained
          • Constrained
          • Resource-Based
        • Local SAM Dump
        • NTLMv2
        • Services
        • Scheduled Tasks
        • Exploits
      • Lateral Movement
        • WMI & WinRM
        • PsExec
        • Pass-the-Hash
        • Overpass-the-Hash
        • Pass-the-Ticket
        • DCOM
        • SSP Injection
      • Persistence
        • Golden Ticket
        • Shadow Copies
    • Web
      • Common Findings
        • Security Headers
        • Cookie Flags
        • SSL/TLS
      • Authentication
        • Broken Reset Logic
        • Brute Force Attacks
        • Rate Limiting
        • Session Tokens
        • MFA
        • JWTs
      • Authorization
        • IDOR / BOLA
        • IDOR / BFLA
        • Weak Access Controls
        • Automated A-B Testing
      • Injections
        • SQLi
          • SQLi 101
          • In Band
          • Blind
          • NoSQLi
          • Second Order
          • Other
        • XSS
          • XSS 101
          • Reflected
          • Stored
          • DOM-Based
          • Exploitation
          • Payloads
        • CI
          • CI
          • Filters
          • Examples
        • SSTI
          • SSTI 101
          • Twig
          • Freemarker
          • Pug
          • Jinja
          • Mustache
          • Handlebars
          • Mako
          • Case Study: Craft CMS
        • XXEI
          • XML 101
          • XXEI
      • File Inclusion
        • LFI & RFI
        • RCE
      • Cross-Origin
        • Cross-Origin 101
        • CSRF
        • CORS
      • File Uploads
      • Mass Assignment
      • WebSockets
      • Open Redirects
      • Race Conditions
      • SSRF
        • Exploitation
        • Examples
    • API
      • What is an API?
      • Useful Terms
      • Collection Creation
      • Enumeration
      • Tests
        • General
        • Security Misconfigurations
        • Authorization
          • BOLA
          • BFLA
        • Authentication
          • BFAs
          • Tokens
          • JWTs
            • Entropy Analysis
            • Signature Validation
            • Weak Signature
            • Header Injection
            • Algorithm Confusion
        • Excessive Data Exposure
        • HTTP Verb Tampering
        • Content Type Tampering
        • Improper Asset Management
        • Mass Assignment
        • SSRF
        • Unrestriced Resource Consumption
        • Unrestricted Access to Sensitive Business Flows
        • Unsafe API Consumption
    • Infra
      • Windows
      • Linux
      • FreeBSD
    • Pivoting
      • Networking 101
      • Port Foward
      • SSH Tunelling
      • Deep Packet Inspection
        • HTTP Tunneling
        • DNS Tunneling
    • Social Engineering
      • Phising
    • Cloud
      • AWS
        • Recon
    • Code Review
  • Tools
    • Web
      • Web Checklist
      • API
        • mitmweb
        • KiteRunner
        • Arjun
        • jwt_tool
      • Dirbusting
        • Fuff
        • Dirsearch
        • GoBuster
        • Wfuzz
      • Cloud
        • AWS
      • cURL
      • Hydra
      • Hakrawler
      • amass
      • WAFs
      • WhatWeb
      • Creds
      • SQLMap
      • GoWitness
      • Web Servers
        • Apache
        • Nginx
        • IIS
      • Frameworks
        • Spring
      • CMS
        • WordPress
        • Joomla
        • DNN
        • Umbraco
        • RiteCMS
      • DevOps
        • GitLab
        • Git Tools
      • BurpSuite
    • Infra
      • pspy
    • Port Scanners
      • Nmap
      • Rustscan
      • Arp-Scan
      • Netcat
      • PowerShell
    • Active Directory
      • netexec
      • impacket
      • mimikatz
      • Hounds
      • PowerView
      • SysInternals
      • net.exe
      • ldapsearch
      • BloodyAD
      • PowerView.py
      • Rubeus
      • DPAT
      • PingCastle
      • PowerUp
      • runas
      • Kerbrute
    • Passwords
      • HashID
      • Hashcat
      • John
      • DomainPasswordSpray
      • Credential Enum
    • Searchsploit
    • Metasploit
      • 101
      • Payloads
      • Post-Exploitation
      • Resource Scripts
    • Usernames
    • Vulnerability Scanners
      • Nuclei
      • Nikto
    • Text
      • jq
      • grep
      • awk
      • sed
      • tr
      • printf
    • Output
      • tee
    • Pivoting
      • Ligolo-ng
      • Sshuttle
    • Shells
      • Reverse Shells
      • Webshells
      • Upgrade
      • Listeners
        • Socat
        • Pwncat
        • Nc
    • Traffic Capture
    • File Transfers
    • Crypto
    • Files
    • Images
    • Evil-WinRM
    • KeePass
    • Random Scripts
  • Services
    • TCP
      • Remote Access
        • SSH (22)
        • RDP (3389)
        • WinRM (5985,5986)
      • Shares
        • FTP (21)
        • NFS (111, 2049)
        • SMB (139, 445)
      • LDAP (389, 636)
      • DNS (53)
      • SMTP (25,587)
      • DISTCC (3632)
      • AFS (1978)
      • DBMS
        • SQL
          • MSSQL (1433)
          • Oracle (1521)
          • MySQL (3306)
          • MariaDB (3306)
          • PostgreSQL (5432)
        • NoSQL
          • Aerospike (3000-3005)
          • MongoDB (27017)
    • UDP
      • SNMP (161)
  • OTHER
    • Exploits
      • Screen
    • CLIs
      • CMD
      • PowerShell
  • Package Managers
    • vevn
    • uv
  • Blue Team Stuff
    • Logs
      • System Logs
      • Apache2
      • Volatile Data
    • Traffic Analysis
      • Wireshark
Powered by GitBook
On this page
  • vAPI example
  • Testing with Postman
  • Testing with Burp
  • Testing with CLI

Was this helpful?

  1. TL;DR
  2. API
  3. Tests

Improper Asset Management

PreviousContent Type TamperingNextMass Assignment

Last updated 9 months ago

Was this helpful?

Improper Asset Management occurs when an organization fails to properly inventory, classify, or secure its assets, including hardware, software, and data.

This can lead to vulnerabilities due to unpatched software, exposed sensitive information, or loss of control over critical assets, increasing the risk of security breaches.

Maintain an up-to-date inventory of all assets, regularly assess and classify them based on sensitivity and importance, apply security patches promptly, and implement access controls and monitoring to ensure proper management and protection of assets.

vAPI example

We are interested in endpoints that include some kind of versioning, such as vAPI's API9 (v2). We can see that the v2/user/login has rate-limiting controls (Figure 1).

The below example is based on the application.

Testing for IIM requires us to check if different endpoint versions are accessible, such as beta, v1, v3, etc. For instance, the older v1 endpoint is still active and does not have rate-limiting controls like v2 (Figure 2).

The lack of rate-limiting controls makes this endpoint vulnerable to brute force attacks (Figure 3).

Testing with Postman

We can efficiently test multiple endpoints for IIM by leveraging Postman's Find and replace function and Collection Runner :

  1. Duplicate the original collection for backup purposes (Figure 3.1).

  2. Open the Find and replace function from Postman's footer (Figure 3.2).

  3. Add a test script, such as Status code: code is 200 (Figure 4.3), and open the run collection menu (Figure 4.4).

  4. Filter the desired requests & select to save the responses option (Figure 5).

  5. Review the results and dig deeper into the non-404 status codes (Figure 6).

Testing with Burp

Burp does not have an option to fuzz multiple endpoints, but we can test for IIM for GET requests with a little extra effort :

  1. Manually create an endpoint list (example code below).

  2. Configure the payload position on Intruder (Figure 7).

  3. Load the endpoint list, add a match and replace rule, and remove URL-encoding (Figure 8).

  4. Run the attack and review the results (Figure 9).

# Extracting the endpoints from the JSON postman collection file
$ cat crAPI\ -\ IIM.postman_collection.json | grep http://127.0.0.1 | awk '{print $2}' | awk -F'"' '{print $2}' > crapi_endpoints.txt

# Displaying the first 5 lines
$ head -n5 crapi_endpoints.txt
http://127.0.0.1:8888/identity/api/v1/vehicle/{{param1}}/location
http://127.0.0.1:8888/identity/api/v1/vehicle/dbca29a8-ce31-4cbe-a337-27a07cc3afbf/location
http://127.0.0.1:8888/identity/api/auth/login
http://127.0.0.1:8888/identity/api/auth/login
http://127.0.0.1:8888/identity/api/v1/user/dashboard

# Extracting the endpoints that include versioning without the host part
$ cat crapi_endpoints.txt | grep v1 | awk -F'8888' '{print $2}' > crapi_v1_endpoints.txt

# Displaying the first 5 lines
$ head -n5 crapi_v1_endpoints.txt
/identity/api/v1/vehicle/{{param1}}/location
/identity/api/v1/vehicle/dbca29a8-ce31-4cbe-a337-27a07cc3afbf/location
/identity/api/v1/user/dashboard
/identity/api/v1/user/dashboard
/identity/api/v1/user/videos/convert_video

Testing with CLI

We could also use CLI tools, such as ffuf, to check for IIM for GET requests adopting a similar process as with Burp (Figure 10).

ffuf -u http://127.0.0.1:8888FUZZ -w crapi_v2_endpoints.txt -c -fc 405

The below examples are based on the application.

crAPI
vAPI
Figure 1: The new version of vAPI has rate-limiting controls.
Figure 2: The older v1 version does not have rate-limiting controls in place.
Figure 3: Brute forcing the user's pin number leveraging the lack of rate-limiting controls.
Figure 3: Duplicating the collection & configuring the find and replace function.
Figure 4: Adding a default test script & preparing to run the collection.
Figure 5: Selecting requests & saving responses.
Figure 6: Reviewing the runner's results.
Figure 7: Configuring payload's position.
Figure 8: Improting the endpoint list and configure its processing.
Figure 9: Reviewing the attack's results.
Figure 10: Testing for IIM with CLI tools.