Merge pull request #209 from akto-api-security/feature/more_tests

add more tests

Author: notshivansh

Broken-Object-Level-Authorization/BOLAURLReplaceUserIDQueryParam.yml

@@ -0,0 +1,144 @@
+id: BOLA_REPLACE_USER_ID_QUERY_PARAM
+info:
+  name: "Exploiting BOLA by replacing User IDs for Unauthorized Access."
+  description: >
+    This test checks for Broken Object Level Authorization (BOLA) vulnerabilities by modifying URL query parameters related to user identification (such as UserId, user_id, etc.) and replacing their values with common privileged identifiers (e.g., admin, root, superuser). The goal is to determine if unauthorized access to resources is possible by manipulating these parameters.
+  details: >
+    The test targets API endpoints that use user-related query parameters. It systematically replaces these parameters with values like "admin" or "root" and sends requests to the server. The test then validates the responses to ensure that unauthorized access is not granted. It checks for successful response codes (2xx), non-empty payloads, and ensures the response does not contain error or denial messages, nor does it closely match the original user's data, indicating a possible privilege escalation or data leak.
+  impact: >
+    If the test is successful, it indicates that attackers could gain unauthorized access to sensitive data or perform actions as privileged users by simply modifying query parameters. This could lead to data breaches, unauthorized transactions, or compromise of user accounts, highlighting a critical need to enforce strict object-level authorization on all endpoints that accept user-identifying parameters.
+  category:
+    name: BOLA
+    shortName: BOLA
+    displayName: Broken Object Level Authorization (BOLA)
+  subCategory: BOLA_REPLACE_USER_ID_QUERY_PARAM
+  severity: HIGH
+  tags:
+    - Business logic
+    - OWASP top 10
+    - HackerOne top 10
+  references:
+    - "https://www.akto.io/blog/bola-exploitation-using-unauthorized-uuid-on-api-endpoint"
+    - "https://www.akto.io/blog/what-is-broken-object-level-authorization-bola"
+    - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa1-broken-object-level-authorization.md"
+    - "https://cwe.mitre.org/data/definitions/284.html"
+    - "https://cwe.mitre.org/data/definitions/285.html"
+    - "https://cwe.mitre.org/data/definitions/639.html"
+  cwe:
+    - CWE-284
+    - CWE-285
+    - CWE-639
+  cve:
+    - CVE-2022-34770
+
+attributes:
+  nature: INTRUSIVE
+  plan: PRO
+  duration: FAST
+
+auth:
+  authenticated: true
+api_selection_filters:
+  response_code:
+    gte: 200
+    lt: 300
+  method:
+    neq: "OPTIONS"
+  response_payload:
+    length:
+      gt: 0
+    not_contains:
+      - Error
+      - Internal Server
+      - Failed
+      - Unauthorized
+      - access denied
+      - Forbidden
+      - Method Not allowed
+      - Gateway timeout
+      - request timeout
+      - server error
+      - server busy
+      - authentication error
+      - authorization error
+      - validation error
+      - Permission Denied
+      - invalid token
+      - token expired
+      - session expired
+      - session timeout
+      - unexpected error
+      - unable to process request
+      - bad request
+      - service unavailable
+      - account is locked
+      - account is blocked
+      - multiple failed attempts
+      - failure
+      - not available
+      - not found
+  query_param:
+    for_one:
+      key:
+        regex: "^UserId$|^UserID$|^User-ID$|^user_id$|^user-id$|^userid$|^username$|^Username$|^USERNAME$|^uId$|^uid$|^UID$|^member_id$|^MemberId$|^memberId$|^profile_id$|^ProfileId$|^profileId$|^userIdentifier$|^UserIdentifier$|^user_identifier$|^account_id$|^AccountID$|^account-id$|^account_id$|^customer_id$|^CustomerID$|^customer-id$|^customer_id$"
+        extract: userKey
+      value:
+        not_contains: ${attempt_Ids}
+
+wordLists:
+  attempt_Ids:
+    - superuser
+    - master
+    - admin
+    - root
+
+execute:
+  type: single
+  requests:
+    - req:
+        - modify_query_param:
+            userKey: ${attempt_Ids}
+
+validate:
+  response_code:
+    gte: 200
+    lt: 300
+  response_payload:
+    length:
+      gt: 0
+    percentage_match:
+      gt: 40
+    percentage_match_schema:
+      gte: 90
+    not_contains:
+      - Error
+      - Internal Server
+      - Failed
+      - Unauthorized
+      - access denied
+      - Forbidden
+      - Method Not allowed
+      - Gateway timeout
+      - request timeout
+      - server error
+      - server busy
+      - authentication error
+      - authorization error
+      - validation error
+      - Permission Denied
+      - invalid token
+      - token expired
+      - session expired
+      - session timeout
+      - unexpected error
+      - unable to process request
+      - bad request
+      - service unavailable
+      - account is locked
+      - account is blocked
+      - multiple failed attempts
+      - failure
+      - not available
+      - not found
+      - "<html>"
+      - "</html>"

Broken-User-Authentication/NoSQLiErrorBasedParamMongoSpecialCharacters.yml

@@ -12,7 +12,7 @@ info:
     shortName: Broken Authentication
     displayName: Broken User Authentication (BUA)
   subCategory: NOSQLI_ERROR_BASED_PARAM_MONGO_SPECIAL_CHARACTERS
-  severity: MEDIUM
+  severity: HIGH
   tags:
     - Injection Attack
     - OWASP Top 10
@@ -80,21 +80,32 @@ api_selection_filters:
     - request_payload:
         for_one:
           key:
-            regex: .*
+            contains_either: ${attempt_Ids}
             extract: changed_body_key
     - query_param:
         for_one:
           key:
-            regex: .*
+            contains_either: ${attempt_Ids}
             extract: changed_query_key
 wordLists:
+  attempt_Ids:
+    - "name"
+    - "username"
+    - "email"
+    - "password"
+    - "userId"
+    - "userID"
+    - "user-id"
+    - "userid"
+    - "id"
   specialCharacters:
     - "'"
     - "\""
     - "$"
     - "."
     - ">"
     - "[\",\"]"
+    - "{\"$ne\": null}"
     - "{\"$gt\": \"\"}"
     - "{\"$ne\": \"nonexistentname\"}"
     - "{\"$where\": \"function() { throw 'Error'; }\"}"
@@ -120,6 +131,13 @@ validate:
         regex: "(?i)unterminated string literal"
     - response_payload:
         regex: "Cast to string failed for value"
+    - response_payload:
+        length:
+          gt: 0
+        percentage_match:
+          - gte: 30
+        percentage_match_schema:
+          - gte: 50
   response_payload:
     not_contains:
       - failed

Security-Misconfiguration/StackTraceExposedChangeAuth.yml

@@ -0,0 +1,47 @@
+id: STACK_TRACE_EXPOSED_CHANGE_AUTH
+info:
+  name: "Stack Trace Exposure via Auth Header Manipulation"
+  description: >
+    This test checks if stack traces or debugging information are exposed in API responses when the authentication header is replaced or tampered with. It targets endpoints that return a successful (2xx) response and inspects the payload for stack trace indicators such as "stack", "trace", or "stacktrace".
+  details: >
+    The test sends requests to API endpoints with the authentication header replaced, simulating an unauthorized or malformed authentication attempt. If the server responds with a 2xx status code, the response payload is analyzed for the presence of stack trace keywords. Exposure of such information can reveal sensitive implementation details, making the application more vulnerable to attacks.
+  impact: >
+    If stack traces or debugging information are exposed in API responses, attackers can gain insights into the application's internal logic, error handling, and potential vulnerabilities. This can facilitate further exploitation, information disclosure, and compromise of the application's security posture. Preventing stack trace exposure is essential to maintaining robust security and protecting sensitive data.
+  category:
+    name: SM
+    shortName: Misconfiguration
+    displayName: Security Misconfiguration (SM)
+  subCategory: STACK_TRACE_EXPOSED_CHANGE_AUTH
+  severity: MEDIUM
+  references:
+    - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa8-security-misconfiguration.md"
+  cwe:
+    - CWE-200
+    - CWE-16
+  cve:
+    - CVE-2021-43798
+
+attributes:
+  nature: INTRUSIVE
+  plan: PRO
+  duration: FAST
+
+api_selection_filters:
+  method:
+    neq: "OPTIONS"
+  response_code:
+    gte: 200
+    lt: 300
+
+execute:
+  type: single
+  requests:
+    - req:
+        - replace_auth_header: true
+
+validate:
+  response_payload:
+    contains_either:
+      - "stack"
+      - "trace"
+      - stacktrace

Server-Side-Request-Forgery/StandardSSRF.yml

@@ -0,0 +1,69 @@
+---
+id: STANDARD_SSRF
+info:
+  name: SSRF test by injecting internal URLs into query and body parameters
+  description: >
+    This test checks for Server-Side Request Forgery (SSRF) vulnerabilities by injecting internal URLs (such as https://test-services.akto.io) into query and body parameters of API requests. It validates whether the server makes unauthorized requests to these URLs, indicating a potential SSRF risk.
+  details: >
+    The test identifies parameters in the request payload or query string that accept URLs. It then replaces these parameters with internal URLs containing a random UUID and sends the request to the server. The test follows redirects and monitors if the server attempts to access the injected URL, confirming SSRF behavior. Successful exploitation is validated by checking for a 2xx response and verifying that the injected URL was hit by the server.
+  impact: >
+    If SSRF is possible, attackers can force the server to make requests to internal or external resources, potentially accessing sensitive data, cloud metadata, or internal services. This can lead to data breaches, privilege escalation, and compromise of internal infrastructure. Preventing SSRF is critical to maintaining the security and integrity of web applications and backend systems.
+  category:
+    name: SSRF
+    shortName: Server Side Request Forgery
+    displayName: Server Side Request Forgery (SSRF)
+  subCategory: STANDARD_SSRF
+  severity: MEDIUM
+  tags:
+  - Business logic
+  - OWASP top 10
+  - HackerOne top 10
+  references:
+  - https://github.com/OWASP/API-Security/blob/master/2023/en/src/0xa6-server-side-request-forgery.md
+  - https://www.akto.io/blog/how-to-prevent-server-side-request-forgery-ssrf-as-a-developer
+  cwe:
+  - CWE-918
+  cve:
+  - CVE-2022-4725
+api_selection_filters:
+  response_code:
+    and:
+      gte: 200
+      lt: 205
+  or:
+  - request_payload:
+      for_one:
+        key:
+          regex: .*
+          extract: param_key
+        value:
+          regex: http
+  - query_param:
+      for_one:
+        key:
+          regex: .*
+          extract: param_key
+        value:
+          regex: http
+
+wordLists:
+  redirect_urls:
+  - https://test-services.akto.io/health
+
+execute:
+  type: single
+  requests:
+  - req:
+    - send_ssrf_req:
+        url: "https://test-services.akto.io/store_uuid/${random_uuid}"
+        redirect_url: "${redirect_urls}"
+    - follow_redirect: true
+    - modify_query_param:
+        param_key: "https://test-services.akto.io/${random_uuid}"
+    - modify_body_param:
+        param_key: "https://test-services.akto.io/${random_uuid}"
+validate:
+  response_code:
+    gte: 200
+    lt: 300
+  ssrf_url_hit: "${random_uuid}"