pro tests added

Author: arjun-akto

Broken-Function-Level-Authorization/BFLAReplaceAdminURLPaths.yml

@@ -0,0 +1,115 @@
+id: BFLA_REPLACE_ADMIN_IN_URL_PATHS
+info:
+  name: "Broken Function Level Authorization - Vertical Privilege Escalation test by replacing URL subpaths with admin keyword for new URL path identification"
+  description: >
+    "In this test, attackers manipulate URL paths by replacing URL subpaths with "admin" keywords to access privileged functionalities. This tactic aims to bypass access controls and gain unauthorized entry to administrative features or sensitive data. By exploiting this  vulnerability, attackers can escalate their privileges within the  system and potentially compromise its security."
+  details: >
+    In this test, attackers exploit weaknesses in function level authorization by replacing URL subpaths with keywords like "admin" to access privileged functionalities. By replacing specific subpaths, they attempt to bypass access controls and gain unauthorized entry to administrative features or sensitive areas of the application. This tactic aims to escalate privileges within the system, potentially compromising its security and allowing for unauthorized access to critical resources."
+  impact: >
+    "The impact of this test can be significant. Attackers can exploit this vulnerability to gain unauthorized access to privileged functionalities, leading to data breaches, system compromise, and unauthorized actions. This can result in the exposure of sensitive information, compromise of user accounts, and damage to the organization's reputation and trust."
+
+  category:
+    name: BFLA
+    shortName: Broken Function Level Authorization
+    displayName: Broken Function Level Authorization (BFLA)
+  subCategory: BFLA_REPLACE_ADMIN_IN_URL_PATHS
+  severity: HIGH
+  tags:
+    - Business logic
+    - OWASP top 10
+    - HackerOne top 10
+  references:
+    - "https://owasp.org/API-Security/editions/2023/en/0xa5-broken-function-level-authorization/"
+    - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa5-broken-function-level-authorization.md"
+  cwe:
+    - CWE-285
+  cve:
+    - CVE-2022-48341
+attributes:
+  nature: INTRUSIVE
+  plan: PRO
+  duration: FAST
+
+
+auth:
+  authenticated: true
+api_selection_filters:
+  response_code:
+    gte: 200
+    lt: 300
+  method:
+    neq: "OPTIONS"
+  response_payload:
+    length:
+      gt: 0
+    contains_all:
+      - "{"
+      - "}"
+execute:
+  type: multiple
+  requests:
+    - req:
+        - modify_header:
+            ${roles_access_context.MEMBER}: 1
+        - modify_url:
+            token_replace:
+              location: 1
+              replace_with: "admin"
+        - success: vulnerable
+        - failure: x2
+    - req:
+        - modify_header:
+            ${roles_access_context.MEMBER}: 1
+        - modify_url:
+            token_replace:
+              location: 2
+              replace_with: "admin"
+        - success: vulnerable
+        - failure: x3
+    - req:
+        - modify_header:
+            ${roles_access_context.MEMBER}: 1
+        - modify_url:
+            token_replace:
+              location: 3
+              replace_with: "admin"
+        - success: vulnerable
+        - failure: x4
+    - req:
+        - modify_header:
+            ${roles_access_context.MEMBER}: 1
+        - modify_url:
+            token_replace:
+              location: 4
+              replace_with: "admin"
+        - success: vulnerable
+        - failure: x5
+    - req:
+        - modify_header:
+            ${roles_access_context.MEMBER}: 1
+        - modify_url:
+            token_replace:
+              location: 5
+              replace_with: "admin"
+validate:
+  response_code:
+    gte: 200
+    lt: 300
+  url:
+    endpoint_in_traffic_context: false
+  response_payload:
+    length:
+      gt: 0
+    percentage_match:
+      lt: 10
+    percentage_match_schema:
+      gte: 90
+    not_contains:
+      - <html>
+      - </html>
+      - "unable"
+      - "fail"
+      - invalid
+    contains_all:
+      - "{"
+      - "}"

Broken-Object-Level-Authorization/BOLAAddCustomHeader.yml

@@ -0,0 +1,143 @@
+id: BOLA_ADD_CUSTOM_HEADER
+info:
+  name: "Exploiting BOLA by adding Custom Header for Unauthorized Access."
+  description: >
+    "In this exploitation scenario, attackers target Broken Object Level Authorization (BOLA)  by adding custom headers to their requests, attempting to gain unauthorized access.  By manipulating request headers, adversaries seek to exploit weaknesses in authorization  mechanisms, potentially bypassing security controls. This method underscores the need  for thorough security assessments, emphasizing the importance of secure header handling  and robust access controls to mitigate the risks associated with unauthorized access and  BOLA vulnerabilities."
+  details: >
+    "Attackers exploit Broken Object Level Authorization (BOLA) by adding custom headers to  their requests, attempting unauthorized access. Manipulating headers aims to exploit  vulnerabilities in the system's authorization mechanisms, highlighting the need for  robust security assessments and secure header handling. Thorough security measures  are essential to prevent unauthorized access, addressing the risks associated with  BOLA vulnerabilities and custom header manipulation."
+  impact: >
+    "Exploiting Broken Object Level Authorization by adding custom headers can have a profound  impact, potentially leading to unauthorized access and compromise of sensitive data.  Successful manipulation may enable malicious actions within the system, emphasizing  the critical need for stringent security measures, robust access controls, and  secure handling of custom headers to prevent and mitigate the risks associated with
+    Broken Object Level Authorization vulnerabilities."
+  category:
+    name: BOLA
+    shortName: BOLA
+    displayName: Broken Object Level Authorization (BOLA)
+  subCategory: BOLA_ADD_CUSTOM_HEADER
+  severity: HIGH
+  tags:
+    - Business logic
+    - OWASP top 10
+    - HackerOne top 10
+  references:
+    - "https://www.akto.io/blog/bola-exploitation-using-unauthorized-uuid-on-api-endpoint"
+    - "https://www.akto.io/blog/what-is-broken-object-level-authorization-bola"
+    - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa1-broken-object-level-authorization.md"
+    - "https://cwe.mitre.org/data/definitions/284.html"
+    - "https://cwe.mitre.org/data/definitions/285.html"
+    - "https://cwe.mitre.org/data/definitions/639.html"
+  cwe:
+    - CWE-284
+    - CWE-285
+    - CWE-639
+  cve:
+    - CVE-2022-34770
+attributes:
+  nature: NON_INTRUSIVE
+  plan: PRO
+  duration: FAST
+
+
+inactive: true
+auth:
+  authenticated: true
+api_selection_filters:
+  response_code:
+    gte: 200
+    lt: 300
+  method:
+    neq: "OPTIONS"
+  response_payload:
+    length:
+      gt: 0
+    not_contains:
+      - Error
+      - Internal Server
+      - Failed
+      - Unauthorized
+      - access denied
+      - Forbidden
+      - Method Not allowed
+      - Gateway timeout
+      - request timeout
+      - server error
+      - server busy
+      - authentication error
+      - authorization error
+      - validation error
+      - Permission Denied
+      - invalid token
+      - token expired
+      - session expired
+      - session timeout
+      - unexpected error
+      - unable to process request
+      - bad request
+      - service unavailable
+      - account is locked
+      - account is blocked
+      - multiple failed attempts
+wordLists:
+  headerValues:
+    source: sample_data
+    key:
+      regex: X-User-ID|Customer|Member|Client|Account|Subscriber|User-Hash
+    location: header
+    all_apis: true
+execute:
+  type: multiple
+  requests:
+    - req:
+        - add_header:
+            X-User-ID: "${headerValues}"
+        - add_header:
+            X-Customer-ID: "${headerValues}"
+        - add_header:
+            X-Member-ID: "${headerValues}"
+        - add_header:
+            X-Client-ID: "${headerValues}"
+        - add_header:
+            X-Account-ID: "${headerValues}"
+        - add_header:
+            X-Subscriber-ID: "${headerValues}"
+        - add_header:
+            X-User-Hash: "${headerValues}"
+validate:
+  response_code:
+    gte: 200
+    lt: 300
+  response_payload:
+    length:
+      gt: 0
+    percentage_match_schema:
+      gte: 90
+    percentage_match:
+      lt: 10
+    not_contains:
+      - Error
+      - Internal Server
+      - Failed
+      - Unauthorized
+      - access denied
+      - Forbidden
+      - Method Not allowed
+      - Gateway timeout
+      - request timeout
+      - server error
+      - server busy
+      - authentication error
+      - authorization error
+      - validation error
+      - Permission Denied
+      - invalid token
+      - token expired
+      - session expired
+      - session timeout
+      - unexpected error
+      - unable to process request
+      - bad request
+      - service unavailable
+      - account is locked
+      - account is blocked
+      - multiple failed attempts
+      - "<html>"
+      - "</html>"

Broken-Object-Level-Authorization/BOLAAddCustomHeaderDELETE.yml

@@ -0,0 +1,136 @@
+id: BOLA_ADD_CUSTOM_HEADER_DELETE
+info:
+  name: "Exploiting BOLA by adding Custom Header for Unauthorized Access for DELETE method APIs"
+  description: >
+    "In this exploitation scenario for DELETE method APIs, attackers target Broken Object Level Authorization (BOLA) by adding custom headers to their requests, attempting to gain unauthorized access. By manipulating request headers, adversaries seek to exploit weaknesses in authorization  mechanisms, potentially bypassing security controls. This method underscores the need for thorough security assessments, emphasizing the importance of secure header handling and robust access controls to mitigate the risks associated with unauthorized access and BOLA vulnerabilities."
+  details: >
+    "Attackers exploit Broken Object Level Authorization (BOLA) by adding custom headers to their requests (having DELETE HTTP method), attempting unauthorized access. Manipulating headers aims to exploit vulnerabilities in the system's authorization mechanisms, highlighting the need for robust security assessments and secure header handling. Thorough security measures  are essential to prevent unauthorized access, addressing the risks associated with BOLA vulnerabilities and custom header manipulation."
+  impact: >
+    "Exploiting Broken Object Level Authorization by adding custom headers can have a profound impact, potentially leading to unauthorized access and compromise of sensitive data. Successful manipulation may enable malicious actions within the system, emphasizing the critical need for stringent security measures, robust access controls, and secure handling of custom headers to prevent and mitigate the risks associated with Broken Object Level Authorization vulnerabilities."
+  category:
+    name: BOLA
+    shortName: BOLA
+    displayName: Broken Object Level Authorization (BOLA)
+  subCategory: BOLA_ADD_CUSTOM_HEADER_DELETE
+  severity: CRITICAL
+  tags:
+    - Business logic
+    - OWASP top 10
+    - HackerOne top 10
+  references:
+    - "https://www.akto.io/blog/bola-exploitation-using-unauthorized-uuid-on-api-endpoint"
+    - "https://www.akto.io/blog/what-is-broken-object-level-authorization-bola"
+    - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa1-broken-object-level-authorization.md"
+    - "https://cwe.mitre.org/data/definitions/284.html"
+    - "https://cwe.mitre.org/data/definitions/285.html"
+    - "https://cwe.mitre.org/data/definitions/639.html"
+  cwe:
+    - CWE-284
+    - CWE-285
+    - CWE-639
+  cve:
+    - CVE-2022-34770
+attributes:
+  nature: INTRUSIVE
+  plan: PRO
+  duration: FAST
+
+
+inactive: true
+auth:
+  authenticated: true
+api_selection_filters:
+  response_code:
+    gte: 200
+    lt: 300
+  method:
+    eq: DELETE
+  response_payload:
+    length:
+      eq: 0
+    not_contains:
+      - Error
+      - Internal Server
+      - Failed
+      - Unauthorized
+      - access denied
+      - Forbidden
+      - Method Not allowed
+      - Gateway timeout
+      - request timeout
+      - server error
+      - server busy
+      - authentication error
+      - authorization error
+      - validation error
+      - Permission Denied
+      - invalid token
+      - token expired
+      - session expired
+      - session timeout
+      - unexpected error
+      - unable to process request
+      - bad request
+      - service unavailable
+      - account is locked
+      - account is blocked
+      - multiple failed attempts
+wordLists:
+  headerValues:
+    source: sample_data
+    key:
+      regex: X-User-ID|Customer|Member|Client|Account|Subscriber|User-Hash
+    location: header
+    all_apis: true
+execute:
+  type: single
+  requests:
+    - req:
+        - add_header:
+            X-User-ID: "${headerValues}"
+        - add_header:
+            X-Customer-ID: "${headerValues}"
+        - add_header:
+            X-Member-ID: "${headerValues}"
+        - add_header:
+            X-Client-ID: "${headerValues}"
+        - add_header:
+            X-Account-ID: "${headerValues}"
+        - add_header:
+            X-Subscriber-ID: "${headerValues}"
+        - add_header:
+            X-User-Hash: "${headerValues}"
+validate:
+  response_code:
+    gte: 200
+    lt: 300
+  response_payload:
+    length:
+      eq: 0
+    not_contains:
+      - Error
+      - Internal Server
+      - Fail
+      - Unauthorized
+      - access denied
+      - Forbidden
+      - Method Not allowed
+      - Gateway timeout
+      - request timeout
+      - server error
+      - server busy
+      - authentication error
+      - authorization error
+      - validation error
+      - Permission Denied
+      - invalid token
+      - token expired
+      - session expired
+      - session timeout
+      - unexpected error
+      - unable to process request
+      - bad request
+      - service unavailable
+      - account is locked
+      - account is blocked
+      - multiple failed attempts