The full report is available in the Shannon repository at sample-reports/shannon-report-capital-api.md
Executive summary
- Target: c{api}tal API (Checkmarx)
- Assessment scope: OWASP API Security Top 10
- Total vulnerabilities: Nearly 15 critical/high findings
- Overall impact: Complete application and infrastructure compromise
Key accomplishments
- Root-level command injection: bypassed the denylist via command chaining in a hidden debug endpoint
- Complete auth bypass: discovered and exploited the legacy v1 API endpoint
- Privilege escalation: regular user to full admin via mass assignment
- Zero false positives: correctly confirmed robust XSS defenses with no false alerts
Critical findings
Command injection (Critical)
Root-level OS command injection
Location: POST /api/debug/exec (hidden endpoint)
Severity: Critical
Impact: Complete server compromise with root access
Vulnerability: Blacklist bypass via command chaining
Exploit:
Proof of impact:
- Executed arbitrary OS commands with root privileges
- Read /etc/passwd, /etc/shadow
- Established reverse shell
- Exfiltrated application secrets and database credentials
The debug endpoint uses a blacklist approach (rm, dd, mkfs) which is trivially bypassed using command separators (;, &&, |).
Command injection via user input
Location: Export functionality
Severity: Critical
Impact: Remote code execution
Unsanitized file path parameter in the export endpoint enables command injection via path traversal and shell metacharacters.
Authentication bypass (Critical)
Legacy API v1 authentication bypass
Location: /api/v1/login (unpatched legacy endpoint)
Severity: Critical
Impact: Complete authentication bypass for any account
Exploit:
Proof of impact:
Successfully obtained admin JWT tokens without providing passwords. The v1 endpoint lacks password verification entirely.
Recommendation:
Disable or remove all legacy API versions. Implement API versioning sunset policies.
Authorization vulnerabilities (Critical)
Mass assignment privilege escalation
Location: PUT /api/users/{id} (profile update)
Severity: Critical
Impact: Instant admin privilege escalation
Exploit:
Proof of impact:
Regular user account successfully elevated to admin role with full system permissions.
Code analysis:
The profile update endpoint lacks input filtering, allowing clients to set privileged fields like role and permissions.
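The input-filtering fix the code analysis points to, shown as an added example (not code from c{api}tal or from the Shannon report): the unfiltered profile update beside an allowlisted one. The User model, the field names and the function names are assumptions.

```python
from dataclasses import dataclass, field, replace

# Fields a client may change through PUT /api/users/{id}; everything else
# (role, permissions, id, ...) is server-owned. The set is an assumption.
PROFILE_FIELDS = {"email", "phone", "address", "display_name"}


@dataclass
class User:
    id: int
    email: str
    role: str = "user"
    permissions: list = field(default_factory=list)
    display_name: str = ""
    phone: str = ""
    address: str = ""


def apply_update_unfiltered(user: User, payload: dict) -> User:
    """Vulnerable pattern: every body key that matches a model attribute is
    copied onto the model, so a regular user can include {"role": "admin"}
    in their own profile update."""
    fields = {k: v for k, v in payload.items() if hasattr(user, k)}
    return replace(user, **fields)


def apply_update_allowlisted(user: User, payload: dict) -> tuple:
    """Hardened pattern: only allowlisted fields are applied. Returns the
    updated user plus the rejected keys so the handler can log them; a
    client sending 'role' or 'permissions' is a useful detection signal."""
    rejected = sorted(k for k in payload if k not in PROFILE_FIELDS)
    fields = {k: v for k, v in payload.items() if k in PROFILE_FIELDS}
    return replace(user, **fields), rejected


if __name__ == "__main__":
    # Constructed request body: a legitimate name change with a role
    # escalation smuggled alongside it.
    body = {"display_name": "Alice", "role": "admin", "permissions": ["*"]}
    alice = User(id=7, email="alice@example.com")
    print(apply_update_unfiltered(alice, body).role)   # admin
    safe, rejected = apply_update_allowlisted(alice, body)
    print(safe.role, rejected)                         # user ['permissions', 'role']
```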
IDOR - Access any user data
Location: GET /api/users/{id}
Severity: High
Impact: Horizontal privilege escalation
No authorization check on the user ID parameter enables accessing any user's profile, including:
- Personal information (email, phone, address)
- Payment methods and transaction history
- API keys and access tokens
- Account settings and preferences
BOLA - Modify any resource
Location: PUT/DELETE /api/transactions/{id}
Severity: High
Impact: Financial fraud, data manipulation
Transaction endpoints lack ownership validation, allowing users to:
- View other users' transactions
- Modify transaction amounts
- Delete audit logs
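An ownership check that closes both the IDOR on /api/users/{id} and the BOLA on /api/transactions/{id}, as an added example (not code from c{api}tal or Shannon). The Actor and Transaction records, the constructed sample store and authorize() are assumptions.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller does not own the object and is not an admin (HTTP 403)."""


@dataclass(frozen=True)
class Actor:
    user_id: int
    is_admin: bool = False


@dataclass(frozen=True)
class Transaction:
    id: int
    owner_id: int
    amount: int


# Constructed sample store: two users, each owning one transaction.
TRANSACTIONS = {
    100: Transaction(id=100, owner_id=1, amount=250),
    101: Transaction(id=101, owner_id=2, amount=900),
}


def authorize(actor: Actor, owner_id: int) -> None:
    """Deny unless the actor owns the object or holds the admin role. The
    owner comes from the stored record, never from anything the client sent;
    the same check covers GET /api/users/{id} with owner_id = requested id."""
    if not (actor.is_admin or actor.user_id == owner_id):
        raise Forbidden(f"user {actor.user_id} may not access object of {owner_id}")


def get_transaction(actor: Actor, txn_id: int) -> Transaction:
    txn = TRANSACTIONS[txn_id]            # load first so authz sees the real owner
    authorize(actor, txn.owner_id)
    return txn


def update_amount(actor: Actor, txn_id: int, amount: int) -> Transaction:
    txn = get_transaction(actor, txn_id)  # writes reuse the read check
    TRANSACTIONS[txn_id] = Transaction(txn.id, txn.owner_id, amount)
    return TRANSACTIONS[txn_id]


def delete_transaction(actor: Actor, txn_id: int) -> None:
    get_transaction(actor, txn_id)
    del TRANSACTIONS[txn_id]
```

In a real handler, map both a missing record and a Forbidden to the same 404 so the endpoint does not confirm which IDs exist.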
Injection vulnerabilities (Critical)
SQL injection in search
Location: GET /api/search?q={query}
Severity: Critical
Impact: Database compromise
Exploit:
Successfully extracted:
- All user credentials (usernames, password hashes, emails)
- Admin API keys
- Database schema
NoSQL injection
Location: MongoDB query endpoints
Severity: High
Impact: Authentication bypass, data exfiltration
Unsanitized MongoDB queries enable operator injection:
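Added example (not code from c{api}tal or Shannon) of the validation that keeps request values from becoming MongoDB operators on a login endpoint; parse_login(), require_scalar_str() and the field names are assumptions.

```python
class BadRequest(ValueError):
    """Malformed login body (HTTP 400)."""


def require_scalar_str(value, name: str, max_len: int = 256) -> str:
    """Accept only a plain, non-empty string. A dict or list here is the
    shape an operator injection takes: the query engine would interpret a
    nested document such as {"$ne": ""} as a comparison instead of matching
    the value literally."""
    if not isinstance(value, str):
        raise BadRequest(f"{name} must be a string, got {type(value).__name__}")
    if not value or len(value) > max_len:
        raise BadRequest(f"{name} has an invalid length")
    return value


def parse_login(body) -> tuple:
    """Return (filter document, password). The filter selects by username
    only; the password is verified against the stored hash in application
    code and never placed in the query, so it cannot be turned into an
    always-true predicate. Unknown keys in the body are ignored."""
    if not isinstance(body, dict):
        raise BadRequest("body must be a JSON object")
    username = require_scalar_str(body.get("username"), "username")
    password = require_scalar_str(body.get("password"), "password", 1024)
    return {"username": username}, password
```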
Business logic vulnerabilities (High)
Rate limit bypass
Location: All API endpoints
Severity: Medium
Impact: Brute force attacks, DoS
Missing rate limiting on:
- Login endpoint (credential stuffing)
- Password reset (account takeover)
- API endpoints (resource exhaustion)
Excessive data exposure
Location: User and transaction APIs
Severity: Medium
Impact: Information disclosure
API responses include sensitive internal fields:
- Password hashes in user objects
- Internal database IDs
- System configuration details
- Debug information in error messages
XSS testing results
High accuracy demonstrated: Shannon correctly identified that c{api}tal implements robust XSS defenses:
- Content Security Policy (CSP) with strict directives
- Automatic output encoding in all templates
- Input sanitization on client-side rendering
Impact summary
Statistics
| Metric | Value |
|---|---|
| Total vulnerabilities | 15 |
| Critical severity | 7 |
| High severity | 6 |
| Medium severity | 2 |
| Runtime | 1.2 hours |
| API cost | ~$48 USD |
| False positives | 0 |
| XSS defenses validated | ✓ |
Key takeaways
- Hidden endpoints are high-risk: the debug endpoint was discovered through code analysis, not enumeration
- Legacy versions create backdoors: the v1 API provided a complete bypass of the v2 security controls
- Mass assignment is critical: input filtering prevents privilege escalation attacks
- False positives matter: correctly validating strong defenses is as important as finding vulnerabilities
Related resources
- Full report: view the complete report on GitHub
- c{api}tal repository: Checkmarx c{api}tal source code
- Test your API: run Shannon against your API
- API security coverage: OWASP API Top 10 coverage