Executive Summary
Target: c{api}tal API (GitHub)
Assessment Date: January 2025
Scope: Authentication, XSS, SQL and Command Injection, SSRF, Authorization testing

Shannon identified nearly 15 critical and high-severity vulnerabilities, leading to full application compromise of c{api}tal, an intentionally vulnerable API from Checkmarx designed to test tools against the OWASP API Security Top 10.
Key Accomplishments
Complete Application Compromise
- Executed root-level command injection by bypassing denylist via semicolon command chaining in hidden debug endpoint
- Achieved complete authentication bypass by discovering and exploiting legacy v1 API endpoint
- Escalated regular user to full administrator privileges via mass assignment vulnerability in profile update
- Demonstrated high accuracy by correctly confirming robust XSS defenses with zero false positives
Verified Vulnerabilities by Category
Authentication Vulnerabilities:
- Complete authentication bypass on legacy v1 endpoint
- Mass assignment privilege escalation
- Session hijacking via JavaScript-accessible tokens in localStorage
- Unlimited brute force attacks with no rate limiting
- Legacy authentication bypass providing complete account takeover
- Horizontal authorization bypass accessing other users’ financial data
- Vertical authorization bypass allowing regular users to access admin functions
- Mass assignment privilege escalation through profile updates
- Command injection via debug endpoint providing root-level system access
- Admin workflow bypass
- Debug endpoint exposed in production
- No XSS vulnerabilities found: the application demonstrates robust XSS defenses through React’s default HTML escaping, XSS library sanitization, and proper URL validation
- Critical command injection in debug API endpoint allowing arbitrary command execution with root privileges
- Semicolon command chaining bypass of input validation
- Complete system compromise with sensitive data extraction
- Network boundary bypass via command injection in debug endpoint
- SSRF to access internal services through Python socket connections
Critical Vulnerability Examples
INJ-VULN-01: Command Injection via Debug API Endpoint
Severity: Critical
Location: POST /api/debug endpoint
Impact: Complete system compromise with root-level access, sensitive data extraction
Prerequisites: Valid JWT authentication token (easily obtained via user registration)
Exploitation:
- Register a user account to obtain JWT token:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...
- Execute command injection to extract sensitive data:
- Confirm root-level privilege escalation:
- Root Access Confirmed: Command execution as root user (uid=0, gid=0)
- Sensitive Data Extracted: Complete /etc/passwd file containing all system users
- System Information Gathered: Working directory /capital, system uptime, load averages
- Vulnerability Type: Command Injection (CWE-78)
- Root Cause: Insufficient input validation with semicolon command chaining bypass
- Bypass Method: Filter only blocks "rm" and "||" but allows semicolon (;) command chaining
- Attack Vector: uptime; [ARBITRARY_COMMAND] pattern bypasses input validation
- Extract all sensitive data from the filesystem
- Install backdoors or malware
- Pivot to other systems on the network
- Cause complete system destruction
- Access application databases and configuration files
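To make the root cause concrete, here is an added illustration (constructed for this summary, not c{api}tal's own code) of the denylist check the report describes beside an allowlist that never hands user input to a shell; the command names in the allowlist are assumptions:

```python
import subprocess

# Constructed illustration, not c{api}tal's own code. The report states the
# debug endpoint's filter blocks only "rm" and "||", so a string such as
# "uptime; <other command>" passes and a shell executes both halves as root.
DENYLIST = ("rm", "||")

def weak_denylist_allows(command: str) -> bool:
    """The flawed check: accept anything that contains no denylisted token."""
    return not any(token in command for token in DENYLIST)

# Hardened replacement: the client may only name a command; the server owns
# the argv. (Assumed entries; the real endpoint's command set is not on the page.)
ALLOWED_COMMANDS = {
    "uptime": ["uptime"],
    "disk": ["df", "-h"],
}

def resolve_debug_command(command: str):
    """Return the fixed argv for an allowlisted name, or None to reject.

    The entire user string must equal a key, so ';', '|', '&&' and similar
    metacharacters can never reach an interpreter. Rejections are worth
    logging: a name containing ';' is a strong signal of probing.
    """
    return ALLOWED_COMMANDS.get(command.strip())

def run_debug_command(command: str) -> str:
    """Execute only a resolved argv, without shell=True, as the service user."""
    argv = resolve_debug_command(command)
    if argv is None:
        raise ValueError("command not in allowlist")
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout
```

Running the service as a non-root account removes the uid=0 impact even if the allowlist is ever misconfigured.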
AUTH-VULN-06: Complete Authentication Bypass on Legacy v1 Endpoint
Severity: Critical
Location: /api/v1/users/login endpoint
Impact: Complete authentication bypass enabling immediate account takeover of any user
Exploitation:
- Target the legacy authentication endpoint:
- Endpoint returns successful authentication with user data and token:
- Verify bypass works with any user and any password:
flag{Impr0peR_Ass3ts_ManAg3m3nt} confirms successful exploitation.
Technical Details: Legacy v1 endpoint completely bypasses password validation, allowing authentication with any email and any password. This represents improper asset management where deprecated endpoints remain accessible.
AUTH-VULN-08: Mass Assignment Privilege Escalation
Severity: Critical
Location: PUT /api/user endpoint
Impact: Any authenticated user can escalate to admin privileges
Prerequisites: Valid JWT token from authentication
Exploitation:
- Authenticate as a regular user:
- Escalate privileges via mass assignment:
- Server responds with elevated privileges:
"admin": true and includes flag flag{M4sS_AsS1gnm3nt} confirming successful privilege escalation from regular user to admin.
Technical Details: User update endpoint allows setting admin=true via mass assignment without authorization checks. The application accepts arbitrary user-controlled attributes in the update payload.
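An added illustration (constructed here, not c{api}tal's own code) of the mass-assignment pattern behind AUTH-VULN-08 next to an allowlisted update; the User fields other than admin are assumptions:

```python
from dataclasses import dataclass

# Constructed illustration, not c{api}tal's own code. Field names other than
# "admin" are assumed for the example.
@dataclass
class User:
    email: str
    name: str
    admin: bool = False

def update_vulnerable(user: User, payload: dict) -> User:
    """Mass assignment: every key in the request body is written to the record,
    so {"admin": true} from an ordinary user flips the privilege flag."""
    for key, value in payload.items():
        setattr(user, key, value)
    return user

# Attributes a user may change about themselves. Privilege flags such as
# "admin" are deliberately absent; they change only through an admin-only path.
SELF_WRITABLE = frozenset({"name"})

def update_hardened(user: User, payload: dict) -> User:
    """Apply only allowlisted keys and reject the request if anything else is
    present, so the attempt shows up in logs instead of being silently dropped."""
    unexpected = set(payload) - SELF_WRITABLE
    if unexpected:
        raise ValueError(f"fields not permitted: {sorted(unexpected)}")
    for key in SELF_WRITABLE & set(payload):
        setattr(user, key, payload[key])
    return user
```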
AUTH-VULN-04: Session Hijacking via JavaScript-Accessible Tokens
Severity: High
Location: Frontend application localStorage
Impact: Any XSS vulnerability can steal authentication tokens and hijack user sessions Exploitation:
- Access the frontend application via browser:
- Demonstrate JavaScript access to stored tokens:
- Use stolen token to access protected resources:
localStorage.getItem('jwt'). This proves any XSS attack can steal authentication tokens for session hijacking.
Technical Details: JWT tokens stored in localStorage are accessible to JavaScript, enabling XSS-based session hijacking. Tokens should be stored in httpOnly cookies to prevent JavaScript access.
AUTH-VULN-02: No Rate Limiting Enables Brute Force
Severity: High
Location: POST /api/v2/users/login
Impact: Unlimited brute force attacks discovered valid credentials
Exploitation:
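As an added example (constructed here, not c{api}tal's own code) of the control AUTH-VULN-02 shows to be missing, a sliding-window failure counter keyed by both account and source address that a login handler would consult before verifying a password; the window and threshold values are assumptions:

```python
import time
from collections import defaultdict, deque

# Constructed illustration, not c{api}tal's own code. Window and threshold
# are assumed values; tune them to the application's real login traffic.
WINDOW_SECONDS = 300
MAX_FAILURES = 5

class LoginRateLimiter:
    """Tracks recent failed logins per account and per client address."""

    def __init__(self, window=WINDOW_SECONDS, max_failures=MAX_FAILURES,
                 clock=time.monotonic):
        self.window = window
        self.max_failures = max_failures
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    def _keys(self, email: str, ip: str):
        # Keying by account stops distributed guessing of one password;
        # keying by address stops one client from spraying many accounts.
        return (f"acct:{email.strip().lower()}", f"ip:{ip}")

    def _prune(self, key: str, now: float) -> deque:
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_blocked(self, email: str, ip: str) -> bool:
        """True if either the account or the address hit the threshold."""
        now = self.clock()
        return any(len(self._prune(k, now)) >= self.max_failures
                   for k in self._keys(email, ip))

    def record_failure(self, email: str, ip: str) -> None:
        now = self.clock()
        for k in self._keys(email, ip):
            self._prune(k, now).append(now)

    def record_success(self, email: str) -> None:
        # A correct password clears the account counter; the address counter
        # is kept so a spraying client stays throttled.
        self._failures.pop(f"acct:{email.strip().lower()}", None)
```

The handler should also return the same generic error whether the account is locked or the password is wrong, so the limiter itself does not become a user-enumeration oracle.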
XSS Defense Validation
Shannon correctly identified that the application has robust XSS defenses:
- React’s default HTML escaping prevents injection
- XSS library sanitization applied to user input
- Proper URL validation prevents JavaScript protocol injection
Report Access
View the complete penetration test report with all vulnerability details: View Full Report →

Application Details
c{api}tal API is an intentionally vulnerable API application from Checkmarx designed to test security tools against the OWASP API Security Top 10.
- GitHub: Checkmarx/capital
- Purpose: API security testing and training
- Technology: Python, Flask, React
- Focus: OWASP API Security Top 10 vulnerabilities
Key Takeaways
Shannon’s performance on c{api}tal demonstrates:
- API-Specific Testing: Specialized coverage of API security vulnerabilities
- Critical Path Discovery: Found hidden debug endpoints and legacy authentication paths
- Zero False Positives: Correctly identified robust XSS defenses without false reports
- Root-Level Compromise: Achieved complete system access through command injection
- Real-World Impact: Every finding demonstrates actual exploitability with PoC code
Next Steps
- View OWASP Juice Shop Report: Web application vulnerabilities
- View crAPI Report: Advanced JWT and authentication testing
- View Benchmark Results: Quantitative performance analysis
- Get Started with Shannon: Test your own applications
