Objective: Gain Unauthorized Access/Disrupt API
+-------------------------------------------------+
| Gain Unauthorized Access/Disrupt API (Goal) |
+-------------------------------------------------+
/ \
----------------------------------------- -----------------------------------------
| |
+---------------------+ +---------------------+
| Exploit Auth Flaws |[HIGH RISK] | Exploit Input Valid |[HIGH RISK]
+---------------------+ +---------------------+
| |
--------+-------- --------+--------
| |
+-------+ +-------+[!]
| Bypass|[CRITICAL] |Inject |
|Auth | |Invalid|
|Checks | |Data |
+-------+ +-------+
| |
|... |...
|
+-------+ +-------+
|JWT |[HIGH RISK] |Missing|[HIGH RISK]
|Manip. | |Valid. |
| | | |
+-------+ +-------+
\ /
----------------------------------------- -----------------------------------------
| | | |
+---------------------+ +---------------------+ +-------+ +-------+
| Exploit Error Handl | | | | | | |
+---------------------+ | | | | | |
| | | |
--------+-------- --------+-------- --------+--------
| | | | | |
+-------+[CRITICAL]| +-------+[!] +-------+ +-------+ +-------+ +-------+
|Leak | |Trigger| | | | | | | | |
|Sensit.| |DoS via| | | | | | | | |
|Info | |Error | | | | | | | | |
+-------+ +-------+ +-------+ +-------+ +-------+ +-------+
| |
+-------+ +-------+
|Missing| |Un- |
|Handl. | |handled|
| | |Except.|
+-------+ +-------+
Attack Tree Path: Exploit Authentication Flaws [HIGH RISK]
- Bypass Authentication Checks [CRITICAL]
- Description: The attacker attempts to access protected API endpoints without providing valid credentials or by circumventing the authentication process altogether.
- Attack Vectors:
- JWT Manipulation [HIGH RISK]:
- Forging JWTs: Creating JWTs without the correct secret key. This requires knowledge of the JWT structure and potentially the algorithm used.
- Altering Existing JWTs: Modifying the payload of a valid JWT (e.g., changing the user ID or roles) to gain unauthorized access. This requires intercepting a valid token.
- Exploiting Weak JWT Validation: Taking advantage of misconfigurations in the JWT validation process, such as not verifying the signature, expiration, or issuer.
- "None" Algorithm Attack: Exploiting a severe misconfiguration where the
algheader in the JWT is set to "none," allowing unsigned tokens to be accepted.
- JWT Manipulation [HIGH RISK]:
Attack Tree Path: Exploit Input Validation [HIGH RISK]
- Inject Invalid Data
- Description: The attacker sends malformed or unexpected data to the API, aiming to cause errors, bypass security checks, or execute malicious code.
- Attack Vectors:
- Missing Validation [HIGH RISK]:
- Description: The API fails to properly validate input parameters, allowing attackers to send arbitrary data. This is a fundamental flaw that enables many other attacks.
- Consequences: Can lead to SQL injection, NoSQL injection, command injection, XSS, and other vulnerabilities, depending on how the unvalidated data is used.
- Missing Validation [HIGH RISK]:
Attack Tree Path: Exploit Error Handling
-
Leak Sensitive Information [CRITICAL] * Description: The attacker triggers errors in the API that reveal sensitive information, such as database credentials, internal file paths, API keys, or stack traces. * Attack Vectors:
- Missing Handling: If
dingo/api's error handling is not properly configured, detailed error messages (including stack traces, database queries, or internal file paths) might be returned to the attacker. - Verbose Error Messages: Even with custom error handlers, the application might inadvertently include sensitive information in error responses.
- Missing Handling: If
-
Trigger DoS via Error
- Description: The attacker crafts requests designed to trigger errors that consume excessive server resources or cause the application to crash.
- Attack Vectors:
- Unhandled Exceptions: If the API doesn't properly handle exceptions, a single malicious request could crash the entire API or application.
- Resource Exhaustion on Error: If error handling logic itself consumes significant resources (e.g., excessive logging), the attacker can trigger errors to exhaust resources.