๊ธ€ ์ž‘์„ฑ์ž: heogi

Broken API Authorization

[https://medium.com/bugbountywriteup/bug-bounty-broken-api-authorization-d30c940ccb42](https://medium.com/bugbountywriteup/bug-bounty-broken-api-authorization-d30c940ccb42)

ํ•ด๋‹น๊ธ€์„ ์ดํ•ดํ•˜๊ธฐ ์œ„ํ•œ ๋ชฉ์ ์œผ๋กœ ์ž‘์„ฑ๋œ ๊ธ€์ž…๋‹ˆ๋‹ค.


 


There was a button labelled "Authenticate", and clicking it took me to a login page. When I tried to log in, I got the message "Account not authorized".

๊ทธ๋ฆฌ๊ณ  ๋‹ค์Œ๊ณผ ๊ฐ™์€ endnpoint๋“ค์ด ์กด์žฌํ–ˆ๋‹ค.

 

/poweruser/add
/poweruser/delete
/user/delete
/user/create
/user/user_logged_in
/user/profile

๋ช‡๋ช‡ endpoint๋“ค์€ ๋‚ด๋ถ€ ์‚ฌ์šฉ์ž๋‚˜ ๊ถŒํ•œ์žˆ๋Š” ์‚ฌ์šฉ์ž๋ฅผ ์œ„ํ•œ๊ฒƒ๊ฐ™์•˜๋‹ค.

 

API token์„ ์ฐพ์„์ˆ˜ ์—†์—ˆ๊ธฐ์— ๋‚˜์ค‘์— ํ™•์ธํ•˜๊ธฐ๋กœํ–‡๋‹ค.
ํ•˜์ง€๋งŒ ์‚ฌ์ดํŠธ๋ฅผ ์—ด์‹ฌํžˆ ๋’ค์ ธ๋ณด์•„๋„ ์—ฌ์ „ํžˆ request๋‚˜ response์—์„œ API token์„ ์ฐพ์„ ์ˆ˜ ์—†์—ˆ๋‹ค.
๋‹ค์‹œ ์ž์„ธํžˆ ์‚ดํŽด๋ณด๋‹ˆ ๋งŽ์€ request์—์„œ Bearer token์„ ์‚ฌ์šฉํ•˜๋Š”๊ฒƒ์„ ์•Œ์•„์ฑ˜๋‹ค.

๊ทธ๋ž˜์„œ header๋ฅผ ๋ณต์‚ฌํ•ด์„œ ๋‹ค๋ฅธ๊ณ„์ •์„ ๋งŒ๋“ค์–ด ํŒจ์Šค์›Œ๋“œ๋ฅผ ๋ณ€๊ฒฝํ•˜๋Š” /user/edit api๋ฅผ ํ˜ธ์ถœํ–ˆ๋‹ค.