API Security

See the attached instructions file for detailed instructions for this project. To successfully complete your project on modern web-based API security principles, you will need to follow the instructions provided for finding the flags. Here's a structured approach based on the information given: FIND FLAGS 1-7 AND SEE THE INSTRUCTIONS FILE FOR SUBMISSION INSTRUCTIONS. THANKS (the zip file has everything for the flags; after you set up the VM, follow the instructions in the attached zip file).

Setup Instructions

  1. Virtual Machine Access:
    • Download the VM from the provided link: .
    • Ensure you have VirtualBox 7.0.18 or higher installed.
    • Log into the VM using the credentials:
      • Username: apisec
      • Password: Chris_Cornell
  2. Starting the API:
    • Open a terminal in the VM.
    • Run the command:

```bash
./StartContainer.sh
```

  • Access the Swagger documentation by navigating to in Chrome.
  3. Required Header:
    • Make sure to include your GATECH_ID as a required header in your API calls.

Flag Collection

You will need to find and submit flags based on specific tasks outlined below.

FLAG 1: Swagger Intro (10 pts)

  • Create a new programming language named “SpaceScript++”.
  • Write a review titled “A Galactic Odyssey in Code”, enhanced with a rating of 4 by reviewer “Kara Thrace”.
  • Reply to this review as “Gaius Baltar” with the text “Fascinating, but lacks a certain logical coherence.”
  • Delete the programming language to reveal your flag.

FLAG 2: Stolen Credentials (15 pts)

  • Use Swagger to find an endpoint for creating new reviewers.
  • Look for credentials related to a recent data breach and use them to obtain an auth token.
  • Use this token to create a new reviewer with username “daylight” and full name “Day Light”.

FLAG 3: JWT Intro (15 pts)

  • Call the flag3token GET API to get your JWT token.
  • Parse the token and use its values to create a payload.
  • POST this payload back to the flag3token API.

FLAG 4: Hack JWTs – #1 (15 pts)

  • Use your credentials as “python_guru1” and password “The_sql_injection_vulnerabilities_are_false” to get your token.
  • Modify this token to gain moderator privileges and delete bad PHP reviews.

FLAG 5: Hack JWTs – #2 (20 pts)

  • Obtain a normal JWT token using username “Jackson5587” and password “Blasphemy2”.
  • Attempt to access top-secret programming languages by modifying your token with an additional claim.

FLAG 6: Hack JWTs – #3 (15 pts)

  • Retrieve a weak JWT token from the flag6token API.
  • Analyze and decrypt the weak key, then use it to access restricted APIs.

FLAG 7: Broken Access Control (10 pts)

  • Find an API that provides user details.
  • Use this information to reset an admin user’s password, allowing access to their account.
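Flag 7 describes the classic pairing behind broken access control: a user-details endpoint that leaks more than it should, and a password-reset endpoint that does not check who is allowed to reset which account. The block below is an added example written for this page, not code from the project VM; the user records, e-mail addresses and passwords in it are constructed. It shows the two mitigations together: `public_profile` returns only the fields an arbitrary caller should see, and `reset_password` enforces object-level authorization, allowing a reset only for the caller's own account, for an admin, or for an unauthenticated caller holding a random, single-use, short-lived reset token bound to that exact account.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    username: str
    role: str            # "user" or "admin"
    email: str
    password_hash: bytes
    salt: bytes


USERS: Dict[str, User] = {}
RESET_TOKENS: Dict[bytes, Tuple[str, float]] = {}  # sha256(token) -> (username, expires_at)
RESET_TTL = 900  # seconds a reset token stays valid


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(username: str, role: str, email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = User(username, role, email, _hash_password(password, salt), salt)


def public_profile(username: str) -> dict:
    """What a 'user details' endpoint should expose to any caller: nothing that
    a reset flow could be driven with (no e-mail, no password material)."""
    u = USERS[username]
    return {"username": u.username, "role": u.role}


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Random token, stored only as a hash, bound to one account, time-limited.
    It is delivered out of band to that account's owner, never returned by an
    API another caller can reach."""
    token = secrets.token_urlsafe(32)
    expires = (time.time() if now is None else now) + RESET_TTL
    RESET_TOKENS[hashlib.sha256(token.encode()).digest()] = (username, expires)
    return token


def reset_password(actor: Optional[str], target: str, new_password: str,
                   reset_token: Optional[str] = None,
                   now: Optional[float] = None) -> bool:
    """Object-level authorization for the reset endpoint. Raises PermissionError
    unless the caller is the account owner, an admin, or presents a live,
    unused reset token issued for exactly this account."""
    now = time.time() if now is None else now
    actor_user = USERS.get(actor) if actor is not None else None
    allowed = actor_user is not None and (actor == target or actor_user.role == "admin")
    if not allowed and reset_token is not None:
        entry = RESET_TOKENS.pop(hashlib.sha256(reset_token.encode()).digest(), None)  # single use
        allowed = entry is not None and entry[0] == target and entry[1] > now
    if not allowed:
        raise PermissionError("not authorised to reset this account's password")
    u = USERS[target]
    u.salt = secrets.token_bytes(16)  # fresh salt on every change
    u.password_hash = _hash_password(new_password, u.salt)
    return True


def try_reset(*args, **kwargs) -> bool:
    """Same call as reset_password, but reports denial as False instead of raising."""
    try:
        return reset_password(*args, **kwargs)
    except PermissionError:
        return False


def check_login(username: str, password: str) -> bool:
    u = USERS.get(username)
    if u is None:
        return False
    return hmac.compare_digest(u.password_hash, _hash_password(password, u.salt))


def setup_demo_users() -> None:
    """Constructed accounts for the demo (names, addresses and passwords are made up)."""
    USERS.clear()
    RESET_TOKENS.clear()
    add_user("alice", "user", "alice@example.invalid", "pw-alice")
    add_user("root", "admin", "root@example.invalid", "pw-root")
```

The contrast with the Flag 7 scenario is in what the reset path requires: it is never enough to know details about the target account, because the only unauthenticated route is a high-entropy token that the server generated for that account, hashed before storage, and invalidated on first use or after `RESET_TTL` seconds.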

Submission Instructions

  1. Collect all flags you retrieve into a JSON format as specified:

```json
{
  "flag1": "",
  "flag2": "",
  "flag3": "",
  "flag4": "",
  "flag5": "",
  "flag6": "",
  "flag7": ""
}
```

  2. Save this JSON file as project_apisecurity.json in your VM.