Projects / API Security / Flag 1: Swagger IntroThis flag will introduce you to basic API functionality using a documentation and test harness tool called Swagger. Swagger is a very popular tool used to develop and test web APIs and has plugins/modules in most programming languages. You can learn more about Swagger here: https://swagger.io/Youll need to leverage Swagger (or any other http tool you desire such as curl or Postman) to determine how the API is configured and what endpoints to invoke to earn this flag.Warning: The site doesnt use file storage or a database, all data is stored in memory. If you crash the web API or restart the VM, any data you have created/modified will have been lost and youll need to begin at step 1.To earn your flag you must perform the following actions by making API calls.Code, enhanced, rating is 4 and the reviewer is Kara Thracehttps://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag1.html 9/16/24, 11:21PM Page 1 of 2Hints:https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag1.html 9/16/24, 11:21PM Page 2 of 2CS 6035Projects / API Security / Flag 2: Stolen CredentialsIn order to get this flag you need to create a new reviewer in the system. Unfortunately, the developers locked down this functionality some time ago so youll need an auth token in order to perform it. You read in the newspaper last week that Programming Reviews LLC had a big data breach so there is a good chance you can come across some credentials.To earn your flag you must perform the following actions.Hints:https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag2.html 9/16/24, 11:22PM Page 1 of 2is sending back.Include your flag2 into the json file and now onto Flag 3!Disclaimer: You are responsible for the information on this website. The content is subject to change at any time.https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag2.html 9/16/24, 11:22PM Page 2 of 2CS 6035Projects / API Security / Flag 3: JWT IntroNow that youve used an Auth token were going to dig a bit deeper into JWT (JSON Web Tokens). This flag is simple and designed only to get you acquainted with how JWTs are constructed. There are numerous resources to help you work with JWTs, one we recommend is https://jwt.io/ but you are not required to use this site for the project. Choose any library, tool or site you wish to inspect and construct JWT tokens.To earn your flag you must perform the following actions.Hints:The next few flags will require some trial and error and a bit of research on your part tohttps://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag3.html 9/16/24, 11:22PM Page 1 of 2succeed. Your task is to craft JWT tokens such that you can use the token to successfully authenticate and earn your flag.Disclaimer: You are responsible for the information on this website. The content is subject to change at any time.https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag3.html 9/16/24, 11:22PM Page 2 of 2CS 6035Projects / API Security / Flag 4: Hack JWTs pt. 1You are a PHP ninja! You cant get enough of this language. When you learned that others hate it and gave it bad reviews you felt the need to correct the situation. Youve learned of an API that allows you to delete reviews. Muhahahah! The problem is that only the site moderator can do this and you dont have his credentials. This has not stopped you in the past.To earn your flag you must perform the following actions.Hints:https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag4.html 9/16/24, 11:22PM Page 1 of 2Disclaimer: You are responsible for the information on this website. The content is subject to change at any time.https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag4.html 9/16/24, 11:22PM Page 2 of 2CS 6035Projects / API Security / Flag 5: Hack JWTs pt. 2Youve learned about a new experimental programming language that is TOP SECRET! This language only requires 1 single keyword to find a polynomial time algorithm to solve any NP-hard problem! You want the 1 million dollar reward for solving this problem and thus need access to this programming language. Find the language.To earn your flag you must perform the following actions.Hints:Disclaimer: You are responsible for the information on this website. The content is subject to change at any time.https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag5.html 9/16/24, 11:24PM Page 2 of 2CS 6035Projects / API Security / Flag 6: Hack JWTs pt. 3Youve been informed that the system has a weak key vulnerability that can be decrypted using a brute-force attack. The weak key corresponds to the employee ID of one of the developers who developed the code, assuming that no one could guess the employee ID.A friendly employee in the company has leaked the pattern for the employee ID number, which would consist of numeric digits and could be up to seven digits. Pass this weak key on to the flag6 API and you should get the flag.To earn your flag you must perform the following actions.Hints:https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag6.html 9/16/24, 11:23PM Page 1 of 2Disclaimer: You are responsible for the information on this website. The content is subject to change at any time.https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag6.html 9/16/24, 11:23PM Page 2 of 2CS 6035Projects / API Security / Flag 7: Broken Access ControlLike many other systems, this one also maintains user profiles or settings. These profiles may contain sensitive information that can be exploited by malicious hackers to gain unauthorized access to restricted areas of the system. Regrettably, the access control measures for protecting APIs, which ideally should be segmented based on role-based permissions, have been compromised in this system. Your objective is to reset the password of an administrator user, thereby allowing you to log in as that user and exploit their admin access for your own entertainment and financial gain.To earn your flag you must perform the following actions.Hints:Resources:https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag7.html 9/16/24, 11:23PM Page 1 of 2Disclaimer: You are responsible for the information on this website. The content is subject to change at any time.https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Projects/API_Security/flag7.html 9/16/24, 11:23PM Page 2 of 2
Shopping Cart
Reviews
There are no reviews yet.