Tryhackme: OWASP API Security Top 10–2
Task 1: Introduction
Task 2: Vulnerability VI — Mass Assignment
Is it a good practice to blindly insert/update user-provided data in the database (yea/nay)?
Answer: Nay
Using /apirule6/user_s, insert a record in the database using the credit value as 1000.
What would be the returned credit value after performing Question 2?
Answer: 50
Task 3: Vulnerability VII — Security Misconfiguration
Is it an excellent approach to show error logs from the stack trace to general visitors (yea/nay)?
Answer: Nay
Try to use the API call /apirule7/ping_s in the attached VM.
What is the HTTP response code?
Answer: 500
What is the Error ID number in the HTTP response message?
Answer: 1401
Task 4: Vulnerability VIII — Injection
Can injection attacks be carried out to extract data from the database (yea/nay)?
Answer: Yea
Can injection attacks result in remote code execution (yea/nay)?
Answer: Yea
What is the HTTP response code if a user enters an invalid username or password?
Answer: 403
Task 5: Vulnerability IX — Improper Assets Management
Is it good practice to host all APIs on the same server (yea/nay)?
Answer: Nay
Make an API call to /apirule9/v1/user/login using the username “Alice” and password “##!@#!!”.
What is the amount of balance associated with user Alice?
Answer: 100
What is the country of the user Alice?
Answer: USA
Task 6: Vulnerability X — Insufficient Logging & Monitoring
Should the API logs be publicly accessible so that the attacker must know they are being logged (yea/nay)?
Answer: Nay
What is the HTTP response code in case of successful logging of user information?
Answer: 200
Task 7: Conclusion