1. Home
  2. Training Library
  3. API Pentesting

Improper Asset Management

The course is part of this learning path

Start course

This course focuses on API Security and explains the kinds of vulnerabilities that we can find inside APIs, how to exploit them, and how to secure them as well. These skills will allow you to obtain bug bounties from vulnerabilities and also protect your own APIs as well.


Hi. Within this lecture, we're going to take a look at the API9. So, over here it says that Improper Assets Management. So, over here we got another hint. It says that Good news! We just launched our v2, second version of our API. And for the second version, we have a POST request in order to log in. And that's about it. We don't have anything else I believe. Now, we have a GET request. About, this is about API10, not API9. So, for API9 we only have one endpoint which is POST request, which is to log in. So, let's take a look at what is Improper Assets Management. So if I just google it out, I can find the meaning of it and I can find the vulnerabilities and some possible exploits as well. As you can see, it says that the attackers find non-production versions of the API. Great. So for example, staging, testing beta, or earlier versions. So, this is a very common one.

So, it says that we moved on to the version 2, but maybe version 1 is still in progress or it is still functioning. So, let's come over here to body. As you can see, I can send some requests. The richardbranson and the pin is given me by default so I'm just going to change them like test and test123. I don't know. Maybe it's a really pin number with four digits. I don't know about it. But if I do that, if I just send a request to V2, as you can see I cannot log in because I don't know of the user name and the password or the pin number. So, the thing over here is that we are sending this to v2. Maybe there is a v1 as well. Let's find out about it. So, I'm going to turn the intercept on as usual and I'm going to send this request to Burp Suite. Now, I'm going to come over here and I'm going to send this to the intruder since we don't have any kind of usernames and passwords.

I'm just going to clear everything over here. I'm going to add the username and add the password as well or the pin number as well. I'm assuming that we have something like a SQL injection again. So, I'm going to use the previous list that we have been using our previous payload. That worked for this. So, since we don't have any other usernames and passwords, I'm just going to take the whole list and put it over here, and try it from scratch. I didn't think anything else. And by the way, I'm just going to change this to battering ram as we did in the previous lecture. And I'm going to deselect this URL-encode these characters and start the attack. I don't know whether this has the SQL injection or not. But I do know as you can see after the fifth trial, it gave me a 500. It says that rate limit exceeded.

So, there is a rate limit with five trials and this is doing the right thing. Because after the fifth trial it gave me an error or the status changed from 200 to 500 which means that we're not getting any response now. So, API is working in a correct way. It doesn't let me brute force. It doesn't let me try everything. But what happens? What happens if I change this version 2 to version 1? Maybe it's still functioning. And by the way, over here when I look at this, may be the username is actually richardbranson. And maybe it's asking for us to try all the pin numbers, four-digit numbers starting from 1000 ending in 9,999. But we did that before and it takes a lot of time. The point over here is that it has a rate limit. We cannot even try more than five alternatives. It blocks us in the sixth one.

So, it doesn't even matter if it has a SQL injection vulnerability or pin number vulnerability, brute force thingy. Because if we cannot do brute force, it doesn't matter. What happens when I change it to v1? Let's try that. I changed the version to v1, and I don't know whether this v1 exists or not at this point. I just assume since there is a v2, there should be a v1 as well. And here you go. As you can see I'm getting all 200s right now. If I go to the response, I'm not logged in. I don't know whether I'm even ever going to be logged in or not, because I don't know if this has a SQL injection vulnerability. But what I do know is that I got to pass, bypass this rate limit. Right now I'm not getting 500s, I'm still getting a response. And it means that it has the Improper Asset Management vulnerability.

They upgraded the API to v2 and they had implemented the rate-limiting. But they forgot to close down the version one or maybe they didn't forget. But they just left it open for some test purposes for some development purposes. Maybe they thought that yet nobody knows about this version one. But as you can see a hacker can try it and find out about the versions and then just try to do what they're supposed to do- to hack in. And we have seen many hacks in the previous years using that Improper Asset Management vulnerability. Great. So, I'm going to wait until this is finished. I don't know even if this is going to work or not. But we have bypassed the rate limit. That's what it counts. Here we go. Right now, this is finished. And as long as I can see we all get 200s but I didn't get a response back like I didn't get a success response back.

I don't know whether this has a SQL injection. Maybe as we have talked about before, maybe the username is actually the richardbranson. And we're supposed to try starting from 1000 all ending in 9,999. Maybe that's the case. But it's going to take so much time. It's going to take hours and hours with the community version of the Burp Suite. So, you may actually try it yourself. You can just come over here and change this simple list of numbers and start from 1000 ending in 9,999, step size one. And here you go, you're going to try like 9,000 thingies. And of course, you're going to have to change the username to something richardbranson and for the pin you may want to start with something like that. And obviously you can go for the attacker-type sniper. So, let me copy and paste the username so that we won't forget about it. And here you go.

Maybe you may want to try this yourself, but I'm not even going to bother with it because it's going to take so much time with the 9,000 requests. The idea over here is that we managed to bypass the rate-limiting. As you can see, we're still getting 200s. Great. Now, the idea we're here if you find a test version or like a version that has not been maintained for a long time, there is still a chance that you may find vulnerability and actually there's a higher chance that you may find a vulnerability in a version like that. So, it doesn't hurt to try with different versions. Pentest with different versions and actually aim for that versions. I know many cases that senior developers just wanted to keep the APIs open, the previous APIs open just for having a backup like if they want to check something else, they can come back and look at it.

They said that just leave the things open. We're going to figure it out later on, but then it caused some serious vulnerability in the API series vulnerability in the platforms. Great. Now, we have completed nine challenges. Now, it's time for the last one.


About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.