snoopysecurity / dvws-node

Damn Vulnerable Web Services is a vulnerable application with a web service and an API that can be used to learn about webservices/API related vulnerabilities.
GNU General Public License v3.0

Hidden API Functionality are not actually exposed #31

Closed halfluke closed 2 years ago

halfluke commented 2 years ago

/api/v2/passphrase is not exposed in the swagger file, nor dvwsuserservice (which is a SOAP API call independent from the REST API)

"Multiple API calls can be found by parsing this swagger endpoint which cannot be found by simply browsing the application." It's actually the other way around: this call is not in the swagger file but it is used by the application when saving a generated passphrase.

snoopysecurity commented 2 years ago

Hey, thanks for raising this issue. Yeah, the solution doc is wrong; it's actually the below two requests that you should be able to find by parsing the swagger file which you won't see when browsing the application.

```http
GET /api/v1/info HTTP/1.1
Host: dvws.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://dvws.local/api-docs/
Connection: close
```

```http
GET /api/v2/users HTTP/1.1
Host: dvws.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json; charset=utf-8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://dvws.local/api-docs/
Connection: close
```

I've updated the docs: https://github.com/snoopysecurity/dvws-node/wiki/Hidden-API-Functionality-Exposure. I've also added the passphrase API calls to swagger; if you clone and test the latest version, you won't see this issue. Thanks
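As an added example (not code from the dvws-node project or from either commenter), both mismatches discussed in this thread can be found mechanically by reconciling the swagger document against the requests seen while browsing. The inline spec and request lines are constructed, `/api/v2/example/{id}` is a hypothetical route, and the POST method for `/api/v2/passphrase` is an assumption.

```javascript
// Constructed sample data; not the project's real swagger file or captured traffic.
// "/api/v2/example/{id}" is hypothetical, and POST for passphrase is an assumption.
const spec = { paths: {
  "/api/v1/info": { get: {} },
  "/api/v2/users": { get: {} },
  "/api/v2/example/{id}": { get: {}, parameters: [] },
} };
const observed = ["GET /api/v2/example/42?verbose=1", "POST /api/v2/passphrase", "GET /api/v2/example/7"];
const METHODS = new Set(["get", "put", "post", "delete", "options", "head", "patch", "trace"]);

// Swagger path template -> anchored regex; a {param} matches exactly one path segment.
function templateToRegex(template) {
  const body = template.split(/(\{[^}]+\})/).map((part) =>
    /^\{[^}]+\}$/.test(part) ? "[^/]+" : part.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")
  ).join("");
  return new RegExp("^" + body + "/?$");
}

// Flatten spec.paths into operations, ignoring non-method keys such as "parameters".
function documentedOperations(doc) {
  const ops = [];
  for (const [template, item] of Object.entries(doc.paths || {})) {
    for (const key of Object.keys(item)) {
      if (!METHODS.has(key.toLowerCase())) continue;
      ops.push({ id: key.toUpperCase() + " " + template, method: key.toUpperCase(), regex: templateToRegex(template) });
    }
  }
  return ops;
}

// Compare documented operations with "METHOD /path" lines seen while browsing.
function reconcile(doc, requestLines) {
  const ops = documentedOperations(doc);
  const used = new Set(), undocumented = new Set();
  for (const line of requestLines) {
    const [rawMethod, target = ""] = line.trim().split(/\s+/);
    const method = rawMethod.toUpperCase();
    const path = target.split(/[?#]/)[0]; // drop query string and fragment
    const hit = ops.find((op) => op.method === method && op.regex.test(path));
    if (hit) used.add(hit.id);
    else undocumented.add(method + " " + path);
  }
  return {
    unexercised: ops.map((op) => op.id).filter((id) => !used.has(id)), // in the spec, never called by the UI
    undocumented: [...undocumented], // called by the UI, missing from the spec
  };
}

console.log(reconcile(spec, observed));
```

With this sample input, `unexercised` lists the two documented calls the UI never makes, and `undocumented` lists the passphrase call the spec was missing before the fix.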

halfluke commented 2 years ago

Thanks!