Lab 4: API Endpoint Access

Difficulty: High

Lab Overview

This lab demonstrates an IDOR vulnerability in an API system. The application allows users to access any API endpoint and resource by simply changing the endpoint and resource_id parameters without proper authorization checks.

Objective: Access unauthorized API endpoints and resources by manipulating the endpoint and resource_id parameters to view sensitive data.

Vulnerable PHP Code

// Vulnerable: No proper authorization check
$endpoint = $_GET['endpoint'] ?? 'users';
$resource_id = $_GET['resource_id'] ?? '';

// Simulate API resources
$api_resources = [
    'users' => [...],
    'orders' => [...],
    'payments' => [...],
    'analytics' => [...]
];

// Direct access without checking if user is authorized
if (isset($api_resources[$endpoint])) {
    if ($resource_id) {
        // Access specific resource
        $api_data = $api_resources[$endpoint][$resource_id];
    } else {
        // Access all resources in endpoint
        $api_data = $api_resources[$endpoint];
    }
}

// Example vulnerable usage:
// ?endpoint=users (user data)
// ?endpoint=orders (order data)
// ?endpoint=payments (payment data)
// ?endpoint=analytics (analytics data)

API Endpoint Access

API endpoint loaded successfully!

Quick Test URLs:

API Response: Payments API ACCESS

API Endpoint Data

ID: 1 | Data: { "id": 1, "user_id": 1, "order_id": 1, "amount": 99.99, "payment_method": "credit_card", "card_last4": "1234", "status": "success", "created_date": "2024-01-10" }

ID: 2 | Data: { "id": 2, "user_id": 2, "order_id": 2, "amount": 29.99, "payment_method": "paypal", "card_last4": null, "status": "pending", "created_date": "2024-01-12" }

ID: 3 | Data: { "id": 3, "user_id": 3, "order_id": 3, "amount": 299.99, "payment_method": "bank_transfer", "card_last4": null, "status": "success", "created_date": "2024-01-14" }

Vulnerability Details

Type: Insecure Direct Object Reference (IDOR)
Severity: Critical
Parameter: endpoint, resource_id
Method: GET
Issue: Direct access to API endpoints without authorization

Test Payloads

Try these endpoint values:

users - User data
orders - Order data
payments - Payment data
analytics - Analytics data

Example URLs:

4.php?endpoint=users
4.php?endpoint=orders&resource_id=1
4.php?endpoint=payments&resource_id=2
4.php?endpoint=analytics

Quick Test URLs

Click these links to test the vulnerability:

Real-World Attack Scenarios

Unauthorized access to API endpoints and resources
Access to user data, orders, and payment information
Viewing analytics and business intelligence data
Data exfiltration and unauthorized data modification
Bypassing API access controls and authorization mechanisms
Compliance violations and privacy breaches
API abuse and rate limiting bypass

Mitigation Strategies

Implement proper API authentication and authorization
Use API keys and tokens for access control
Implement proper endpoint-level permissions
Use indirect object references instead of direct resource IDs
Implement proper API rate limiting and throttling
Use whitelist-based validation for allowed endpoints
Implement proper logging and monitoring for API access