8. Broken Access Control
With APIs we access data based on some identifier: an id, a code, or a username and password.
By sending specific JSON requests to the API we can read the data it holds. By modifying those requests we can get different kinds of data, and by changing the data in certain ways we can potentially reach something that is restricted when going through a normal API call.
The JSON we send to identify ourselves to a JSON API is carried in JSON Web Tokens (JWT).
JSON Web Tokens
A JWT has three encoded parts:
The Header
The Body
The Signature
Each part of a JWT is separated by a dot.
All the parts are encoded with base64url. Keep in mind that this is a method of encoding, not encryption: anyone holding the token can read the header and body. JWE (JSON Web Encryption) is a different topic that we would have to discuss separately.
Play with APIs: https://catfacts.ninja
Read JWTs: https://jwt.io
Terminal - Decoding:
echo eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0= | base64 -d
echo eyJ1c2VyIjoiamVyZW15Iiwicm9sZSI6InN0YWZmIn0= | base64 -d
REQUESTS for this chapter
POST /login.php - CREATE
curl -X POST -H "Content-Type: application/json" -d '{"username": "admin", "password": "password123"}' http://localhost/labs/api/login.php
GET /account.php - READ
curl -X GET "http://localhost/labs/api/account.php?token=JWT"
PUT /account.php - UPDATE
curl -X PUT -H "Content-Type: application/json" -d '{"token": "JWT", "username":"username", "bio": "New bio information."}' http://localhost/labs/api/account.php
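Added example (not part of the original notes or of the lab's own PHP code) that ties the two topics above together: it splits and decodes the three dot-separated parts of a JWT exactly as the base64 commands do, and then shows how the server side of /account.php should handle the PUT request so that access control is not broken. The signing key, the HS256 choice, the in-memory accounts table and the sample tokens are all assumptions made for the example; the decoded header and body values match the two base64 strings shown in the terminal section.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical server-side signing key for the lab; a real deployment loads it from config.
SECRET_KEY = b"lab-secret-key-change-me"


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding a JWT strips."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, the alphabet JWTs use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def split_jwt(token: str):
    """Return (header, body, signature_segment). Nothing here is trusted yet:
    this is the same step as the two `base64 -d` commands, just in code."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    body = json.loads(b64url_decode(parts[1]))
    return header, body, parts[2]


def sign_jwt(body: dict, key: bytes) -> str:
    """Issue an HS256 token, as the lab's POST /login.php would after a good login."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(body, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes) -> dict:
    """Return the claims only when the HS256 signature checks out.
    The alg named in the header is never used to pick the algorithm:
    anything other than the server's own HS256 (including "none") is rejected."""
    header, body, sig_segment = split_jwt(token)
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    signing_input = token.rsplit(".", 1)[0]
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_segment)):
        raise ValueError("bad signature")
    return body


def update_account(request: dict, accounts: dict, key: bytes) -> str:
    """PUT /account.php as the server should handle it: the account being
    updated is taken from the verified token, never from the request body.
    Returns the username that was actually updated."""
    claims = verify_jwt(request["token"], key)
    owner = claims["user"]
    # request["username"] is deliberately ignored. Honouring it would let any
    # valid token rewrite any account, which is the broken access control
    # this chapter is about.
    accounts[owner]["bio"] = request["bio"]
    return owner


if __name__ == "__main__":
    # The two segments from the terminal section, decoded the same way.
    print(json.loads(b64url_decode("eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0=")))
    print(json.loads(b64url_decode("eyJ1c2VyIjoiamVyZW15Iiwicm9sZSI6InN0YWZmIn0=")))

    # Constructed accounts table and a token issued to jeremy (assumed data).
    accounts = {"jeremy": {"bio": "old bio"}, "admin": {"bio": "admin bio"}}
    token = sign_jwt({"user": "jeremy", "role": "staff"}, SECRET_KEY)
    updated = update_account(
        {"token": token, "username": "admin", "bio": "New bio information."},
        accounts, SECRET_KEY,
    )
    print("updated:", updated, accounts)
```

The point to take from `update_account` is where the identity comes from: the `username` field of the PUT body is request data the client controls, while `claims["user"]` only exists if `verify_jwt` accepted the signature. An `alg` of `none` in the header, as in the decoded sample, is rejected before the signature is even looked at.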
IDEAS
Check first if functionality is working as intended.
Check after if functionality can be broken.