See the instructions file attached for detailed instructions for this project. To successfully complete your project on modern web-based API security principles, you will need to follow the instructions provided for finding the flags. Here's a structured approach based on the information given: FIND FLAGS 1-7 AND SEE THE INSTRUCTIONS FILE FOR SUBMISSION INSTRUCTIONS. THANKS (the zip file has everything for the flags; after you set up the VM, follow the attached zip file's instructions).
Setup Instructions
Virtual Machine Access: Download the VM from the provided link: CS6035-Fall-2024-RC2.ova.
Ensure you have VirtualBox 7.0.18 or higher installed.
Log into the VM using the credentials:
Username: apisec
Password: Chris_Cornell
Starting the API: Open a terminal in the VM.
Run the command:
```bash
./StartContainer.sh
```
Access the Swagger documentation by navigating to http://localhost:5001/swagger/index.html in Chrome.
Required Header: Make sure to include your GATECH_ID as a required header in your API calls.
Flag Collection
You will need to find and submit flags based on specific tasks outlined below.
FLAG 1: Swagger Intro (10 pts)
Create a new programming language named “SpaceScript++”.
Write a review titled “A Galactic Odyssey in Code, enhanced” with a rating of 4 by reviewer “Kara Thrace”.
Reply to this review as “Gaius Baltar” with the text “Fascinating, but lacks a certain logical coherence.”
Delete the programming language to reveal your flag.
FLAG 2: Stolen Credentials (15 pts)
Use Swagger to find an endpoint for creating new reviewers.
Look for credentials related to a recent data breach and use them to obtain an auth token.
Use this token to create a new reviewer with username “daylight” and full name “Day Light”.
FLAG 3: JWT Intro (15 pts)
Call the “flag3token” GET API to get your JWT token.
Parse the token and use its values to create a payload.
POST this payload back to the “flag3token” API.
FLAG 4: Hack JWTs – #1 (15 pts)
Use your credentials as “python_guru1” and password “The_sql_injection_vulnerabilities_are_false” to get your token.
Modify this token to gain moderator privileges and delete bad PHP reviews.
FLAG 5: Hack JWTs – #2 (20 pts)
Obtain a normal JWT token using username “Jackson5587” and password “Blasphemy2”.
Attempt to access top-secret programming languages by modifying your token with an additional claim.
FLAG 6: Hack JWTs – #3 (15 pts)
Retrieve a weak JWT token from the flag6token API.
Analyze and decrypt the weak key, then use it to access restricted APIs.
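Flags 3 through 6 all turn on what the server checks before it trusts a JWT. The following is an added example, not code from the project VM or the course, showing a verifier written the way a defender wants it: the algorithm is pinned server-side, the signature is checked with a constant-time comparison, and authorization reads only claims that passed verification. The secret, the "role" claim and the helper names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed for this example: a 256-bit secret, so offline guessing is not
# practical (flag 6 targets a weak one). The claim name "role" is an assumption.
SECRET = secrets.token_bytes(32)
EXPECTED_ALG = "HS256"

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    # Issue an HS256 JWT the way the API's login endpoint would.
    head, body = segment({"alg": EXPECTED_ALG, "typ": "JWT"}), segment(claims)
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_token(token: str, secret: bytes = SECRET):
    # Return the claims only if the token is authentic, otherwise None.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
        sig = b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None
    # Pin the algorithm server-side; never let the header's "alg" choose the check.
    if header.get("alg") != EXPECTED_ALG:
        return None
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    # Any edit to header or payload (flags 4 and 5) breaks the MAC;
    # compare_digest keeps the comparison constant-time.
    return claims if hmac.compare_digest(sig, expected) else None

def is_moderator(token: str) -> bool:
    # Authorize only from claims that survived verification.
    claims = verify_token(token)
    return claims is not None and claims.get("role") == "moderator"
```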
FLAG 7: Broken Access Control (10 pts)
Find an API that provides user details.
Use this information to reset an admin user’s password, allowing access to their account.
Submission Instructions
Collect all flags you retrieve into a JSON file in the following format:
```json
{
  "flag1": "",
  "flag2": "",
  "flag3": "",
  "flag4": "",
  "flag5": "",
  "flag6": "",
  "flag7": ""
}
```
Save this JSON file as project_apisecurity.json in your VM.