BACKGROUND:

You’ve been hired by the IPLRA (International Programming Language Review Association) to conduct a security audit of their newly released API. They are excited to finally release an API to the community so that developers across the world can leverage it. In fact, they see this API as a way to increase their number of reviews by 800%. The only thing standing in their way is a final audit and approval by you. Unfortunately, after only 5 minutes of looking at the API, you’ve found issues and need to report them. Your goal is to bring visibility to the vulnerabilities in their API by finding the flag for each scenario. Good luck on your flag hunt, and we hope you enjoy learning all about modern web APIs.

Note: The IPLRA is not real and we made it up.

SETUP:

To get set up for the flags, carefully follow the steps below.
You will need to switch users. Log into the VM with the following user.

The username, password and VM location are located on Canvas.

Run this at the terminal to start the API:
$ ./StartContainer.sh


project_apisecurity.json is available in the /home/apisec/Desktop folder. Put all flags in this file and submit it as your final deliverable.

To access the Web API open Chrome in the VM and navigate to this URL. This is the Swagger documentation page that describes the API and allows for testing:

http://localhost:8080/swagger/index.html

Note: You can also click the “Swagger UI” bookmark in Chrome.

******GATECH_ID IS A REQUIRED HEADER******

NOTE: This is not the Georgia Tech username; it is the GTID, which you can find using the steps in the Quick Start Guide.

Be very careful! When you copy and paste, be sure to strip off all leading spaces and special characters.

Submission Details:

File submission instructions:

This project needs to be submitted via Gradescope. Navigate to the course in Canvas, click ‘Gradescope’, click ‘Project API Security’ and submit there.

The contents of the submission file should be as follows. There is a project_apisecurity.json file in your VM with a template set up; alternatively, copy-paste the template below into a newly created project_apisecurity.json file elsewhere and replace the placeholders with the flags you retrieve from each relevant task.

Note: You can use TextEdit or Vim to create and edit this file. Do not use LibreOffice or any word-processing editor: the file must be valid JSON with no special characters in order to pass the autograder, and word processors are likely to introduce special characters.

If you can’t find the file in the VM, just copy the format below:

{
  "flag1": "<copy flag 1 here>",
  "flag2": "<copy flag 2 here>",
  "flag3": "<copy flag 3 here>",
  "flag4": "<copy flag 4 here>",
  "flag5": "<copy flag 5 here>",
  "flag6": "<copy flag 6 here>",
  "flag7": "<copy flag 7 here>",
  "flag8": "<copy flag 8 here>"
}


An example of what the submitted file content should look like:

{
 "flag1": "4ec60c3e084d8387f0f33916e9b08b99d5264a486c29130dd4a5a530b958c5c0f1faeaca2ce30b478281ec546a4729f629b531a86cb27d86c089f0c542",
 "flag2": "f496d9514c01e8019cd2bc21edfeb8e33f4a29af14a8bf92f7b3c14b5e06c5c0f1faeaca2ce30b478281ec546a4729f629b531a86cb27d86c089f0c442",
 "flag3": "b621bba0bb535f2f7a222bd32994d3875bcfcad651160c543de0a01dbe2e0c5c0f1faeaca2ce30b478281ec546a4729f629b531a86cb27d86cf0c49542",
 "flag4": "f38e2cafb43ab4a0a647a8b08fc97bca25aa7cfb517029d5dd02faf49bff5c5c0f1faeaca2ce30b478281ec546a4729f629b531a86cb27d86c08c49542",
 "flag5": "1711ee5eb85b9020d1f4193ee6d884abd12a2eadc4890d28c490ae0c36446c5c0f1faeaca2ce30b478281ec546a4729f629b531a86cb27d86c08949542",
 "flag6": "1711ee5eb85b9020d1f4193ee6d884abd12a2eadc4890d28c490ae0c36446c5c0f1faeaca2ce30b478281ec546a4729f629b531a86cb27d86c08949542",
 "flag7": "1711ee5eb85b9020d1f4193ee6d884abd12a2eadc4890d28c490ae0c36446c5c0f1faeaca2ce30b478281ec546a4729f629b531a86cb27d86c08949542",
 "flag8": "f38e2cafb43ab4a0a647a8b08fc97bca25aa7cfb517029d5dd02faf49bff5c5c0f1faeaca2ce30b478281ec546a4729f629b531a86cb27d86c08c49542"
}
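As an added pre-submission check (this script is not part of the assignment materials), the Python below validates a project_apisecurity.json the way the notes above describe: it must parse as JSON, contain exactly the keys flag1 through flag8, have every placeholder replaced, and carry no non-ASCII or leading/trailing characters of the kind that word processors and sloppy copy-paste introduce. The sample inputs are constructed stand-ins, not real flags.

```python
import json
from typing import List

EXPECTED_KEYS = [f"flag{i}" for i in range(1, 9)]
PLACEHOLDER_PREFIX = "<copy flag"

# Constructed sample: the template layout from the assignment, with only two
# keys filled in and the placeholders left untouched.
TEMPLATE = """{
  "flag1": "<copy flag 1 here>",
  "flag2": "<copy flag 2 here>"
}"""

# Constructed sample of a well-formed file; the values are stand-in strings,
# not real flags.
GOOD = json.dumps({f"flag{i}": f"{i:02x}" * 4 for i in range(1, 9)}, indent=2)


def check_submission(text: str) -> List[str]:
    """Return a list of problems found in the submission text; an empty list means OK."""
    problems: List[str] = []

    # 1. Characters outside printable ASCII (curly quotes, non-breaking spaces,
    #    stray control characters) are the usual word-processor residue.
    suspicious = sorted({c for c in text
                         if ord(c) > 126 or (ord(c) < 32 and c not in "\n\r\t")})
    if suspicious:
        codes = ", ".join(f"U+{ord(c):04X}" for c in suspicious)
        problems.append(f"non-ASCII or control characters present: {codes}")

    # 2. The file must parse as JSON at all.
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        problems.append(f"invalid JSON: {exc}")
        return problems
    if not isinstance(data, dict):
        problems.append("top-level JSON value must be an object")
        return problems

    # 3. Exactly the eight expected keys, no more and no fewer.
    missing = [k for k in EXPECTED_KEYS if k not in data]
    extra = [k for k in data if k not in EXPECTED_KEYS]
    if missing:
        problems.append("missing keys: " + ", ".join(missing))
    if extra:
        problems.append("unexpected keys: " + ", ".join(extra))

    # 4. Every present flag is a non-empty string, placeholder replaced,
    #    with no leading/trailing whitespace from copy-paste.
    for key in EXPECTED_KEYS:
        if key not in data:
            continue
        value = data[key]
        if not isinstance(value, str):
            problems.append(f"{key}: value must be a JSON string")
        elif value.startswith(PLACEHOLDER_PREFIX):
            problems.append(f"{key}: placeholder not replaced")
        elif not value:
            problems.append(f"{key}: value is empty")
        elif value != value.strip():
            problems.append(f"{key}: leading or trailing whitespace in value")
    return problems


def check_file(path: str) -> List[str]:
    """Convenience wrapper: validate the JSON file at `path`."""
    with open(path, "r", encoding="utf-8") as fh:
        return check_submission(fh.read())


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "project_apisecurity.json"
    found = check_file(target)
    print("OK" if not found else "\n".join(found))
```

Run it as `python3 check_submission.py /home/apisec/Desktop/project_apisecurity.json`; it prints OK or one line per problem. The non-ASCII scan runs before the JSON parse on purpose: when a word processor has turned the structural double quotes into curly quotes, the parse error alone is cryptic, while the listed code points point straight at the cause.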


Table of contents