Broken Authentication in vAPI


Get ready to explore the broken authentication vulnerability in vAPI. In this article, we are going to look at a detailed walkthrough of this vulnerability.

First things first, make sure your lab setup (vAPI, Postman, Burp Suite) is installed properly.

Put simply, broken authentication is nothing but gaining access to someone else's resources by exploiting a weakness in the authentication system.

Understanding the scenario:

Good analysis is the first step in good hunting! Start by using Postman to examine the request structure. There are initially two requests: the first is a POST request with input fields (username, password), which looks like a request that might be subject to a broken authentication vulnerability.

The second is a GET request, which is nothing but a data retrieval request after successful authentication; it does not need any input, so it is clear that we have to work on the POST request.

Try submitting dummy credentials in the input fields to analyze the response.

We get a standard failed authentication response (Error 401), which is not bad. We tried sending multiple dummy credentials to check whether there is any mechanism to block repeated login attempts, and there is none. Good for us, because now we can go for multiple-password attacks such as a dictionary attack, password spraying, or brute force.

We know the request structure, attack vector, and attack type, but now we need a basic username or password list to attack with. Where do we find it? On the vAPI page, we found something interesting saying, “Hey, look for the resource folder provided to you.”

It’s saying to look for the resource folder, which has already been given to us, but when and how? The only thing we have on our computer related to vAPI is its repo folder, so let’s look inside it.

And here we go: we found one .csv file containing a dictionary of usernames and passwords inside Vapi -> Resources -> API2_CredentialStuffing.

Now that we have everything in place to attack, capture the login request in Burp Suite and send it to Intruder. Then select the following configuration for the Intruder attack:

1. Attack type: Pitchfork

2. Payload markers on the username and password values

3. Set both payload types to Simple list.

4. Load the same .csv file for both payload positions.

5. For email, add the payload processing rule Match/Replace with the value ‘Match [,.*] replace with [ ]’.

6. For the password, add the payload processing rule Match/Replace with the value ‘Match [.*,] replace with [ ]’.

7. Make sure to deselect the “URL-encode these characters” option before starting the attack.

8. Start the attack.
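The control that was found missing earlier (nothing blocks repeated failed logins) is also what a defender would look for in the server logs once a run like the one configured above hits the endpoint. The following is an added example, not part of the original article or of vAPI: a sliding-window detector over constructed log lines in an assumed format, where the `/login` path, the IPs and the usernames are placeholders.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample log in an assumed format (not vAPI's real log output):
# "<ISO timestamp> <client ip> POST /login <status> user=<username>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 POST /login 401 user=alice
2024-05-01T10:00:01 203.0.113.7 POST /login 401 user=bob
2024-05-01T10:00:02 198.51.100.4 POST /login 401 user=dave
2024-05-01T10:00:02 203.0.113.7 POST /login 401 user=carol
2024-05-01T10:00:03 203.0.113.7 POST /login 401 user=dave
2024-05-01T10:00:04 198.51.100.4 POST /login 200 user=dave
2024-05-01T10:00:04 203.0.113.7 POST /login 401 user=erin
2024-05-01T10:01:00 192.0.2.9 POST /login 401 user=alice
2024-05-01T10:01:01 192.0.2.9 POST /login 401 user=alice
2024-05-01T10:01:02 192.0.2.9 POST /login 401 user=alice
2024-05-01T10:01:03 192.0.2.9 POST /login 401 user=alice
2024-05-01T10:01:04 192.0.2.9 POST /login 401 user=alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /login (?P<status>\d{3}) user=(?P<user>\S+)$")

def parse_log(text):
    """Yield (timestamp, ip, status, username) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not match the assumed format are skipped
            yield (datetime.fromisoformat(m["ts"]), m["ip"],
                   int(m["status"]), m["user"])

def detect_login_abuse(text, max_fails=5, window_seconds=60):
    """One alert per source IP that reaches max_fails 401s within window_seconds."""
    recent = defaultdict(deque)  # ip -> (timestamp, username) of failures in window
    alerts = {}
    for ts, ip, status, user in parse_log(text):
        if status == 200:
            recent[ip].clear()  # a successful login resets that source's counter
        if status != 401:
            continue
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= max_fails and ip not in alerts:
            users = {u for _, u in q}
            # many distinct usernames from one source: credential stuffing; one username: brute force
            kind = "credential_stuffing" if len(users) > 1 else "brute_force"
            alerts[ip] = {"kind": kind, "failures": len(q), "distinct_users": len(users)}
    return alerts
```

The same counter, kept server-side, is the lockout or rate limit that vAPI's login endpoint lacks.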
