mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 13:44:56 +03:00
mukul975
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
77 lines
2.1 KiB
Markdown
77 lines
2.1 KiB
Markdown
# API Reference: Detecting Broken Object Property Level Authorization
|
|
|
|
## OWASP API3:2023 Classification
|
|
|
|
| Category | Description |
|
|
|----------|-------------|
|
|
| Excessive Data Exposure | API returns more properties than client needs |
|
|
| Mass Assignment | API accepts more properties than intended |
|
|
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies |
|
|
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes |
|
|
|
|
## Python requests Library
|
|
|
|
```python
|
|
import requests
|
|
|
|
# GET - test for excessive exposure
|
|
resp = requests.get(url, headers={"Authorization": f"Bearer {token}"}, timeout=10)
|
|
resp.status_code # 200, 401, 403
|
|
resp.json() # parsed response body
|
|
|
|
# PUT - test for mass assignment
|
|
resp = requests.put(url, json={"role": "admin"}, headers=headers, timeout=10)
|
|
|
|
# PATCH - test for partial mass assignment
|
|
resp = requests.patch(url, json={"is_admin": True}, headers=headers, timeout=10)
|
|
```
|
|
|
|
## Sensitive Field Patterns
|
|
|
|
| Severity | Fields |
|
|
|----------|--------|
|
|
| Critical | password, password_hash, secret, token, api_key, private_key |
|
|
| High | ssn, credit_card, card_number, cvv, bank_account |
|
|
| Medium | salary, role, permissions, is_admin, session_id |
|
|
| Low | phone, address, date_of_birth, gender |
|
|
|
|
## Mass Assignment Test Payloads
|
|
|
|
```json
|
|
{"role": "admin"}
|
|
{"is_admin": true}
|
|
{"is_verified": true}
|
|
{"account_type": "premium"}
|
|
{"discount_rate": 100}
|
|
{"permissions": ["admin", "write", "delete"]}
|
|
```
|
|
|
|
## Burp Suite Extensions
|
|
|
|
```
|
|
# Autorize - test authorization across roles
|
|
# Param Miner - discover hidden parameters
|
|
# JSON Beautifier - inspect response properties
|
|
```
|
|
|
|
## CLI Usage
|
|
|
|
```bash
|
|
python agent.py --base-url https://api.example.com \
|
|
--endpoint /api/v1/users/123 \
|
|
--token "eyJhbGciOiJIUzI1NiJ9..." \
|
|
--expected-fields id username name email \
|
|
--test both --method PUT
|
|
```
|
|
|
|
## Mitigation Patterns
|
|
|
|
```python
|
|
# Allowlist serialization (Django REST Framework)
|
|
class UserSerializer(serializers.ModelSerializer):
|
|
class Meta:
|
|
model = User
|
|
fields = ['id', 'username', 'name'] # explicit allowlist
|
|
read_only_fields = ['id', 'role', 'is_admin']
|
|
```
|