# Hacking Damn Vulnerable Restaurant

*API security assessment of a deliberately vulnerable restaurant API — from BOLA to root privilege escalation.*
## Executive Summary

- **Vulnerability chain:** BOLA on orders → JWT secret crack → profile BOLA → username enumeration → Chef JWT forgery → command injection → sudo find privesc
- **Impact:** Full account takeover, unauthorized data access, remote code execution, and root-level system compromise.
- **Methodology:** Manual API testing via the Swagger docs, Burp Suite proxying, JWT analysis, fuzzing, and privilege escalation enumeration.
## Key Findings

| ID | Finding | Severity | Type |
|---|---|---|---|
| API1 | Broken Object Level Authorization on /orders | High | BOLA |
| API2 | Weak JWT signing secret (6-digit numeric) | Critical | Authentication |
| API3 | Profile update without ownership check | High | BOLA |
| API4 | Command injection in /admin/stats/disk | Critical | Injection |
## Step 1: Registering Users and Getting a Token

[Placeholder] Register users via POST /register and obtain a JWT via POST /token.

```bash
git clone https://github.com/theowni/Damn-Vulnerable-RESTaurant-API-Game.git
cd Damn-Vulnerable-RESTaurant-API-Game
./start_app.sh
```
## Step 2: Exploiting BOLA on the Orders Endpoint

[Placeholder] GET /orders with an incrementing `skip` parameter reveals other users' order data — broken object level authorization.
## Step 3: Breaking the JWT

[Placeholder] Weak HS256 signing secret cracked with hashcat. Secret recovered: a six-digit numeric value.
## Step 4: Profile BOLA

[Placeholder] PUT /profile allows updating any user's profile by changing the `username` field in the request body.
## Step 5: Username Enumeration

[Placeholder] ffuf against PUT /profile reveals valid usernames, including "chef".
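Steps 2, 4 and 5 are the same root cause seen three times: the handler never ties the object it touches to the identity in the verified token. The following is an added example (my own code, not the project's handlers) showing the vulnerable pattern next to the fix for both endpoints in plain Python, with constructed sample orders and users and no web framework. Note that ignoring the body's `username` in the profile update removes the cross-account write and, as a side effect, the enumeration oracle from Step 5, because there is no longer a lookup of an attacker-chosen name whose outcome differs between known and unknown users.

```python
from dataclasses import dataclass


@dataclass
class Order:
    order_id: int
    owner: str
    items: list


@dataclass
class User:
    username: str
    role: str
    address: str = ""


# Constructed sample data; nothing here comes from the target application.
ORDERS = [
    Order(1, "alice", ["burger"]),
    Order(2, "bob", ["salad"]),
    Order(3, "alice", ["fries"]),
    Order(4, "chef", ["stock"]),
]
USERS = {
    "alice": User("alice", "customer", "1 Main St"),
    "bob": User("bob", "customer", "2 Side St"),
    "chef": User("chef", "chef", "kitchen"),
}


def list_orders_vulnerable(current_user: str, skip: int = 0, limit: int = 10) -> list:
    """Step 2 pattern: paginates the global order table, so stepping `skip`
    walks every customer's orders no matter who is authenticated
    (current_user is accepted but never used: that is the bug)."""
    return ORDERS[skip:skip + limit]


def list_orders_fixed(current_user: str, skip: int = 0, limit: int = 10) -> list:
    """Ownership filter applied before pagination: `skip` can only move
    within the caller's own rows."""
    mine = [o for o in ORDERS if o.owner == current_user]
    return mine[skip:skip + limit]


def update_profile_vulnerable(current_user: str, body: dict) -> str:
    """Step 4/5 pattern: trusts `username` from the request body.
    Any caller can edit any profile, and the different outcome for known
    versus unknown usernames doubles as an enumeration oracle."""
    target = body["username"]
    if target not in USERS:
        raise KeyError("no such user")   # distinguishable from the success path
    USERS[target].address = body["address"]
    return target


def update_profile_fixed(current_user: str, body: dict) -> str:
    """The target identity comes from the verified token (current_user).
    A `username` field in the body is ignored, so there is neither a
    cross-account write nor a lookup of an attacker-chosen name."""
    USERS[current_user].address = body["address"]
    return current_user
```

In a real FastAPI handler `current_user` would be the value returned by the token dependency, never a request field; the fix is the same either way.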
## Step 6: Chef Account Takeover

[Placeholder] A JWT forged with `sub=chef` using the recovered secret grants the admin-level Chef role.
## Step 7: Command Injection

[Placeholder] The `parameters` query string of GET /admin/stats/disk is passed to a shell unsanitized, giving remote code execution.
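The fix for Step 7 is not escaping: it is never letting user input reach a shell at all. Added example (my code, not the project's endpoint) with a constructed allowlist of `df` flags: the vulnerable variant builds a command string, the fixed variant builds an argv list, rejects any token that is not a known flag, and runs it with `shell=False`, so a token like `-h;` or `$(...)` is refused before anything executes.

```python
import shlex
import subprocess

# Constructed allowlist of df flags the endpoint is willing to pass through.
ALLOWED_DF_FLAGS = {"-h", "-k", "-m", "-i", "--total"}


def disk_stats_command_vulnerable(parameters: str) -> str:
    """Step 7 pattern: the query parameter is spliced into a command line
    that is then handed to a shell (shell=True), so shell metacharacters
    in `parameters` are honoured."""
    return f"df {parameters}"


def disk_stats_argv_fixed(parameters: str) -> list:
    """Build an argv list instead of a command string: no shell is involved,
    and every token must be a known flag. Anything else is rejected outright,
    including tokens that merely carry a metacharacter ('-h;' or '$(...)')."""
    argv = ["df"]
    for token in shlex.split(parameters):
        if token not in ALLOWED_DF_FLAGS:
            raise ValueError(f"disallowed df parameter: {token!r}")
        argv.append(token)
    return argv


def run_disk_stats(parameters: str) -> str:
    """Execute the validated argv; a list argument means shell=False."""
    argv = disk_stats_argv_fixed(parameters)
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout
```

On the detection side, a `df` process whose parent is the API worker and whose siblings are `sh -c` invocations is the signal to alert on; with the fixed handler there is no `sh` in the process tree at all.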
## Step 8: Privilege Escalation to Root

[Placeholder] sudo find privilege escalation via the GTFOBins technique.
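The Step 8 finding is a configuration defect, so the defender's check is a sudoers audit: any non-root grant of `ALL`, or of a binary that can spawn a shell when run under sudo, is a root-equivalent grant. Added example (mine, not from the project or the target host) with a constructed sudoers snippet and a deliberately short list of shell-escape binaries; the parser is simplified (no aliases or line continuations) and GTFOBins remains the full reference for which binaries belong on that list.

```python
import os
import re

# Constructed, deliberately short list of binaries that can spawn a shell when
# run via sudo; Step 8 relies on find. GTFOBins is the complete reference.
SHELL_ESCAPE_BINARIES = {"find", "vim", "less", "awk", "python3", "perl", "bash", "sh"}

# Constructed sample; not the target host's sudoers.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
chef    ALL=(root) NOPASSWD: /usr/bin/find
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart restaurant-api
"""

# user  host=(runas)  [TAG: ...]  cmd, cmd ...   (simplified: no aliases, no continuations)
_RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)=\s*(?:\([^)]*\))?\s*(?P<cmds>.*)$")
_TAGS = re.compile(r"^(?:[A-Z]+:\s*)+")  # NOPASSWD:, SETENV:, ...


def audit_sudoers(text: str) -> list:
    """Return (user, command, reason) for grants that let a non-root principal
    reach a root shell: an unrestricted ALL, or a binary with a known shell escape."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        match = _RULE.match(line)
        if not match or match["user"] == "root":
            continue
        for spec in _TAGS.sub("", match["cmds"]).split(","):
            spec = spec.strip()
            if not spec:
                continue
            if spec == "ALL":
                findings.append((match["user"], spec, "unrestricted command grant"))
                continue
            binary = os.path.basename(spec.split()[0])
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append((match["user"], spec,
                                 f"{binary} can spawn a shell under sudo (see GTFOBins)"))
    return findings
```

The `deploy` line in the sample is the shape a service-account grant should take: one specific binary with its arguments fixed, rather than a general-purpose tool like `find`.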