Generic University's IT department are excited to release their new tool so students can see all their grades online! Although still under construction some hacker has used Sublist3r and found it despite it being under construction. Thankfully Generic University have a bug bounty program and *.genericuniversity.ac.uk is in scope, no one seems to have noticed this under construction tool yet so get out there are find those bugs!
This is a Laravel App which I've used for several demos which is vulnerable to a number of vulnerabilities on the OWASP API top 10. This is not a CTF, the bugs are quite clear and not hidden, however I suspect this will be a useful demo!
Find out more about the OWASP API Top 10
- API1:2019 Broken Object Level Authorization
- API2:2019 Broken User Authentication
- API3:2019 Excessive Data Exposure
- API5:2019 Broken Function Level Authorization
- API6:2019 Mass Assignment
- API7:2019 Security Misconfiguration
- Find the emails of the administrator
- Brute force the API to find new endpoints
- Find out what grades everyone got in a class
- Edit someone's grade
- Make an account
- Access the GraphQL API
- Change another account's password
- Login to your account
- Access admin API
- Find out what vulnerabilities the IT admins have ignored
- Make your account an admin
- Access the admin control panel
- Fire a blind XSS in the admin control panel and validate with your new admin account
- Delete everything
- Restore everything
Thanks to busk3r, you can setup Generic University using docker. Simply install Docker and follow the commands from the docker page. Thank you!
You will need to setup PHP, a webserver and a database suitable for laravel, you can use something like XAMPP on windows, or set it up yourself, to these requirements. You can google to find manual setup instructions, @kofler86 has contributed a setup guide for Kali Linux.
- Clone
git clone https://github.com/InsiderPhD/Generic-University/ - run
composer update - Change the
.env - run
php artisan migrate - run
php artisan db:seed