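#!/bin/bash
# API authentication & authorization tests.
#
# Sends unauthenticated, malformed-credential, unsigned-JWT and guessable-ID
# requests to the API under test and records the HTTP status of each one in
# $OUT/api_auth/summary.txt. For every protected endpoint the expected
# answer is 401/403; any 2xx row in the summary is an authorization finding
# to triage.
#
# Requires from ../config.sh: API_TARGET (base URL of the API) and OUT
# (root directory for result files).
#
# Deliberately NOT 'set -e': when the target is unreachable curl exits
# non-zero, and we still want the "[000]" row recorded instead of aborting
# the whole run part-way through.
set -u -o pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=../config.sh
source "$SCRIPT_DIR/../config.sh"

: "${API_TARGET:?API_TARGET must be set by config.sh}"
# Without this guard an unset OUT would silently put results under /api_auth.
: "${OUT:?OUT must be set by config.sh}"
OUT="$OUT/api_auth"
mkdir -p "$OUT"
SUMMARY="$OUT/summary.txt"

#######################################
# Append one line to the summary file and echo it to stdout.
# Globals:   SUMMARY (read)
# Arguments: $* - text to record
#######################################
log() {
  printf '%s\n' "$*" | tee -a "$SUMMARY"
}

#######################################
# Issue one request and print only its HTTP status code.
# Arguments: $1 - file that receives the response body (/dev/null to discard)
#            $@ - remaining arguments passed straight to curl
#                 (method, headers, data, URL)
# Outputs:   three-digit status on stdout; "000" when no response arrived
#######################################
probe() {
  local body_out=$1
  shift
  curl -sk -o "$body_out" -w '%{http_code}' --max-time 10 "$@"
}

# Start a fresh summary for this run.
: > "$SUMMARY"
log '=== API AUTH & AUTHZ TESTS ==='

# --- No credentials at all: each endpoint should refuse the request ---
log '--- No API Key ---'
for ep in '/encrypt' '/decrypt' '/generate-keys' '/health' '/metrics' '/admin' '/keys' '/users' '/config'; do
  # "/encrypt" -> "no_auth__encrypt.txt"; parameter expansion replaces the
  # former unquoted `echo $ep | tr` pipeline.
  body="$OUT/no_auth_${ep//\//_}.txt"
  resp=$(probe "$body" -X POST -H 'Content-Type: application/json' -d '{}' "$API_TARGET$ep")
  log "[$resp] POST $ep (no auth)"
done

# --- Syntactically broken or oversized credentials ---
log ''
log '--- Malformed Auth Tokens ---'
# 1000-character bearer value built with printf; no python3 needed on the
# test host. {1..1000} is a literal brace range.
long_token="Bearer $(printf 'A%.0s' {1..1000})"
BAD_TOKENS=(
  'invalid'
  'null'
  'undefined'
  '{}'
  'Bearer '
  'Bearer null'
  "$long_token"
  'Bearer ../../../etc/passwd'
)
for tok in "${BAD_TOKENS[@]}"; do
  resp=$(probe /dev/null -X POST -H "Authorization: $tok" -H 'Content-Type: application/json' -d '{}' "$API_TARGET/encrypt")
  log "[$resp] Auth: $tok"
done

# --- Unsigned JWT: header {"alg":"none"}, claims sub/role=admin, empty signature ---
# A correctly configured verifier must reject "none" regardless of claims;
# a 2xx here means signature verification is effectively disabled.
log ''
log '--- JWT Algorithm Confusion ---'
NONE_JWT='eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiJ9.'
resp=$(probe /dev/null -X POST -H "Authorization: Bearer $NONE_JWT" -H 'Content-Type: application/json' -d '{}' "$API_TARGET/encrypt")
log "[$resp] JWT alg:none"

# --- Direct object references without a credential ---
# Every one of these must be refused; a 200 means key material is
# addressable by a guessable identifier.
log ''
log '--- IDOR Key Enumeration ---'
for id in '1' '2' '100' '1000' '00000000-0000-0000-0000-000000000001' 'admin'; do
  resp=$(probe /dev/null "$API_TARGET/keys/$id")
  log "[$resp] GET /keys/$id"
done

cat "$SUMMARY"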