From 373bbd0af0b3a1fd1ebd64de7e9b260105119257 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 1 Oct 2025 12:59:24 +0000 Subject: [PATCH 1/2] Add content from: How An Authorization Flaw Reveals A Common Security Blind Sp... --- .../pentesting-web/web-api-pentesting.md | 62 ++++++++++++++++++- src/welcome/hacktricks-values-and-faq.md | 3 +- 2 files changed, 60 insertions(+), 5 deletions(-) diff --git a/src/network-services-pentesting/pentesting-web/web-api-pentesting.md b/src/network-services-pentesting/pentesting-web/web-api-pentesting.md index 7f613e8392b..0ff6690ff0e 100644 --- a/src/network-services-pentesting/pentesting-web/web-api-pentesting.md +++ b/src/network-services-pentesting/pentesting-web/web-api-pentesting.md 
@@ -28,6 +28,64 @@ Pentesting APIs involves a structured approach to uncovering vulnerabilities. Th - **Advanced Parameter Techniques**: Test with unexpected data types in JSON payloads or play with XML data for XXE injections. Also, try parameter pollution and wildcard characters for broader testing. - **Version Testing**: Older API versions might be more susceptible to attacks. Always check for and test against multiple API versions. +### Authorization & Business Logic (AuthN != AuthZ) — tRPC/Zod protectedProcedure pitfalls + +Modern TypeScript stacks commonly use tRPC with Zod for input validation. In tRPC, `protectedProcedure` typically ensures the request has a valid session (authentication) but does not imply the caller has the right role/permissions (authorization). This mismatch leads to Broken Function Level Authorization/BOLA if sensitive procedures are only gated by `protectedProcedure`. + +- Threat model: Any low-privileged authenticated user can call admin-grade procedures if role checks are missing (e.g., background migrations, feature flags, tenant-wide maintenance, job control). +- Black-box signal: `POST /api/trpc/.` endpoints that succeed for basic accounts when they should be admin-only. Self-serve signups drastically increase exploitability. +- Typical tRPC route shape (v10+): JSON body wrapped under `{"input": {...}}`. + +Example vulnerable pattern (no role/permission gate): + +```ts +// The endpoint for retrying a migration job +// This checks for a valid session (authentication) +retry: protectedProcedure + // but not for an admin role (authorization). + .input(z.object({ name: z.string() })) + .mutation(async ({ input, ctx }) => { + // Logic to restart a sensitive migration + }), +``` + +Practical exploitation (black-box) + +1) Register a normal account and obtain an authenticated session (cookies/headers). +2) Enumerate background jobs or other sensitive resources via “list”/“all”/“status” procedures. 
+ +```bash +curl -s -X POST 'https:///api/trpc/backgroundMigrations.all' \ + -H 'Content-Type: application/json' \ + -b '' \ + --data '{"input":{}}' +``` + +3) Invoke privileged actions such as restarting a job: + +```bash +curl -s -X POST 'https:///api/trpc/backgroundMigrations.retry' \ + -H 'Content-Type: application/json' \ + -b '' \ + --data '{"input":{"name":""}}' +``` + +Impact to assess + +- Data corruption via non-idempotent restarts: Forcing concurrent runs of migrations/workers can create race conditions and inconsistent partial states (silent data loss, broken analytics). +- DoS via worker/DB starvation: Repeatedly triggering heavy jobs can exhaust worker pools and database connections, causing tenant-wide outages. + +Detection heuristics + +- Look for sensitive semantics in procedure names: `*migrations*`, `*admin*`, `*status*`, `*retry*`, `*featureFlags*`, `*tenants*`, `*jobs*`. +- Compare responses across roles: If a basic user can successfully call state-changing admin endpoints, you likely have BFLA/BOLA. +- Check for missing server-side RBAC/ABAC in middleware. Input validation with Zod is orthogonal to authorization. + +Notes for remediation (for dev teams you report to) + +- Introduce an explicit `adminProcedure` or equivalent middleware that enforces role/permission checks on all sensitive routers (`list`/`all`, `status`, `retry`, etc.). +- Add rate limiting and idempotency/locking around maintenance endpoints to limit blast radius. + ### **Tools and Resources for API Pentesting** - [**kiterunner**](https://github.com/assetnote/kiterunner): Excellent for discovering API endpoints. Use it to scan and brute force paths and parameters against target APIs. 
@@ -53,8 +111,6 @@ kr brute https://domain.com/api/ -w /tmp/lang-english.txt -x 20 -d=0 ## References - [https://github.com/Cyber-Guy1/API-SecurityEmpire](https://github.com/Cyber-Guy1/API-SecurityEmpire) +- [How An Authorization Flaw Reveals A Common Security Blind Spot: CVE-2025-59305 Case Study](https://www.depthfirst.com/post/how-an-authorization-flaw-reveals-a-common-security-blind-spot-cve-2025-59305-case-study) {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/welcome/hacktricks-values-and-faq.md b/src/welcome/hacktricks-values-and-faq.md index a5b53905c5d..dd6a54063af 100644 --- a/src/welcome/hacktricks-values-and-faq.md +++ b/src/welcome/hacktricks-values-and-faq.md @@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con > [!TIP] > -> - **How can I cite a page of HackTricks?** +> - **How can I a page of HackTricks?** As long as the link **of** the page(s) where you took the information from appears it's enough.\ If you need a bibtex you can use something like: @@ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the {{#include ../banners/hacktricks-training.md}} - From 2220ccfef231eccd83133fe641f4b404412467b0 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Sat, 4 Oct 2025 11:08:00 +0200 Subject: [PATCH 2/2] Update web-api-pentesting.md --- .../pentesting-web/web-api-pentesting.md | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/src/network-services-pentesting/pentesting-web/web-api-pentesting.md b/src/network-services-pentesting/pentesting-web/web-api-pentesting.md index 0ff6690ff0e..00497a50ff2 100644 --- a/src/network-services-pentesting/pentesting-web/web-api-pentesting.md +++ b/src/network-services-pentesting/pentesting-web/web-api-pentesting.md 
@@ -75,17 +75,6 @@ Impact to assess - Data corruption via non-idempotent restarts: Forcing concurrent runs of migrations/workers can create race conditions and inconsistent partial states (silent data loss, broken analytics). - DoS via worker/DB starvation: Repeatedly triggering heavy jobs can exhaust worker pools and database connections, causing tenant-wide outages. -Detection heuristics - -- Look for sensitive semantics in procedure names: `*migrations*`, `*admin*`, `*status*`, `*retry*`, `*featureFlags*`, `*tenants*`, `*jobs*`. -- Compare responses across roles: If a basic user can successfully call state-changing admin endpoints, you likely have BFLA/BOLA. -- Check for missing server-side RBAC/ABAC in middleware. Input validation with Zod is orthogonal to authorization. - -Notes for remediation (for dev teams you report to) - -- Introduce an explicit `adminProcedure` or equivalent middleware that enforces role/permission checks on all sensitive routers (`list`/`all`, `status`, `retry`, etc.). -- Add rate limiting and idempotency/locking around maintenance endpoints to limit blast radius. - ### **Tools and Resources for API Pentesting** - [**kiterunner**](https://github.com/assetnote/kiterunner): Excellent for discovering API endpoints. Use it to scan and brute force paths and parameters against target APIs.
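Review bot: in the first hunk of web-api-pentesting.md (@@ -28,6 +28,64 @@) the placeholders have been lost, so the examples cannot be followed as written: the black-box signal reads `POST /api/trpc/.` with no procedure name, both curl targets are `https:///api/trpc/...` with an empty host, the cookie jar is `-b ''`, and the retry payload is `{"input":{"name":""}}`. Suggest visible placeholders such as `https://<target>/api/trpc/backgroundMigrations.retry`, `-b '<session-cookie>'` and `{"input":{"name":"<job-name>"}}` so the reader knows what to substitute. In the same hunk the `Typical tRPC route shape (v10+): JSON body wrapped under {"input": {...}}` bullet should say which client or adapter produces that wrapper, since the body shape tRPC accepts depends on batching and the configured transformer; please verify it against the referenced write-up. Minor: the two comments in the vulnerable snippet are split around `retry: protectedProcedure`, so `// but not for an admin role (authorization).` reads as a comment on `.input(...)`; placing both comments above `retry:` keeps the point clear.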
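Review bot: in the references hunk of web-api-pentesting.md (@@ -53,8 +111,6 @@) the added link is fine, but the three blank lines deleted after `{{#include ../../banners/hacktricks-training.md}}` are whitespace churn unrelated to the subject of the commit; the same applies to the trailing-newline deletion at the end of hacktricks-values-and-faq.md (@@ -144,4 +144,3 @@). Keeping whitespace cleanup in its own commit makes the content change easier to review.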
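Review bot: the hunk in src/welcome/hacktricks-values-and-faq.md (@@ -48,7 +48,7 @@) is a regression, not a fix: it changes `> - **How can I cite a page of HackTricks?**` to `> - **How can I a page of HackTricks?**`, dropping the verb "cite" and leaving the question ungrammatical. It is also unrelated to the commit subject (adding the CVE-2025-59305 authorization content). Drop this hunk from the patch.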
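Review bot: the second patch's hunk (@@ -75,17 +75,6 @@) removes the "Detection heuristics" and "Notes for remediation" lists while leaving the black-box exploitation steps and the impact section in place, and the commit message "Update web-api-pentesting.md" gives no reason. Those were the only lines telling the reader how to recognise the issue during review (sensitive procedure names, comparing responses across roles, missing server-side RBAC/ABAC in middleware, Zod validation being orthogonal to authorization) and how to fix it (an explicit `adminProcedure` or equivalent middleware on all sensitive routers, plus rate limiting and idempotency/locking around maintenance endpoints). If the intent was to trim length, keep at least the two remediation bullets next to the vulnerable pattern, or state in the commit message why they were removed.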