⚗️Lab: Exploiting an API endpoint using documentation

To solve the lab, find the exposed API documentation and delete carlos. You can log in to your own account using the following credentials: wiener:peter.

Required knowledge

To solve this lab, you'll need to know:

  • What API documentation is.

  • How API documentation may be useful to an attacker.

  • How to discover API documentation.

These points are covered in our API Testing Academy topic.

STEP ONE:

  • Login using username as wiener and password as peter

  • Update wiener's email address and send the request to burp repeater

  • In the repeater change the PATCH method to DELETE and change the path /api/user/wiener to /api/user/carlos

  • Send the request and as you can see in the below image the user carlos has been deleted.

STEPS TWO:

  • Login using username as wiener and password as peter

  • Update the email address

  • In Proxy > HTTP history, right-click the PATCH /api/user/wiener request and select Send to Repeater.

  • Go to the Repeater tab. Send the PATCH /api/user/wiener request. Notice that this retrieves credentials for the user wiener.

  • Remove /wiener from the path of the request, so the endpoint is now /api/user, then send the request. Notice that this returns an error because there is no user identifier.

  • Remove /user from the path of the request, so the endpoint is now /api, then send the request. Notice that this retrieves API documentation.

  • Right-click the response and select Show response in browser. Copy the URL.

  • Paste the URL into Burp's browser to access the documentation. Notice that the documentation is interactive.

  • To delete Carlos and solve the lab, click on the DELETE row, enter carlos, then click Send request.

PreviousAPI DocumentationNextIdentifying and Interacting with API Endpoint

Last updated