⚗️Lab: Finding and exploiting an unused API endpoint
To solve the lab, exploit a hidden API endpoint to buy a Lightweight l33t Leather Jacket. You can log in to your own account using the following credentials: wiener:peter.
Required knowledge
To solve this lab, you'll need to know:
How to use error messages to construct a valid request.
How HTTP methods are used by RESTful APIs.
How changing the HTTP method can reveal additional functionality.
These points are covered in our API Testing Academy topic.
Solutions
METHOD ONE
Open Burp Suite.
Visit the target URL.
Log in with the username wiener and the password peter.
View the specified product.
Send the /api/products/1/price request to Repeater.
Change the GET method to PATCH.
Add a Content-Type header with the value application/json.
Add the JSON object {"price":0} as the request body.
Send the request.
Add the product to the cart.
Place the order.
METHOD TWO
In Burp's browser, access the lab and click on a product.
In Proxy > HTTP history, notice the API request for the product. For example, /api/products/3/price. Right-click the API request and select Send to Repeater.
In the Repeater tab, change the HTTP method for the API request from GET to OPTIONS, then send the request. Notice that the response specifies that the GET and PATCH methods are allowed.
Change the method for the API request from GET to PATCH, then send the request. Notice that you receive an Unauthorized message. This may indicate that you need to be authenticated to update the order.
In Burp's browser, log in to the application using the credentials wiener:peter.
Click on the Lightweight "l33t" Leather Jacket product.
In Proxy > HTTP history, right-click the /api/products/1/price request for the leather jacket and select Send to Repeater.
In the Repeater tab, change the method for the API request from GET to PATCH, then send the request. Notice that this causes an error due to an incorrect Content-Type. The error message specifies that the Content-Type should be application/json.
Add a Content-Type header and set the value to application/json.
Add an empty JSON object {} as the request body, then send the request. Notice that this causes an error due to the request body missing a price parameter.
Add a price parameter with a value of 0 to the JSON object: {"price":0}. Send the request.
In Burp's browser, reload the leather jacket product page. Notice that the price of the leather jacket is now $0.00.
Add the leather jacket to your basket.
Go to your basket and click Place order to solve the lab.
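The walkthrough above shows the server behaviour from the client side: OPTIONS advertises PATCH, an unauthenticated PATCH gets Unauthorized, and once any logged-in customer supplies the right Content-Type and a price field the price is overwritten. The root cause is that the endpoint checks authentication but not authorization or the value itself. The following added example (written for this page, not the lab's or PortSwigger's own code) models that endpoint in plain Python as a vulnerable handler next to a hardened one. The Request/Response classes, the role attribute on the session, the product catalogue and the exact error strings are all constructed assumptions; only the path shape and the sequence of errors follow the walkthrough.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def fresh_products() -> Dict[int, dict]:
    # Constructed sample catalogue (not the lab's real data): product 1 is the jacket.
    return {1: {"name": "Lightweight l33t Leather Jacket", "price": 1337.00}}


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""
    user: Optional[str] = None  # authenticated username, None if anonymous
    role: str = "customer"      # hypothetical role claim taken from the server-side session


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def product_id_from_path(path: str) -> Optional[int]:
    """Map /api/products/<id>/price to <id>; any other path is not this endpoint."""
    parts = path.strip("/").split("/")
    if len(parts) == 4 and parts[:2] == ["api", "products"] and parts[3] == "price" and parts[2].isdigit():
        return int(parts[2])
    return None


def _patch_body_or_error(req: Request) -> Tuple[Optional[dict], Optional[Response]]:
    """Body checks shared by both handlers; they produce the errors seen in the walkthrough."""
    if req.headers.get("Content-Type") != "application/json":
        return None, Response(400, "Content-Type should be application/json")
    try:
        data = json.loads(req.body or "")
    except json.JSONDecodeError:
        return None, Response(400, "Malformed JSON body")
    if not isinstance(data, dict) or "price" not in data:
        return None, Response(400, "Missing 'price' parameter")
    return data, None


def price_endpoint_vulnerable(req: Request, products: Dict[int, dict]) -> Response:
    """Behaves like the lab: any authenticated user may PATCH any price to any value."""
    pid = product_id_from_path(req.path)
    if pid is None or pid not in products:
        return Response(404, "Not Found")
    if req.method == "OPTIONS":
        return Response(204, "", {"Allow": "GET, PATCH"})
    if req.method == "GET":
        return Response(200, json.dumps({"price": products[pid]["price"]}))
    if req.method == "PATCH":
        if req.user is None:
            return Response(401, "Unauthorized")
        data, err = _patch_body_or_error(req)
        if err:
            return err
        # Flaw: authentication is checked, authorization and the value range are not.
        products[pid]["price"] = data["price"]
        return Response(200, json.dumps({"price": products[pid]["price"]}))
    return Response(405, "Method Not Allowed", {"Allow": "GET, PATCH"})


def price_endpoint_hardened(req: Request, products: Dict[int, dict]) -> Response:
    """Same endpoint with a role check and value validation; OPTIONS only advertises what the caller may use."""
    pid = product_id_from_path(req.path)
    if pid is None or pid not in products:
        return Response(404, "Not Found")
    is_admin = req.user is not None and req.role == "admin"
    allowed = "GET, PATCH" if is_admin else "GET"
    if req.method == "OPTIONS":
        return Response(204, "", {"Allow": allowed})
    if req.method == "GET":
        return Response(200, json.dumps({"price": products[pid]["price"]}))
    if req.method == "PATCH":
        if req.user is None:
            return Response(401, "Unauthorized")
        if not is_admin:
            return Response(403, "Forbidden")  # a customer session is authenticated but not authorized
        data, err = _patch_body_or_error(req)
        if err:
            return err
        price = data["price"]
        # Reject booleans (a bool is an int in Python), non-numbers and non-positive prices.
        if isinstance(price, bool) or not isinstance(price, (int, float)) or price <= 0:
            return Response(400, "price must be a positive number")
        products[pid]["price"] = round(float(price), 2)
        return Response(200, json.dumps({"price": products[pid]["price"]}))
    return Response(405, "Method Not Allowed", {"Allow": allowed})


if __name__ == "__main__":
    wiener = Request("PATCH", "/api/products/1/price", {"Content-Type": "application/json"}, '{"price":0}', "wiener")
    print(price_endpoint_vulnerable(wiener, fresh_products()))  # 200: price set to 0
    print(price_endpoint_hardened(wiener, fresh_products()))    # 403: customer may not change prices
```

The point of the pairing is that "unused" or undocumented is not an access-control state: the hardened handler is still reachable, still answers OPTIONS, and still returns the same helpful validation errors, but a customer session cannot change the price and an administrator cannot set it to zero.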