⚗️Lab: Finding and exploiting an unused API endpoint

LogoLogin

To solve the lab, exploit a hidden API endpoint to buy a Lightweight l33t Leather Jacket. You can log in to your own account using the following credentials: wiener:peter.

Required knowledge

To solve this lab, you'll need to know:

  • How to use error messages to construct a valid request.

  • How HTTP methods are used by RESTful APIs.

  • How changing the HTTP method can reveal additional functionality.

These points are covered in our API Testing Academy topic.

Solutions

METHOD ONE:

  • Open Burp Suite

  • Visit the target URL

  • Login username as wiener and password as peter

  • View the specified product

  • Send the API/products/1/price request to repeater

  • Change the GET method to PATCH

  • Add a Content-Type header as application/json

  • Add a json object{"price":0}

  • Send the request

  • Add the product to the cart

  • Place order

METHOD TWO

  1. In Burp's browser, access the lab and click on a product.

  2. In Proxy > HTTP history, notice the API request for the product. For example, /api/products/3/price.

  3. Right-click the API request and select Send to Repeater.

  4. In the Repeater tab, change the HTTP method for the API request from GET to OPTIONS, then send the request. Notice that the response specifies that the GET and PATCH methods are allowed.

  5. Change the method for the API request from GET to PATCH, then send the request. Notice that you receive an Unauthorized message. This may indicate that you need to be authenticated to update the order.

  6. In Burp's browser, log in to the application using the credentials wiener:peter.

  7. Click on the Lightweight "l33t" Leather Jacket product.

  8. In Proxy > HTTP history, right-click the API/products/1/price request for the leather jacket and select Send to Repeater.

  9. In the Repeater tab, change the method for the API request from GET to PATCH, then send the request. Notice that this causes an error due to an incorrect Content-Type. The error message specifies that the Content-Type should be application/json.

  10. Add a Content-Type header and set the value to application/json.

  11. Add an empty JSON object {} as the request body, then send the request. Notice that this causes an error due to the request body missing a price parameter.

  12. Add a price parameter with a value of 0 to the JSON object {"price":0}. Send the request.

  13. In Burp's browser, reload the leather jacket product page. Notice that the price of the leather jacket is now $0.00.

  14. Add the leather jacket to your basket.

  15. Go to your basket and click Place order to solve the lab.

PreviousIdentifying and Interacting with API EndpointNextFinding Hidden Parameters

Last updated

Was this helpful?