⚗️ Lab: Finding and exploiting an unused API endpoint
Last updated
To solve the lab, exploit a hidden API endpoint to buy a Lightweight "l33t" Leather Jacket. You can log in to your own account using the following credentials: wiener:peter.
Required knowledge
To solve this lab, you'll need to know:
How to use error messages to construct a valid request.
How HTTP methods are used by RESTful APIs.
How changing the HTTP method can reveal additional functionality.
These points are covered in our API Testing Academy topic.
1. Open Burp Suite.
2. Visit the target URL.
3. Log in with the username wiener and the password peter.
4. View the specified product.
5. Send the /api/products/1/price request to Repeater.
6. Change the GET method to PATCH.
7. Add a Content-Type header with the value application/json.
8. Add the JSON object {"price":0} as the request body.
9. Send the request.
10. Add the product to the cart.
11. Place the order.
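The request sequence in the steps above (an OPTIONS probe on the price endpoint, then PATCH attempts until one succeeds) leaves a recognisable trace in server-side logs. The following Python snippet is an added example, not part of the lab or of PortSwigger's material: it parses constructed access-log lines (the simplified `client user method path status` format and the `ADMIN_USERS` set are assumptions for the example) and flags method enumeration and non-read requests to `/api/products/<id>/price` from accounts that are not allowed to change prices.

```python
import re
from collections import defaultdict

# Constructed sample log lines for the example (not taken from the lab).
# Simplified format: "<client> <user-or-dash> <method> <path> <status>"
SAMPLE_LOG = """\
10.0.0.5 - GET /api/products/3/price 200
10.0.0.5 - OPTIONS /api/products/3/price 200
10.0.0.5 - PATCH /api/products/3/price 401
10.0.0.5 wiener GET /api/products/1/price 200
10.0.0.5 wiener PATCH /api/products/1/price 400
10.0.0.5 wiener PATCH /api/products/1/price 400
10.0.0.5 wiener PATCH /api/products/1/price 200
10.0.0.9 carlos GET /api/products/2/price 200
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
PRICE_PATH_RE = re.compile(r"^/api/products/\d+/price$")
# A storefront client only ever needs to read a price; these methods are writes.
NON_READ_METHODS = {"PATCH", "PUT", "POST", "DELETE"}
# Assumed for the example: the only accounts permitted to change prices.
ADMIN_USERS = {"administrator"}


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events


def find_price_tampering(text):
    """Return findings for each client that probes or writes to a price endpoint.

    Kinds reported:
      method_enumeration          - client sent OPTIONS to a price endpoint
      unauthorized_write_attempt  - non-admin write that the server rejected (>= 400)
      unauthorized_write_succeeded- non-admin write that the server accepted (< 400)
    """
    findings = []
    by_client = defaultdict(list)
    for ev in parse_log(text):
        if PRICE_PATH_RE.match(ev["path"]):
            by_client[ev["client"]].append(ev)

    for client, evs in by_client.items():
        if any(e["method"] == "OPTIONS" for e in evs):
            findings.append({"client": client, "kind": "method_enumeration"})
        for e in evs:
            if e["method"] in NON_READ_METHODS and e["user"] not in ADMIN_USERS:
                kind = ("unauthorized_write_succeeded" if e["status"] < 400
                        else "unauthorized_write_attempt")
                findings.append({"client": client, "kind": kind, "user": e["user"],
                                 "path": e["path"], "status": e["status"]})
    return findings


if __name__ == "__main__":
    for f in find_price_tampering(SAMPLE_LOG):
        print(f)
```

The `unauthorized_write_succeeded` finding is the one that matters most: a rejected PATCH shows someone probing, but an accepted PATCH from a customer account means the endpoint is missing an authorization check, which is exactly the flaw this lab demonstrates.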
1. In Burp's browser, access the lab and click on a product.
2. In Proxy > HTTP history, notice the API request for the product. For example, /api/products/3/price.
3. Right-click the API request and select Send to Repeater.
4. In the Repeater tab, change the HTTP method for the API request from GET to OPTIONS, then send the request. Notice that the response specifies that the GET and PATCH methods are allowed.
5. Change the method for the API request from GET to PATCH, then send the request. Notice that you receive an Unauthorized message. This may indicate that you need to be authenticated to update the order.
6. In Burp's browser, log in to the application using the credentials wiener:peter.
7. Click on the Lightweight "l33t" Leather Jacket product.
8. In Proxy > HTTP history, right-click the /api/products/1/price request for the leather jacket and select Send to Repeater.
9. In the Repeater tab, change the method for the API request from GET to PATCH, then send the request. Notice that this causes an error due to an incorrect Content-Type. The error message specifies that the Content-Type should be application/json.
10. Add a Content-Type header and set the value to application/json.
11. Add an empty JSON object {} as the request body, then send the request. Notice that this causes an error due to the request body missing a price parameter.
12. Add a price parameter with a value of 0 to the JSON object: {"price":0}. Send the request.
13. In Burp's browser, reload the leather jacket product page. Notice that the price of the leather jacket is now $0.00.
14. Add the leather jacket to your basket.
15. Go to your basket and click Place order to solve the lab.
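The root cause behind the steps above is that the price endpoint checks whether the caller is authenticated but never whether the caller is authorized to change a price, and it accepts any value. The following Python model is an added example, not the lab's backend or PortSwigger's code: it reproduces the observable behaviour from the walkthrough (OPTIONS advertising PATCH, 401 when unauthenticated, the Content-Type and missing-price errors) in `vulnerable_price_endpoint`, and places the hardened form beside it. The in-memory `PRODUCTS` and `USERS` tables, the `admin` account, the `Request` class and the use of integer cents are all assumptions made for the example.

```python
import json

# Constructed in-memory data for the example (assumed, not the lab's real store).
PRODUCTS = {
    1: {"name": 'Lightweight "l33t" Leather Jacket', "price_cents": 133700},
    3: {"name": "Example product", "price_cents": 1999},
}
USERS = {"wiener": {"role": "customer"}, "admin": {"role": "administrator"}}


class Request:
    """Minimal stand-in for an HTTP request; `user` is the authenticated username or None."""
    def __init__(self, method, path, headers=None, body="", user=None):
        self.method = method
        self.path = path
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}
        self.body = body
        self.user = user


def product_id_from_path(path):
    """Return the product id for /api/products/<id>/price, else None."""
    parts = path.strip("/").split("/")
    if len(parts) == 4 and parts[:2] == ["api", "products"] and parts[3] == "price" and parts[2].isdigit():
        return int(parts[2])
    return None


def _parse_json_body(req):
    """Shared body parsing; returns (data, error_response)."""
    if req.headers.get("content-type") != "application/json":
        return None, (400, {"error": "Content-Type must be application/json"})
    try:
        return json.loads(req.body or ""), None
    except json.JSONDecodeError:
        return None, (400, {"error": "malformed JSON"})


def vulnerable_price_endpoint(req):
    """Mirrors the lab's flaw: PATCH is reachable by any authenticated user and the price is not validated."""
    pid = product_id_from_path(req.path)
    if pid is None or pid not in PRODUCTS:
        return 404, {"error": "not found"}
    if req.method == "GET":
        return 200, {"price": PRODUCTS[pid]["price_cents"]}
    if req.method == "OPTIONS":
        return 200, {"allow": "GET, PATCH"}          # advertises the write method to everyone
    if req.method == "PATCH":
        if req.user is None:
            return 401, {"error": "Unauthorized"}     # authentication only, no role check
        data, err = _parse_json_body(req)
        if err:
            return err
        if not isinstance(data, dict) or "price" not in data:
            return 400, {"error": "'price' parameter missing in body"}
        PRODUCTS[pid]["price_cents"] = data["price"]  # accepts 0, negatives, any type
        return 200, {"price": PRODUCTS[pid]["price_cents"]}
    return 405, {"error": "method not allowed"}


def hardened_price_endpoint(req):
    """Hardened form: writes require the administrator role and a positive integer price; OPTIONS only advertises what the caller may use."""
    pid = product_id_from_path(req.path)
    if pid is None or pid not in PRODUCTS:
        return 404, {"error": "not found"}
    role = USERS.get(req.user, {}).get("role") if req.user else None
    is_admin = role == "administrator"
    if req.method == "GET":
        return 200, {"price": PRODUCTS[pid]["price_cents"]}
    if req.method == "OPTIONS":
        return 200, {"allow": "GET, PATCH" if is_admin else "GET"}
    if req.method == "PATCH":
        if req.user is None:
            return 401, {"error": "Unauthorized"}
        if not is_admin:
            return 403, {"error": "Forbidden"}        # authorization check the lab endpoint lacks
        data, err = _parse_json_body(req)
        if err:
            return err
        price = data.get("price") if isinstance(data, dict) else None
        if isinstance(price, bool) or not isinstance(price, int) or price <= 0:
            return 400, {"error": "price must be a positive integer (cents)"}
        PRODUCTS[pid]["price_cents"] = price
        return 200, {"price": price}
    return 405, {"error": "method not allowed"}


if __name__ == "__main__":
    tamper = Request("PATCH", "/api/products/1/price",
                     {"Content-Type": "application/json"}, '{"price":0}', user="wiener")
    print("vulnerable:", vulnerable_price_endpoint(tamper))
    PRODUCTS[1]["price_cents"] = 133700   # restore for the second run
    print("hardened:  ", hardened_price_endpoint(tamper))
```

The two handlers differ in three places, and each corresponds to something the walkthrough observes: the role check (403 instead of a successful update for a customer account), the price validation (a zero price is rejected even for an administrator), and the OPTIONS response, which no longer reveals PATCH to callers who cannot use it.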