24.2 Lab: Finding and exploiting an unused API endpoint | 2024
To solve the lab, exploit a hidden API endpoint to buy a Lightweight l33t Leather Jacket. You can log in to your own account using the following credentials: wiener:peter | Karthikeyan Nagaraj
2 min readMar 9, 2024
Description
To solve the lab, exploit a hidden API endpoint to buy a Lightweight l33t Leather Jacket. You can log in to your own account using the following credentials: wiener:peter.
Required knowledge
To solve this lab, you’ll need to know:
- How to use error messages to construct a valid request.
- How HTTP methods are used by RESTful APIs.
- How changing the HTTP method can reveal additional functionality.
These points are covered in our API Testing Academy topic.
Solution
- Log in to your account with
wiener:peter
- Click on Homepage, turn on the proxy, and click View Details of Lightweight l33t Leather Jacket.
- Send the
GET /api/product/1/price
to the repeater. - Now, change the GET method to
PATCH.
- Add the header
Content-Type: application/json ,
add the JSON body as{“price”:0}
and send the request. - Now refresh the “Lightweight l33t Leather Jacket” page, you’ll notice that the price has been changed to 0$
- Add the product to the cart and place an order.
- The Lab will be solved on successful completion of the “Lightweight l33t Leather Jacket”
A YouTube Channel for Cybersecurity Lab’s Poc and Write-ups
Telegram Channel for Free Ethical Hacking Dumps
Thank you for Reading!
Happy Ethical Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng