24.2 Lab: Finding and exploiting an unused API endpoint | 2024

To solve the lab, exploit a hidden API endpoint to buy a Lightweight l33t Leather Jacket. You can log in to your own account using the following credentials: wiener:peter | Karthikeyan Nagaraj

Description

To solve the lab, exploit a hidden API endpoint to buy a Lightweight l33t Leather Jacket. You can log in to your own account using the following credentials: wiener:peter.

Required knowledge

To solve this lab, you’ll need to know:

• How to use error messages to construct a valid request.
• How HTTP methods are used by RESTful APIs.
• How changing the HTTP method can reveal additional functionality.

These points are covered in our API Testing Academy topic.

Solution

1. Log in to your account with wiener:peter
2. Click on Homepage, turn on the proxy, and click View Details of Lightweight l33t Leather Jacket.
3. Send the GET /api/product/1/price to the repeater.
4. Now, change the GET method to PATCH.
5. Add the header Content-Type: application/json ,add the JSON body as {“price”:0} and send the request.
6. Now refresh the “Lightweight l33t Leather Jacket” page, you’ll notice that the price has been changed to 0$
7. Add the product to the cart and place an order.
8. The Lab will be solved on successful completion of the “Lightweight l33t Leather Jacket”

A YouTube Channel for Cybersecurity Lab’s Poc and Write-ups

Cyberw1ng

Telegram Channel for Free Ethical Hacking Dumps

Ethical Hacking Dumps — CEH, OSCP, Comptia

Thank you for Reading!

Happy Ethical Hacking ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng