.png)
4 months ago
35 BOOK THIS SPACE FOR AD
ARTICLE AD
On my way to learning about API/Endpoints hacking in order sharpen my technical skills on security testing and improve my daily activities as Cybersecurity Engineer , I’m taking Web Security Academy from Portswigger.
In this article, I ‘d like to share with you folks, how I resolved all labs regarding to API Security.
The images I used in this article for each lab contain the description of the activity and are from Web Security Academy, not mine
Exploiting an API endpoint using documentation
I think this is the first step in API Security testing: looking for API’s documentation and reviewing each endpoint with its respective parameters and allowed methods.
If you are interested to reading about discovering API/Endpoint the previous article could be useful:
So we need to fire away!
The quick, easy win was try to visiting /api and we obtained the documentation related to all the available endpoints and the required parameters to call them, as we can see below:
Using burp suite, I intercepted a request and modified it to call the endpoint with the allowed method,which in this case it was DELETE
Finding and exploiting an unused API endpoint
This lab was so fun, When you are learning something, you identify the points and connect each one
As part of the process recon all endpoints, I captured all traffic for each clic that I made on the web application, and then I search any for api/endpoint in burp suite.
A crucial step for me is to confirm which HTTP methods are allowed, I used the Options method to obtain all allowed methods from the server.
For this lab, I discovered that PATCH was as available method. Therefore the main goal for this lab was to buy this jacket with an account that had less money than the jacket’s price. I intercepted the HTTP request related the product before sending it to pay for the jacke, and used PATCH as method. I changed the price to $0.00, making the dreams come true (hahaha).
Lab: Exploiting a mass assignment vulnerability
I think for this lab, you can find different ways to resolved it. For me, It was changing the value of the percentage
As a usual activity, I discovered the right endpoints and played with them, First of all, I called /api/checkout to see all parameters received or available, don’t forget it is Mass Assignment. For this kind of vulnerability, we need to figure out all of them to see which parameters we can modify.
Using GET, I identified a percentage as parameter.
Before to sending to checkout, I intercepted the request added 100% as discount in percentage parameter and sent it, and I get a Free Jacket!
Exploiting Server Side Parameter Pollution
For this lab, I was able to delete The username “carlos” with admin permission. I bypassed login form, using SSPP (Server Sider Parameter Pollution). As a usual activity, I discovered all endpoints needed for accomplish this lab.
After further review, I discovered that this function was possibly vulnerable to SSPP.
Using HTTP History in Burp suite I saw the endpoint, request and response
I sent this request to repeater, I added %26 to saw how the request was handled by the endpoint, I received this messages “Parameter is not supported”
The following attempts was using %23 and I get this message “Field not specified”, Ok so I used %23 → # to truncate the query and I used %26 to inject new parameter in the query.
The vulnerability was successfully identified, I was able to execute it and found a specific field, for me it was email
I was stuck for a while,but then I returned to the recon step and I discovered this file JS, and new endpoint to use. The endpoint has a specific field, so in this case, we need to connect the dots.
Then I used reste_token as a field and I get this message :)
I used this token and URL, I was able to change password for administrator
I was unable to login as administrator and game over!
User carlos was deleted successfully
Exploiting server-side parameter pollution in a REST URL
This lab was little tricky for me
As routine activity, I Explored and discovered all endpoints and I found this one and javascript file.
Similar to the previous lab, and as is often the case the javascript file provides low hanging fruit for us, which applies to this situation
I discovered a new field “passwordResetToken, then I tried using %23 to truncate the query and I receive this message “Invalid route, Please refer to the API definition”
So I connected the dots, Based on the section about identifying API Documentation , We have three options and one of then, “openapi.json”,works for me, I discovered a new internal api/endpoint
With this endpoint, I generated new token to change administrator’s password
I entered a new password
Once logged in, a new options appears for me, “Admin panel”
Bengali (Bangladesh) · 
English (United States) ·