Lab: Exploiting an API endpoint using documentation

APPRENTICE

To solve the lab, find the exposed API documentation and delete carlos. You can log in to your own account using the following credentials: wiener:peter.

Required knowledge

To solve this lab, you'll need to know:

  • What API documentation is.
  • How API documentation may be useful to an attacker.
  • How to discover API documentation.

These points are covered in our API Testing Academy topic.

Solution

  1. In Burp's browser, log in to the application using the credentials wiener:peter and update your email address.

  2. In Proxy > HTTP history, right-click the PATCH /api/user/wiener request and select Send to Repeater.

  3. Go to the Repeater tab. Send the PATCH /api/user/wiener request. Notice that this retrieves credentials for the user wiener.

  4. Remove /wiener from the path of the request, so the endpoint is now /api/user, then send the request. Notice that this returns an error because there is no user identifier.

  5. Remove /user from the path of the request, so the endpoint is now /api, then send the request. Notice that this retrieves API documentation.

  6. Right-click the response and select Show response in browser. Copy the URL.

  7. Paste the URL into Burp's browser to access the documentation. Notice that the documentation is interactive.

  8. To delete Carlos and solve the lab, click on the DELETE row, enter carlos, then click Send request.
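As an added example from the defender's side (not part of the lab or of PortSwigger's material), the Python below scans constructed access-log lines for the pattern this lab relies on: a client stripping path segments one at a time until it reaches the API root, then issuing a destructive request against a resource it did not start from. The log format, the client addresses and the `/api` root are assumptions.

```python
from collections import defaultdict

DESTRUCTIVE = {"DELETE", "PUT", "PATCH"}

# Constructed sample log (assumed format: client_ip method path status).
# 10.0.0.5 walks /api/user/wiener -> /api/user -> /api, then deletes carlos.
# 10.0.0.7 reads /api directly and acts only on its own resource.
# 10.0.0.9 never leaves its own resource.
SAMPLE_LOG = """\
10.0.0.5 PATCH /api/user/wiener 200
10.0.0.5 PATCH /api/user 400
10.0.0.5 PATCH /api 200
10.0.0.5 DELETE /api/user/carlos 200
10.0.0.7 GET /api 200
10.0.0.7 DELETE /api/user/wiener 200
10.0.0.9 PATCH /api/user/wiener 200
10.0.0.9 GET /api/user/wiener 200
"""

def parse(log):
    """Yield (ip, method, path, status) from the constructed log format."""
    for line in log.splitlines():
        ip, method, path, status = line.split()
        yield ip, method, path.rstrip("/") or "/", int(status)

def parent(path):
    """Drop the last path segment: /api/user/wiener -> /api/user, /api -> /."""
    return path.rsplit("/", 1)[0] or "/"

def find_doc_walk_then_abuse(log, api_root="/api"):
    """Return client IPs that walked segment-by-segment up to api_root with a
    successful response (documentation discovery) and then sent a destructive
    request under api_root to a resource other than the one the walk began at."""
    by_ip = defaultdict(list)
    for ip, method, path, status in parse(log):
        by_ip[ip].append((method, path, status))
    flagged = []
    for ip, reqs in by_ip.items():
        walk_start, docs_reached = None, False
        for i, (method, path, status) in enumerate(reqs):
            is_walk_step = i > 0 and path == parent(reqs[i - 1][1])
            if is_walk_step:
                walk_start = walk_start or reqs[i - 1][1]
                docs_reached = docs_reached or (path == api_root and status == 200)
            elif docs_reached:
                if (method in DESTRUCTIVE and path.startswith(api_root + "/")
                        and path != walk_start):
                    flagged.append(ip)
                    break
            else:
                walk_start = None  # unrelated request: the walk is broken
    return flagged
```

The detection only tells you when the gap is being probed; the durable fix is to require authentication on the documentation endpoint and to keep an interactive docs page from issuing state-changing requests with the viewer's session.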