Lab: Exploiting an API endpoint using documentation

Observe

Find endpoint

  1. Try to access the /api path.
  2. This reveals the API documentation.
  3. It contains the HTTP method and URL path information that we can use against specific endpoints.

Use / try endpoint

  1. Click delete user in the documentation table; a popup will appear.
  2. Enter the username and click “Send Request”.
  3. The response comes back as "unauthorized".

Solution

  1. Log in as user wiener with the credentials wiener:peter.
  2. Open the /api path.
  3. Click delete user in the documentation table; a popup will appear.
  4. Enter the username and click “Send Request”.
  5. The user carlos is now successfully deleted.

Lab solved.
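
The behaviour above (an anonymous request gets "unauthorized", but any logged-in user can delete another user) is an authentication check with no authorization check. The following is an added example, not the lab's code: it models that handler beside a corrected one. The session ids, the role table, the function names and the "admin or self" policy are all assumptions made for illustration.

```python
# Constructed sample data (hypothetical; not taken from the lab application).
SESSIONS = {"sess-wiener": "wiener", "sess-admin": "administrator"}
ROLES = {"wiener": "user", "carlos": "user", "administrator": "admin"}


def delete_user_authn_only(users, session_id, target):
    """Models the observed behaviour: only checks that the caller is logged in."""
    caller = SESSIONS.get(session_id)
    if caller is None:
        return 401, "unauthorized"      # what the anonymous request received
    if target not in users:
        return 404, "not found"
    users.discard(target)               # any authenticated caller reaches this
    return 200, "deleted"


def delete_user_authorized(users, session_id, target):
    """Corrected form: authenticate, then authorize the caller for this target."""
    caller = SESSIONS.get(session_id)
    if caller is None:
        return 401, "unauthorized"
    # Assumed policy: only an admin, or the account owner, may delete an account.
    # Checked before the existence lookup so a low-privilege caller cannot use
    # the 403/404 difference to learn which usernames exist.
    if ROLES.get(caller) != "admin" and caller != target:
        return 403, "forbidden"
    if target not in users:
        return 404, "not found"
    users.discard(target)
    return 200, "deleted"


def run_demo():
    """Replay the walkthrough's two requests against both handlers."""
    results = {}
    for name, handler in (("authn_only", delete_user_authn_only),
                          ("authorized", delete_user_authorized)):
        users = {"wiener", "carlos", "administrator"}
        anonymous = handler(users, None, "carlos")
        as_wiener = handler(users, "sess-wiener", "carlos")
        results[name] = (anonymous, as_wiener, "carlos" in users)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```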