Lab: Finding and exploiting an unused API endpoint

Pre

  1. Log in as user wiener with the credentials wiener:peter
  2. Open Burp Suite

Observe

Observe Checkout Flow

  1. Find the product named "Lightweight l33t Leather Jacket".
  2. Add this product to the cart.
  3. Click "Place order"; we get an error because our store credit is not enough to buy this product.

Observe Proxy HTTP History

  1. In the HTTP history, we notice that when we open the product detail page, the browser sends a GET request to /api/products/1/price, which returns the price and a message for that product.
  2. Send this request to Repeater and resend it.
  3. Now, what if we could use this endpoint to update the price?

Solution

Update product price

  1. In Repeater, change the request method to PATCH to update the price.
  2. Add a JSON request body of {"price": 0}, because we want to set the product price to 0.
  3. Add the header Content-Type: application/json, because we are sending JSON data.
  4. Send the request; we get a success response.

Checkout product

  1. Add the product "Lightweight l33t Leather Jacket" to the cart again.
  2. Open the cart; the product price is now shown as $0.00.
  3. Since our store credit is $0.00, we will be able to order this product.
  4. Click "Place order".

Lab solved.
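As an added example (not code from the lab or from PortSwigger), here is a framework-free Python model of the /api/products/{id}/price handler: the "before" version shows why the unused PATCH branch is exploitable in the way the walkthrough above describes, and the "after" version adds the method allowlist, authorization check and input validation that would have prevented it. Product ids, prices and role names are constructed.

```python
import re
from typing import Dict, Tuple

# Constructed sample catalogue: product id -> price in cents. The real lab
# price is not reproduced here; 133700 is a placeholder.
SAMPLE_CATALOG: Dict[int, int] = {1: 133700}
PRICE_PATH = re.compile(r"^/api/products/(\d+)/price$")


def vulnerable_price_endpoint(catalog: Dict[int, int], method: str, path: str,
                              body: dict, role: str) -> Tuple[int, dict]:
    """Before: the PATCH branch is never used by the shop UI, so its missing
    authorization check goes unnoticed. Any logged-in customer can rewrite
    the catalogue, which is exactly what the lab walkthrough does."""
    m = PRICE_PATH.match(path)
    if not m or int(m.group(1)) not in catalog:
        return 404, {"error": "not found"}
    pid = int(m.group(1))
    if method == "GET":
        return 200, {"price": catalog[pid]}
    if method == "PATCH":
        catalog[pid] = body["price"]  # no role check, no validation
        return 200, {"price": catalog[pid]}
    return 405, {"error": "method not allowed"}


def hardened_price_endpoint(catalog: Dict[int, int], method: str, path: str,
                            body: dict, role: str) -> Tuple[int, dict]:
    """After: explicit method allowlist, authorization before any write, and
    validation of the new value. Verbs the UI does not need are rejected."""
    m = PRICE_PATH.match(path)
    if not m or int(m.group(1)) not in catalog:
        return 404, {"error": "not found"}
    pid = int(m.group(1))
    if method == "GET":
        return 200, {"price": catalog[pid]}
    if method != "PATCH":
        return 405, {"error": "method not allowed", "allow": "GET, PATCH"}
    if role != "admin":
        # Authorize before touching any state; customers never edit prices.
        return 403, {"error": "forbidden"}
    new_price = body.get("price")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(new_price, bool) or not isinstance(new_price, int) or new_price <= 0:
        return 400, {"error": "price must be a positive integer (cents)"}
    catalog[pid] = new_price
    return 200, {"price": catalog[pid]}
```

Beyond the fix itself, a PATCH to a catalogue endpoint from a customer session is a high-signal event worth alerting on, since the legitimate UI never issues one.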