Web Security Academy — API Security Testing Walkthrough

Israel Aráoz Severiche
6 min read · Jan 5, 2024

On my way to learning about API/endpoint hacking, in order to sharpen my technical skills in security testing and improve my daily activities as a Cybersecurity Engineer, I’m taking the Web Security Academy from PortSwigger.

In this article, I’d like to share with you folks how I resolved all the labs regarding API Security.

The images I used in this article for each lab contain the description of the activity and are from Web Security Academy, not mine.

Exploiting an API endpoint using documentation

I think this is the first step in API Security testing: looking for the API’s documentation and reviewing each endpoint with its respective parameters and allowed methods.

If you are interested in reading about discovering APIs/endpoints, the previous article could be useful:

So we need to fire away!

The quick, easy win was to try visiting /api, and we obtained the documentation related to all the available endpoints and the required parameters to call them, as we can see below:

Available Endpoints

Using Burp Suite, I intercepted a request and modified it to call the endpoint with the allowed method, which in this case was DELETE.

Finding and exploiting an unused API endpoint

This lab was so fun. When you are learning something, you identify the points and connect each one.

As part of the recon process for all endpoints, I captured all traffic for each click that I made on the web application, and then I searched for any api/endpoint in Burp Suite.

A crucial step for me is to confirm which HTTP methods are allowed. I used the OPTIONS method to obtain all allowed methods from the server.

Allowed HTTP Methods.

For this lab, I discovered that PATCH was an available method. The main goal for this lab was to buy this jacket with an account that had less money than the jacket’s price. I intercepted the HTTP request related to the product before sending it to pay for the jacket, and used PATCH as the method. I changed the price to $0.00, making the dreams come true (hahaha).

Changing the HTTP Method and value of parameter price

Lab: Exploiting a mass assignment vulnerability

I think for this lab, you can find different ways to resolve it. For me, it was changing the value of the percentage.

As a usual activity, I discovered the right endpoints and played with them. First of all, I called /api/checkout to see all parameters received or available; don’t forget it is Mass Assignment. For this kind of vulnerability, we need to figure out all of them to see which parameters we can modify.

Using GET, I identified a percentage as a parameter.

Before sending to checkout, I intercepted the request, added 100% as the discount in the percentage parameter and sent it, and I got a free jacket!

Lab resolved!

Lab solved
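To show the server-side cause and its fix, here is an added example (not part of the original write-up or the lab's code) of a checkout handler that binds every client-supplied key next to one that binds only an allowlist. The `Order` model, the `items` and `discount_percentage` field names and the price are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

PRICES_CENTS = {"jacket": 133700}   # constructed catalogue (assumption)
CLIENT_WRITABLE = {"items"}         # the only key a shopper may set


@dataclass
class Order:
    items: list = field(default_factory=list)
    discount_percentage: int = 0    # meant to be set by server-side logic only


def bind_unsafe(body: dict) -> Order:
    # Vulnerable: every key in the client JSON is copied onto the object.
    order = Order()
    for key, value in body.items():
        setattr(order, key, value)
    return order


def bind_safe(body: dict) -> Order:
    # Hardened: reject keys outside the allowlist, then validate what remains.
    unexpected = set(body) - CLIENT_WRITABLE
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    items = body.get("items", [])
    if not isinstance(items, list):
        raise ValueError("items must be a list")
    for item in items:
        if not isinstance(item, dict) or set(item) != {"product", "quantity"}:
            raise ValueError("invalid item")
        if item["product"] not in PRICES_CENTS:
            raise ValueError("unknown product")
        if type(item["quantity"]) is not int or item["quantity"] < 1:
            raise ValueError("invalid quantity")
    return Order(items=items)


def total_cents(order: Order) -> int:
    gross = sum(PRICES_CENTS[i["product"]] * i["quantity"] for i in order.items)
    return gross * (100 - order.discount_percentage) // 100


if __name__ == "__main__":
    # Constructed request body carrying a field the client should not control.
    tampered = {"items": [{"product": "jacket", "quantity": 1}],
                "discount_percentage": 100}
    print("unsafe total:", total_cents(bind_unsafe(tampered)))
    print("safe total:", total_cents(bind_safe({"items": tampered["items"]})))
```

Rejecting unexpected keys, rather than silently dropping them, also gives the API a clear event to log and alert on.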

Exploiting Server Side Parameter Pollution

For this lab, I was able to delete the username “carlos” with admin permission. I bypassed the login form using SSPP (Server-Side Parameter Pollution). As a usual activity, I discovered all the endpoints needed to accomplish this lab.

Description

After further review, I discovered that this function was possibly vulnerable to SSPP.

Forgot password

Using HTTP History in Burp Suite, I saw the endpoint, request and response.

Endpoint vulnerable to SSPP

I sent this request to Repeater and added %26 to see how the request was handled by the endpoint. I received this message: “Parameter is not supported”.

The following attempt was using %23, and I got this message: “Field not specified”. OK, so I used %23 → # to truncate the query and I used %26 to inject a new parameter in the query.

The vulnerability was successfully identified. I was able to execute it and found a specific field; for me it was email.

I was stuck for a while, but then I returned to the recon step and I discovered this JS file, and a new endpoint to use. The endpoint has a specific field, so in this case, we need to connect the dots.

Then I used reset_token as a field and I got this message :)

I used this token and URL, and I was able to change the password for administrator.

I was unable to log in as administrator and game over!

Admin Panel

User carlos was deleted successfully

Exploiting server-side parameter pollution in a REST URL

This lab was a little tricky for me.

As a routine activity, I explored and discovered all endpoints, and I found this one and a JavaScript file.

Similar to the previous lab, and as is often the case, the JavaScript file provides low-hanging fruit for us, which applies to this situation.

I discovered a new field, “passwordResetToken”. Then I tried using %23 to truncate the query and I received this message: “Invalid route, Please refer to the API definition”.

So I connected the dots. Based on the section about identifying API documentation, we have three options, and one of them, “openapi.json”, works for me. I discovered a new internal api/endpoint.

With this endpoint, I generated a new token to change the administrator’s password.

I entered a new password.

Once logged in, a new option appears for me: “Admin panel”.

Admin panel

And the game was over!

Lab Completed
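The two server-side parameter pollution labs above (query string and REST URL) share one root cause: the front end pastes the decoded username into the URL of an internal request. The following added example (not from the original write-up or the lab's code) shows that construction beside a hardened one; the internal host, the routes and the username policy are assumptions.

```python
import re
from urllib.parse import parse_qs, quote, urlencode, urlsplit

INTERNAL = "http://internal.example/api/users"    # hypothetical internal API
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumed username policy


def query_url_unsafe(username: str) -> str:
    # Vulnerable: the decoded value is pasted into the internal query string.
    return f"{INTERNAL}/search?username={username}&field=email"


def query_url_safe(username: str) -> str:
    # Hardened: urlencode() re-encodes '&', '=' and '#' so they stay data.
    return f"{INTERNAL}/search?" + urlencode({"username": username, "field": "email"})


def path_url_unsafe(username: str) -> str:
    # Vulnerable: the value becomes raw path text in the REST URL.
    return f"{INTERNAL}/{username}/field/email"


def path_url_safe(username: str) -> str:
    # Hardened: allowlist the segment, then encode it anyway (defence in depth).
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return f"{INTERNAL}/{quote(username, safe='')}/field/email"


def internal_view(url: str):
    """Path and query as the internal server parses them (fragment is dropped)."""
    parts = urlsplit(url)
    return parts.path, parse_qs(parts.query)


if __name__ == "__main__":
    # Constructed input: what the front end holds after decoding %26 and %23.
    polluted = "administrator&field=reset_token#"
    for build in (query_url_unsafe, query_url_safe):
        print(build.__name__, internal_view(build(polluted)))
    print("path_url_unsafe", internal_view(path_url_unsafe("administrator#")))
```

In the unsafe builders the server's own `field=email` suffix ends up after the `#` and is never seen by the internal API; in the safe ones the whole input stays a single username value or is rejected.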

Thanks!
