[粗略的速通]BURP靶场API testing通关记录

第一关[Easy]: Exploiting an API endpoint using documentation

目标是删carlos

在更新自己邮箱的界面可以抓到一个PATCH请求,请求的URI是:
/api/user/wiener

(URI生成逻辑可以在前端js找到,👇前端js)

const changeEmail = (form, e) => {
    e.preventDefault();

    const formData = new FormData(form);
    const username = formData.get('username');
    const email = formData.get('email');

    fetch(
        `${form.action}/${encodeURIComponent(username)}`,   // <-----------注意看这里
        {
            method: 'PATCH',
            body: JSON.stringify({ 'email': email })
        }
    )
        .then(res => res.json())
        .then(handleResponse(displayErrorMessage(form)));
};

响应是:
{"username":"wiener","email":"123@123.com"}
发一个OPTIONS请求看它支持的请求方法,返回包显示支持DELETE.
对/api/user/carlos 发起delete请求,请求体为{"username":"carlos","email":"123@123.com"}
过关.

---

第二关[Normal]:Lab: Finding and exploiting an unused API endpoint

奇怪的支付漏洞,目标是零元购皮夹克
隐藏的api ,用PATCH方法改一下价格即可过关
按一下按钮把这个夹克加到购物车,抓请求包:
/api/products/1/price
响应包:
{"price":"$1337.00","message":"24 people are watching this item right now"}
发OPTIONS包,它支持:
Allow: GET, PATCH
把首部改成PATCH (PATCH /api/products/1/price HTTP/2),发包,得到相应包:
{"type":"ClientError","code":400,"error":"Only 'application/json' Content-Type is supported"}
添加头Content-Type:application/json ,并在请求体添加俩花括号{} (json数据),发包,得到相应包:
{"type":"ClientError","code":400,"error":"'price' parameter missing in body"}
在请求体添加
{"price":0}
改了夹克的价格,然后把夹克买了就行

---

第三关[Normal]:Lab: Exploiting a mass assignment vulnerability

这关是有个隐藏的折扣参数,找到就行:
登陆后点购物车按钮会对 /api/checkout 发起GET请求,响应包为:
{"chosen_discount":{"percentage":0},"chosen_products":[{"product_id":"1","name":"Lightweight "l33t" Leather Jacket","quantity":3,"item_price":133700}]}
发现了一个percentage参数👆这个参数代表折扣
在购物车点place order按钮(支付按钮)并抓请求包:
{"chosen_products":[{"product_id":"1","quantity":3}]}
把上边抓到的"chosen_discount":{"percentage":0}添加到这里,得到👇

\