Lab
https://portswigger.net/web-security/api-testing/lab-exploiting-api-endpoint-using-documentation
Description
Solution
Go to the login page and log in as the wiener user.
The JWT extension reveals that a JWT token is in use, obviously tied to the wiener user account.
Send the request to Repeater and open the JSON Web Token tab to inspect it.
Change the sub field to "administrator" (if the key field is not filled in, it is necessary to add it by clicking the Sign button),
then click Send and then Follow redirection:
the response authenticates us as administrator.
Checking the response, the admin panel's path is /admin,
so we move there via a GET request: GET /admin HTTP/2
Analyzing the response, we see that the request to delete the user Carlos is: GET /admin/delete?username=carlos HTTP/2
So send it and click Follow redirection to delete the user and complete the lab.
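Added example, not part of the lab write-up: a minimal HS256 check in Python showing why a server that decodes the JWT without checking the signature accepts an edited sub claim, while one that recomputes the HMAC and pins the algorithm rejects it. The secret key, the claims and the helper names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real server loads its HS256 key from a secret store.
SECRET = b"demo-secret-not-for-production"


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(claims: dict, key: bytes) -> str:
    # Issues a properly signed token, as the login endpoint would.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    # Vulnerable pattern: trusts the payload without checking the signature,
    # so whoever edits "sub" is treated as that user.
    return json.loads(b64url_decode(token.split(".")[1]))


def decode_verified(token: str, key: bytes):
    # Hardened pattern: recompute the HMAC over header.payload with the server
    # key, compare in constant time, and return None on any mismatch.
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None  # pin the algorithm; never honour "none" or a client-chosen alg
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(payload))


def with_replaced_sub(token: str, new_sub: str) -> str:
    # Test fixture: rewrites the sub claim but keeps the original signature,
    # which is what the JWT tab edit in the write-up produces before re-signing.
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims["sub"] = new_sub
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.{sig}"
```

The vulnerable decoder returns "administrator" for the edited token; the verifying decoder returns None, which is the check the lab's server is missing.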