API Testing - TODO
When an API performs a GET request followed directly by a POST request, check the POST request for additional JSON parameters in the body of the response; these indicate hidden parameter fields. Adding hidden fields such as {"admin":true} can elevate access to that of higher-privileged users or expose sensitive information about a user.
API Reset Password Parameter Pollution
Notice that the reset password API function takes the username as a parameter in the POST body. To identify additional hidden parameters for the API function, insert a random parameter such as &x=y and observe whether the error message leaks information indicating a positive result. URL-encode the random parameter and add it to the current POST body parameters: username=administrator%26x=y.
Based on the response, there is a possible second parameter named field, and reviewing the JavaScript source code shows there is a reset_token parameter.
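The server-side cause of the behaviour above and its fix, as an added example that is not part of the original notes: a front end that concatenates the decoded username into an internal query string lets an encoded & become a new parameter, while building the query with urlencode() keeps it inside the value. The internal URL, the internal parameter name username and the value field=email are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode

# Hypothetical internal endpoint the front end calls on the user's behalf.
INTERNAL_API = "http://internal.example/api/users"
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")  # assumed username policy


def decode_front_end_body(body: str) -> str:
    """The front end decodes the POST body once, so %26 becomes a literal '&'."""
    return parse_qs(body)["username"][0]


def build_internal_query_unsafe(username: str) -> str:
    """Weak pattern: decoded user input is concatenated into the query string."""
    return f"{INTERNAL_API}?username={username}&field=email"


def build_internal_query_safe(username: str) -> str:
    """Hardened pattern: urlencode() re-encodes '&', '=' and '#' in the value."""
    return f"{INTERNAL_API}?" + urlencode({"username": username, "field": "email"})


def is_valid_username(username: str) -> bool:
    """Defence in depth: reject anything outside the allowlisted character set."""
    return USERNAME_RE.fullmatch(username) is not None


def internal_params(url: str) -> dict:
    """Parse the query string the way the internal API would receive it."""
    return parse_qs(url.split("?", 1)[1], keep_blank_values=True)


if __name__ == "__main__":
    # Constructed sample body, taken from the value shown in the notes.
    value = decode_front_end_body("username=administrator%26x=y")
    print("decoded value :", value)
    print("unsafe query  :", internal_params(build_internal_query_unsafe(value)))
    print("safe query    :", internal_params(build_internal_query_safe(value)))
    print("passes policy :", is_valid_username(value))
```

The unsafe query reaches the internal API with three parameters, the safe one with two, which is the difference to look for when reviewing how a front end builds its back-end requests.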