bscp notes
API Testing - TODO

When an API endpoint is called with a GET request and directly afterwards with a POST request, compare the two: if the POST response body contains additional JSON parameters that were never sent in the request, those are hidden parameter fields. Adding a hidden field such as {"admin":true} to the request can elevate access to a higher-privileged user or expose sensitive information about the user.

API Reset Password Parameter Pollution

Notice that the reset-password API function takes the username as a parameter in the POST body. To identify additional hidden parameters of the API function, insert a random parameter such as &x=y and observe whether the error message leaks information about a positive result. URL-encode the random parameter and append it to the current POST body parameter: username=administrator%26x=y.

Based on the response there is possibly a second parameter named field, and reviewing the JavaScript source code reveals a reset_token parameter.
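An added illustration (not from these notes) of why the URL-encoded &x=y changes the back-end query: a front end that decodes the POST body once and concatenates the username into an internal query string, beside the hardened form that re-encodes the value, plus a check a defender can run on the outgoing query. The /internal/users/reset path and the field=email parameter are assumptions.

```python
# Added example, not code from the original notes. Server-side parameter pollution:
# the front end decodes username=administrator%26x=y once, so the value it holds is
# "administrator&x=y"; whether that injects a parameter into the back-end request
# depends entirely on how the internal query string is built.
from urllib.parse import parse_qs, urlencode

INTERNAL_PATH = "/internal/users/reset"   # assumed internal endpoint
EXPECTED_PARAMS = {"username", "field"}   # the only names the back end should see


def vulnerable_backend_url(username: str) -> str:
    # Raw concatenation: an '&' inside the value terminates the username and
    # starts a new parameter on the back end.
    return INTERNAL_PATH + "?username=" + username + "&field=email"


def hardened_backend_url(username: str) -> str:
    # urlencode() percent-encodes '&', '=' and '#' inside the value, so the back
    # end receives exactly one username parameter whatever the client sent.
    return INTERNAL_PATH + "?" + urlencode({"username": username, "field": "email"})


def backend_params(url: str) -> dict:
    # Simulates how the back end parses the query string it receives.
    query = url.split("?", 1)[1]
    return parse_qs(query, keep_blank_values=True)


def is_polluted(url: str, expected: set = EXPECTED_PARAMS) -> bool:
    # Detection check before the internal call: any parameter name outside the
    # expected set, or a duplicated name, means user input escaped its value.
    params = backend_params(url)
    unexpected = set(params) - expected
    duplicated = any(len(values) > 1 for values in params.values())
    return bool(unexpected) or duplicated


# Constructed sample: the POST body from the notes, decoded once by the front end.
POSTED_BODY = "username=administrator%26x=y"
USERNAME = parse_qs(POSTED_BODY)["username"][0]   # -> "administrator&x=y"

if __name__ == "__main__":
    for build in (vulnerable_backend_url, hardened_backend_url):
        url = build(USERNAME)
        print(build.__name__, url, backend_params(url), "polluted:", is_polluted(url))
```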
