
Portswigger - API Testing - Lab #5 Exploiting server side parameter pollution in a REST URL

4.5K views
Jan 8, 2024
14:11

Hello Hackers, in this video on Exploiting server-side parameter pollution in a REST URL you will see how to discover hidden endpoints and extract sensitive information with Burp Suite in a lab from the Web Security Academy by PortSwigger.

⚠️ Subscribe to my channel ➡️ @popo_hack ⚠️

0:00 - About the Lab
1:51 - Map the application
2:53 - Discover the forgotPassword.js file
4:41 - Discover the forgot-password endpoint
8:14 - Use openapi.json to leak information
9:32 - Use the internal API
11:25 - Use the known field passwordResetToken
12:21 - Update the administrator password
12:55 - Log in and delete the user carlos

🔍 About the Lab
Lab: Exploiting server-side parameter pollution in a REST URL
Level: Expert
In this lab, log in as the administrator and delete carlos.

⚠️ Required knowledge you'll need:
1. How to identify whether a user input is included in a server-side URL path or query string.
2. How to use path traversal sequences to attempt to change a server-side request.
3. How to discover API documentation.

✅ What to do?
1. In Burp's browser, trigger a password reset for the administrator user.
2. In Proxy > HTTP history, notice the POST /forgot-password request and the related /static/js/forgotPassword.js JavaScript file.
3. Right-click the POST /forgot-password request and select Send to Repeater.
4. In the Repeater tab, resend the request to confirm that the response is consistent.
5. Send a variety of requests with a modified username parameter value to determine whether the input is placed in the URL path of a server-side request without escaping:
5.1. Submit URL-encoded administrator# (administrator%23) as the value of the username parameter. Notice that this returns an Invalid route error message. This suggests that the server may have placed the input in the path of a server-side request, and that the fragment has truncated some trailing data. Observe that the message also refers to an API definition.
5.2. Change the value of the username parameter from administrator%23 to URL-encoded administrator? (administrator%3F), then send the request. Notice that this also returns an Invalid route error message. This suggests that the input may be placed in a URL path, as the ? character marks the start of the query string and therefore truncates the URL path.
5.3. Change the value of the username parameter from administrator%3F to ./administrator, then send the request. Notice that this returns the original response. This suggests that the request accessed the same URL path as the original request, which further indicates that the input is placed in the URL path.
5.4. Change the value of the username parameter from ./administrator to ../administrator, then send the request. Notice that this returns an Invalid route error message. This suggests that the request accessed an invalid URL path.
6. Change the value of the username parameter from ../administrator to ../%23. Notice the Invalid route response.
7. Incrementally add further ../ sequences until you reach ../../../../%23. Notice that this returns a Not found response. This indicates that you've navigated outside the API root.
8. At this level, add some common API definition filenames to the URL path. For example, submit the following: username=../../../../openapi.json%23. Notice that this returns an error message which contains the following API endpoint for finding users: /api/internal/v1/users/{username}/field/{field}. This endpoint shows that the URL path includes a parameter called field.
9. Update the value of the username parameter, using the structure of the identified endpoint, and add an invalid value for the field parameter: username=administrator/field/foo%23. Send the request. Notice that this returns an error message, because the API only supports the email field.
10. Add email as the value of the field parameter: username=administrator/field/email%23. Send the request. Notice that this returns the original response. This indicates that the server-side application recognizes the injected field parameter and that email is a valid field type.
11. In Proxy > HTTP history, review the /static/js/forgotPassword.js JavaScript file. Identify the password reset endpoint, which refers to the passwordResetToken parameter: /forgot-password?passwordResetToken=${resetToken}
12. In Burp's browser, enter the password reset endpoint in the address bar. Add your password reset token as the value of the passwordResetToken parameter. For example: /forgot-password?passwordResetToken=123456789

Thank you for watching my video. If you have any questions or topic recommendations, feel free to write them in the comments below 🙋
#WebSecurityAcademy #portswigger #apitesting #vulnerability
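The probing sequence in steps 5 to 10 works because the front end concatenates the decoded username straight into the path of a server-side request, and the back end then applies the usual URL rules (# and ? end the path, ./ and ../ are normalized). The following added example is not the lab's code or PortSwigger's; it is a constructed simulation with an assumed mock back end whose routing rules (only the route shape /api/internal/v1/users/{username}/field/{field} comes from the lab text) are chosen to reproduce the responses the steps describe, so you can see how each payload rewrites the internal path, and what a hardened front end looks like beside the vulnerable one.

```python
"""Simulation of the REST-URL parameter pollution chain from the lab.

Everything here is constructed for illustration: the mock back end, its
routing rules and the sample user data are assumptions, not the lab's code.
"""
import posixpath
import re
from urllib.parse import quote, unquote, urlsplit

API_ROOT = "/api/internal/v1"
# Constructed sample data: the mock knows one user and supports one field.
USERS = {"administrator": {"email": "administrator@example.invalid"}}
ROUTE = re.compile(r"^/api/internal/v1/users/([^/]+)/field/([^/]+)$")


def mock_internal_api(url: str) -> tuple[int, str]:
    """Assumed back end: a URL library splits off query and fragment, the
    path is normalized, then routed. Rules are chosen to match the lab's
    observed responses (Invalid route inside /api, Not found outside it)."""
    parts = urlsplit(url)                   # '?' and '#' terminate the path
    path = posixpath.normpath(parts.path)   # resolves './' and '../' segments
    if path == "/openapi.json":             # leaked definition, as in step 8
        return 500, "API definition: " + API_ROOT + "/users/{username}/field/{field}"
    if not path.startswith("/api"):
        return 404, "Not found"
    m = ROUTE.match(path)
    if not m:
        return 400, "Invalid route"
    username, field = unquote(m.group(1)), unquote(m.group(2))
    if field != "email":
        return 400, "Invalid field, only email is supported"
    if username not in USERS:
        return 404, "User not found"
    return 200, USERS[username][field]


def forgot_password_vulnerable(username: str) -> tuple[int, str]:
    """Front end as the lab implies: the already URL-decoded form value is
    concatenated into the internal request path without escaping."""
    return mock_internal_api(f"{API_ROOT}/users/{username}/field/email")


# Hardened variant (assumed fix): allowlist the value, then percent-encode it.
# The allowlist has no '.', '/', '?' or '#', so '..' segments and path or
# query injection are impossible; quote(safe='') encodes anything else.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def forgot_password_hardened(username: str) -> tuple[int, str]:
    if not USERNAME_RE.fullmatch(username):
        return 400, "Invalid username"
    return mock_internal_api(f"{API_ROOT}/users/{quote(username, safe='')}/field/email")


# Decoded forms of the payloads from steps 5-10 (in the HTTP body you send
# '#' as %23 and '?' as %3F; the server decodes them before concatenation).
PROBES = [
    "administrator",
    "administrator#",
    "administrator?",
    "./administrator",
    "../administrator",
    "../#",
    "../../../../#",
    "../../../../openapi.json#",
    "administrator/field/foo#",
    "administrator/field/email#",
]


def run_probes(handler) -> dict[str, tuple[int, str]]:
    """Replay the probe sequence against a front-end handler."""
    return {p: handler(p) for p in PROBES}


if __name__ == "__main__":
    for label, handler in (("vulnerable", forgot_password_vulnerable),
                           ("hardened", forgot_password_hardened)):
        print(f"== {label} ==")
        for payload, (status, body) in run_probes(handler).items():
            print(f"{payload!r:32} -> {status} {body}")
```

Read the vulnerable run top to bottom and it reproduces the reasoning of the steps: the fragment and query probes collapse the path to /users/administrator (Invalid route), ./administrator normalizes back to the original route, four ../ segments escape the API root (Not found), openapi.json leaks the route template, and administrator/field/email# rebuilds a valid route with an attacker-chosen field. The hardened handler rejects every probe except the plain username, which is the check a fix should enforce before the value ever reaches the internal URL.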

