API Attacks Challenge Exercise

I’m trying to figure out why this lab does not provide the “flag” for task 1.
I’m able to successfully perform the API attack of manipulating user data, as I was able to add $ credit to the account by falsely returning a quantity of items, mainly by using the Burp Repeater feature.

However, the lab asks to see what the user name is after conducting that malicious operation; in my case the user name does not change.

Hi, I’m new here. I want to know how to do it.

So were you able to do it?

As you had to do in the Guided Exercises, be sure to click back to the Dashboard once you have forced the refund. There you will see the name change.

Hi,
When I go to the Dashboard, though my account balance was manipulated, the username does not change.
How did you manipulate the balance? Did you change the product id, purchase id, purchase status, or quantity? Or is there a specific order and sequence that is critical to get the flag?

I set “status”=“returned” and “quantity”=100 in the same post.

1 Like

Odd. I went ahead and completely restarted the lab.

  • Start the lab as in the guided exercise
  • Create the tester user as in the guided exercise
  • Shop for a seat or wheel as in the guided exercise
  • Grab the orders GET request for the order placed from the Burp Suite logger and send it to Repeater:
    GET /workshop/api/shop/orders/6
  • In Repeater change the GET response to:
    PUT /workshop/api/shop/orders/6
    set the “status”: “returned”
    set the “quantity”: “100”
    send the application frame api method:

and that did the trick… though I could almost swear I’d done that like 5 times.

1 Like
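From the defender's side, the reason the steps above work is that the order endpoint accepts whatever fields the client sends in the PUT (here `quantity` alongside `status`) and then refunds based on the tampered quantity. The snippet below is an added illustration, not code from the thread or from the lab's own backend; the `Order` record, field names and `UpdateRejected` error are assumptions. It contrasts a naive handler that merges the client payload into the stored order with a hardened one that treats quantity as server-owned and only allows a whitelisted status transition.

```python
from dataclasses import dataclass


@dataclass
class Order:
    """Minimal stand-in for the stored order record (hypothetical fields)."""
    id: int
    user_id: int
    product_price: float
    quantity: int
    status: str  # "delivered" or "returned"


class UpdateRejected(Exception):
    pass


# Only the transition the business flow actually needs is allowed.
ALLOWED_TRANSITIONS = {("delivered", "returned")}


def naive_update(order: Order, payload: dict) -> float:
    """Vulnerable pattern: every key in the PUT body overwrites the record,
    so a client can inflate quantity and get a refund for items it never bought."""
    for key, value in payload.items():
        if hasattr(order, key):
            setattr(order, key, type(getattr(order, key))(value))
    return order.product_price * order.quantity if order.status == "returned" else 0.0


def apply_order_update(order: Order, requester_id: int, payload: dict) -> float:
    """Hardened pattern: the client may request a status change only; the refund
    is computed from the quantity the server recorded at purchase time."""
    if order.user_id != requester_id:
        raise UpdateRejected("order belongs to another user")
    unexpected = set(payload) - {"status"}
    if unexpected:  # reject, rather than silently ignore, server-owned fields
        raise UpdateRejected(f"client may not set: {sorted(unexpected)}")
    new_status = payload.get("status")
    if (order.status, new_status) not in ALLOWED_TRANSITIONS:
        raise UpdateRejected(f"illegal transition {order.status} -> {new_status}")
    order.status = new_status
    return order.product_price * order.quantity
```

Logging the rejected payload (without the secret-bearing headers) gives the SOC a clean signal for tampered order updates.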

Congrats on getting it!!!

1 Like