Need help with API Security Lab 1.3

DavidKMolina · June 17, 2025, 6:39pm

Need help with API Security Lab 1.3
3. What flag did you discover after validating the remote OS command injection vulnerability in Postman?
Type your answer here
Hide Hint
••••{••••••••_••••••}

DavidKMolina · June 17, 2025, 6:40pm

the Hint actually looks like this
xxxx{x_xxxx_xxx_xxxxxx}

DavidKMolina · June 17, 2025, 6:41pm

It keeps removing some of the dots, so I used x’s.

DavidKMolina · June 17, 2025, 6:43pm

Any help would be greatly appreciated. I hate skipping labs

raggetd · June 17, 2025, 9:54pm

Hey @DavidKMolina!

I’ve recently made some edits to this challenge that (I think) better direct you. To that end, can you indicate exactly which part you’re having trouble with (or, alternatively, what you’ve tried so far)? For example, are you able to find the remote OS command injection vulnerabilities in ZAP? If so, check out the Alert details, which will show you the payload that was used, and what parameter that payload was used in (e.g., host, scheme, port, etc). Then, once you import the collections into Postman, you can send a request using that same mutation, but plug that ZAP payload into one of the vulnerable parameters you identified (and change it to display the flag, instead of /etc/passwd).

Anticipating your response!
-Raggetd