Skip to content
Field Detail
Platform PortSwigger Web Security Academy
Type API Testing
Difficulty Apprentice
Objective Locate the exposed API documentation and use it to delete the user carlos

Exploiting an API Endpoint Using Documentation

I logged in as wiener:peter and spotted a JavaScript file in Burp's HTTP history:

GET /resources/js/api/changeEmail.js HTTP/2
Screenshot

The path /resources/js/api/ revealed the API base. Walking back up the path hierarchy is a standard recon step — if the resource is at /api/something, try /api/ directly:

/api/
Screenshot

The API documentation was publicly accessible and interactive — it listed all endpoints, methods, and parameters with a live request panel for each operation. Exposed API documentation is a self-serve attack tool: this one didn't just describe the endpoints, it let you call them with one click.

I located the DELETE endpoint for users:

Screenshot

Entered carlos as the username target and clicked "Send request" from the documentation UI:

Screenshot

carlos deleted.

Lab solved

Resources