| Field | Detail |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | API Testing |
| Difficulty | Apprentice |
| Objective | Locate the exposed API documentation and use it to delete the user carlos |
Exploiting an API Endpoint Using Documentation¶
I logged in as wiener:peter and spotted a JavaScript file in Burp's HTTP history:
GET /resources/js/api/changeEmail.js HTTP/2
The path /resources/js/api/ revealed the API base. Walking back up the path hierarchy is a standard recon step — if the resource is at /api/something, try /api/ directly:
/api/
The API documentation was publicly accessible and interactive — it listed all endpoints, methods, and parameters with a live request panel for each operation. Exposed API documentation is a self-serve attack tool: this one didn't just describe the endpoints, it let you call them with one click.
I located the DELETE endpoint for users:
Entered carlos as the username target and clicked "Send request" from the documentation UI:
carlos deleted.
Lab solved