Burp Suite User Forum


Academy Lab: "Finding and exploiting an unused API endpoint" | the suggested solution throws "error: 500"

Andreas | Last updated: Mar 09, 2024 02:17PM UTC

Hi. I am not sure whether I am just doing something wrong or if the solution for the lab has not been updated. Firstly, I tried to solve the lab on my own, but after countless "internal server error" responses I tried to follow the solution. But alas, the same issue arises. The ironic part is that if I change the request method, and only the method, to a "GET" request, I get back a valid JSON response. How am I supposed to solve this lab if I cannot get past the content-type error or the server error?

Other issues with the solution guide:
- the guide talks about receiving an error due to an empty `Body: {}` which specifies a named missing parameter "price". Though in my session I only received the "application/json" error.

My request header:

```
PATCH /api/products/1/price HTTP/2
Host: 0ab000cc0443d34180c67151000d00d3.web-security-academy.net
Cookie: session=g5EZWdzKqb3AkrMxnvSNuXcODl4ifO9D
Sec-Ch-Ua: "Chromium";v="119", "Not?A_Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept: */*
Referer: https://0ab000cc0443d34180c67151000d00d3.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Body: {"price":0}
Content-Type: application/json; charset=utf-8
```

The response:

```
HTTP/2 500 Internal Server Error
Content-Length: 21

Internal Server Error
```

Same request, different method => 'GET':

```
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 87

{"price":"$1337.00","message":"17 people have viewed this item in the last 15 minutes"}
```

Dominyque, PortSwigger Agent | Last updated: Mar 11, 2024 11:18AM UTC

Hi Andreas, I have just attempted the lab and can confirm that it solves as expected with the written solution. Can you please try following along with this community video solution for further guidance on solving the lab? https://www.youtube.com/watch?v=UUzdFir0HFo

Andreas | Last updated: Mar 11, 2024 12:24PM UTC

Following the video did help me solve it in a way, but it seems like I have to follow a certain pattern to "unlock" the lab solution. If I send the apparent solution straight away, like this:

```
PATCH /api/products/1/price HTTP/2
...
Content-Type: application/json

{"price":0}
```

it wouldn't resolve the lab by updating the price of the target product. But after doing it step by step, sending an empty `{}`, then `{"price":'f'}` and then finally `{"price":0}`, the product would update. Though it isn't necessarily a problem with the lab itself, there may be some sort of connection bug with Burp, which I often experience between the labs and Burp's internal browser (socket errors). Thanks Dominyque!
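The thread above walks through three bodies sent to the price endpoint: an empty `{}`, a non-JSON `{"price":'f'}`, and finally `{"price":0}`. The following is an added illustration (not the lab's server code, nor anything from PortSwigger) of how a hardened handler for `PATCH /api/products/<id>/price` would treat that same sequence: it checks the caller's role before anything else, then the media type, then JSON well-formedness, then the presence and value of `price`. The product data, the role name `administrator`, the error strings and the status codes are all assumptions chosen for the example.

```python
import json
from decimal import Decimal, InvalidOperation
from typing import Any, Dict, Tuple

# Constructed sample catalogue (hypothetical; not the lab's data).
PRODUCTS: Dict[int, Dict[str, Any]] = {
    1: {"name": "Example product", "price": Decimal("1337.00")},
}

ALLOWED_ROLE = "administrator"   # assumption: only this role may change prices


def _media_type(content_type: str) -> str:
    # "application/json; charset=utf-8" -> "application/json"
    return (content_type or "").split(";", 1)[0].strip().lower()


def handle_price_patch(product_id: int, content_type: str,
                       raw_body: str, role: str) -> Tuple[int, Dict[str, str]]:
    """Hardened handler for PATCH /api/products/<product_id>/price.

    Returns (HTTP status, JSON-serialisable response body). Every rejection
    returns a 4xx with a specific message instead of an unhandled exception,
    so a client never sees a bare 500 for a malformed request.
    """
    # 1. Authorisation first: an unused endpoint must not be a privilege hole.
    if role != ALLOWED_ROLE:
        return 403, {"error": "insufficient privileges"}

    if product_id not in PRODUCTS:
        return 404, {"error": "product not found"}

    # 2. Only accept JSON bodies; parameters in the Content-Type are fine.
    if _media_type(content_type) != "application/json":
        return 415, {"error": "Content-Type must be application/json"}

    # 3. Body must be well-formed JSON. {"price":'f'} fails here because
    #    single-quoted strings are not JSON.
    try:
        body = json.loads(raw_body)
    except (json.JSONDecodeError, TypeError):
        return 400, {"error": "body is not valid JSON"}

    # 4. The price parameter must be present. An empty {} fails here.
    if not isinstance(body, dict) or "price" not in body:
        return 400, {"error": "missing required parameter: price"}

    # 5. Validate the value: numeric, finite, positive, at most two decimals.
    price = body["price"]
    if isinstance(price, bool) or not isinstance(price, (int, float, str)):
        return 400, {"error": "price must be a number"}
    try:
        value = Decimal(str(price))
    except InvalidOperation:
        return 400, {"error": "price must be a number"}
    if not value.is_finite():
        return 400, {"error": "price must be a number"}
    if value <= 0 or value.as_tuple().exponent < -2:
        return 400, {"error": "price must be positive with at most two decimal places"}

    PRODUCTS[product_id]["price"] = value
    return 200, {"price": f"${value:.2f}"}


if __name__ == "__main__":
    # Replay the sequence from the thread as a non-admin, then as an admin.
    ct = "application/json; charset=utf-8"
    for role in ("customer", ALLOWED_ROLE):
        for body in ("{}", "{\"price\":'f'}", '{"price":0}', '{"price":"12.50"}'):
            print(role, body, "->", handle_price_patch(1, ct, body, role))
```

Note that the role check sits before any body parsing: the point of the lab's finding is that a write endpoint was reachable without it, and no amount of input validation further down compensates for that.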
