Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
229
Next, we will try to convert the above GET request into a POST and
provide our payload in the
required JSON
356
format. Let’s craft our request by first passing the admin username and dummy
password as JSON data via the -d parameter. We’ll also specify “json” as the “Content-Type” by
specifying a new header with -H.
kali@kali:~$
curl -d '{"password":"fake","username":"admin"}' -H 'Content-Type:
application/json' http://192.168.50.16:5002/users/v1/login
{ "status": "fail", "message": "
Password is not correct for the given username.
"}
Listing 112 - Crafting a POST request against the login API
The API return message shows that the authentication failed, meaning that the API parameters
are correctly formed.
Since we don’t know admin’s password, let’s try another route and check whether we can register
as a new user. This might lead to a different attack surface.
Let’s try registering a new user with the following syntax by adding a JSON data structure that
specifies the desired username and password:
kali@kali:~$
Yüklə
Dostları ilə paylaş: 
