Home Web App Security How to Exploit an Unused API Endpoint: A Step-by-Step Guide

How to Exploit an Unused API Endpoint: A Step-by-Step Guide

Web App Security By · April 18, 2026 · 0 Comment
How-to-Exploit-an-Unused-API-Endpoint-A-Step-by-Step-Guide-hm

API security testing has become a critical part of modern web application assessments. Many organizations expose APIs without fully securing all endpoints, which can lead to serious vulnerabilities. In this hands-on guide, we’ll walk through how to identify and exploit an unused API endpoint using the PortSwigger Web Security Academy platform. This lab demonstrates how improper API controls can allow attackers to manipulate sensitive data such as product pricing.

Getting Started with the Lab

To begin, log in to the Web Security Academy and navigate to the API Testing section. Locate and open the lab titled “Finding and exploiting an unused API endpoint.” This lab simulates a real-world scenario where an API endpoint exists but is not properly secured.

Next, launch Burp Suite and configure your browser to route traffic through Burp’s proxy. This allows you to intercept and analyze HTTP requests between your browser and the target application.

Intercepting the Product Request

On the lab page, click on any product—such as the Lightweight Leather Jacket priced at $1337. When you view the product details, Burp Suite will capture the request in the Proxy history.

How-to-Exploit-an-Unused-API-Endpoint-A-Step-by-Step-Guide-1

Locate the request and send it to the Repeater tab for further analysis. The request looks like this:

GET /api/products/1/price
How-to-Exploit-an-Unused-API-Endpoint-A-Step-by-Step-Guide-2

When you send this request in Repeater, you’ll receive a 200 OK response along with the product price:

{"price":"$1337.00"}

This confirms that the API endpoint is publicly accessible and returns pricing data.

Discovering Supported HTTP Methods

To explore further, test which HTTP methods the endpoint supports. Modify the request to use the OPTIONS method:

OPTIONS /api/products/1/price HTTP/2
How-to-Exploit-an-Unused-API-Endpoint-A-Step-by-Step-Guide-3

The response will reveal allowed methods such as:

Allow: GET, PATCH

This is a key finding—while GET retrieves data, PATCH may allow modification.

Logging into the Application

Now, click on the My Account section and log in using the provided credentials:

  • Username: wiener
  • Password: peter

How-to-Exploit-an-Unused-API-Endpoint-A-Step-by-Step-Guide-4

Once logged in, revisit the product page and capture the request again. Send it to Repeater and confirm the response remains the same.

How-to-Exploit-an-Unused-API-Endpoint-A-Step-by-Step-Guide-5

Attempting to Modify the Price

Now comes the critical step—testing the PATCH method. Send the following request:

PATCH /api/products/1/price HTTP/2
How-to-Exploit-an-Unused-API-Endpoint-A-Step-by-Step-Guide-6

Initially, you’ll receive a client error indicating that the request requires a JSON body:

"Content-Type application/json is required"

To fix this, add the appropriate header and an empty JSON body:

Content-Type: application/json

{}
How-to-Exploit-an-Unused-API-Endpoint-A-Step-by-Step-Guide-7

The response now changes to:

"error":"'price' parameter missing in body"

This confirms that the API expects a price parameter.

Exploiting the Endpoint

Now modify the request body to include a price value:

{
"price": 0
}
How-to-Exploit-an-Unused-API-Endpoint-A-Step-by-Step-Guide-8

Send the request again. This time, the server responds with:

HTTP/2 200 OK
{"price":"$0.00"}

This indicates that the product price has been successfully changed to zero—without any authorization checks.

Verifying the Exploit

Return to your browser and refresh the product page. You’ll now see the updated price as $0. Add the item to your cart and proceed to checkout.

How-to-Exploit-an-Unused-API-Endpoint-A-Step-by-Step-Guide-9

How-to-Exploit-an-Unused-API-Endpoint-A-Step-by-Step-Guide-10

When you place the order, the lab is marked as solved—demonstrating a successful exploit of an insecure API endpoint.

How-to-Exploit-an-Unused-API-Endpoint-A-Step-by-Step-Guide-11

How-to-Exploit-an-Unused-API-Endpoint-A-Step-by-Step-Guide-12

Key Takeaways

This lab highlights several important API security issues:

  • Unused endpoints can be dangerous if not properly secured
  • Improper method handling can allow unauthorized actions
  • Lack of input validation enables attackers to manipulate data
  • Missing authorization checks can lead to privilege escalation

API vulnerabilities like this are increasingly common in modern applications. By using tools like Burp Suite and platforms like Web Security Academy, security professionals can identify and exploit such weaknesses in a controlled environment.

Understanding how to test for insecure API endpoints is essential for both penetration testers and developers. Proper authentication, authorization, and input validation must be enforced to prevent such exploits in real-world applications.

If you’re serious about mastering API security testing, practicing labs like this is one of the most effective ways to build hands-on expertise.

Related Posts

Complete VAPT Testing Guide for Web Applications

Web App Security By · March 31, 2026 · 0 Comment
Complete-VAPT-Testing-Guide-for-Web-Applications
Vulnerability Assessment and Penetration Testing (VAPT) is a critical practice for securing modern web applications. With cyber threats constantly evolving, organizations must proactively identify and fix security weaknesses before attackers exploit them. A structured VAPT process ensures thorough coverage, combining... Read more

Exploiting SQL Injection in DVWA

Web App Security By · January 31, 2026 · 0 Comment
Exploiting-SQL-Injection-in-DVWA-hm
Introduction to SQL Injection in DVWA SQL Injection is one of the most critical web application vulnerabilities, allowing attackers to manipulate database queries and gain unauthorized access to sensitive data. In this tutorial, we will demonstrate how to identify and... Read more

Top Learning Vulnerable Web Applications to Test Web Security Skills

Web App Security By · December 20, 2025 · 5 Comments
Top-Learning-Vulnerable-Web-Applications-to-Test-Web-Security-Skills-hm
Learning web application security is a critical step for aspiring ethical hackers, penetration testers, and developers who want to build secure software. One of the safest and most effective ways to gain hands-on experience is by practicing on intentionally vulnerable... Read more

How to Install DVWA on Windows Using XAMPP

Web App Security By · June 11, 2025 · 1 Comment
How-to-Install-DVWA-on-Windows-Using-XAMPP-home
If you’re interested in learning about web application vulnerabilities, Damn Vulnerable Web Application (DVWA) is a great tool. It’s a PHP/MySQL web app designed for security professionals and enthusiasts to practice penetration testing in a controlled environment. This guide will... Read more

Bypass HttpOnly Flag Using XSS and PHPInfo Page

Web App Security By · June 4, 2025 · 0 Comment
Bypass-HttpOnly-Flag-Using-XSS-and-PHPInfo-Page
Bypassing the HttpOnly Flag Using PHP Info Page via XSS In web security, the HttpOnly flag is a critical defense mechanism designed to prevent client-side scripts from accessing sensitive cookies such as session identifiers. However, in vulnerable PHP applications—like those... Read more

Top 10 Vulnerability Assessment Tools for Web Application Security

Web App Security By · May 30, 2025 · 1 Comment
Top-10-Vulnerability-Assessment-Tools-for-Web-Application-Security
In today’s digital age, securing web applications has become a critical priority for organizations worldwide. Cyber threats are constantly evolving, and attackers are always looking for vulnerabilities to exploit. That’s why conducting regular vulnerability assessments of web applications is essential... Read more

Top Nmap NSE Scripts for Kali Linux

Web App Security By · May 21, 2025 · 2 Comments
Top-Nmap-NSE-Scripts-for-Kali-Linux-home
Nmap (Network Mapper) is a leading open-source tool used for network discovery, service enumeration, and security auditing. Its capabilities are extended through the Nmap Scripting Engine (NSE), which allows users to write and execute custom scripts for a variety of... Read more

Remote File Inclusion (RFI) Vulnerability and Prevention

Web App Security By · May 14, 2025 · 0 Comment
Remote-File-Inclusion-RFI-Vulnerability-and-Prevention
In the ever-evolving landscape of cybersecurity threats, Remote File Inclusion (RFI) stands out as a critical vulnerability that can expose web applications to severe risks. Commonly found in poorly coded PHP applications, RFI allows attackers to include and execute malicious... Read more

Understanding the OWASP 2021 Top 10 Risks

Web App Security By · May 12, 2025 · 0 Comment
Understanding-the-OWASP-2021-Top-10-Risks
Web application security is more important than ever, with data breaches and cyberattacks becoming increasingly common. The OWASP Top 10 is a globally recognized list of the most critical security risks facing modern web applications. Published by the Open Web... Read more

Information Gathering of a Website: Techniques and Tools

Web App Security By · May 12, 2025 · 2 Comments
Information-Gathering-of-a-Website-Techniques-and-Tools
Information gathering is the first and one of the most crucial steps in ethical hacking and cybersecurity assessments. Before launching any penetration test or vulnerability scan, cybersecurity professionals must collect as much data as possible about the target website. This... Read more