💉SQL injection on a hidden API endpoint

2 min readMay 15, 2023

In this article, I’ll share how I find the SQL injection on a hidden API endpoint.

Let’s go

  1. Everything stated on this simple website only contains an account activation page.

2. I captured the HTTP request:

3. The fun part starts here. I began fuzzing the API endpoint at /digital/pgidp/v1/FUZZ using the HTTP POST method with the ffuf tool and discovered 2 hidden endpoints.

4. Next, I generated a valid HTTP POST request for the `/digital/pgidp/v1/clients` endpoint. However, upon making the request, I received an error message clearly indicating that the endpoint requires an ‘email’ parameter.

5. Next, I have corrected the HTTP request by providing the valid parameter and its corresponding value. However, in the second image, you will notice that I added a single quote (‘) at the end of the email address, resulting in another error message.

6. So, after spending a few hours, I eventually discovered that the DBMS is Azure CosmosDB. As a result, I crafted a payload that caused a 10-second time delay. The team accepted this payload as it was and awarded the bounty.

Article cradit👉👉https://twitter.com/akr3ch