💉SQL injection on a hidden API endpoint
In this article, I’ll share how I found a SQL injection on a hidden API endpoint.
1. The target was a simple website that contained nothing but an account activation page.
2. I captured the HTTP request:
3. The fun part starts here. I began fuzzing the API endpoint at /digital/pgidp/v1/FUZZ using the HTTP POST method with the ffuf tool and discovered two hidden endpoints.
4. Next, I generated a valid HTTP POST request for the `/digital/pgidp/v1/clients` endpoint. However, upon making the request, I received an error message clearly indicating that the endpoint requires an ‘email’ parameter.
5. Next, I corrected the HTTP request by providing the valid parameter and its corresponding value. However, in the second image, you will notice that I added a single quote (‘) at the end of the email address, resulting in another error message.
6. So, after spending a few hours, I eventually discovered that the DBMS is Azure CosmosDB. As a result, I crafted a payload that caused a 10-second time delay. The team accepted this payload as it was and awarded the bounty.
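From the defender's side, the three behaviours in steps 3 to 6 (a burst of 404s under the API prefix while endpoints are being enumerated, a non-email value such as a trailing quote in the `email` parameter, and a response that takes ten seconds) are all visible in the application's access log. The snippet below, an added example and not code from the original post, flags them over constructed log lines; the log format (`ip method path status latency_ms body`), the thresholds and the IP addresses are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample access-log lines (hypothetical format:
# client_ip method path status latency_ms body). Not from the original post.
SAMPLE_LOGS = """\
10.0.0.5 POST /digital/pgidp/v1/aaa 404 12 -
10.0.0.5 POST /digital/pgidp/v1/bbb 404 11 -
10.0.0.5 POST /digital/pgidp/v1/ccc 404 13 -
10.0.0.5 POST /digital/pgidp/v1/ddd 404 10 -
10.0.0.5 POST /digital/pgidp/v1/eee 404 12 -
10.0.0.5 POST /digital/pgidp/v1/clients 400 15 -
10.0.0.5 POST /digital/pgidp/v1/clients 500 20 email=alice%40example.com%27
10.0.0.5 POST /digital/pgidp/v1/clients 200 10412 email=alice%40example.com
10.0.0.9 POST /digital/pgidp/v1/clients 200 35 email=bob%40example.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+) (\S+)$")
# Strict shape check: a quote or other metacharacter in the value fails it.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
API_PREFIX = "/digital/pgidp/v1/"

def analyze(log_text, enum_threshold=5, slow_ms=5000):
    """Return (client_ip, finding) tuples for: many 404s under the API prefix
    (endpoint enumeration), a malformed email parameter, and a slow response."""
    findings = []
    not_found = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, path, status, latency, body = m.groups()
        if path.startswith(API_PREFIX) and status == "404":
            not_found[ip] += 1
        if body != "-":
            # parse_qs percent-decodes, so %27 becomes a literal quote here
            for value in parse_qs(body).get("email", []):
                if not EMAIL_RE.match(value):
                    findings.append((ip, f"malformed email parameter: {value!r}"))
        if int(latency) >= slow_ms:
            findings.append((ip, f"slow response {latency} ms on {path}"))
    for ip, n in not_found.items():
        if n >= enum_threshold:
            findings.append((ip, f"{n} 404s under {API_PREFIX}: possible endpoint enumeration"))
    return findings

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOGS):
        print(ip, finding)
```

On the sample above only 10.0.0.5 is reported, once for each of the three behaviours; in a real deployment the same checks belong in the WAF or SIEM rule set, and the email check is also the input validation the endpoint itself should have performed.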