[This lab](https://portswigger.net/web-security/api-testing/lab-exploiting-api-endpoint-using-documentation) demonstrates how **misconfigured or publicly exposed API documentation** can assist an attacker in discovering and exploiting sensitive backend functionality. These docs often reveal all available endpoints, request schemas, and sometimes even include an interactive UI that allows direct API interaction — no reverse engineering required.
In this scenario, we find **interactive API docs**, identify a sensitive function (`DELETE /api/user/{username}`), and use it to delete the victim user `carlos`.
---
## Vulnerability Overview: Exposed API Documentation
API documentation tools like **Swagger UI**, **Redoc**, or **Postman** are meant to help developers — but when exposed to unauthenticated users, they become a powerful recon tool for attackers.
Common mistakes:
- Hosting Swagger or Redoc in production without authentication
- Including sensitive or admin-only endpoints
- Providing "Try it out" features without access controls
In this lab, the documentation is exposed at `/api`, and allows issuing real authenticated API calls directly from the browser.
---
## Attack Flow
|Step|Action|
|---|---|
|Recon|Discover exposed API documentation at `/api`|
|Exploration|Use the documentation to identify sensitive functionality|
|Exploitation|Trigger the `DELETE /api/user/{username}` endpoint to delete Carlos|
---
##### Step 1: Log In and Observe API Behavior
Logged in with:
```
Username: wiener
Password: peter
```
**Changed account email** — captured in Burp as:
```
PATCH /api/user/wiener
```
Sent it to Repeater to test for additional API behavior.
---
##### Step 2: Walk Back the API Path
- Sent request to `/api/user/wiener` → worked, returned user info
- Sent request to `/api/user` → error: missing identifier
- Sent request to `/api` → returned a JSON object describing API routes
This looked like a Swagger/OpenAPI JSON specification.
---
##### Step 3: Load the API Docs in Browser
In Burp’s Repeater:
Right-click → **Show response in browser**
Copied the URL → opened it in Burp’s browser
The page displayed **interactive API documentation**, likely built on Swagger UI or Redoc.
✅ Documentation was **publicly accessible** and included live API access.
![[Pasted image 20250414142709.png]]
---
##### Step 4: Use the Documentation to Exploit the API
Found the following endpoint:
```
DELETE /api/user/{username}
```
Filled in the username as:
```
carlos
```
Clicked "Try it out" → "Execute"
✅ Carlos’s account was deleted.
**Lab solved.**
---
## Key Lessons
- **Interactive documentation** is helpful in dev but dangerous in prod.
- APIs should not expose **destructive actions** (like `DELETE /user`) to low-privileged or unauthenticated users.
- Endpoint discovery through `/api`, `/swagger`, `/openapi.json`, etc., is a common real-world recon technique.
- Security controls like **authentication**, **authorization**, and **role-based access** must be enforced at the **API layer**, not just the UI.