API 10

This exercise covers a common filter bypass in API.

PRO
Tier
Medium
< 1 Hr.
144
API Badge

Course


In this challenge, the objective is to register an account that the application will interpret as an administrator account. The application checks for an email domain of @libcurl.so to identify administrators but blocks direct registration with such an email. To bypass this, you need to find a way to create an email that the application will accept during registration and later recognize as an administrative email.

During the registration process, the application has a filter that prevents emails ending with @libcurl.so. However, the application also checks for administrative privileges using a slightly different method. By manipulating the email address to include another domain and an extra "@" symbol, you can trick the application into treating it as an administrative email after registration. This involves a common mistake where initial filters are not consistently applied throughout the application's logic.

Want to learn more? Get started with PentesterLab Pro! GO PRO