API 10

This exercise covers a common filter bypass in an API.

< 1 Hr.
API Badge


In this challenge, the objective is to register an account that the application will treat as an administrator account. The application identifies administrators by the email domain @libcurl.so, but it refuses direct registration with such an address. To bypass this, you need to craft an email address that the registration filter accepts and that the application's authorization logic later classifies as administrative.

During registration, a filter rejects emails ending with @libcurl.so. The check that later grants administrative privileges, however, examines the address in a slightly different way. By adding another domain and an extra "@" symbol to the address, you can produce a value that the registration filter accepts but the privilege check still treats as a libcurl.so address. This is a common class of bug: validation applied once at input is not reproduced where the value is consumed, so two code paths end up parsing the same string differently.
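The mismatch described above, as an added example that is not the challenge's own code: the page does not say how the application implements either check, so the two functions below (a suffix test at registration, a parse on the first "@" at authorization) are an assumed model chosen to reproduce the behaviour the text describes. The hardened versions parse the address exactly once, with a single shared routine, and reject anything with more than one "@".

```python
# Added example, not PentesterLab's code. Models the inconsistent email
# checks the challenge describes; the exact logic of the real
# application is an assumption here.

ADMIN_DOMAIN = "libcurl.so"


def registration_allows(email: str) -> bool:
    """Vulnerable registration filter: only rejects a literal
    '@libcurl.so' suffix, so anything after an extra '@' slips past."""
    return not email.lower().endswith("@" + ADMIN_DOMAIN)


def is_admin_vulnerable(email: str) -> bool:
    """Vulnerable privilege check, written separately from the filter:
    takes everything after the FIRST '@' as the domain and accepts it
    if it starts with the admin domain."""
    _local, _sep, rest = email.partition("@")
    return rest.lower().startswith(ADMIN_DOMAIN)


def parse_email_strict(email: str) -> tuple[str, str]:
    """Single canonical parser used by both hardened checks.
    Accepts exactly one '@' and lowercases the domain."""
    if email.count("@") != 1:
        raise ValueError("email must contain exactly one '@'")
    local, domain = email.split("@")
    if not local or not domain:
        raise ValueError("empty local part or domain")
    return local, domain.lower()


def registration_allows_fixed(email: str) -> bool:
    """Hardened filter: reject malformed addresses and the admin domain."""
    try:
        _, domain = parse_email_strict(email)
    except ValueError:
        return False
    return domain != ADMIN_DOMAIN


def is_admin_fixed(email: str) -> bool:
    """Hardened privilege check: same parser, exact domain comparison."""
    try:
        _, domain = parse_email_strict(email)
    except ValueError:
        return False
    return domain == ADMIN_DOMAIN


def evaluate(email: str) -> dict:
    """Run one candidate address through both versions of the app and
    report whether it registers and whether it is then treated as admin."""
    return {
        "vulnerable": {
            "registered": registration_allows(email),
            "admin": registration_allows(email) and is_admin_vulnerable(email),
        },
        "fixed": {
            "registered": registration_allows_fixed(email),
            "admin": registration_allows_fixed(email) and is_admin_fixed(email),
        },
    }


if __name__ == "__main__":
    # Constructed candidates; the second one carries an extra domain
    # and "@" in the style the challenge hints at (assumed payload).
    for candidate in ("bob@example.com",
                      "bob@libcurl.so@example.com",
                      "bob@libcurl.so"):
        print(candidate, evaluate(candidate))
```

The point to take from the model is not the specific payload but the structure: the registration path and the authorization path each contain their own idea of "what is the domain of this email", and any disagreement between those two parsers is exploitable. The fix is a single parser, applied at the trust boundary, whose output is what every later check compares against.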
