API 13

This exercise covers a complex filter bypass in an API.

PRO Tier · Hard · < 1 Hr. · 119 · API Badge


In this challenge, your task is to find a way to register an account that the application will treat as an administrator account. The code decides whether you are an administrator by checking for an email address in the @libcurl.so domain, but it also prevents you from registering with a libcurl.so address. To bypass this restriction, you will need to use a Unicode-based approach.

The video demonstrates how to exploit this vulnerability by substituting characters in the email address with Unicode look-alikes. For example, replacing the 'i' in libcurl.so with a dotless 'ı' (U+0131) can trick the application into validating the email as an administrative one: the registration blocklist does not match the raw string, while the later check normalises the address before comparing it. This lets you bypass the email validation check and gain elevated privileges inside the application.
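To show where this class of bug comes from and how to close it, here is an added Python example that is not the exercise's code: a registration blocklist that compares the raw string, next to a privilege check that case-normalises first, beside a hardened version that applies one canonical form in both places. The function names and the `canonical()` helper are my own assumptions about how such checks might be written.

```python
import unicodedata

ADMIN_DOMAIN = "libcurl.so"


def domain_of(email: str) -> str:
    """Part after the last '@', or '' when the address has none."""
    _, sep, domain = email.rpartition("@")
    return domain if sep else ""


def vulnerable_register(email: str) -> bool:
    """Blocklist applied to the raw string (hypothetical vulnerable pattern)."""
    # 'l\u0131bcurl.so' is not equal to 'libcurl.so', so it slips through.
    return domain_of(email) != ADMIN_DOMAIN


def vulnerable_is_admin(email: str) -> bool:
    """Privilege check that case-normalises before comparing."""
    # U+0131 (dotless i) upper-cases to ASCII 'I', which lower-cases to 'i',
    # so the round trip turns 'l\u0131bcurl.so' into 'libcurl.so'.
    return domain_of(email.upper().lower()) == ADMIN_DOMAIN


def canonical(email: str) -> str:
    """One canonical form shared by every check: NFKC, then case-fold."""
    return unicodedata.normalize("NFKC", email).casefold()


def hardened_register(email: str) -> bool:
    """Canonicalise first, refuse non-ASCII domains, then apply the blocklist."""
    domain = domain_of(canonical(email))
    if not domain.isascii():
        return False
    return domain != ADMIN_DOMAIN


def hardened_is_admin(email: str) -> bool:
    """Same canonical form as registration, so the two checks always agree."""
    return domain_of(canonical(email)) == ADMIN_DOMAIN


if __name__ == "__main__":
    probe = "alice@l\u0131bcurl.so"  # constructed sample address
    print(vulnerable_register(probe), vulnerable_is_admin(probe))  # True True
    print(hardened_register(probe), hardened_is_admin(probe))      # False False
```

The fix is not the `isascii()` guard alone: the important property is that both checks see the same canonical string, so any address that the privilege check would accept is also the one the registration blocklist rejects.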
