{ "info": { "_postman_id": "c9f08297-a5f2-44f7-8562-4cd2acf601bf", "name": "Vulnurable Shop API", "description": "API for the Vulnerable Shop Application", "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json", "_exporter_id": "17005336" }, "item": [ { "name": "Warm-up", "item": [ { "name": "Authenticate and Fetch a valid Access Token", "request": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "password", "value": "password1", "description": "Type your password" }, { "key": "username", "value": "user1", "description": "Type your username" } ] }, "url": { "raw": "{{baseUrl}}/authenticate?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "authenticate" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "password", "value": "password1", "description": "Type your password" }, { "key": "username", "value": "user1", "description": "Type your username" } ] }, "url": { "raw": "{{baseUrl}}/authenticate?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "authenticate" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "password", "value": "password1", "description": "Type your password" }, { "key": "username", "value": "user1", "description": "Type your username" } ] }, "url": { "raw": "{{baseUrl}}/authenticate?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "authenticate" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get products of the shop by its ID", "request": { "method": "GET", "header": [], "url": { "raw": "{{baseUrl}}/shops/:shop_id/products?verifier=1&loglevel=info", "host": [ "{{baseUrl}}" ], "path": [ "shops", ":shop_id", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." }, { "key": "loglevel", "value": "info" } ], "variable": [ { "key": "shop_id", "value": "string", "description": "Specify Shop ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/shops/:shop_id/products?verifier=1&loglevel=info", "host": [ "{{baseUrl}}" ], "path": [ "shops", ":shop_id", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." }, { "key": "loglevel", "value": "info" } ], "variable": [ { "key": "shop_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/shops/:shop_id/products?verifier=1&loglevel=info", "host": [ "{{baseUrl}}" ], "path": [ "shops", ":shop_id", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." }, { "key": "loglevel", "value": "info" } ], "variable": [ { "key": "shop_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get shops by Id", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/shops/:shop_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "shops", ":shop_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "shop_id", "value": "string", "description": "Specify Shop ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/shops/:shop_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "shops", ":shop_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "shop_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"id\": \"string\",\n \"name\": \"string\",\n \"owner_id\": \"string\",\n \"sales\": 3479.8808531580903,\n \"profit\": 7125.639425838371,\n \"discount_codes\": \"string\",\n \"discount_dates\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/shops/:shop_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "shops", ":shop_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "shop_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get information for all shops", "request": { "method": "GET", "header": [], "url": { "raw": "{{baseUrl}}/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get all products managed by the user based on *access_token*", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/users/products?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/products?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"accessToken\": \"string\",\n \"id\": \"string\",\n \"password\": \"string\",\n \"role\": \"ceo\",\n \"address\": \"string\",\n \"phone\": \"string\",\n \"name\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/products?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get all shops managed by the user based on *access_token*", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/users/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"accessToken\": \"string\",\n \"id\": \"string\",\n \"password\": \"string\",\n \"role\": \"ceo\",\n \"address\": \"string\",\n \"phone\": \"string\",\n \"name\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get the user information based on *access_token*", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"accessToken\": \"string\",\n \"id\": \"string\",\n \"password\": \"string\",\n \"role\": \"ceo\",\n \"address\": \"string\",\n \"phone\": \"string\",\n \"name\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] } ], "description": "Endpoints Relevant for Warm-up Level." }, { "name": "BOPLA", "item": [ { "name": "Authenticate and Fetch a valid Access Token", "request": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "password", "value": "password1", "description": "Type your password" }, { "key": "username", "value": "user1", "description": "Type your username" } ] }, "url": { "raw": "{{baseUrl}}/authenticate?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "authenticate" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "password", "value": "password1", "description": "Type your password" }, { "key": "username", "value": "user1", "description": "Type your username" } ] }, "url": { "raw": "{{baseUrl}}/authenticate?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "authenticate" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "password", "value": "password1", "description": "Type your password" }, { "key": "username", "value": "user1", "description": "Type your username" } ] }, "url": { "raw": "{{baseUrl}}/authenticate?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "authenticate" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Buy a product via the Id", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "amount", "value": "5363", "description": "Specify Amount" }, { "key": "price", "value": "4263.154675769987", "description": "Specify Price" }, { "key": "shop_id", "value": "string", "description": "Specify Shop ID" }, { "key": "user_id", "value": "string", "description": "Specify User ID" } ] }, "url": { "raw": "{{baseUrl}}/buy/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "buy", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id", "value": "string", "description": "Specify Product ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "amount", "value": "5363", "description": "Specify Amount" }, { "key": "price", "value": "4263.154675769987", "description": "Specify Price" }, { "key": "shop_id", "value": "string", "description": "Specify Shop ID" }, { "key": "user_id", "value": "string", "description": "Specify User ID" } ] }, "url": { "raw": "{{baseUrl}}/buy/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "buy", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "amount", "value": "5363", "description": "Specify Amount" }, { "key": "price", "value": "4263.154675769987", "description": "Specify Price" }, { "key": "shop_id", "value": "string", "description": "Specify Shop ID" }, { "key": "user_id", "value": "string", "description": "Specify User ID" } ] }, "url": { "raw": "{{baseUrl}}/buy/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "buy", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get the user information based on *access_token*", "request": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id", "value": "string", "description": "Specify Product ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"id\": \"string\",\n \"name\": \"string\",\n \"shop_id\": \"string\",\n \"description\": \"string\",\n \"price\": 4350.176815151816,\n \"amount\": 3914,\n \"sold\": 1837,\n \"picture\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get products of the shop by its ID", "request": { "method": "GET", "header": [], "url": { "raw": "{{baseUrl}}/shops/:shop_id/products?verifier=1&loglevel=info", "host": [ "{{baseUrl}}" ], "path": [ "shops", ":shop_id", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." }, { "key": "loglevel", "value": "info" } ], "variable": [ { "key": "shop_id", "value": "string", "description": "Specify Shop ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/shops/:shop_id/products?verifier=1&loglevel=info", "host": [ "{{baseUrl}}" ], "path": [ "shops", ":shop_id", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." }, { "key": "loglevel", "value": "info" } ], "variable": [ { "key": "shop_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/shops/:shop_id/products?verifier=1&loglevel=info", "host": [ "{{baseUrl}}" ], "path": [ "shops", ":shop_id", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." }, { "key": "loglevel", "value": "info" } ], "variable": [ { "key": "shop_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get shops by Id", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/shops/:shop_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "shops", ":shop_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "shop_id", "value": "string", "description": "Specify Shop ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/shops/:shop_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "shops", ":shop_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "shop_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"id\": \"string\",\n \"name\": \"string\",\n \"owner_id\": \"string\",\n \"sales\": 3479.8808531580903,\n \"profit\": 7125.639425838371,\n \"discount_codes\": \"string\",\n \"discount_dates\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/shops/:shop_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "shops", ":shop_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "shop_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get information for all shops", "request": { "method": "GET", "header": [], "url": { "raw": "{{baseUrl}}/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get all products managed by the user based on *access_token*", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/users/products?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/products?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"accessToken\": \"string\",\n \"id\": \"string\",\n \"password\": \"string\",\n \"role\": \"ceo\",\n \"address\": \"string\",\n \"phone\": \"string\",\n \"name\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/products?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get all shops managed by the user based on *access_token*", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/users/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"accessToken\": \"string\",\n \"id\": \"string\",\n \"password\": \"string\",\n \"role\": \"ceo\",\n \"address\": \"string\",\n \"phone\": \"string\",\n \"name\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get userinfo by the Id", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/users/:user_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", ":user_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "user_id", "value": "string", "description": "Specify User ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/:user_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", ":user_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "user_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"accessToken\": \"string\",\n \"id\": \"string\",\n \"password\": \"string\",\n \"role\": \"ceo\",\n \"address\": \"string\",\n \"phone\": \"string\",\n \"name\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/:user_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", ":user_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "user_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get the user information based on *access_token*", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"accessToken\": \"string\",\n \"id\": \"string\",\n \"password\": \"string\",\n \"role\": \"ceo\",\n \"address\": \"string\",\n \"phone\": \"string\",\n \"name\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Admins' Area: Update existing user information", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "PATCH", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "id", "value": "string" }, { "key": "name", "value": "string" }, { "key": "password", "value": "string" }, { "key": "role", "value": "string" }, { "key": "address", "value": "string" }, { "key": "phone", "value": "string" } ] }, "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "PATCH", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "id", "value": "string" }, { "key": "name", "value": "string" }, { "key": "password", "value": "string" }, { "key": "role", "value": "string" }, { "key": "address", "value": "string" }, { "key": "phone", "value": "string" } ] }, "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "PATCH", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "id", "value": "string" }, { "key": "name", "value": "string" }, { "key": "password", "value": "string" }, { "key": "role", "value": "string" }, { "key": "address", "value": "string" }, { "key": "phone", "value": "string" } ] }, "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] } ], "description": "Endpoints Relevant for Broken Property Level Authorization. Use `verifier=bopla-{num}`." }, { "name": "SSRF", "item": [ { "name": "Authenticate and Fetch a valid Access Token", "request": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "password", "value": "password1", "description": "Type your password" }, { "key": "username", "value": "user1", "description": "Type your username" } ] }, "url": { "raw": "{{baseUrl}}/authenticate?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "authenticate" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "password", "value": "password1", "description": "Type your password" }, { "key": "username", "value": "user1", "description": "Type your username" } ] }, "url": { "raw": "{{baseUrl}}/authenticate?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "authenticate" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "password", "value": "password1", "description": "Type your password" }, { "key": "username", "value": "user1", "description": "Type your username" } ] }, "url": { "raw": "{{baseUrl}}/authenticate?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "authenticate" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get the user information based on *access_token*", "request": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id", "value": "string", "description": "Specify Product ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"id\": \"string\",\n \"name\": \"string\",\n \"shop_id\": \"string\",\n \"description\": \"string\",\n \"price\": 4350.176815151816,\n \"amount\": 3914,\n \"sold\": 1837,\n \"picture\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Sellers' Area: Update the information based on product_id", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "PATCH", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "amount", "value": "54", "description": "Specify Product Amout" }, { "key": "description", "value": "string", "description": "Specify Product Description" }, { "key": "name", "value": "string", "description": "Specify Product Name" }, { "key": "picture", "value": "string", "description": "Specify Product Picture URL" }, { "key": "price", "value": "208.22608567059308", "description": "Specify Product Price" }, { "key": "product_id", "value": "string", "description": "Specify Product ID" }, { "key": "shop_id", "value": "string", "description": "Specify Product Shop ID" }, { "key": "sold", "value": "515", "description": "Specify Product Sold" } ] }, "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id", "value": "string", "description": "Specify Product ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "PATCH", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "amount", "value": "54", "description": "Specify Product Amout" }, { "key": "description", "value": "string", "description": "Specify Product Description" }, { "key": "name", "value": "string", "description": "Specify Product Name" }, { "key": "picture", "value": "string", "description": "Specify Product Picture URL" }, { "key": "price", "value": "208.22608567059308", "description": "Specify Product Price" }, { "key": "product_id", "value": "string", "description": "Specify Product ID" }, { "key": "shop_id", "value": "string", "description": "Specify Product Shop ID" }, { "key": "sold", "value": "515", "description": "Specify Product Sold" } ] }, "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "PATCH", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "amount", "value": "54", "description": "Specify Product Amout" }, { "key": "description", "value": "string", "description": "Specify Product Description" }, { "key": "name", "value": "string", "description": "Specify Product Name" }, { "key": "picture", "value": "string", "description": "Specify Product Picture URL" }, { "key": "price", "value": "208.22608567059308", "description": "Specify Product Price" }, { "key": "product_id", "value": "string", "description": "Specify Product ID" }, { "key": "shop_id", "value": "string", "description": "Specify Product Shop ID" }, { "key": "sold", "value": "515", "description": "Specify Product Sold" } ] }, "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get all products managed by the user based on *access_token*", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/users/products?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/products?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"accessToken\": \"string\",\n \"id\": \"string\",\n \"password\": \"string\",\n \"role\": \"ceo\",\n \"address\": \"string\",\n \"phone\": \"string\",\n \"name\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/products?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get all shops managed by the user based on *access_token*", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/users/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"accessToken\": \"string\",\n \"id\": \"string\",\n \"password\": \"string\",\n \"role\": \"ceo\",\n \"address\": \"string\",\n \"phone\": \"string\",\n \"name\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get userinfo by the Id", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/users/:user_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", ":user_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "user_id", "value": "string", "description": "Specify User ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/:user_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", ":user_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "user_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"accessToken\": \"string\",\n \"id\": \"string\",\n \"password\": \"string\",\n \"role\": \"ceo\",\n \"address\": \"string\",\n \"phone\": \"string\",\n \"name\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/:user_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", ":user_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "user_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get the user information based on *access_token*", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"accessToken\": \"string\",\n \"id\": \"string\",\n \"password\": \"string\",\n \"role\": \"ceo\",\n \"address\": \"string\",\n \"phone\": \"string\",\n \"name\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Admins' Area: Update existing user information", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "PATCH", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "id", "value": "string" }, { "key": "name", "value": "string" }, { "key": "password", "value": "string" }, { "key": "role", "value": "string" }, { "key": "address", "value": "string" }, { "key": "phone", "value": "string" } ] }, "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "PATCH", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "id", "value": "string" }, { "key": "name", "value": "string" }, { "key": "password", "value": "string" }, { "key": "role", "value": "string" }, { "key": "address", "value": "string" }, { "key": "phone", "value": "string" } ] }, "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "PATCH", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "id", "value": "string" }, { "key": "name", "value": "string" }, { "key": "password", "value": "string" }, { "key": "role", "value": "string" }, { "key": "address", "value": "string" }, { "key": "phone", "value": "string" } ] }, "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] } ], "description": "Endpoints Relevant for Server-Side Request Forgery" }, { "name": "BFLA", "item": [ { "name": "Authenticate and Fetch a valid Access Token", "request": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "password", "value": "password1", "description": "Type your password" }, { "key": "username", "value": "user1", "description": "Type your username" } ] }, "url": { "raw": "{{baseUrl}}/authenticate?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "authenticate" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "password", "value": "password1", "description": "Type your password" }, { "key": "username", "value": "user1", "description": "Type your username" } ] }, "url": { "raw": "{{baseUrl}}/authenticate?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "authenticate" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "password", "value": "password1", "description": "Type your password" }, { "key": "username", "value": "user1", "description": "Type your username" } ] }, "url": { "raw": "{{baseUrl}}/authenticate?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "authenticate" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get the user information based on *access_token*", "request": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id", "value": "string", "description": "Specify Product ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"id\": \"string\",\n \"name\": \"string\",\n \"shop_id\": \"string\",\n \"description\": \"string\",\n \"price\": 4350.176815151816,\n \"amount\": 3914,\n \"sold\": 1837,\n \"picture\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Sellers' Area: Update the information based on product_id", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "POST", "header": [ { "key": "Content-Type", "value": "*/*" } ], "body": { "mode": "raw", "raw": "{\n \"amount\": 54,\n \"description\": \"string\",\n \"name\": \"string\",\n \"picture\": \"string\",\n \"price\": 208.22608567059308,\n \"product_id\": \"string\",\n \"shop_id\": \"string\",\n \"sold\": 515\n}" }, "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id", "value": "string", "description": "Specify Product ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "POST", "header": [ { "key": "Content-Type", "value": "*/*" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "raw", "raw": "{\n \"amount\": 54,\n \"description\": \"string\",\n \"name\": \"string\",\n \"picture\": \"string\",\n \"price\": 208.22608567059308,\n \"product_id\": \"string\",\n \"shop_id\": \"string\",\n \"sold\": 515\n}" }, "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "POST", "header": [ { "key": "Content-Type", "value": "*/*" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "raw", "raw": "{\n \"amount\": 54,\n \"description\": \"string\",\n \"name\": \"string\",\n \"picture\": \"string\",\n \"price\": 208.22608567059308,\n \"product_id\": \"string\",\n \"shop_id\": \"string\",\n \"sold\": 515\n}" }, "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Sellers' Area: Delete specified product", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "DELETE", "header": [], "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id", "value": "string", "description": "Specify Product ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "DELETE", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "DELETE", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Sellers' Area: Update the information based on product_id", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "PATCH", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "amount", "value": "54", "description": "Specify Product Amout" }, { "key": "description", "value": "string", "description": "Specify Product Description" }, { "key": "name", "value": "string", "description": "Specify Product Name" }, { "key": "picture", "value": "string", "description": "Specify Product Picture URL" }, { "key": "price", "value": "208.22608567059308", "description": "Specify Product Price" }, { "key": "product_id", "value": "string", "description": "Specify Product ID" }, { "key": "shop_id", "value": "string", "description": "Specify Product Shop ID" }, { "key": "sold", "value": "515", "description": "Specify Product Sold" } ] }, "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id", "value": "string", "description": "Specify Product ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "PATCH", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "amount", "value": "54", "description": "Specify Product Amout" }, { "key": "description", "value": "string", "description": "Specify Product Description" }, { "key": "name", "value": "string", "description": "Specify Product Name" }, { "key": "picture", "value": "string", "description": "Specify Product Picture URL" }, { "key": "price", "value": "208.22608567059308", "description": "Specify Product Price" }, { "key": "product_id", "value": "string", "description": "Specify Product ID" }, { "key": "shop_id", "value": "string", "description": "Specify Product Shop ID" }, { "key": "sold", "value": "515", "description": "Specify Product Sold" } ] }, "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "PATCH", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "amount", "value": "54", "description": "Specify Product Amout" }, { "key": "description", "value": "string", "description": "Specify Product Description" }, { "key": "name", "value": "string", "description": "Specify Product Name" }, { "key": "picture", "value": "string", "description": "Specify Product Picture URL" }, { "key": "price", "value": "208.22608567059308", "description": "Specify Product Price" }, { "key": "product_id", "value": "string", "description": "Specify Product ID" }, { "key": "shop_id", "value": "string", "description": "Specify Product Shop ID" }, { "key": "sold", "value": "515", "description": "Specify Product Sold" } ] }, "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get products of the shop by its ID", "request": { "method": "GET", "header": [], "url": { "raw": "{{baseUrl}}/shops/:shop_id/products?verifier=1&loglevel=info", "host": [ "{{baseUrl}}" ], "path": [ "shops", ":shop_id", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." }, { "key": "loglevel", "value": "info" } ], "variable": [ { "key": "shop_id", "value": "string", "description": "Specify Shop ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/shops/:shop_id/products?verifier=1&loglevel=info", "host": [ "{{baseUrl}}" ], "path": [ "shops", ":shop_id", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." }, { "key": "loglevel", "value": "info" } ], "variable": [ { "key": "shop_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/shops/:shop_id/products?verifier=1&loglevel=info", "host": [ "{{baseUrl}}" ], "path": [ "shops", ":shop_id", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." }, { "key": "loglevel", "value": "info" } ], "variable": [ { "key": "shop_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get shops by Id", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/shops/:shop_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "shops", ":shop_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "shop_id", "value": "string", "description": "Specify Shop ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/shops/:shop_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "shops", ":shop_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "shop_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"id\": \"string\",\n \"name\": \"string\",\n \"owner_id\": \"string\",\n \"sales\": 3479.8808531580903,\n \"profit\": 7125.639425838371,\n \"discount_codes\": \"string\",\n \"discount_dates\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/shops/:shop_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "shops", ":shop_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "shop_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get information for all shops", "request": { "method": "GET", "header": [], "url": { "raw": "{{baseUrl}}/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get all products managed by the user based on *access_token*", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/users/products?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/products?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"accessToken\": \"string\",\n \"id\": \"string\",\n \"password\": \"string\",\n \"role\": \"ceo\",\n \"address\": \"string\",\n \"phone\": \"string\",\n \"name\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/products?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "products" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get all shops managed by the user based on *access_token*", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/users/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"accessToken\": \"string\",\n \"id\": \"string\",\n \"password\": \"string\",\n \"role\": \"ceo\",\n \"address\": \"string\",\n \"phone\": \"string\",\n \"name\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/shops?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", "shops" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get userinfo by the Id", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/users/:user_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", ":user_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "user_id", "value": "string", "description": "Specify User ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/:user_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", ":user_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "user_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"accessToken\": \"string\",\n \"id\": \"string\",\n \"password\": \"string\",\n \"role\": \"ceo\",\n \"address\": \"string\",\n \"phone\": \"string\",\n \"name\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users/:user_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users", ":user_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "user_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Get the user information based on *access_token*", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"accessToken\": \"string\",\n \"id\": \"string\",\n \"password\": \"string\",\n \"role\": \"ceo\",\n \"address\": \"string\",\n \"phone\": \"string\",\n \"name\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Admins' Area: Update existing user information", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "PATCH", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "id", "value": "string" }, { "key": "name", "value": "string" }, { "key": "password", "value": "string" }, { "key": "role", "value": "string" }, { "key": "address", "value": "string" }, { "key": "phone", "value": "string" } ] }, "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "PATCH", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "id", "value": "string" }, { "key": "name", "value": "string" }, { "key": "password", "value": "string" }, { "key": "role", "value": "string" }, { "key": "address", "value": "string" }, { "key": "phone", "value": "string" } ] }, "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "PATCH", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "id", "value": "string" }, { "key": "name", "value": "string" }, { "key": "password", "value": "string" }, { "key": "role", "value": "string" }, { "key": "address", "value": "string" }, { "key": "phone", "value": "string" } ] }, "url": { "raw": "{{baseUrl}}/users?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "users" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] } ], "description": "Endpoints Relevant for Broken Function Level Authorization. Use `verifier=bfla-{num}`." }, { "name": "Unsafe API", "item": [ { "name": "Authenticate and Fetch a valid Access Token", "request": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "password", "value": "password1", "description": "Type your password" }, { "key": "username", "value": "user1", "description": "Type your username" } ] }, "url": { "raw": "{{baseUrl}}/authenticate?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "authenticate" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "password", "value": "password1", "description": "Type your password" }, { "key": "username", "value": "user1", "description": "Type your username" } ] }, "url": { "raw": "{{baseUrl}}/authenticate?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "authenticate" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "password", "value": "password1", "description": "Type your password" }, { "key": "username", "value": "user1", "description": "Type your username" } ] }, "url": { "raw": "{{baseUrl}}/authenticate?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "authenticate" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] } ], "description": "Endpoints Relevant for Unsafe API Vulnerabilities" }, { "name": "BOLA", "item": [ { "name": "Get the user information based on *access_token*", "request": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" } ], "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id", "value": "string", "description": "Specify Product ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "GET", "header": [ { "key": "Accept", "value": "application/json" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "json", "header": [ { "key": "Content-Type", "value": "application/json" } ], "cookie": [], "body": "{\n \"id\": \"string\",\n \"name\": \"string\",\n \"shop_id\": \"string\",\n \"description\": \"string\",\n \"price\": 4350.176815151816,\n \"amount\": 3914,\n \"sold\": 1837,\n \"picture\": \"string\"\n}" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "GET", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Sellers' Area: Update the information based on product_id", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "POST", "header": [ { "key": "Content-Type", "value": "*/*" } ], "body": { "mode": "raw", "raw": "{\n \"amount\": 54,\n \"description\": \"string\",\n \"name\": \"string\",\n \"picture\": \"string\",\n \"price\": 208.22608567059308,\n \"product_id\": \"string\",\n \"shop_id\": \"string\",\n \"sold\": 515\n}" }, "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id", "value": "string", "description": "Specify Product ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "POST", "header": [ { "key": "Content-Type", "value": "*/*" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "raw", "raw": "{\n \"amount\": 54,\n \"description\": \"string\",\n \"name\": \"string\",\n \"picture\": \"string\",\n \"price\": 208.22608567059308,\n \"product_id\": \"string\",\n \"shop_id\": \"string\",\n \"sold\": 515\n}" }, "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "POST", "header": [ { "key": "Content-Type", "value": "*/*" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "raw", "raw": "{\n \"amount\": 54,\n \"description\": \"string\",\n \"name\": \"string\",\n \"picture\": \"string\",\n \"price\": 208.22608567059308,\n \"product_id\": \"string\",\n \"shop_id\": \"string\",\n \"sold\": 515\n}" }, "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Sellers' Area: Delete specified product", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "DELETE", "header": [], "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id", "value": "string", "description": "Specify Product ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "DELETE", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "DELETE", "header": [ { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] }, { "name": "Sellers' Area: Update the information based on product_id", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "method": "PATCH", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "amount", "value": "54", "description": "Specify Product Amout" }, { "key": "description", "value": "string", "description": "Specify Product Description" }, { "key": "name", "value": "string", "description": "Specify Product Name" }, { "key": "picture", "value": "string", "description": "Specify Product Picture URL" }, { "key": "price", "value": "208.22608567059308", "description": "Specify Product Price" }, { "key": "product_id", "value": "string", "description": "Specify Product ID" }, { "key": "shop_id", "value": "string", "description": "Specify Product Shop ID" }, { "key": "sold", "value": "515", "description": "Specify Product Sold" } ] }, "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id", "value": "string", "description": "Specify Product ID" } ] } }, "response": [ { "name": "The Request could be processed.", "originalRequest": { "method": "PATCH", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "amount", "value": "54", "description": "Specify Product Amout" }, { "key": "description", "value": "string", "description": "Specify Product Description" }, { "key": "name", "value": "string", "description": "Specify Product Name" }, { "key": "picture", "value": "string", "description": "Specify Product Picture URL" }, { "key": "price", "value": "208.22608567059308", "description": "Specify Product Price" }, { "key": "product_id", "value": "string", "description": "Specify Product ID" }, { "key": "shop_id", "value": "string", "description": "Specify Product Shop ID" }, { "key": "sold", "value": "515", "description": "Specify Product Sold" } ] }, "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "OK", "code": 200, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" }, { "name": "Exception occured. Operation not allowed.", "originalRequest": { "method": "PATCH", "header": [ { "key": "Content-Type", "value": "application/x-www-form-urlencoded" }, { "key": "Authorization", "value": "Bearer ", "description": "Added as a part of security scheme: bearer" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "amount", "value": "54", "description": "Specify Product Amout" }, { "key": "description", "value": "string", "description": "Specify Product Description" }, { "key": "name", "value": "string", "description": "Specify Product Name" }, { "key": "picture", "value": "string", "description": "Specify Product Picture URL" }, { "key": "price", "value": "208.22608567059308", "description": "Specify Product Price" }, { "key": "product_id", "value": "string", "description": "Specify Product ID" }, { "key": "shop_id", "value": "string", "description": "Specify Product Shop ID" }, { "key": "sold", "value": "515", "description": "Specify Product Sold" } ] }, "url": { "raw": "{{baseUrl}}/products/:product_id?verifier=1", "host": [ "{{baseUrl}}" ], "path": [ "products", ":product_id" ], "query": [ { "key": "verifier", "value": "1", "description": "Verifier controlling the verification logic of the vulnerable service." } ], "variable": [ { "key": "product_id" } ] } }, "status": "Unauthorized", "code": 401, "_postman_previewlanguage": "text", "header": [], "cookie": [], "body": "" } ] } ], "description": "Endpoints Relevant for Broken Object Level Authorization. Use `verifier=bola-{num}`." }, { "name": "tokens Revoke Post", "request": { "method": "GET", "header": [], "url": { "raw": "{{baseUrl}}/reset", "host": [ "{{baseUrl}}" ], "path": [ "reset" ] } }, "response": [] } ], "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{bearerToken}}", "type": "string" } ] }, "event": [ { "listen": "prerequest", "script": { "type": "text/javascript", "packages": {}, "requests": {}, "exec": [ "" ] } }, { "listen": "test", "script": { "type": "text/javascript", "packages": {}, "requests": {}, "exec": [ "" ] } } ], "variable": [ { "key": "baseUrl", "value": "https://rest.e-hacking.de/rest-api-sec/vuln_shop" } ] }