Sokudo

BugForge tells me the hint on Sokudo today is BAC (broken access control).

Today's lab was a difficult one. Not really difficult, but I forgot to test something that I hadn't shizzled down in my notes.

There was an endpoint that was quite 'chatty'. The endpoint /api/stats gave back a lot of information, including the user_id.

Whenever we see something like this in a GET request, we should consider whether we can

  • Change our own data with a PUT request

  • Change somebody else's data with a PUT request.

I decided to go straight for that last one because, well, sometimes I'm impatient like that.


If you change the request body in Burp Suite, the Content-Type header stays at its default of application/x-www-form-urlencoded; make sure to change it to application/json if you're passing JSON.

I updated someone else's data, and my reward for doing that was the flag 🇧🇪
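As an added example that is not from the lab or this post: a minimal Python model of the PUT handler behind an endpoint like this, with the broken-access-control version next to one that binds the write to the session user, rejects a non-JSON body (the Burp tip above), and allowlists the writable fields. Every name and record here is constructed.

```python
import json

# Constructed sample data standing in for the user table (assumption).
USERS = {
    1: {"name": "alice", "email": "alice@example.test"},
    2: {"name": "bob", "email": "bob@example.test"},
}


def update_user_vulnerable(_session_user_id, content_type, body):
    """'Before': which row gets written is decided by user_id in the body,
    not by who is logged in. Any authenticated user can update any user."""
    if content_type != "application/json":
        return 415, {"error": "expected application/json"}
    data = json.loads(body)
    target = data["user_id"]  # attacker-controlled identifier
    USERS[target].update(data["profile"])
    return 200, USERS[target]


def update_user_fixed(session_user_id, content_type, body):
    """'After': the object being written is bound to the authenticated user."""
    if content_type != "application/json":
        return 415, {"error": "expected application/json"}
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return 400, {"error": "malformed JSON"}
    # Any user_id in the body must equal the session's user; deny rather than
    # silently rewrite it, so attempts show up as 403s in the access log.
    target = data.get("user_id", session_user_id)
    if target != session_user_id:
        return 403, {"error": "forbidden"}
    # Allowlist writable fields so extra keys (e.g. a role) are dropped.
    allowed = {"name", "email"}
    profile = data.get("profile") or {}
    USERS[target].update({k: v for k, v in profile.items() if k in allowed})
    return 200, USERS[target]
```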
