Hidden API Functionality Exposure

Introduction

Details

The swagger UI documentation of dvws-node can be seen by going to http://dvws.local/api-docs/#/

hiddenapiexp

Multiple API calls can be found by parsing this swagger endpoint which cannot be found by simply browsing the application. One example of such API call is the /api/v2/passphrase HTTP request and the dvwsuserservice XML endpoint which is found in the admin area.

POST /api/v2/passphrase HTTP/1.1
Host: dvws.local
Content-Length: 67
Accept: application/json, text/plain, */*
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZm9vYmFyIiwicGVybWlzc2lvbnMiOlsidXNlcjpyZWFkIiwidXNlcjp3cml0ZSIsInVzZXI6YWRtaW4iXSwiaWF0IjoxNTk4MDMzODg1LCJleHAiOjE1OTgyMDY2ODUsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.-w8gEdwzWNmQOXFVRHkwkAT7TCBto6V5L00Mk3x31Gs
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4164.0 Safari/537.36 autochrome/red
Content-Type: application/json;charset=UTF-8
Origin: http://dvws.local
Referer: http://dvws.local/passphrasegen.html
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

{"passphrase":"534c495e744d35387e675936653b762d","reminder":"test"}

Solutions

FAQ

Questions

Hidden API Functionality Exposure

Introduction

Details

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Solutions

FAQ

Clone this wiki locally