Hello, I could use some help with the new module “API Attacks”. I'm currently working on the topic “Security Misconfiguration” and the second task is called “Submit the header and its value that expose another Security Misconfiguration in the API”. I have worked on it for hours, and I still don't know what is wrong with the header:
Hi, I am struggling with the Unrestricted Resource Consumption task.
“Exploit another Unrestricted Resource Consumption vulnerability and submit the flag.” The hint says to focus on sms-otps. I do not understand the relevance of the OTPs to this topic. Can you give me some kind of a hint?
This is the last question that I am stuck on; I've finished everything else in the module. I've tried to use external URLs for uploading files to trigger CORS via the API, but I don't see anything of interest returned in the headers.
The server recognizes the request as coming from the same origin (since it’s a direct request to the URL), and as a result, it does not include any CORS headers in the response.
By adding the Origin header, you are simulating a request that looks like it is coming from a different origin (i.e., -H "Origin: *").
The server sees this request as a potential cross-origin request and responds with CORS headers and reveals the answer, which in this case indicates that it allows requests from any origin. Therefore, it is “another Security Misconfiguration in the API”.
Alternatively, instead of curl, you can do it within Firefox > Inspect.
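To make the check in the answer above repeatable, here is an added example (not code from the thread or from the module) that does what the `curl -H "Origin: ..."` probe does and then classifies the CORS headers that come back. The function names (`probe_cors`, `classify_cors`, `audit`), the probe origins and the sample responses in `__main__` are assumptions constructed for illustration; the classification covers the wildcard case from the answer plus the reflected-origin, `null`-origin and credentials cases a practitioner would also want flagged.

```python
"""Probe an API endpoint with an Origin header and classify its CORS response.

Added example, not part of the original thread. Function names, probe origins
and the sample header sets below are constructed assumptions.
"""
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urlparse

# An attacker-controlled origin and the special "null" origin that sandboxed
# iframes and file:// pages send. Both are assumptions for the probe.
PROBE_ORIGINS = ("https://attacker.example", "null")


def classify_cors(sent_origin, headers):
    """Return a list of findings for one response.

    sent_origin: the Origin value that was sent, or None for a plain request.
    headers: dict of response header name -> value (looked up case-insensitively).
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    findings = []
    if acao is None:
        # As the answer notes: with no Origin (or an origin the server does not
        # accept) there are no CORS headers at all, which is not a finding.
        return findings
    if acao == "*":
        findings.append("wildcard: any origin may read unauthenticated responses")
    elif sent_origin is not None and sent_origin != "null" and acao == sent_origin:
        findings.append("reflected origin: the server echoes arbitrary origins")
    if acao == "null":
        findings.append("null origin allowed: sandboxed iframes can read responses")
    if acac:
        if acao == "*":
            # Browsers refuse '*' together with credentials, so this is sloppy
            # but not directly exploitable for authenticated data.
            findings.append("credentials=true with wildcard (ignored by browsers)")
        else:
            findings.append("credentials=true with permissive origin: authenticated "
                            "cross-origin reads possible")
    return findings


def probe_cors(url, origin=None, timeout=10):
    """Send one GET, optionally with an Origin header, and return the response
    headers as a dict. This is the same request as `curl -H "Origin: ..."`."""
    u = urlparse(url)
    conn_cls = HTTPSConnection if u.scheme == "https" else HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    hdrs = {"Host": u.netloc, "User-Agent": "cors-probe/0.1"}
    if origin is not None:
        hdrs["Origin"] = origin
    conn.request("GET", path, headers=hdrs)
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    conn.close()
    return headers


def audit(url, origins=PROBE_ORIGINS):
    """Probe without an Origin and with each probe origin; return {origin: findings}."""
    results = {}
    for origin in (None,) + tuple(origins):
        results[origin] = classify_cors(origin, probe_cors(url, origin))
    return results


if __name__ == "__main__":
    # Constructed sample responses (no network needed) showing each verdict.
    samples = {
        "plain request, no CORS headers": (None, {"Content-Type": "application/json"}),
        "wildcard": ("https://attacker.example",
                     {"Access-Control-Allow-Origin": "*"}),
        "reflected + credentials": ("https://attacker.example",
                                    {"Access-Control-Allow-Origin": "https://attacker.example",
                                     "Access-Control-Allow-Credentials": "true"}),
        "null origin": ("null", {"Access-Control-Allow-Origin": "null"}),
    }
    for label, (origin, hdrs) in samples.items():
        print(f"{label}: {classify_cors(origin, hdrs) or ['no finding']}")
```

Against a live target, `audit("http://target/api/endpoint")` runs the same three requests the answer describes (no Origin, a foreign origin, `null`) and reports what each one unlocked; a result of `[]` for the plain request and a wildcard finding for the foreign origin is exactly the behaviour described above.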