Click the "Intercept is on" button so it changes to "Intercept is off".
Click the "Open Browser" button.
In Burp's browser, go to
https://crAPI.samsclass.info
The crAPI login page opens, as shown below.
You see the "Vehicles Details" page, as shown below.
http://crAPId.samsclass.info:18025
Open the email to your address with a subject of "Welcome to crAPI".
Find your VIN and Pincode, as shown below.
Enter the VIN and Pincode from your email, and click "Verify Vehicle Details".
The Vehicle Details page opens, as shown below.
The Google Map updates with the location of your vehicle.
In Burp, on the HTTP History tab, find this request:
GET /identity/api/v2/vehicle/e7351296-7939-4c5b-acf0-96f65c7d12c3/location
The long number is the vehicle GUID, and yours will be different from the example above.
The location is sensitive data: you should not be allowed to learn the location of a different owner's vehicle.
Right-click this request and click "Send to Repeater".
A box pops up saying "Post Created". Click OK.
On the Response tab, scroll down and find Adam's vehicleid, as shown below.
Send the request. As shown below, the location of Adam's vehicle is returned. This is a Broken Object-Level Authorization (BOLA) vulnerability!
Flag AP 104.1: Message (10 pts)
Send the request. The flag is covered by a green rectangle in the image below.
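As an added illustration that is not crAPI's own code or part of this lab: a Python sketch of the location lookup with and without the ownership check that the BOLA finding above is missing, plus a log check a defender could run against the vulnerable version. The vehicle table, GUIDs, e-mail addresses and log format are constructed for the example.

```python
import uuid

# Constructed stand-in for the identity service's vehicle table. The GUIDs,
# owners and coordinates are made up for this example.
VEHICLES = {
    "e7351296-7939-4c5b-acf0-96f65c7d12c3":
        {"owner": "you@example.com", "lat": 37.77, "lon": -122.42},
    "2f0c1d1e-5a6b-4c7d-8e9f-0a1b2c3d4e5f":
        {"owner": "adam@example.com", "lat": 40.71, "lon": -74.01},
}

def location_vulnerable(vehicle_id):
    """BOLA: the only thing consulted is the GUID from the URL, so any
    logged-in user who learns another owner's GUID gets that location."""
    v = VEHICLES.get(vehicle_id)
    if v is None:
        return 404, None
    return 200, {"lat": v["lat"], "lon": v["lon"]}

def location_fixed(session_user, vehicle_id):
    """Hardened: the lookup is scoped to the authenticated user's own vehicles.
    Someone else's GUID gets the same 404 as a nonexistent one, so the
    response never confirms that a guessed GUID is valid."""
    try:
        uuid.UUID(vehicle_id)            # reject malformed ids before the lookup
    except ValueError:
        return 404, None
    v = VEHICLES.get(vehicle_id)
    if v is None or v["owner"] != session_user:
        return 404, None
    return 200, {"lat": v["lat"], "lon": v["lon"]}

# Constructed access-log lines: "<user> GET <path> <status>".
SAMPLE_LOG = [
    "you@example.com GET /identity/api/v2/vehicle/e7351296-7939-4c5b-acf0-96f65c7d12c3/location 200",
    "you@example.com GET /identity/api/v2/vehicle/2f0c1d1e-5a6b-4c7d-8e9f-0a1b2c3d4e5f/location 200",
    "adam@example.com GET /identity/api/v2/vehicle/2f0c1d1e-5a6b-4c7d-8e9f-0a1b2c3d4e5f/location 200",
]

def users_reading_others_vehicles(log_lines):
    """Detection for the vulnerable version: users whose session fetched the
    location of a vehicle GUID that the ownership table says is not theirs."""
    flagged = set()
    for line in log_lines:
        user, _, path, _ = line.split()
        guid = path.split("/")[5]        # /identity/api/v2/vehicle/<guid>/location
        v = VEHICLES.get(guid)
        if v is not None and v["owner"] != user:
            flagged.add(user)
    return flagged
```

The detection only works when the ownership table is available to whoever reads the logs; in production the equivalent is a join between the access log and the vehicle table, or simply the 404 counts that the fixed handler produces.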