# API Fuzzing

Android Emulator.

The **HeyDoc** app's backend exposes certain endpoints that were intended to be called only by internal systems, but there are no access controls or IP restrictions in place. The developers assumed that no one would discover these obscure endpoints without documentation.

**Objective:** Your task is to perform parameter type fuzzing to uncover the HeyDoc app's hidden API functions.

The valid credentials for **HeyDoc** app are as follows:

* **Username:** alice
* **Password:** Bazinga\@12345#

The following wordlist will be useful:

* /home/student/Desktop/Wordlists/parameter-names.txt

***

First, log in to the app with the credentials given above:

<figure><img src="/files/Kc8PTsPAjM7sY4It2pLZ" alt=""><figcaption></figcaption></figure>

Now, point the emulator at Burp: find the host IP from the command line and set it as the emulator's global HTTP proxy (Burp's listener is on port 8080):

```
## Show the host machine's IP address
hostname -I
## Route the emulator's HTTP traffic through Burp on the host
adb shell settings put global http_proxy <host-ip>:8080
## Remove the proxy setting again when the lab is finished
adb shell settings put global http_proxy :0
```

<figure><img src="/files/q9OrPnAhwnw4et7n6m95" alt=""><figcaption></figcaption></figure>

In the basic functionality of the APK, we can book an appointment with a doctor by selecting one of the available time slots:

<figure><img src="/files/2wWdehBN9EI1KcbC9COv" alt=""><figcaption></figcaption></figure>

In Burp Suite we can see that all of these requests go to `/api/v1/appointments`. What happens if we run ffuf against this directory with the parameter-names wordlist?

<figure><img src="/files/8sF3LRHx5z5AddWNKvXq" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/KKaRcxTNJ8eHgCGBCrzd" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/xC3IJSo8uQ5yZHcpBP6r" alt=""><figcaption></figcaption></figure>

We can notice that two requests returned a **405** Method Not Allowed status code. They are:

* **/api/v1/appointments/override**
* **/api/v1/appointments/free\_all**

We have found valid parameters: `override` and `free_all`. The 405 error indicates that the expected HTTP method is not GET, but something else.
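The ffuf run above leaves a recognisable trace on the server side. As an added example (not part of the lab or the HeyDoc backend), here is a small detector over constructed access log lines: it flags a client whose requests under `/api/v1/appointments/` are mostly 404s and lists that client's non-404 hits, which are exactly the guessed names that exist (a 405 meaning "exists, but expects another method"):

```python
import re
from collections import defaultdict

# Constructed sample access log (not taken from the lab). 10.0.0.9 mimics what
# an ffuf run over /api/v1/appointments/<word> leaves behind on the backend.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /api/v1/appointments/mine HTTP/1.1" 200 312
10.0.0.9 - - [12/Mar/2024:10:00:02 +0000] "GET /api/v1/appointments/admin HTTP/1.1" 404 52
10.0.0.9 - - [12/Mar/2024:10:00:02 +0000] "GET /api/v1/appointments/debug HTTP/1.1" 404 52
10.0.0.9 - - [12/Mar/2024:10:00:02 +0000] "GET /api/v1/appointments/override HTTP/1.1" 405 60
10.0.0.9 - - [12/Mar/2024:10:00:03 +0000] "GET /api/v1/appointments/test HTTP/1.1" 404 52
10.0.0.9 - - [12/Mar/2024:10:00:03 +0000] "GET /api/v1/appointments/free_all HTTP/1.1" 405 60
10.0.0.9 - - [12/Mar/2024:10:00:03 +0000] "GET /api/v1/appointments/backup HTTP/1.1" 404 52
10.0.0.5 - - [12/Mar/2024:10:00:04 +0000] "POST /api/v1/appointments/book HTTP/1.1" 200 98
"""

# Common log format: the client IP, method, path and status are all we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)
PREFIX = "/api/v1/appointments/"

def parse(log_text):
    """Yield (ip, method, path, status) for every parsable line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"], int(m["status"])

def find_fuzzers(log_text, min_requests=5, min_404_ratio=0.5):
    """Flag clients whose traffic under PREFIX is mostly 404s (guessed names
    that do not exist) and keep their non-404 hits: the names that do exist.
    Thresholds are tunable; the defaults suit a short lab log."""
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "discovered": []})
    for ip, method, path, status in parse(log_text):
        if not path.startswith(PREFIX):
            continue
        rec = per_ip[ip]
        rec["requests"] += 1
        if status == 404:
            rec["not_found"] += 1
        else:
            rec["discovered"].append((method, path, status))
    return {
        ip: rec for ip, rec in per_ip.items()
        if rec["requests"] >= min_requests
        and rec["not_found"] / rec["requests"] >= min_404_ratio
    }
```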

<figure><img src="/files/p6czJ8Xm4OtFv5A8ayXl" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/NCQkVnulGskjdSFLg9xV" alt=""><figcaption></figcaption></figure>

After changing the request method, we get a different error, which means the backend is expecting JSON data with this request. Since we don't know what data it requires, let's pass some dummy JSON data:

```
{
    "test": "test"
}
```

Additionally, ensure that the following header is set to specify the content type:

```
Content-Type: application/json
```

<figure><img src="/files/zyZZekkgw4g4XiHwLdmi" alt=""><figcaption></figcaption></figure>

Now, send the request again.

<figure><img src="/files/VhOkEGaokVh15L9RfPAD" alt=""><figcaption></figcaption></figure>

We are making progress. The response reveals that the expected JSON data should contain an appointment ID. From previous exploration, we know that appointments are represented by `id` values ranging from 1 to 4. Let's modify the JSON with this information and observe the response.

<figure><img src="/files/TiSbjsKzaLNKNXWbFkmI" alt=""><figcaption></figcaption></figure>

Success! It appears this hidden endpoint is used to override booked appointments. We have managed to book an appointment for user `alice` at a time slot that was previously unavailable because it was booked by another user. To confirm this, let’s hit the `/api/v1/appointments/mine` endpoint again.

<figure><img src="/files/5zfqrBp7LiwU2aItJevn" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/sw96Bd6kifmeppwSDIin" alt=""><figcaption></figcaption></figure>

Now, let's explore the next hidden endpoint: `/api/v1/appointments/free_all`. Send this request to **Repeater**.

Change the request method to **POST** and observe the response.

<figure><img src="/files/aPHAE9UKJSfmEZcmbTd0" alt=""><figcaption></figcaption></figure>

The response indicates that this endpoint is used to free up all appointments.

To confirm this, hit the `/api/v1/appointments` endpoint.

<figure><img src="/files/Ni82W8l6yq2KYIDjn64g" alt=""><figcaption></figcaption></figure>

The `is_booked` value is now `false` for all appointment time slots. The same can be observed in the app. Make sure to first exit the app and then reopen it.

<figure><img src="/files/j0Z0voHQ8eUo9BjxRHFE" alt=""><figcaption></figcaption></figure>
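The root cause stated at the top of the page is that `override` and `free_all` have no access control, so guessing the name is enough to reach them. As an added example (not the HeyDoc backend's own code), here is a framework-agnostic routing guard: the hypothetical `route_vulnerable` reproduces the lab's behaviour, while `route_hardened` requires both an internal source network and a service token (constructed values here) before those routes even exist from the caller's point of view, which also removes the 405 oracle the fuzzing relied on:

```python
import hmac
import ipaddress

# Assumed values for the example: the internal range and the service token would
# normally come from deployment configuration and a secret store.
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]
INTERNAL_TOKEN = "constructed-internal-service-token"
INTERNAL_ROUTES = {"/api/v1/appointments/override", "/api/v1/appointments/free_all"}

def route_vulnerable(path, method, client_ip, headers):
    """Lab behaviour: anyone who guesses the name reaches the handler, and the
    405 on a GET confirms to the caller that the route exists."""
    if path in INTERNAL_ROUTES:
        return 405 if method != "POST" else 200
    return 404

def is_internal_caller(client_ip, headers):
    """Both checks must pass: source address inside an internal range AND a valid
    service token. client_ip must be the socket peer address, never a
    client-supplied header such as X-Forwarded-For."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    on_internal_net = any(ip in net for net in INTERNAL_NETS)
    token = headers.get("X-Internal-Token", "")
    # Constant-time comparison so token checking does not leak by timing.
    return on_internal_net and hmac.compare_digest(token, INTERNAL_TOKEN)

def route_hardened(path, method, client_ip, headers):
    """Internal-only routes answer 404 to everyone else, exactly like a route
    that does not exist, so enumeration cannot tell the two apart."""
    if path in INTERNAL_ROUTES and not is_internal_caller(client_ip, headers):
        return 404
    if path in INTERNAL_ROUTES:
        return 405 if method != "POST" else 200
    return 404
```

Denied requests should still be logged server-side with the client address, since a burst of them is the same enumeration signal whether the response is 404 or 405.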
