
Recently I started creating a CTF challenge based on Drupal 8. I want to create a REST API parameter that will be vulnerable to SQLi. Even if this isn't something I should ask for here, I decided to do it in case anyone who knows Drupal is willing to help. I don't know Drupal much and I'm not sure about configuration.

What I'm trying to do is to configure Drupal to make API calls every time someone clicks on a user profile and this call should be exposed. When anyone opens, for example, Chrome/Firefox developer tools the API request can be seen.

Something like this:

[image]

I'm not sure how to configure such an API request in Drupal, and then later tweak it to be vulnerable, as I haven't actually dealt with Drupal config files before. I have a website mostly done and I created user accounts with accessible profiles. I also installed API modules to set up RESTful Web Services; however, at this point I'm a little lost and any guidance would be much appreciated.

Glorfindel
Com
  • Welcome Com! I understand your end goal deals with SQL injection, but the underlying question you have seems more like a software/configuration question and not a security question: "How do I configure Drupal to make an API call when someone clicks on a user profile?". You will probably have a better chance finding the answer you are looking for on StackOverflow – iraleigh May 06 '20 at 19:41
  • I didn't realize this when I commented, but there is a Stack Exchange site for [Drupal](https://drupal.stackexchange.com). Anyways, I am not a Drupal expert, but it sounds like the Drupal docs on [AJAX](https://api.drupal.org/api/drupal/core%21core.api.php/group/ajax/8.6.x) may be helpful for the use case you are trying to implement. Hope this helps. – iraleigh May 06 '20 at 21:35
  • This is certainly a step forward. Thanks! – Com May 07 '20 at 10:24

0 Answers