High-level logic vulnerability

Description

This lab doesn’t adequately validate user input. You can exploit a logic flaw in its purchasing workflow to buy items for an unintended price.

Reproduction and proof of concept

  1. With Burp running, log in with wiener:peter and add a cheap item to your cart.

  2. In Burp, go to Proxy -> HTTP history and study the corresponding HTTP messages. Notice that the quantity is determined by a parameter in the POST /cart request.

  3. Go to the Intercept tab and turn on interception. Add another item to your cart and go to the intercepted POST /cart request in Burp.

  4. Change the quantity parameter to an arbitrary integer, then forward any remaining requests. Observe that the quantity in the cart was successfully updated based on your input.

  5. Repeat this process, but request a negative quantity this time. Check that this is successfully deducted from the cart quantity.

  6. Request a suitable negative quantity to remove more units from the cart than it currently contains. Confirm that you have successfully forced the cart to contain a negative quantity of the product. Go to your cart and notice that the total price is now also a negative amount.

  7. Add the leather jacket to your cart as normal. Add a suitable negative quantity of the another item to reduce the total price to less than your remaining store credit.

  8. Place the order to solve the lab.

Business logic

Exploitability

An attacker will need to log in and buy a “Lightweight l33t leather jacket” for a price way less than intended.