Low-level logic flaw

Description

This lab doesn’t adequately validate user input. You can exploit a logic flaw in its purchasing workflow to buy items for an unintended price.

Reproduction and proof of concept

  1. With Burp running, log in with wiener:peter and attempt to buy the leather jacket. The order is rejected because you don’t have enough store credit. In the proxy history, study the order process. Send the POST /cart request to Burp Repeater.

  2. In Burp Repeater, notice that you can only add a 2-digit quantity with each request. Send the request to Burp Intruder.

Business logic

  1. Go to Burp Intruder. On the Positions tab, clear all the default payload positions and set the quantity parameter to 99.

Business logic

  1. On the Payloads tab, select the payload type Null payloads. Under Payload options, select Continue indefinitely. Start the attack.

Business logic

  1. While the attack is running, go to your cart. Keep refreshing the page every so often and monitor the total price. Eventually, notice that the price suddenly switches to a large negative integer and starts counting up towards 0. The price has exceeded the maximum value permitted for an integer in the back-end programming language (2,147,483,647), because the integer is stored as a 32 bit value in memory. As a result, the value has looped back around to the minimum possible value (-2,147,483,648).

  2. Clear your cart. In the next few steps, we’ll try to add enough units so that the price loops back around and settles between \(0 and the \)100 of your remaining store credit. This is not mathematically possible using only the leather jacket.

  3. Create the same Intruder attack again, but this time, under Payloads -> Payload Options, choose to generate exactly 323 payloads.

Business logic

  1. Go to the Resource pool tab and add the attack to a resource pool with the Maximum concurrent requests set to 1. Start the attack.

Business logic

  1. When the Intruder attack finishes, go to the POST /cart request in Burp Repeater and send a single request for 47 jackets. The total price of the order should now be -$1221.96.

  2. Use Burp Repeater to add a suitable quantity of another item to your cart so that the total falls between \(0 and \)100.

  3. Place the order to solve the lab.

Business logic

Exploitability

An attacker will need to log in and buy a “Lightweight l33t leather jacket” for a price way less than intended.