Insufficient workflow validation
Description
This lab makes flawed assumptions about the sequence of events in the purchasing workflow.
Reproduction
With Burp running, log in with
wiener:peter
and buy any item that you can afford with your store credit.Study the proxy history. Observe that when you place an order, the
POST /cart/checkout
request redirects you to an order confirmation page. SendGET /cart/order-confirmation?order-confirmation=true
to Burp Repeater.Add the leather jacket to your basket.
In Burp Repeater, resend the order confirmation request. Observe that the order is completed without the cost being deducted from your store credit and the lab is solved.
PoC
Exploitability
An attacker will need to log in, fiddle around in the order flow and buy a “Lightweight l33t leather jacket” for free.