Hello friends, I hope you all are doing well. This is our fifth article on business logic vulnerabilities. We are covering the PortSwigger Web Security Academy labs, and today we will solve the “Flawed Enforcement of Business Rules” lab.
Lab description for Flawed Enforcement of Business Rules
This lab focuses on a business logic flaw. To solve the lab, we need to exploit the flaw by purchasing the “Lightweight l33t leather jacket” product.
Lab credentials: username=wiener, password=peter.
The flaw in this lab is exploited through coupon codes. We are given two coupon codes: one is shown after logging in, the other after signing up for the newsletter.
First, we need to access the lab. After accessing it, we log in using the provided credentials. Upon login, we are given $100 credit.
Right after logging in, you are shown the first coupon code, “NEWCUST5”.
We also find a sign-up button.
In the sign-up form, I entered a random email (email@example.com) and received the second coupon code, “SIGNUP30”. Now we have two coupon codes. Let’s go shopping.
At the beginning of the lab, we were informed that we would purchase the “Lightweight l33t Leather Jacket” product.
I added the product to the cart and applied the two coupon codes, “NEWCUST5” and “SIGNUP30”.
First, I entered the first coupon code, then the second one, which reduced the price twice. The site only rejects a code that is identical to the one entered immediately before it, so alternating between the two codes gets past that check. I repeated the same two-step process four times in total.
As you can see, by alternating the same two coupon codes four times, I brought the product price down to $0. Reaching $0 is not actually necessary: since you have only $100 of store credit, you just need to get the price below $100 to complete the purchase.
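To show why alternating the codes works and what a correct check looks like, here is an added model of the cart logic (not the lab's own code). It assumes, as the walkthrough suggests, that the flawed server compares a new coupon only against the one applied immediately before it; the jacket price and discount amounts are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (assumptions, not values from the lab).
# Amounts are in integer cents to avoid floating-point drift.
JACKET_PRICE_CENTS = 133_700
COUPONS = {
    "NEWCUST5": ("flat", 500),     # $5 off
    "SIGNUP30": ("percent", 30),   # 30% off
}


def apply_discount(total: int, coupon: str) -> int:
    """Return the new total after applying one coupon."""
    kind, value = COUPONS[coupon]
    if kind == "flat":
        return max(total - value, 0)
    return total * (100 - value) // 100


@dataclass
class FlawedCart:
    """Flawed rule: only reject a code equal to the previous one."""
    total: int = JACKET_PRICE_CENTS
    last_coupon: Optional[str] = None

    def apply(self, coupon: str) -> bool:
        if coupon == self.last_coupon:
            return False          # blocks A,A but not A,B,A,B...
        self.total = apply_discount(self.total, coupon)
        self.last_coupon = coupon
        return True


@dataclass
class FixedCart:
    """Correct rule: each code may be redeemed once per order."""
    total: int = JACKET_PRICE_CENTS
    used: set = field(default_factory=set)

    def apply(self, coupon: str) -> bool:
        if coupon in self.used:
            return False
        self.used.add(coupon)
        self.total = apply_discount(self.total, coupon)
        return True


def run_sequence(cart, codes):
    """Apply codes in order; return (accepted_count, final_total_cents)."""
    accepted = sum(1 for c in codes if cart.apply(c))
    return accepted, cart.total
```

Running the alternating sequence from the walkthrough against both carts shows the flawed version accepting all eight applications while the fixed version stops after the first two.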
Congratulations! After placing the order, we have successfully solved the “Flawed Enforcement of Business Rules” lab in PortSwigger Web Security.
Visit our website for further web security topics. We regularly upload articles related to web security. You can also follow me on Twitter @masaudsec.
To continue studying, check out the next lab, Low-Level Logic Flaw, but finish the current lab before moving on to it. Good luck!