Flawed Enforcement of Business Rules

Introduction

Hello friends, I hope you are all doing well. This is our fifth article on business logic vulnerabilities. We are covering the PortSwigger Web Security Academy labs, and today we will solve the “Flawed Enforcement of Business Rules” lab.

Lab Description For Flawed enforcement of business rules

Flawed enforcement of business rules

This lab focuses on a business logic flaw. To solve the lab, we need to exploit the flaw by purchasing the “Lightweight l33t leather jacket” product.

Lab credentials: username=wiener, password=peter.

Lab Solution

The flaw in this lab is exploited through coupon codes. The lab gives us two of them: one shown after logging in and the other after signing up for the newsletter.

First, we need to access the lab. After accessing it, we log in using the provided credentials. Upon login, we are given $100 credit.


At the start of the lab, after logging in, you are shown the first coupon code, “NEWCUST5.”


We also find a sign-up button.


In the sign-up form, I entered a random email ([email protected]) and received the second coupon code, “SIGNUP30.” Now we have two coupon codes. Let’s go shopping.

At the beginning of the lab, we were informed that we would purchase the “Lightweight l33t Leather Jacket” product.


I added the product to the cart and used the two coupon codes, “NEWCUST5” and “SIGNUP30.”

I repeated this process four times.


First I applied the 1st coupon code, then the 2nd. This reduced the price twice. The store only rejects a coupon that matches the one applied immediately before it, so alternating between the two codes lets each of them be applied again, and I repeat the same process.


As you can see, by applying the same pair of coupon codes four times, I brought the product price down to 0. Reaching 0 is not actually necessary: you only need the price to drop below $100, because that is all the store credit you have.
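To make the flaw concrete, here is an added example (my own model, not code from the lab or from PortSwigger) that puts the weak coupon check beside a corrected one. The jacket price, the two coupon effects (a $5 flat discount and a 30% discount) and the cent rounding are constructed assumptions for this example; the lab page does not state them. The flawed cart only remembers the last coupon applied, so alternating codes drives the price down indefinitely (and can even go negative); the hardened cart tracks every coupon used on the order and never lets the total fall below zero.

```python
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP
from typing import List, Optional, Set, Tuple

# Constructed values (assumptions for this example, not taken from the lab page):
# one product price and two coupons, one flat amount and one percentage.
JACKET_PRICE = Decimal("1337.00")
COUPONS = {
    "NEWCUST5": ("fixed", Decimal("5.00")),
    "SIGNUP30": ("percent", Decimal("30")),
}
CENT = Decimal("0.01")


def discounted(price: Decimal, code: str) -> Decimal:
    """Price after a single application of `code`, rounded to whole cents."""
    kind, amount = COUPONS[code]
    if kind == "fixed":
        new_price = price - amount
    else:
        new_price = price * (Decimal(100) - amount) / Decimal(100)
    return new_price.quantize(CENT, rounding=ROUND_HALF_UP)


@dataclass
class FlawedCart:
    """Vulnerable check: a coupon is refused only if it equals the LAST one applied."""
    price: Decimal
    last_coupon: Optional[str] = None

    def apply(self, code: str) -> Decimal:
        if code not in COUPONS:
            raise ValueError("unknown coupon")
        if code == self.last_coupon:          # only compares against the previous coupon
            raise ValueError("coupon already applied")
        self.price = discounted(self.price, code)   # no lower bound on the total
        self.last_coupon = code
        return self.price


@dataclass
class HardenedCart:
    """Corrected check: every coupon used on the order is remembered, total clamped at 0."""
    price: Decimal
    used: Set[str] = field(default_factory=set)

    def apply(self, code: str) -> Decimal:
        if code not in COUPONS:
            raise ValueError("unknown coupon")
        if code in self.used:                 # the whole order history is checked
            raise ValueError("coupon already applied to this order")
        self.used.add(code)
        self.price = max(Decimal("0.00"), discounted(self.price, code))
        return self.price


def run_sequence(cart, codes: List[str]) -> Tuple[Decimal, int]:
    """Apply codes in order, as a shopper would; return (final price, rejected count)."""
    rejected = 0
    for code in codes:
        try:
            cart.apply(code)
        except ValueError:
            rejected += 1
    return cart.price, rejected


# The alternation from the lab write-up: both codes, four times over.
ALTERNATING = ["NEWCUST5", "SIGNUP30"] * 4

if __name__ == "__main__":
    print("flawed  :", run_sequence(FlawedCart(JACKET_PRICE), ALTERNATING))
    print("hardened:", run_sequence(HardenedCart(JACKET_PRICE), ALTERNATING))
```

Running the script shows the flawed cart accepting all eight applications while the hardened cart accepts exactly one of each code and rejects the remaining six. The same per-order set is what a server-side fix needs: the validation must be stateful across the whole order (ideally against the persisted order record, not a client-controlled session field), and the discount arithmetic must be bounded so that no sequence of legitimate inputs can produce a zero or negative total.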


Congratulations! After placing the order, we have successfully solved the “Flawed Enforcement of Business Rules” lab in PortSwigger Web Security.

Visit our website for further web security topics. We regularly upload articles related to web security. You can also follow me on Twitter @masaudsec.
