In this article, we will cover the High-level logic vulnerability lab. This lab has been provided to us by PortSwigger Web Security. This is our 3rd article on business logic vulnerabilities. If you want to learn throughout the entire series, you can visit our website, where we cover topics from basic to advanced levels.
Lab Description For High-level logic vulnerability
In this lab, user input is not properly validated, resulting in a business logic flaw. An attacker can exploit this flaw by setting their desired price and making purchases. To solve the lab, we will perform testing on the “Lightweight l33t leather jacket” product.
The lab provides us with a username and password: username=wiener&password=peter.
Firstly, access the lab. Once accessed, login and then view the “Lightweight l33t leather jacket” product.
You will find an “add to cart” button. Before pressing it, enable interception in Burp Suite. After intercepting the request, send it to the repeater tab.
You will see that the product has been added to the cart.
Now, go to the shop and select another item.
You can see that I have intercepted the request for the 2nd product as well. After intercepting, send it to the repeater tab.
Now comes an important step that I am going to explain to you. Go to the repeater tab and look for the 2nd product, which has a price of $50. Change its value to a negative number and forward the request.
I have set the quantity of the 2nd item to -10. Now, if you refresh the browser, you will see that the price has been reduced. We have $100 in our account, so keep reducing the price until it is less than or equal to $100.
You can see that I have reduced the quantity and the price is now $12.56.
After placing the order we solved the lab.
Congratulations! We have successfully solved the High-level logic vulnerability-lab from PortSwigger Web Security.