In this article, we will cover the PortSwigger Web Security lab “Insufficient workflow validation.” We are explaining various business logic flaws practically, and this is our 8th article focusing on business logic flaws.
Lab Description Of Insufficient Workflow Validation
This lab highlights a business logic flaw in the purchasing process. To solve the lab, we need to exploit this flaw and purchase the “Lightweight l33t leather jacket” product. The lab provides us with the username “wiener” and password “peter.”
Lab Solution Of Insufficient Workflow Validation
Firstly, we need to access the lab. After accessing the lab, we click on “My Account” and log in using the provided credentials. Once logged in, we are presented with the front page showing a shop.
Our account currently has only $100 credit. We need to buy a product that we can afford. We randomly selected the “Dancing In The Dark” product and clicked on “View Details.”
Next, we enable the Burp Suite proxy. After enabling the proxy, we add the product to the cart and proceed to checkout. This way, we have successfully purchased the product.
Now, we will perform the main steps. We navigate to the Burp Suite proxy tab and view the HTTP proxy history. We carefully analyze the requests and responses. During the analysis, we observe that the order confirmation is being generated through a GET-based request.
You can closely examine the provided screenshot to see the request:
We have copied it. We will use it in the request for the “Lightweight l33t leather jacket” product to bypass security and purchase the product quickly.
Now, we will view the Lightweight “l33t” Leather Jacket product and add it to the cart. After adding it to the cart, we will proceed to the cart.
You can see that we only have $73 available, while the price of the product is $1337. We will place the order for this product. Before clicking on “Place Order,” we will enable our Burp Suite proxy.
When I clicked on “Place Order” and analyzed the traffic in Burp Suite, I received a request that clearly mentioned “Not enough store credit for this purchase.”
Now, I will send this request to the Burp Suite Repeater tab.
After sending it to the Repeater, I tricked the server. I cleaned the data in the GET request and replaced it with “/cart/order-confirmation?order-confirmed=true” and forwarded the request. If you recall, this is the same request we used when buying the first product.
Finally, I refreshed the page in the browser, and congratulations, we have solved the PortSwigger Web Security lab “Insufficient workflow validation.” Well done, everyone! You can also follow me on Twitter at @masaudsec.
If you want to cover web security comprehensively, you can learn from our website. All the best!