Introduction
Hello everyone, we are solving the PortSwigger Web Security labs. This is our 6th lab focusing on business logic vulnerabilities. In this lab, we will practically solve a Low-level logic flaw.
Lab Description For Low-level logic flaw
In this lab, user input is not properly validated. We can exploit the business logic flaw when purchasing a product. To solve the lab, we need to purchase the “Lightweight l33t leather jacket” product.
The lab credentials are already provided: username is “wiener” and password is “peter”.
Lab Solution For Low-level logic flaw
First, access the lab and log in.
After logging in, go to the shop and click on the “Lightweight l33t leather jacket” product.
Once clicked, you will see an “Add to Cart” button. Enable the Burp Proxy and intercept the request when clicking “Add to Cart”.
When you try to forward the request and place the product, you will encounter an error: “Not enough store credit for this purchase”.
Now, go to your Burp Proxy and carefully study the requests.
You will find a POST request with the name “POST/cart”. Send this request to the Burp Repeater.
In this request, I initially set the quantity to 1000, but I received an error from the server. Now I know that I can only increase the quantity value up to 2 digits, so I set it to 99.
Send this request to the Burp Intruder. After sending it to Intruder, add 99 as the value because we will perform brute-forcing on it.
Final Steps
In Intruder, clear all positions except the 2nd position, where we add 99.
Now go to the Payloads tab, select “Null Payload” as the payload type, and in the Payload Options, select “Continue indefinitely” and click “Start Attack”.
Once the attack starts, go to the cart page in your web browser and continuously refresh the page. You will see that the price keeps increasing. At some point, the price will exceed the limit and start going negative.
You will notice that the price exceeded the limit and started going negative. Now, turn off your attack.
Go back to the shop and add another product.
I have added a random product and increased the value of the first product to 32123. The current price of the first product is now -$1133.60.
So, I have set the value of the second product to 14, and now the price of my product is $15. I can now buy it.
After clicking on “Place Order,” you can see that we have solved the PortSwigger Web Security lab on Low-level logic flaw.
If you want to learn more about web security, you can visit our website. You can also follow us on Twitter @masaudsec.