
Business logic vulnerabilities

Alnoman Kamil edited this page Nov 21, 2024 · 5 revisions

Apprentice lab:
Excessive trust in client-side controls

This lab doesn't adequately validate user input. You can exploit a logic flaw in its purchasing workflow to buy items for an unintended price. To solve the lab, buy a "Lightweight l33t leather jacket".
You can log in to your own account using the following credentials: wiener:peter

  • Solution

    1. Click View details for the item.
    2. Turn interception on and click Add to cart.
    3. Modify the price of the item in the POST request.
    4. Go to My account and log in as wiener:peter.
    5. Go to the shopping cart and click Place order.

Apprentice lab:
High-level logic vulnerability

  • Solution

    1. Log in as wiener:peter.
    2. Add an item to the cart.
    3. Modify the POST request and change the quantity parameter to something else.
    4. Refresh the page and notice the change is reflected on the website, indicating that the price can be controlled.

Apprentice lab:
Inconsistent security controls

  • Solution

    1. Register.
    2. Change your email address to one in the required usergroup domain, @dontwannacry.com.
    3. Access /admin.
    4. Delete carlito.

Apprentice lab:
Flawed enforcement of business rules

  • Solution

    1. Log in as wiener:peter.
    2. Add the hax0r jacket to the cart.
    3. Apply a coupon, then apply a different one, alternating between the two.
    4. boom.
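The three flaws these labs turn on (a client-supplied price, an unchecked quantity, and a coupon check that only remembers the last code used) shown beside their server-side fixes, as an added Python example that is not part of the labs or of this wiki; the catalogue, coupon codes and prices are constructed.

```python
from dataclasses import dataclass, field

# Constructed catalogue and coupon table (prices and discounts in cents).
CATALOG = {"jacket": 133700, "sticker": 500}
COUPONS = {"NEWCUST5": 500, "SIGNUP30": 3000}

@dataclass
class Cart:
    lines: dict = field(default_factory=dict)  # item_id -> [quantity, unit_price]
    applied: set = field(default_factory=set)  # coupon codes used on this cart
    last_coupon: str = ""
    discount: int = 0

def add_item_vulnerable(cart, item_id, quantity, client_price):
    """Stores whatever the POST body says: price and quantity are client-controlled."""
    cart.lines[item_id] = [quantity, client_price]
    return True

def add_item_hardened(cart, item_id, quantity, client_price=None):
    """Ignores any client price (the catalogue is the only source of truth) and
    requires the quantity to be a positive integer; returns False on bad input."""
    if item_id not in CATALOG:
        return False
    if not isinstance(quantity, int) or isinstance(quantity, bool) or quantity < 1:
        return False
    cart.lines[item_id] = [quantity, CATALOG[item_id]]
    return True

def apply_coupon_vulnerable(cart, code):
    """Only rejects the same code twice in a row, so alternating two codes
    re-applies each of them without limit."""
    if code not in COUPONS or code == cart.last_coupon:
        return False
    cart.discount += COUPONS[code]
    cart.last_coupon = code
    return True

def apply_coupon_hardened(cart, code):
    """Tracks every code already used on this cart, not just the previous one."""
    if code not in COUPONS or code in cart.applied:
        return False
    cart.applied.add(code)
    cart.discount += COUPONS[code]
    return True

def total(cart):
    """Order total in cents, never below zero."""
    subtotal = sum(q * p for q, p in cart.lines.values())
    return max(subtotal - cart.discount, 0)
```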