Write-up: Excessive trust in client-side controls @ PortSwigger Academy
This write-up for the lab Excessive trust in client-side controls is part of my walkthrough series for PortSwigger’s Web Security Academy.
Learning path: Server-side topics → Business logic vulnerabilities
Python script: script.py
Lab description
Steps
Analysis
As usual, the first step is to check out the website. It is the usual shop website used in numerous labs already. Logging in with the known credentials, I see that I have $100 in store credit, which puts the jacket slightly out of reach:
So what happens when I put it in the cart? It lands there, but placing the order brings the reality check — it is too expensive:
So let's have a look at the requests made so far in Burp. The request to add the jacket to the cart looks rather promising, as it contains the price as a parameter:
The malicious payload
Send that request to Repeater and change the price to something more reasonable. After all, it is just a leather jacket:
Now, the cart looks much better already:
As a last line of defense, the application should validate that the price in the request matches the price the backend knows for that product, and should recompute the order total from its own catalog at checkout rather than from whatever the client sent. Alas, after placing the order, I still have a sizeable amount of store credit left:
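The following is an added example (not the lab's code and not the write-up's script.py) showing the add-to-cart and checkout logic in both the trusting form the lab has and the hardened form: the server looks the price up in its own catalog, rejects a client price that does not match, and recomputes the total at checkout. The catalog, the jacket price and the session are constructed placeholders; only the $100 store credit comes from the write-up.

```python
from dataclasses import dataclass, field

# Constructed server-side catalog, prices in cents. The jacket price is a
# placeholder, not the lab's real value; the $100 credit matches the write-up.
CATALOG = {"leather-jacket": 133700, "socks": 800}
STORE_CREDIT_CENTS = 10000


@dataclass
class Cart:
    # Each line: (product_id, unit_price_cents, quantity)
    lines: list = field(default_factory=list)

    def total(self) -> int:
        return sum(price * qty for _, price, qty in self.lines)


def add_to_cart_vulnerable(cart: Cart, product_id: str, client_price: int, qty: int) -> None:
    """The lab's mistake: the price from the request body is stored as-is."""
    if product_id not in CATALOG:
        raise KeyError(product_id)
    cart.lines.append((product_id, client_price, qty))


def add_to_cart_hardened(cart: Cart, product_id: str, client_price: int, qty: int) -> None:
    """Server-side price is authoritative; a mismatch is rejected, not corrected,
    so tampering attempts surface in logs instead of being silently absorbed."""
    if product_id not in CATALOG:
        raise KeyError(product_id)
    if qty <= 0:
        raise ValueError("quantity must be positive")
    real_price = CATALOG[product_id]
    if client_price != real_price:
        # Real app: log product_id, both prices and the session id for detection.
        raise ValueError(f"price mismatch for {product_id}: {client_price} != {real_price}")
    cart.lines.append((product_id, real_price, qty))


def place_order_vulnerable(cart: Cart, credit_cents: int = STORE_CREDIT_CENTS) -> bool:
    """Checks credit against the cart total, which may contain tampered prices."""
    return cart.total() <= credit_cents


def place_order_hardened(cart: Cart, credit_cents: int = STORE_CREDIT_CENTS) -> bool:
    """Last line of defense: the total is recomputed from the catalog, never
    from prices stored in the cart, so a poisoned cart cannot pass checkout."""
    server_total = sum(CATALOG[pid] * qty for pid, _, qty in cart.lines)
    return server_total <= credit_cents
```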
At the same time, the lab updates to