Write-up: Excessive trust in client-side controls @ PortSwigger Academy

This write-up for the lab Excessive trust in client-side controls is part of my walkthrough series for PortSwigger’s Web Security Academy.

Learning path: Server-side topics → Business logic vulnerabilities

Python script: script.py

Lab description

Steps

Analysis

As usual, the first step is to check out the website. It is the usual shop website used in numerous labs already. Logging in with the known credentials, I see that I have $100 in store credit, which puts the jacket slightly out of my price range:

A quite expensive jacket

So what happens when I put it in the cart? It lands there, but placing the order brings the reality check, as it is too expensive:

Unfortunately, I lack the funds required to purchase it

So let's have a look at the requests made so far in Burp. The request to add the item to the cart looks rather promising, as it contains the price as a parameter.

Request to add an article contains a price parameter

The malicious payload

Send that request to Repeater and change the price to something more reasonable. After all, it is just a leather jacket:

Manipulated request containing a lower price tag

Now, the cart looks much better already:

The application uses the user-provided value in the cart

As a last line of defense, the application should validate that the price in the request matches the price known to the backend, or better, ignore the client-supplied price altogether. Alas, after placing the order, I still have a sizeable amount of store credit left:

Order confirmation with manipulated price

At the same time, the lab updates to
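To make the server-side fix concrete, here is an added example (my own illustration, not the lab's code and not the script.py linked above): a minimal cart in Python with the flawed handler beside a hardened one. The product ids, prices and the catalog are constructed values.

```python
from decimal import Decimal

# Server-side catalog: the only trustworthy source of prices (constructed values).
CATALOG = {"jacket": Decimal("1337.00"), "mug": Decimal("4.50")}


def add_to_cart_vulnerable(cart, params):
    """Mirrors the lab's flaw: the unit price is taken from the request body."""
    product_id = params["productId"]
    qty = int(params.get("quantity", 1))
    unit_price = Decimal(params["price"])  # client-controlled, never validated
    line = cart.setdefault(product_id, {"qty": 0, "unit_price": unit_price})
    line["qty"] += qty
    line["unit_price"] = unit_price  # last request wins, as in the lab's cart


def add_to_cart_hardened(cart, params):
    """Fix: the request only identifies the product; the price is looked up."""
    product_id = params["productId"]
    if product_id not in CATALOG:
        raise ValueError("unknown product")
    qty = int(params.get("quantity", 1))
    if qty < 1:
        raise ValueError("quantity must be positive")
    # Any 'price' field in params is simply ignored.
    line = cart.setdefault(product_id, {"qty": 0, "unit_price": CATALOG[product_id]})
    line["qty"] += qty


def checkout(cart, credit, recompute=True):
    """Return True if the order goes through on the given store credit.

    With recompute=True the total is rebuilt from CATALOG at checkout, so even a
    cart that was tampered with earlier cannot be bought below list price.
    """
    total = Decimal("0")
    for product_id, line in cart.items():
        price = CATALOG[product_id] if recompute else line["unit_price"]
        total += price * line["qty"]
    return total <= Decimal(credit)
```

With recompute=False the checkout trusts whatever landed in the cart, which is the lab's behaviour; with the default it rejects the tampered order even if the add-to-cart step was left unfixed.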

Tech nerd, doing security stuff for fun and some as a job | CISSP, OSCP. Read all stories on medium and support me: https://medium.com/@frank.leitner/membership

Frank Leitner
