Business logic vulnerabilities - gachikuku/portswigger GitHub Wiki

Apprentice lab:
Excessive trust in client-side controls

This lab doesn't adequately validate user input. You can exploit a logic flaw in its purchasing workflow to buy items for an unintended price. To solve the lab, buy a "Lightweight l33t leather jacket".
You can log in to your own account using the following credentials: wiener:peter

  • Solution

    1. Click on View details of the item.
    2. Intercept on and click on Add to cart.
    3. Modify price of the item, in the POST request.
    4. Go to My account, and log in as wiener:peter.
    5. Go to shop cart and click on Place order.

Apprentice lab:
High-level logic vulnerability

  • Solution

    1. Log in wiener:peter.
    2. Add stuff to cart.
    3. Modify POST request and change parameter quantity to something else.
    4. Refresh page and notice it's reflected to the website, indicating that price can be controlled.

Apprentice lab:
Inconsistent security controls

  • Solutiion

    1. Register.
    2. Change email to required usergroup @dontwannacry.com.
    3. Access /admin.
    4. Delete carlito.

Apprentice lab:
Flawed enforcement of business rules

  • Solution

    1. Log in as wiener:peter.
    2. Add to cart the hax0r jacket.
    3. Apply a coupon, then apply a different one, alternating.
    4. boom.

Solutions for the Portswigger's Web Security Academy using mitmproxy and other cli tools instead of Burp Suite

⚠️ **GitHub.com Fallback** ⚠️