Excessive trust in client-side controls | Dec 19, 2022

Introduction

Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: Excessive trust in client-side controls! Without further ado, let’s dive in.

Overall difficulty for me (From 1-10 stars): ★☆☆☆☆☆☆☆☆☆

Background

This lab doesn’t adequately validate user input. You can exploit a logic flaw in its purchasing workflow to buy items for an unintended price. To solve the lab, buy a “Lightweight l33t leather jacket”.

You can log in to your own account using the following credentials: wiener:peter

Exploitation

Home page:

Login as user wiener:

Let’s go to the /cart page:

As you can see, we only have $100 store credit.

In the lab background, we need to buy the product Lightweight l33t leather jacket:

Let’s click view detail:

Now, we can click the Add to cart button, and intercept the request via Burp Suite:

When we clicked that button, it’ll send a POST request to /cart with parameter: productId=1, redir=PRODUCT, quantity=1, and price=133700.

Let’s forward that request, and go to /cart page:

In here, we see that the product has been added to our cart.

Let’s try to click Place order button:

When we clicked the Place order button, it’ll send a POST request to /cart/checkout with a parameter csrf.

Let’s forward that request and see what will happen:

When we don’t have enough store credit to buy a product, it’ll send a GET request to /cart with parameter err, and it’s value is INSUFFICIENT_FUNDS.

To exploit the application logic flaw, we need to Remove the product first: