Insufficient workflow validation | Dec 20, 2022
Introduction
Welcome to another one of my writeups! In this PortSwigger Labs lab, you'll learn about insufficient workflow validation! Without further ado, let's dive in.
- Overall difficulty for me (From 1-10 stars): ★☆☆☆☆☆☆☆☆☆
Background
This lab makes flawed assumptions about the sequence of events in the purchasing workflow. To solve the lab, exploit this flaw to buy a "Lightweight l33t leather jacket".
You can log in to your own account using the following credentials: wiener:peter
Exploitation
Home page:

Login as user wiener:


Now, we can try to buy the Lightweight l33t leather jacket:



When we click the Add to cart button, it sends a POST request to /cart with the parameters productId=1, redir=PRODUCT and quantity.
Then we can go to the /cart page:

As you can see, we have added that product to our cart.
Let's try to click the Place order button:

When we click that button, it sends a POST request to /cart/checkout with the parameter csrf.
Let's forward that request:


When we don't have enough store credit, the server redirects us with a GET request to /cart carrying the parameter err=INSUFFICIENT_FUNDS.
Let's remove that product from our cart:


When we click the Remove button, it sends a POST request to /cart with the parameters productId, quantity and redir=CART.
Armed with the above information, what happens when we successfully buy a product?
Let's say the product Eggtastic, Fun, Food Eggcessories:




When we have enough store credit, the server redirects us with a GET request to /cart/order-confirmation carrying the parameter order-confirmed=true.
Hmm… What if we add the leather jacket to the cart, and then send a GET request to /cart/order-confirmation with the parameter order-confirmed=true ourselves, skipping the checkout step entirely?
Let's do that:


We did it!
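To make the flaw concrete, here is an added illustration that is not part of the lab or of this writeup's original content: a tiny in-memory model of the purchasing workflow, where `order_confirmation_vulnerable` trusts the client-supplied flag and `order_confirmation_fixed` trusts only server-side state that `checkout` sets after the funds check. The prices, product ids and the `Session` object are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample catalogue: productId -> price in store credit (assumed values)
PRICES = {"jacket": 1337, "egg": 10}


@dataclass
class Session:
    credit: int
    cart: dict = field(default_factory=dict)      # productId -> quantity
    checked_out: bool = False                     # set ONLY by a successful checkout
    purchased: list = field(default_factory=list)


def cart_total(s: Session) -> int:
    return sum(PRICES[p] * q for p, q in s.cart.items())


def checkout(s: Session) -> str:
    """POST /cart/checkout: verify funds, then record the paid state server-side.
    Returns the redirect target the client would be sent to."""
    total = cart_total(s)
    if total > s.credit:
        return "/cart?err=INSUFFICIENT_FUNDS"
    s.credit -= total
    s.checked_out = True
    return "/cart/order-confirmation?order-confirmed=true"


def order_confirmation_vulnerable(s: Session, order_confirmed: str) -> int:
    """Flawed: assumes this page is only reached after checkout, so it fulfils
    the cart whenever the client says order-confirmed=true."""
    if order_confirmed == "true":
        s.purchased += list(s.cart)
        s.cart.clear()
        return 200
    return 400


def order_confirmation_fixed(s: Session, order_confirmed: str) -> int:
    """Fixed: the query parameter is ignored; fulfilment requires the server-side
    flag that only a successful checkout can set, and the flag is consumed."""
    if not s.checked_out:
        return 403
    s.purchased += list(s.cart)
    s.cart.clear()
    s.checked_out = False
    return 200
```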
What we've learned:
- Insufficient workflow validation