siunam's Website

My personal website

Home Writeups Blog Projects About E-Portfolio

Insufficient workflow validation | Dec 20, 2022

Introduction

Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: Insufficient workflow validation! Without further ado, let’s dive in.

Background

This lab makes flawed assumptions about the sequence of events in the purchasing workflow. To solve the lab, exploit this flaw to buy a “Lightweight l33t leather jacket”.

You can log in to your own account using the following credentials: wiener:peter

Exploitation

Home page:

Login as user wiener:

Now, we can try to buy the Lightweight l33t leather jacket:

When we clicked the Add to cart button, it’ll send a POST request to /cart, with parameter productId=1, redir=PRODUCT and quantity.

Then, we can go to /cart page:

As you can see, we have added that product to our cart.

Let’s try to click the Place order button:

When we clicked that button, it’ll send a POST request to /cart/checkout, with parameter csrf.

Let’s forward that request:

When we don’t have enough store credits, it’ll send a GET request to /cart, with parameter err=INSUFFICIENT_FUNDS.

Let’s remove that product from our cart:

When we clicked the Remove button, it’ll send a POST request to /cart, with parameter productId, quantity and redir=CART.

Armed with above information, what if we successfully bought a product?

Let’s say product Eggtastic, Fun, Food Eggcessories

When we have enough store credits, it’ll send a GET request to /cart/order-confirmation, with parameter order-confirmed=true.

Hmm… What if we add the leather jacket to cart, and then send a GET request to /cart/order-confirmation with parameter order-confirmed=true?

Let’s do that:

We did it!

What we’ve learned:

  1. Insufficient workflow validation