Business Logic Vulnerabilities - Lab #5 Low Level Logic Flaw | Long Video

Segment 1 (00:00 - 05:00)

Hi everyone, welcome back to another video in the Web Security Academy series. In today's video we'll be covering lab number five in the Business Logic Vulnerabilities module, titled Low-Level Logic Flaw. All right, before we continue with the video I'd like to announce that this video is part of a course that I offer on my academy. Now you might be wondering, why would I buy a course that is made available for free on YouTube? Well, there are four reasons why you might want to do that. Number one is that you gain early access to recorded material: as soon as I record new videos I make them available through my course right away, whereas on YouTube they'll only be released on a weekly schedule. Reason number two is that you gain access to a Discord channel where you can ask questions. The Discord channel is divided into topics that we cover in the course, and if you run into any issues you get to ask questions about anything related to the course material. Reason number three is that you no longer have to deal with YouTube ads or sponsor messages. And last but not least, reason number four is you get to support me. Any revenue generated from this course will go back into maintaining the academy and creating more videos and courses that will be made available for free on my YouTube channel. So if you're interested in buying the course, make sure to check out the link in the description. And that is it, let's go back to our video.

If you do not have an account on the Web Security Academy, you can get one by visiting the URL portswigger.net/web-security and clicking on the sign up button. I already have an account and I am logged in, so to access the exercise I'm going to click on Academy, select All Labs, do a search on business logic vulnerabilities and select lab number five, titled Low-Level Logic Flaw. All right, let's get started. This lab doesn't adequately validate user input. You can exploit a logic flaw in its purchasing workflow to buy items for an unintended price. To solve the lab, buy a lightweight l33t leather jacket. You can log into your own account using the following credentials, and we're given credentials to a regular user account. All right, so the target goal over here is to exploit a logic flaw in the purchasing workflow so that we could buy this jacket for an unintended price.

All right, let's access the lab now. Notice over here, this is the built-in browser in Burp, and so all my requests are already being passed through my Burp proxy. You'll also notice over here that I am using the Professional version of Burp, and the reason I'm doing that is because I will be needing to use the Intruder functionality. Intruder is extremely slow in the Community Edition, and so you will likely need the Professional version for this lab. So the first thing that we're going to do is click on My Account and then log in with the credentials that we were given. So the password was... hit log in and then go to Home. Notice over here, as usual, we only have $100 worth of credit and the jacket costs 1,337. So we go down and then Add to Cart, and then we go to our cart right over here, and you could see the total again is much higher than the store credit. Now if we look at the POST request when we add it to the cart, you could see over here it takes in three parameters: the product ID, the redirect and the quantity. Now let's assume we tried everything that we had tried in the previous labs and none of those exploits worked. So the next thing that you could try is you could always see if the application accepts a really large number as input. And so what we're going to do over here is we're going to send this to Repeater. In here, let's make this a little bit bigger. In here let's say two, hit send. So you could see over here, if we reload the page, you should have an extra two items of the jacket. All right, let's say 100, hit send and see if the application accepts that. It does not; it says "invalid parameter quantity". So it doesn't accept the 100, but it accepted two, so my guess is it doesn't allow for three digits to be in this variable, so it only allows two digits. So let's try the maximum number of two digits, which is 99, hit send, and it accepts that. So you should see over here an extra 99 jackets in your application. All right, so what we're going to try right now is add an insanely large amount of jackets and see how the application is going to respond to that. So at some point the application should stop me from adding jackets, otherwise it

Segment 2 (05:00 - 10:00)

might cause some kind of crash in the back end that will allow the application to behave in a weird way that we could potentially exploit. So to do that, let's remove everything from my cart and let's send this to Intruder. Now in Intruder over here we're going to click on Clear so that it doesn't fuzz any of these parameters. We're going to keep this at 99, so what happens is with every request it's going to add 99 jackets. And then we're going to go to Payloads right over here and we're going to select Null payloads, because we're not actually fuzzing any specific parameter, and then we're going to say Continue indefinitely. What that means is it's going to keep performing this request indefinitely until we stop it, and the idea is that we're going to keep reloading the page to see if the application responds in a weird way that we could potentially exploit because it has such a large number of jackets. Now, to make sure that we could actually view the requests, what we're going to do is we're going to create a new resource pool and we're going to say the maximum concurrent requests is one at a time, just so that it doesn't perform 10,000 requests and we can't tell when the application started to behave in a weird way. All right, so let's start the attack. Now you could see over here it's performing the requests. Let's make this a little bit smaller and reload our cart. So far we have 1,683, so we'll keep reloading, and you can see this number is getting pretty large and the application so far hasn't stopped me from adding all these jackets. So we'll keep reloading until we see something that is odd. And just a quick note, I've solved this lab before and it took a really long time to figure out what the vulnerability is and even longer to exploit the vulnerability, so this is going to be a fun video. So we continue to reload. So far it's allowed me to buy over 10,000 jackets, and you could see they cost an insane amount, but nothing that we can exploit yet. And again I'm continuously reloading the page and, look at that, we get a negative number. So let's go to Attack and Pause.

Now if we go over here, we've done 173 requests, so that would be 173 * 99 jackets. That's as many jackets as we have, which is over here, and at some point it looped back to a negative number. So in the back end it didn't have any validation on what the largest number could be, and so it looped back to a negative number. And now the more we add in the application, so if we say 100 27 and we hit enter, this number decreased because it's adding 1,337 to this negative value. So the more we add, the more this number is going to decrease. And the idea over here is, since it looped back, to add enough jackets to get this to a number that is negative but manageable, and then what we're going to do is we're going to add other items in the application that don't have this price in order to get it to a positive number that is within our store credit, which is $100. Now, one mistake and we have to redo the whole exploit, so I'm hoping we don't make any mistakes in the exploit, but it's very easy to make mistakes. So we're going to copy this first of all and do some math to figure out how many jackets we're going to need to add in order to get it to a small number that we can manage. So this is the cost of the jacket in a negative value, and the cost of an individual jacket is 1,337, so that's equal to this number over here. Now we are adding 99 jackets at a time, and so we're going to do this divided by 99, which means that we should be able to perform 150 requests to get this to a number that is a little bit more manageable for me so that I could figure out how to make it positive. So let's go back to Intruder over here, and now instead of Continue indefinitely we're going to add, let's say, 145 payloads, which means 99 * 145 jackets, and we're going to start the attack. So right now every time we load you should see the number decrease, and hopefully it'll decrease to something that is manageable, and then we're going to switch to manually adding those jackets just so that we don't risk making a mistake and having to start over.

Segment 3 (10:00 - 15:00)

Okay, so I fast forwarded the video so that you don't have to see me continuously reload the page. Now we're at about $590,000, and again in the negative value. And so if we go back to Burp, we did 145 and we were allowed to do 150, so we're going to switch to doing this manually over here. We're going to add another 99, so let's hit send and reload it. So that's one. I'm going to add another one, so we're at two, three, and I'm a bit wary about adding a fourth one. So let's copy this and do the math again to confirm that we're on the right track. So 1337, so that's 144, and 144 is definitely less than 99, and so we should be able to do one more before it becomes positive. So hit send and we're at 61 386964, so that would be equivalent to about 45 or 46 jackets, and so we definitely can't perform this request over here because it adds 99 jackets. So what we're going to do is we're going to try and add, let's say, 30 jackets, hit send and see what that number came up to. So we're at 21276. Let's copy that and do the math again, and again I'm doing the math every time because I really don't want it to reset to a large number and this way we'll have to do the exploit all over again, and I don't want to do that. So we're good for 15.9 jackets, and so I'm going to say 14 jackets, hit send and see what we got to. Okay, so 2558, so we're actually good to add one more jacket before it becomes positive. Hit send. All right, so we're at 1, 122196, and so what I'm going to do is, instead of adding a jacket, which I believe will be bigger than $100 because it's 1337 and this is just 1221, what I'm going to do is I'm going to go to Home and find an item that I can use. So let's say the $19 one. Let's add that to our cart, let's view the cart, and I'm going to use this item over here to get this to a positive number that is between 0 and 100. So let's take this and divide it by 19 (and there's a lot of math going on in this exploit; this is actually a really clever exploit), so we've got 63, so we could add 63 of this item over here. So we're going to go to Proxy and we're going to look for the request that was used to add this item to the cart, and it was this one right over here. We're going to send this to Repeater, and over here what we're going to do is we're going to add, let's say, 60 of this item, hit send, and we're at 62.9, so this is definitely a manageable number. Let's add two of this item again, now we're at 24, and then let's add two more, hit send, and we're at 13.04. So we're finally at a number between 0 and 100, so we should be able to afford it using our store credit right now, and so when I click on Place Order it should order for me all 32,000 plus of this jacket over here and 65 of the backdrops. So let's click on Place Order and here we go, it says congratulations, you solved the lab. I'm so glad that I didn't have to do this multiple times in the video and it worked from the first time. All right, so we successfully completed the exercise. Usually we script the exercise

Segment 4 (15:00 - 15:00)

in Python. However, I really don't want to spend the time to figure out the exact math for my script to work, and so I'm going to leave this as an exercise for you to do if you're interested in scripting it. All right, in the next lab we're going to look at a more complex case of a business logic vulnerability. If you like the video, hit the subscribe and share button so that the video reaches a wider audience. Also make sure to check out my course if you're interested in seeing more videos like this one. Thank you and see you in the next video.
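The flaw the video observes, modelled as an added example that is not code from the video, the presenter, or the PortSwigger lab: the cart validates each request's quantity (the lab rejects three-digit values) but never bounds the accumulated total, so enough 99-jacket requests wrap the stored total to a negative number that a "total <= credit" checkout check happily accepts. The video only shows the wrap; that the total lives in a signed 32-bit integer, the price of 133,700 cents, and all class and function names here are assumptions made for the illustration. The hardened cart beside it shows the defensive fix a reviewer would ask for: keep the line items, recompute the total with unbounded integers, reject any would-be total outside the representable range before committing it, and require a strictly positive total at checkout.

```python
# Added example (not from the video or the lab): a minimal model of the cart
# behaviour the video observes. The lab only shows that the total wraps to a
# negative value; storing it in a signed 32-bit integer is an ASSUMPTION here.

INT32_MAX = 2**31 - 1
INT32_MIN = -2**31
MAX_QTY_PER_REQUEST = 99  # the lab rejected three-digit quantities


def wrap_i32(value: int) -> int:
    """Emulate two's-complement wraparound of a signed 32-bit integer."""
    return ((value + 2**31) % 2**32) - 2**31


class VulnerableCart:
    """Validates each request's quantity but never the running total.

    Every add() is individually 'reasonable', yet enough of them push the
    stored total past INT32_MAX and it wraps negative, the symptom the
    video reaches after 173 requests of 99 jackets."""

    def __init__(self) -> None:
        self.total_cents = 0

    def add(self, price_cents: int, quantity: int) -> int:
        if not 1 <= quantity <= MAX_QTY_PER_REQUEST:
            raise ValueError("Invalid parameter: quantity")
        # The only bound checked is the per-request quantity; the stored
        # total is truncated to 32 bits on every write.
        self.total_cents = wrap_i32(self.total_cents + price_cents * quantity)
        return self.total_cents

    def checkout_allowed(self, credit_cents: int) -> bool:
        # A negative total trivially satisfies "total <= credit".
        return self.total_cents <= credit_cents


class HardenedCart:
    """Keeps the line items, recomputes the total with unbounded ints, and
    refuses any total that cannot be represented or is not positive."""

    def __init__(self) -> None:
        self.lines = []  # list of (price_cents, quantity)

    def total(self) -> int:
        # Recomputed from the line items rather than read from a running counter.
        return sum(p * q for p, q in self.lines)

    def add(self, price_cents: int, quantity: int) -> int:
        if not 1 <= quantity <= MAX_QTY_PER_REQUEST:
            raise ValueError("Invalid parameter: quantity")
        if price_cents <= 0:
            raise ValueError("Invalid parameter: price")
        # Check the would-be total BEFORE committing the line, so the stored
        # state never holds a value outside the 32-bit range.
        new_total = self.total() + price_cents * quantity
        if new_total > INT32_MAX:
            raise OverflowError("cart total exceeds the representable maximum")
        self.lines.append((price_cents, quantity))
        return new_total

    def checkout_allowed(self, credit_cents: int) -> bool:
        total = self.total()
        return 0 < total <= credit_cents


def repeat_add(cart, price_cents: int, quantity: int, requests: int) -> int:
    """Replay the same add-to-cart request `requests` times, like Intruder
    with null payloads, and return the resulting total."""
    total = 0
    for _ in range(requests):
        total = cart.add(price_cents, quantity)
    return total


if __name__ == "__main__":
    JACKET = 133_700  # $1,337.00 in cents (constructed from the lab's price)
    vuln = VulnerableCart()
    print("vulnerable total after 173 x 99 jackets:",
          repeat_add(vuln, JACKET, 99, 173))
    print("checkout with $100 credit allowed?", vuln.checkout_allowed(10_000))
    hard = HardenedCart()
    try:
        repeat_add(hard, JACKET, 99, 173)
    except OverflowError as exc:
        print("hardened cart refused:", exc, "after", len(hard.lines), "requests")
```

Running the script shows the vulnerable total crossing INT32_MAX on the 163rd request and sitting at a large negative value after 173, at which point checkout against $100 of credit passes; the hardened cart stops at request 163 with nothing negative ever stored, and its checkout refuses a non-positive total regardless of how the number got there.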

Other videos by the author: Rana Khalil