Business Logic Vulnerabilities - Lab #4 Flawed enforcement of business rule | Short Version


Contents (2 segments)

Segment 1 (00:00 - 05:00)

Hi everyone, welcome back to another video in the Web Security Academy series. In today's video we'll be covering lab number four in the Business Logic Vulnerabilities module, titled "Flawed enforcement of business rules". All right, let's get started.

This lab has a logic flaw in its purchasing workflow. To solve the lab, exploit this flaw to buy a "Lightweight l33t leather jacket". You can log into your own account using the following credentials. All right, so the target goal over here is to exploit the logic flaw to buy this item over here for less than the intended price, and the way we're going to do that is first log in as a user and then attempt to identify the vulnerability.

All right, let's access the lab. Now notice over here this is the built-in browser in Burp, and so all my requests are already passing through my proxy. All right, the first thing we're going to do is go to My account and then log in with the credentials that we were given, so the password was "peter". Hit Log in, and then you could see over here the store credit that we have is $100. We're going to click on Home and look for the item that we need to purchase, so that would be this item right over here: the Lightweight l33t leather jacket, which costs $1,337, and we clearly can't afford that because we only have $100.

So let's click on View details, go down, Add to cart, and send that request to Repeater. Then from there go to our cart, and notice over here we've got a new functionality that allows us to add a coupon. You could see over here you get a coupon for being a new customer, and it knocks off $5, or maybe 5%, off of the cost of the jacket. So let's assume that we tried everything that we tried in the previous couple of labs and it didn't work, and so now we're going to test the coupon functionality to see if there's any vulnerabilities in that functionality. So let's add a coupon over here, click Apply, and we're going to send that request to Repeater as well so that we could test it. You can see over here it knocks off $5, and then I'm going to place the order and send that request to Repeater as well.

All right, so it says over here "Not enough store credit for this purchase", because the cost is $1,332 after the discount and we only have $100. So let's go to Repeater and see the requests that were made by the application. So when we clicked on Place order it performed this request over here, and if we look at the parameters that this request takes, it just takes in a CSRF token, so this is definitely not the request that we want to exploit, because it doesn't take in any client-side parameters that could potentially change the price of the item. So let's move on to the next request. The next one is when we added a coupon to the cart, so over here it knocked off $5 for the item, and so what I'm going to do is check the parameters that it takes in. You could see over here there's a CSRF token, so that's standard, and then the next parameter that it takes is the value of the coupon.

A really classic case that I've seen in real-world applications is that the application doesn't check if you've applied the coupon before, and so it allows you to apply it an infinite number of times. So let's see if that's the vulnerability in this application. So you get a 302; let's reload our page, and over here it says the coupon is already applied, so it does not allow us to apply the coupon more than one time. Now you could always guess any other coupons, so if there's no throttling mechanism over here you could send a million requests to the application within a few minutes and then try to see if there's any other coupons that are not discovered in the application, but this is under the Business Logic Vulnerabilities module, and so it should be a business logic flaw that we need to exploit. And so to do that we need to see if there's any other part of the application that could potentially allow us to exploit that business logic flaw. So let's go to Home and then go down to see if there's any new functionality.

So there is a functionality that allows us to sign up to their newsletter, so let's just test it out, say test t. ca, and click on Sign up, and over here it says "Use the coupon SIGNUP30 at checkout". So because we signed up it gave us a coupon that maybe knocks off $30 off of our account. So let's go to the cart over here and then let's add the coupon to see if we could use it. Hit

Segment 2 (05:00 - 08:00)

Apply, and we can, and it looks like it knocked off $401, so maybe 30% of the cost. It looks like it's a little bit more than 30% of the cost of the price, or maybe it is 30% and I can't do math, but the idea is that it allows you to add as many coupons as you want. Now this is still $939, and so we still can't afford it, so let's see if we could add this coupon multiple times. Hit Send and then reload the page, and it gives you the same error, which is "Coupon already applied".

So the next thing that I'm going to try is to add this coupon: if the backend code only verifies the last coupon that you added, then maybe we can get away with alternating the coupons and then reducing the price to less than $100. So let's try that over here and see if it works. Let's reload the page, and here we go, we could apply the coupon again as long as it's not consecutive. So when we tried NEWCUST5 and then again right after the first one we weren't allowed to do it, but because we used another coupon, the application seems to only check the last coupon, and if it's not equal to the last coupon then it allows us to apply it again. And so let's do that for SIGNUP30: hit Send, reload the page, and it allowed us to apply it, so we're at $524. Let's hit Send again, reload the page, okay, we're getting there. Hit Send, reload the page, and we're at $118, so we're almost there. Hit Send, and that's not going to work because we're already at SIGNUP30, so it needs to be NEWCUST5. Hit Send, reload the page, we're at $113, so we only need one more request with SIGNUP30 and it should work. And here we go, so the total is $0. Let's see if the application allows us to perform this request: click on Place order, and here we go, it says "Congratulations, you solved the lab".

All right, so we successfully completed the exercise by exploiting the vulnerability manually. Now let's script it in Python. If you would like to see a detailed version of the video where we first exploit the vulnerability manually and then script it in Python, check out the video linked on the screen. Also make sure to hit the Subscribe button and check out my course if you're interested in seeing more videos like this one. Thank you and see you in the next video.
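As an added illustration (this is not code from the video, from the author, or from PortSwigger's lab), the following Python model shows the check the walkthrough infers on the server side, where only the most recently applied coupon is remembered, next to a corrected cart that records every coupon ever applied. The cart classes, the $1,337 price and the two coupon definitions (a flat $5 and 30% of the item price) are constructed for this example from the figures quoted in the transcript; the hypothetical `replay` helper feeds the same alternating sequence to both carts so the difference in enforcement is visible.

```python
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP
from typing import Optional

# Constructed values based on the figures quoted in the walkthrough.
JACKET_PRICE = Decimal("1337.00")
COUPONS = {
    "NEWCUST5": ("flat", Decimal("5.00")),    # $5 off
    "SIGNUP30": ("percent", Decimal("30")),   # 30% of the item price
}


def discount_for(code: str, item_price: Decimal) -> Decimal:
    """Return the discount a coupon grants against the item price."""
    kind, amount = COUPONS[code]
    if kind == "flat":
        return amount
    return (item_price * amount / 100).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


@dataclass
class FlawedCart:
    """Models the behaviour observed in the lab: only the last applied
    coupon is remembered, so alternating two codes passes the check."""
    subtotal: Decimal
    last_coupon: Optional[str] = None
    discount: Decimal = Decimal("0.00")

    def apply_coupon(self, code: str) -> bool:
        if code not in COUPONS:
            return False
        if code == self.last_coupon:      # the only duplicate check present
            return False
        self.discount += discount_for(code, self.subtotal)
        self.last_coupon = code
        return True

    def total(self) -> Decimal:
        return max(Decimal("0.00"), self.subtotal - self.discount)


@dataclass
class FixedCart:
    """Hardened version: the full set of applied coupons is kept with the
    cart, and a code is accepted at most once regardless of ordering."""
    subtotal: Decimal
    applied: set = field(default_factory=set)
    discount: Decimal = Decimal("0.00")

    def apply_coupon(self, code: str) -> bool:
        if code not in COUPONS or code in self.applied:
            return False
        self.applied.add(code)
        self.discount += discount_for(code, self.subtotal)
        return True

    def total(self) -> Decimal:
        return max(Decimal("0.00"), self.subtotal - self.discount)


def replay(cart, codes):
    """Apply a sequence of coupon codes to a cart; return the codes that
    were accepted and the resulting total."""
    accepted = [code for code in codes if cart.apply_coupon(code)]
    return accepted, cart.total()


# The sequence from the walkthrough: a consecutive repeat (rejected by both
# carts), then the two codes alternated.
ALTERNATING = ["NEWCUST5", "NEWCUST5", "SIGNUP30", "NEWCUST5", "SIGNUP30",
               "NEWCUST5", "SIGNUP30", "NEWCUST5", "SIGNUP30"]

if __name__ == "__main__":
    for cls in (FlawedCart, FixedCart):
        accepted, total = replay(cls(JACKET_PRICE), ALTERNATING)
        print(f"{cls.__name__}: {len(accepted)} coupons accepted, total ${total}")
```

The flawed cart accepts eight of the nine submissions and drives the total to $0.00; the fixed cart accepts each code once, rejecting the non-consecutive repeats as well, and settles at $930.90. The general lesson is that a business rule such as "one use per coupon" has to be enforced against the complete server-side state of the order (and ideally re-checked at checkout), not against whatever happened to be the previous request.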

Other videos by this author: Rana Khalil
