# Business logic vulnerabilities ### Lab: Excessive trust in client-side controls This lab doesn't adequately validate user input. You can exploit a logic flaw in its purchasing workflow to buy items for an unintended price. We intercepted the request at Add to cart option. We can see the request as follows ``` POST /cart HTTP/1.1 ... productId=1&redir=PRODUCT&quantity=1&price=133700 ``` We can change price to as we want. ``` productId=1&redir=PRODUCT&quantity=1&price=100 ``` Then go to the cart, we can see jacket's value is 1.00$. We can change price as we want. ### Lab: High-level logic vulnerability This lab doesn't adequately validate user input. You can exploit a logic flaw in its purchasing workflow to buy items for an unintended price. We intercepted the request at Add to cart option. We can see the request as follows ``` POST /cart HTTP/1.1 ... productId=1&redir=PRODUCT&quantity=1 ``` We sent the request to Repeater. We can change quantity value as we want. It accepts negative, zero and positive decimal values. We can change the value as -1. ``` productId=1&redir=PRODUCT&quantity=-1 ``` Then go to the cart, we can see jacket's value is -1337.00$. Then we'll face this error: Cart total price cannot be less than zero So, if we combine positive and negative ones, can we buy them like this? We intercepted the request at Add to cart option of "Conversation Controlling Lemon". ``` productId=4&redir=PRODUCT&quantity=-26 ``` The we can see total amount is $99.40. With this situtation, we can buy these products. ### Lab: Low-level logic flaw This lab doesn't adequately validate user input. You can exploit a logic flaw in its purchasing workflow to buy items for an unintended price. We intercepted the request at Add to cart option. We can set maxiumum value of quantity to 99. The price has exceeded the maximum value permitted for an integer in the back-end programming language (2,147,483,647). As a result, the value has looped back around to the minimum possible value (-2,147,483,647). If we can combine values of two products, we can make an order with this limit. We sent below request to repeater. ``` POST /cart HTTP/1.1 ... productId=1&redir=PRODUCT&quantity=1 ``` We added high number of it to get catch the proper value. ``` productId=1&redir=PRODUCT&quantity=99 ``` We sent to the request to Intruder with 326 null payloads. We can see total value as -$64060.96 After that we need to add some quantities of it to get proper value. We added 47 more. Then the total is -$1221.96. At this situation we can add other products to get proper value. Dancing In The Dark - $75.52 - 17 pieces. At the end, total value was $61.88. It is a proper one. We can place order.
NamePriceQuantity
Lightweight "l33t" Leather Jacket$1337.0032123
Dancing In The Dark$75.5217
### Lab: Inconsistent handling of exceptional input This lab doesn't adequately validate user input. You can exploit a logic flaw in its account registration process to gain access to administrative functionality. There is /admin interface. Admin interface is only available if logged in as a DontWannaCry user. `@exploit-accd1fe01eba9513c0a3965d01ec0079.web-security-academy.net` At the registration phase, The very-long-string should be at least 200 characters long. `$ ./pattern_create.rb -l 250 Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2A` `aa0aa1aa2aa3aa4aa5aa6aa7aa8aa9ab0ab1ab2ab3ab4ab5ab6ab7ab8ab9ac0ac1ac2ac3ac4ac5ac6ac7ac8ac9ad0ad1ad2ad3ad4ad5ad6ad7ad8ad9ae0ae1ae2ae3ae4ae5ae6ae7ae8ae9af0af1af2af3af4af5af6af7af8af9ag0ag1ag2ag3ag4ag5ag6ag7ag8ag9ah0ah1ah2ah3ah4ah5ah6ah7ah8ah9ai0ai1ai2a@exploit-accd1fe01eba9513c0a3965d01ec0079.web-security-academy.net` then log in the account, we can see email addresses as `aa0aa1aa2aa3aa4aa5aa6aa7aa8aa9ab0ab1ab2ab3ab4ab5ab6ab7ab8ab9ac0ac1ac2ac3ac4ac5ac6ac7ac8ac9ad0ad1ad2ad3ad4ad5ad6ad7ad8ad9ae0ae1ae2ae3ae4ae5ae6ae7ae8ae9af0af1af2af3af4af5af6af7af8af9ag0ag1ag2ag3ag4ag5ag6ag7ag8ag9ah0ah1ah2ah3ah4ah5ah6ah7ah8ah9ai0ai1ai2a@expl` There are 255 chars. `aa0aa1aa2aa3aa4aa5aa6aa7aa8aa9ab0ab1ab2ab3ab4ab5ab6ab7ab8ab9ac0ac1ac2ac3ac4ac5ac6ac7ac8ac9ad0ad1ad2ad3ad4ad5ad6ad7ad8ad9ae0ae1ae2ae3ae4ae5ae6ae7ae8ae9af0af1af2af3af4af5af6af7af8af9ag0ag1ag2ag3ag4ag5ag6ag7ag8ag9ah0ah1ah2ah3ah4ah5ah6ah7ah8a@dontwannacry.com` We are matching the value as shown to get access admin rights. `aa0aa1aa2aa3aa4aa5aa6aa7aa8aa9ab0ab1ab2ab3ab4ab5ab6ab7ab8ab9ac0ac1ac2ac3ac4ac5ac6ac7ac8ac9ad0ad1ad2ad3ad4ad5ad6ad7ad8ad9ae0ae1ae2ae3ae4ae5ae6ae7ae8ae9af0af1af2af3af4af5af6af7af8af9ag0ag1ag2ag3ag4ag5ag6ag7ag8ag9ah0ah1ah2ah3ah4ah5ah6ah7ah8a@dontwannacry.com.exploit-accd1fe01eba9513c0a3965d01ec0079.web-security-academy.net` Then we need to register again with this email. After the login phase, we can see Admin panel tab. Your email is: The application server truncated the address associated with your account to 255 characters. As a result, you have been able to register with what appears to be a valid @dontwannacry.com address. ### Lab: Inconsistent security controls This lab's flawed logic allows arbitrary users to access administrative functionality that should only be available to company employees. We registered a new account. There is an info at register page. Registered with - `attacker@exploit-aca21ffe1e6dd48bc05d356c016b0026.web-security-academy.net` If you work for DontWannaCry, please use your @dontwannacry.com email address At the my account page there is a Email Update function. Changed with - `attacker2@exploit-aca21ffe1e6dd48bc05d356c016b0026.web-security-academy.net` There is no need verification. So we can change our email as we want. Changed with - `test@dontwannacry.com` Then we can access Admin panel. ### Lab: Weak isolation on dual-use endpoint This lab makes a flawed assumption about the user's privilege level based on their input. As a result, you can exploit the logic of its account management features to gain access to arbitrary users' accounts. There is a change password function at my account page. The post request parameters are `csrf=PKVrI8YpD118cXeuRIiB5ULV7osgMvFb&username=wiener¤t-password=peter&new-password-1=pass&new-password-2=pass` We played with these variables. When we deleted the current-password variable from request, we could change password. `csrf=PKVrI8YpD118cXeuRIiB5ULV7osgMvFb&username=wiener&new-password-1=pass&new-password-2=pass` Then we tried to reset administrator pass. It did not check username neither. `csrf=PKVrI8YpD118cXeuRIiB5ULV7osgMvFb&username=administrator&new-password-1=cel1s0&new-password-2=cel1s0` So we could change administrator password to cel1s0. ### Lab: Insufficient workflow validation This lab makes flawed assumptions about the sequence of events in the purchasing workflow. We bought a product which was “Cheshire Cat Grin”. We can see workflow as follows: * POST /cart * GET /cart * POST /cart/checkout * GET /cart/order-confirmation?order-confirmed=true We can bypass POST /cart/checkout step. So we can avoid validation of having enough money. We added the product to the cart. Then you need to make this request. `GET /cart/order-confirmation?order-confirmed=true` ### Lab: Authentication bypass via flawed state machine This lab makes flawed assumptions about the sequence of events in the login process. We can see workflow as follows: * GET /login * POST /login * GET /role-selector * POST /role-selector * GET / If we can bypass the role-selector part, we can get admin rights. With the content discovery tool, we can identify /admin path. Answer: This workflow: * GET /login * POST /login * GET /admin ### Lab: Flawed enforcement of business rules This lab has a logic flaw in its purchasing workflow. New customers use code at checkout: NEWCUST5 Sign up to our newsletter! -> Use coupon SIGNUP30 at checkout! Try applying the codes more than once. Notice that if you enter the same code twice in a row, it is rejected because the coupon has already been applied. However, if you alternate between the two codes, you can bypass this control. ### Lab: Infinite money logic flaw This lab has a logic flaw in its purchasing workflow. Sign up to our newsletter! -> Use coupon SIGNUP30 at checkout! There is a gift card as a product. If we can combine discount coupon and gift card, we can get infinite money logic flaw. Verified - It works! -Every step, we can gain $3. We can create a macro to automize this process. For detailed information of creating the macro, you can see the solution of the lab. Sequence of request: * POST /cart * POST /cart/coupon * POST /cart/checkout * GET /cart/order-confirmation?order-confirmed=true * POST /gift-card We need to change gift card code to related request. Then we start a sniper attack with GET / request with 412 null payloads. When the attack stops, we will have enough money to buy the product.