Infinite money logic flaw
This lab has a logic flaw in its purchasing workflow.
With Burp running, log in with
wiener:peter, and sign up for the newsletter to obtain a coupon code,
SIGNUP30. Notice that you can buy $10 gift cards and redeem them from the My account page.
Add a gift card to your basket and proceed to the checkout. Apply the coupon code to get a 30% discount. Complete the order and copy the gift card code to your clipboard.
Go to your account page and redeem the gift card. Observe that this entire process has added $3 to your store credit. To obtain the
$1234required to purchase a leather jacket,
412gift cards need to be redeemed. This process can be automated.
Study the proxy history and notice that the gift card is redeemed by supplying the code in the
gift-cardparameter of the
Go to Settings -> Project -> Sessions. In the Session handling rules panel, click Add. The Session handling rule editor dialog opens.
In the dialog, go to the Scope tab. Under URL Scope, select Include all URLs.
Go back to the Details tab. Under Rule actions, click Add -> Run a macro. Under Select macro, click Add again to open the Macro Recorder.
Select the following sequence of requests:
POST /cart POST /cart/coupon POST /cart/checkout GET /cart/order-confirmation?order-confirmed=true POST /gift-card
Then, click OK. The Macro Editor opens.
In the list of requests, select
GET /cart/order-confirmation?order-confirmed=true. Click Configure item. In the dialog that opens, click Add to create a custom parameter. Name the parameter
gift-cardand highlight the gift card code at the bottom of the response. Click OK twice to go back to the Macro Editor.
POST /gift-cardrequest and click Configure item again. In the Parameter handling section, use the drop-down menus to specify that the
gift-cardparameter should be derived from the prior response (response 4). Click OK.
In the Macro Editor, click Test macro. Look at the response to
GET /cart/order-confirmation?order-confirmation=trueand note the gift card code that was generated. Look at the
POST /gift-cardrequest. Make sure that the
gift-cardparameter matches and confirm that it received a
302response. Keep clicking OK until you get back to the main Burp window.
GET /my-accountrequest to Burp Intruder. Use the “Sniper” attack type and clear the default payload positions.
On the Payloads tab, select the payload type Null payloads. Under Payload options, choose to generate
Go to the Resource pool tab and add the attack to a resource pool with the Maximum concurrent requests set to
1. Start the attack.
When the attack finishes, you will have enough store credit to buy the jacket and solve the lab.
An attacker will need to log in; abuse the logic flaw to get enough credit; and buy a “Lightweight l33t leather jacket” with it.