Business Logic - [PortSwigger]
Introduction
In this post there is a compilation of every apprentice and practitioner lab related to the Business Logic topic from PortSwigger Academy.
Excessive trust in client-side controls [Apprentice]
A POST request is made to the endpoint /cart when adding an object to the cart.
POST /cart HTTP/1.1
[...]
productId=1&redir=PRODUCT&quantity=1&price=133700
Because the price is sent by the client, you can change it to 1 (0 doesn't work) and get a jacket for $0.01.
2FA broken logic [Practitioner]
Explained in the Authentication post.
High-level logic vulnerability [Apprentice]
The server only checks that the total price is greater than 0, but it accepts negative quantities.
So, buy 1 Leet jacket and then add another item, but this time with a negative quantity.
For example, 1 Leet jacket + (-14) Cheshire Cat Grin = $18.20.
Low-level logic flaw [Practitioner]
If the total grows too large, it overflows and wraps around to a negative value, so we can keep adding jackets until the total is around -$1000. Then we can add another item to bring the price back between $0 and $100.
Note: If you are using Burp, it makes an extra request, so if you need to submit 324 requests of 99 items, select "Null payload" and "Generate 323 payloads".
324 * 99 = 32076 jackets; 32076 * $1337 => -$64060.96
-$64060.96 + 47 * $1337 = -$1221.96 (i.e. 32123 jackets * $1337 = -$1221.96)
-$1221.96 + 14 * $89.58 = $32.16
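The three cart labs above (client-supplied price, negative quantity, and integer overflow) are all failures to validate the order total on the server. The following is an added example, not code from the page or from PortSwigger: a flawed total calculation that reproduces the page's figures beside a hardened one. The catalogue is constructed (the Cheshire Cat Grin price of $94.20 is the value implied by the page's "1 jacket + (-14) grins = $18.20", and "other-item" stands in for the unnamed $89.58 item), the 32-bit wrap is an assumption that matches the page's arithmetic exactly, and `MAX_QUANTITY` / `MAX_ORDER_CENTS` are assumed limits.

```python
from decimal import Decimal

# Constructed catalogue, prices in cents. The Leet jacket ($1337.00) and the
# Cheshire Cat Grin ($94.20, the price implied by the page's 1 jacket + (-14)
# grins = $18.20) are the page's own products; "other-item" stands in for the
# unnamed $89.58 item used in the final step of the low-level lab.
CATALOGUE = {
    "leet-jacket": 133700,
    "cheshire-cat-grin": 9420,
    "other-item": 8958,
}

MAX_QUANTITY = 99          # assumed per-line limit (the lab form allows up to 99)
MAX_ORDER_CENTS = 10**9    # assumed ceiling on a single order


def wrap_int32(n):
    """Emulate a signed 32-bit integer. The page's figures (32076 jackets at
    $1337 showing as -$64060.96) are exactly what such a counter produces."""
    n &= 0xFFFFFFFF
    return n - 2**32 if n > 2**31 - 1 else n


def vulnerable_total(lines):
    """Total as the flawed server computes it: the price is whatever the client
    sent, the quantity is never checked for sign, and the running total is a
    32-bit cent counter that silently wraps."""
    total = 0
    for line in lines:
        total = wrap_int32(total + line["price"] * line["quantity"])
    return total


def vulnerable_checkout_ok(lines):
    # The only rule the lab enforces: the total must be positive.
    return vulnerable_total(lines) > 0


class InvalidOrder(ValueError):
    pass


def safe_total(lines):
    """Hardened total: prices come from the server-side catalogue (a client
    "price" field is ignored), each quantity must be an integer between 1 and
    MAX_QUANTITY, and the total is capped long before any fixed-width limit."""
    total = 0
    for line in lines:
        price = CATALOGUE.get(line.get("productId"))
        if price is None:
            raise InvalidOrder("unknown product")
        qty = line.get("quantity")
        if type(qty) is not int or not 1 <= qty <= MAX_QUANTITY:
            raise InvalidOrder("quantity must be an integer between 1 and %d" % MAX_QUANTITY)
        total += price * qty
        if total > MAX_ORDER_CENTS:
            raise InvalidOrder("order total exceeds the permitted maximum")
    return total


def dollars(cents):
    """Format a cent total for display."""
    return "$%s" % (Decimal(cents) / 100)


if __name__ == "__main__":
    # The three manipulations from the page, as the flawed server sees them.
    print(dollars(vulnerable_total([{"price": 1, "quantity": 1}])))
    print(dollars(vulnerable_total([{"price": 133700, "quantity": 1},
                                    {"price": 9420, "quantity": -14}])))
    print(dollars(vulnerable_total([{"price": 133700, "quantity": 32123},
                                    {"price": 8958, "quantity": 14}])))
    # The hardened version ignores the client price and rejects the rest.
    print(dollars(safe_total([{"productId": "leet-jacket", "quantity": 1, "price": 1}])))
```

Wrapping after every line gives the same result as wrapping once at the end (modular arithmetic), which is why the page's 324 separate requests of 99 jackets and a single quantity of 32076 land on the same negative total. Note that the hardened version uses Python's unbounded integers and still caps the total: the cap is what protects a downstream system that does store the amount in a fixed-width column.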
Inconsistent handling of exceptional input [Practitioner]
The objective is to create an account with an email like "<WHATEVER>@dontwannacry.com". Also, the attacker's inbox receives emails sent to addresses such as "<WHATEVER>@dontwannacry.com.exploit-<LAB_DOMAIN>.web-security-academy.net". So, maybe there is some kind of string length limit.
To check it, generate a 500-character cyclic pattern with a pattern-generator tool and replace "<WHATEVER>" with it.
It will look like this:
<PATTERN>@dontwannacry.com.exploit-<LAB_DOMAIN>.web-security-academy.net
Once registered and logged in, your email will look like this.
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4
Feeding the last eight characters of the stored email to the generator's "Find overflow offset" function, we find that the stored email string is 255 characters long (offset 247 + the 8 characters of the probe). Hence, to obtain an address that ends with "@dontwannacry.com" (17 characters), the username part must contain 238 characters.
The payload will look like this.
kali@kali:~$ python -c "print('a'*238+'@dontwannacry.com.exploit-<LAB_DOMAIN>.web-security-academy.net')"
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa@dontwannacry.com.exploit-0abf004b046e44f4c0a31f8b01b900f2.web-security-academy.net
After registering and logging in to your account, your email address should look like this.
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa@dontwannacry.com
Finally, enumerating directories, there is an /admin folder where you can delete the user Carlos.
Inconsistent security controls [Apprentice]
Create an account using the exploit server email and log in. Then, go to your account and update your email to something like "<WHATEVER>@@dontwannacry.com".
Finally, go to /admin and delete the user Carlos.
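Both the truncation lab and the inconsistent-controls lab above come down to one rule: privilege must be derived from exactly the string that was validated and verified, on every path that can change it. The following is an added example, not code from the page or from PortSwigger: it reproduces the page's cyclic-pattern measurement locally, then shows a registration/update flow that validates before truncation and re-verifies on update, beside the flawed versions. The 255-character limit and the 238-character payload are the page's figures; the lab id in the payload is a placeholder, the e-mail regex is deliberately simple, and `Rejected`, `confirm_verification` and the account dictionary layout are assumptions of this example.

```python
import re
from itertools import product
from string import ascii_uppercase, ascii_lowercase, digits

EMAIL_COLUMN_LIMIT = 255                 # the limit measured on the page
PRIVILEGED_DOMAIN = "dontwannacry.com"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # deliberately simple


def cyclic_pattern(length):
    """The Aa0Aa1Aa2... pattern the page uses to probe the length limit."""
    out = []
    size = 0
    for upper, lower, digit in product(ascii_uppercase, ascii_lowercase, digits):
        if size >= length:
            break
        out.append(upper + lower + digit)
        size += 3
    return "".join(out)[:length]


def measured_limit(stored_value, probe_len=8):
    """The page's "find overflow offset" step, done locally: locate the tail
    of what the application stored inside the pattern that was submitted."""
    pattern = cyclic_pattern(4096)       # assumed long enough for any column
    offset = pattern.find(stored_value[-probe_len:])
    if offset < 0:
        raise ValueError("tail not found in the pattern")
    return offset + probe_len


class Rejected(ValueError):
    pass


def vulnerable_register(email):
    """Validates and mails the submitted value, but the storage layer silently
    truncates it, so what was checked is not what is kept."""
    if not EMAIL_RE.match(email):
        raise Rejected("not an email address")
    stored = email[:EMAIL_COLUMN_LIMIT]
    return {"email": stored, "is_admin": stored.endswith("@" + PRIVILEGED_DOMAIN)}


def safe_register(email):
    """Rejects anything storage could alter; privilege is never derived here."""
    if len(email) > EMAIL_COLUMN_LIMIT:
        raise Rejected("email address too long")
    if not EMAIL_RE.match(email):
        raise Rejected("not an email address")
    return {"email": email, "verified": False, "is_admin": False}


def vulnerable_update_email(account, new_email):
    """The inconsistent-controls flaw: the update path re-derives privilege
    from an address nobody verified."""
    acct = dict(account)
    acct["email"] = new_email
    acct["is_admin"] = new_email.endswith("@" + PRIVILEGED_DOMAIN)
    return acct


def safe_update_email(account, new_email):
    """Same validation as registration; a changed address loses verification
    and with it any domain-based privilege until it is confirmed again."""
    acct = dict(account)
    acct.update(safe_register(new_email))
    return acct


def confirm_verification(account):
    """Run only when the link mailed to account["email"] has been followed.
    Privilege is derived from the exact string that was verified."""
    acct = dict(account)
    acct["verified"] = True
    acct["is_admin"] = acct["email"].rsplit("@", 1)[1] == PRIVILEGED_DOMAIN
    return acct


# Constructed payload in the shape the page uses; the lab id is a placeholder.
PAYLOAD = "a" * 238 + "@dontwannacry.com.exploit-LAB_ID_PLACEHOLDER.web-security-academy.net"
```

`measured_limit(cyclic_pattern(500)[:255])` returns 255, the figure the page arrives at, because the last eight characters of the stored value ("i2Ai3Ai4") first appear at offset 247 in the pattern. The detection-side lesson is the same for both labs: a length check that runs before storage, and a verification flag that is cleared on every change, remove the gap between what is validated and what is later trusted.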
Weak isolation on dual-use endpoint [Practitioner]
After logging into the application, we can update our account information. If we intercept the request, change the username to "administrator" and remove the current-password parameter, we will change the administrator's password.
POST /my-account/change-password HTTP/1.1
[...]
csrf=<CSRF_TOKEN>&username=administrator&new-password-1=1234&new-password-2=1234
Now, we can log in as the administrator with the new password, access the /admin panel and remove the user Carlos.
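The dual-use endpoint above serves both the self-service "change my password" form and the administrator's "reset any user" form, and it decides which one it is handling by whether `current-password` is present. The following is an added example, not code from the page or from PortSwigger: a handler that mirrors that flaw beside a hardened version that takes the account from the server-side session and always requires the current password, with the admin reset split into its own endpoint. The in-memory user store, the sample credentials, the session dictionary and the `Forbidden` exception are constructed for this example.

```python
import hashlib
import hmac
import os


class Forbidden(Exception):
    pass


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password):
    """Constructed user record: salted PBKDF2 hash, nothing else."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


def check_password(user, password):
    return hmac.compare_digest(user["hash"], _hash(password, user["salt"]))


def _set_password(user, new1, new2):
    if new1 != new2:
        raise ValueError("new passwords do not match")
    user["salt"] = os.urandom(16)
    user["hash"] = _hash(new1, user["salt"])


def vulnerable_change_password(session, form, users):
    """Mirrors the flaw on the page: the target account is taken from the
    request body, and the current password is only checked when the
    parameter happens to be present (the same handler also serves the
    admin's reset form, which legitimately has no such field)."""
    user = users[form["username"]]
    if "current-password" in form and not check_password(user, form["current-password"]):
        raise Forbidden("current password is wrong")
    _set_password(user, form["new-password-1"], form["new-password-2"])
    return form["username"]


def safe_change_password(session, form, users):
    """Hardened self-service handler: the account is the one bound to the
    session (a "username" field is ignored) and the current password is
    mandatory. Resetting someone else's password is a separate endpoint."""
    username = session.get("user")
    if username is None:
        raise Forbidden("login required")
    current = form.get("current-password")
    if not current or not check_password(users[username], current):
        raise Forbidden("current password required")
    _set_password(users[username], form["new-password-1"], form["new-password-2"])
    return username


def safe_admin_reset_password(session, form, users):
    """Separate endpoint for the admin use case, with its own authorization."""
    if session.get("role") != "administrator":
        raise Forbidden("administrator only")
    _set_password(users[form["username"]], form["new-password-1"], form["new-password-2"])
    return form["username"]
```

The general principle: a request parameter may name *what* to change, never *whose* account is being changed. Identity comes from the session, and the two use cases (self-service with proof of the current secret, administrative reset with a role check) get two handlers so that neither one's checks can be skipped by shaping the request like the other.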
Password reset broken logic [Apprentice]
Visit my Authentication post.
Insufficient workflow validation [Practitioner]
If you buy an item between $0 and $100, after the POST /cart/checkout request there is a new GET request to /cart/order-confirmation?order-confirmed=true.
If you intercept that request, go to your shopping cart, swap the item for the jacket, and then forward the request, the jacket will be bought instead of the original item.
Authentication bypass via flawed state machine [Practitioner]
During the login process, before selecting the role, there is a GET request to /role-selector. Drop that request and browse to /admin: you get access to the admin panel and can remove the user Carlos.
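The two labs above (a confirmation step that trusts a client flag and re-reads the live cart, and an admin panel reachable by skipping the role-selection step) are both workflow-state failures: each step trusted that the previous one had run instead of checking. The following is an added example, not code from the page or from PortSwigger: a small server-side state machine for both flows, showing the flawed and the hardened checks side by side. The session layout, prices, credentials, allowed roles and the `WorkflowError` exception are constructed; the permissive default in `vulnerable_admin_panel` is an illustration of default-allow, since the page only records that skipping /role-selector grants admin access and does not explain why.

```python
class WorkflowError(Exception):
    pass


# Constructed server-side state. A real application keeps this in its session
# store or database; nothing here is read back from client-controlled input.
def new_session():
    return {"step": "browsing", "cart": [], "order": None, "user": None, "role": None}


PRICES = {"leet-jacket": 133700, "cheap-item": 1000}      # cents, constructed
CREDENTIALS = {"wiener": "peter"}                         # constructed sample login
ALLOWED_ROLES = {"wiener": {"user", "content-author"}}    # roles each user may pick


def cart_total(cart):
    return sum(PRICES[product] * qty for product, qty in cart)


def checkout(session, balance):
    """Payment step: charge the cart and snapshot it into an order record that
    later steps use instead of the live (still editable) cart."""
    total = cart_total(session["cart"])
    if total > balance:
        raise WorkflowError("insufficient funds")
    session["order"] = {"items": list(session["cart"]), "total": total}
    session["step"] = "paid"
    return balance - total


def vulnerable_order_confirmation(session):
    """Fulfils whatever is in the cart *now*; nothing ties it to what was paid."""
    return {"fulfilled": list(session["cart"])}


def safe_order_confirmation(session):
    """Requires the paid state, fulfils the snapshot, then advances the state
    so the confirmation cannot be replayed."""
    if session["step"] != "paid" or session["order"] is None:
        raise WorkflowError("no paid order to confirm")
    order = session["order"]
    session.update(order=None, cart=[], step="complete")
    return {"fulfilled": order["items"]}


def login(session, username, password):
    if CREDENTIALS.get(username) != password:
        raise WorkflowError("bad credentials")
    session.update(user=username, role=None, step="authenticated")


def role_selector(session, chosen):
    if session["step"] != "authenticated":
        raise WorkflowError("log in first")
    if chosen not in ALLOWED_ROLES.get(session["user"], set()):
        raise WorkflowError("role not permitted")
    session.update(role=chosen, step="role_selected")


def vulnerable_admin_panel(session):
    """Checks only that someone is logged in and, assuming the role step always
    runs, falls back to a permissive default when it did not (constructed
    default-allow illustration)."""
    if session["user"] is None:
        raise WorkflowError("login required")
    if (session["role"] or "administrator") != "administrator":
        raise WorkflowError("forbidden")
    return "admin panel"


def safe_admin_panel(session):
    """Default-deny: the state machine must have reached role selection and
    the selected role must be administrator."""
    if session["step"] != "role_selected" or session["role"] != "administrator":
        raise WorkflowError("forbidden")
    return "admin panel"
```

Each hardened step checks the explicit `step` value set by its predecessor rather than a flag the client can send (`order-confirmed=true`) or a default it hopes is harmless. That is also what makes these flaws detectable: a confirmation request whose session is not in the paid state, or an /admin request from a session that never completed role selection, is a log line worth alerting on.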
Flawed enforcement of business rules [Apprentice]
In the header there is the coupon "NEWCUST5", and in the footer of the home page there is a newsletter signup form. If you submit it, you will receive the code "SIGNUP30".
These codes cannot be submitted twice in a row, but you can bypass this check by alternating the codes: "NEWCUST5", "SIGNUP30", "NEWCUST5"... Doing this several times, you will be able to buy the jacket for free.
Infinite money logic flaw [Practitioner]
As before, if we sign up for the newsletter, we receive a "SIGNUP30" coupon. Also, there is a $10 gift card that we can buy as many times as we want. So, doing the math, if we buy a $10 gift card with a 30% discount and then redeem the gift code on our account, we will have earned $3.
Repeating this process several times, around 415 times, we will obtain enough money to buy a jacket. For that, use Burp's session handling rules together with a macro.
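The coupon lab and the gift-card lab above share a root cause: a business rule ("one use per code", "a gift card is worth what you paid for it") enforced by comparing against the previous request rather than against the order's actual state. The following is an added example, not code from the page or from PortSwigger: coupon stacking tracked by "last code" beside a set-based version, and the buy-then-redeem loop with a redemption that credits face value beside one that credits the amount paid. The codes are the page's, but their values (NEWCUST5 as $5 off, SIGNUP30 as 30% off), the $100 starting balance, the integer rounding and the `CheckoutError` exception are assumptions of this example.

```python
class CheckoutError(Exception):
    pass


# Constructed values: the codes are the page's, but what each one is worth is
# an assumption (NEWCUST5 taken as $5 off, SIGNUP30 as 30% off). Amounts in cents.
COUPONS = {"NEWCUST5": ("fixed", 500), "SIGNUP30": ("percent", 30)}
GIFT_CARD_FACE_VALUE = 1000
JACKET_PRICE = 133700


def apply_discount(total, code):
    kind, value = COUPONS[code]
    if kind == "fixed":
        return max(0, total - value)
    return total - total * value // 100


def vulnerable_apply_coupons(total, codes):
    """The lab's rule: a code is refused only if it repeats the previous one,
    so alternating two codes stacks them without limit."""
    last = None
    for code in codes:
        if code not in COUPONS:
            raise CheckoutError("unknown coupon")
        if code == last:
            raise CheckoutError("coupon already applied")
        total = apply_discount(total, code)
        last = code
    return total


def safe_apply_coupons(total, codes):
    """Each code may be applied at most once per order, tracked as a set
    attached to the order rather than as the previous request."""
    applied = set()
    for code in codes:
        if code not in COUPONS:
            raise CheckoutError("unknown coupon")
        if code in applied:
            raise CheckoutError("coupon already applied")
        applied.add(code)
        total = apply_discount(total, code)
    return total


def buy_gift_card(balance, code=None):
    """Charge the (possibly discounted) price and issue a card that records
    both its face value and what was actually paid for it."""
    price = apply_discount(GIFT_CARD_FACE_VALUE, code) if code else GIFT_CARD_FACE_VALUE
    if price > balance:
        raise CheckoutError("insufficient funds")
    return balance - price, {"face_value": GIFT_CARD_FACE_VALUE, "paid": price}


def vulnerable_redeem(balance, card):
    """Credits the face value regardless of the discount: +$3.00 per round."""
    return balance + card["face_value"]


def safe_redeem(balance, card):
    """Credits only what was paid; refusing promotional codes on gift cards
    altogether is the equivalent policy at the purchase step."""
    return balance + card["paid"]


def gift_card_loop(balance, rounds, redeem):
    """The buy-then-redeem cycle the page automates with a Burp macro."""
    for _ in range(rounds):
        balance, card = buy_gift_card(balance, "SIGNUP30")
        balance = redeem(balance, card)
    return balance
```

Starting from $100, 415 rounds of the flawed loop end at $1345.00, which is where the page's "around 415 times" comes from; the same loop with `safe_redeem` ends exactly where it started. On the detection side, hundreds of identical gift-card purchases and redemptions from one account within minutes is the signal to look for, and a store-credit ledger that is reconciled against payments received makes the discrepancy visible.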