Introduction

This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.


Solution

1. Goal

Change check stock url to access admin interface and delete user named carlos.

2. Observe

2.1. Observe the stock feature

Open the lab homepage: we see the list of products, but there is no check stock feature on this page.

Open a product detail page by clicking the View Details button. The product detail page opens with a URL like /product?productId=<PRODUCT-ID>,

and the Check stock button appears at the bottom left, after the product description.

2.2. Inspect the check stock request in Burp

Click the button Check stock from UI and find the request in Burp Proxy HTTP history.

At line 20 of the request, notice that the stockApi parameter points to http://host:port/product/stock/check?productId=1&storeId=1 and the response was successful, with the value 451 in the response body. Now send the request to Repeater, change the stockApi URL to the admin interface and hit Send. After changing it to http://localhost/admin, the admin page HTML is returned in the response body.

2.3. Now, we know about

  • The Check stock button on the product detail page triggers a stock check against a specific back-end system.
  • The stockApi URL can be changed to localhost/admin, and the server returns a success response containing the admin page HTML.

3. Delete the user Carlos

Based on what we already know from the previous steps, we now have the HTML response, so let's take a look at the response body. After reading the returned HTML, we notice that line 64 contains a link to delete the user carlos. If we copy the link and open it in the browser, it returns a permission error, which indicates that we need to be logged in to the admin interface first. But if we change the stockApi to this URL and hit Send, it responds with success and the user carlos is deleted.
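The root cause in this lab is that the server fetches whatever URL the client supplies in stockApi, so an attacker can point it at an internal host. The following is an added example, not code from the lab or from PortSwigger: it shows the defensive fix (build the back-end URL server-side from numeric IDs, and validate any URL against a strict allowlist of scheme, host, port, path and parameters) plus a small check that scans constructed proxy log lines for stockApi values that leave the expected host. The host name stock.internal.example, the port 8080, the log format and the log lines are all assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Assumed location of the legitimate stock back-end (constructed for this example).
ALLOWED_SCHEME = "http"
ALLOWED_HOST = "stock.internal.example"
ALLOWED_PORT = 8080
ALLOWED_PATH = "/product/stock/check"
ALLOWED_PARAMS = {"productId", "storeId"}


def is_allowed_stock_url(url: str) -> bool:
    """Return True only if url is exactly the expected stock endpoint.

    Every component is compared to the allowlist; a URL such as
    http://localhost/admin fails on host and port, and a URL that smuggles
    the expected host into the userinfo part (host:port@localhost) fails
    because urlparse reports the real hostname.
    """
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    if parts.scheme != ALLOWED_SCHEME:
        return False
    if parts.username or parts.password:  # reject user@host forms outright
        return False
    if parts.hostname != ALLOWED_HOST:
        return False
    port = parts.port if parts.port is not None else 80
    if port != ALLOWED_PORT:
        return False
    if parts.path != ALLOWED_PATH:
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    if set(query) != ALLOWED_PARAMS:  # no extra or missing parameters
        return False
    # Each parameter must appear once and be a plain integer.
    return all(len(query[name]) == 1 and query[name][0].isdigit()
               for name in ALLOWED_PARAMS)


def build_stock_url(product_id: int, store_id: int) -> str:
    """Hardened form: the client sends only IDs; the server builds the URL."""
    return (f"{ALLOWED_SCHEME}://{ALLOWED_HOST}:{ALLOWED_PORT}{ALLOWED_PATH}"
            f"?productId={int(product_id)}&storeId={int(store_id)}")


# Constructed log lines in an assumed format: client IP, method, path, form body.
SAMPLE_LOG = [
    '10.0.0.5 POST /product/stock body="stockApi=http%3A%2F%2Fstock.internal.example'
    '%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1"',
    '10.0.0.9 POST /product/stock body="stockApi=http%3A%2F%2Flocalhost%2Fadmin"',
    '10.0.0.7 GET /product?productId=1 body=""',
]

_STOCK_API_RE = re.compile(r'^(\S+) \S+ \S+ body="stockApi=([^"]*)"')


def flag_suspicious_stock_api(lines):
    """Return (client_ip, decoded_url) for every stockApi value that is not allowed."""
    findings = []
    for line in lines:
        match = _STOCK_API_RE.match(line)
        if not match:
            continue
        client_ip, raw_url = match.groups()
        url = unquote(raw_url)
        if not is_allowed_stock_url(url):
            findings.append((client_ip, url))
    return findings


if __name__ == "__main__":
    print("server-built URL allowed:", is_allowed_stock_url(build_stock_url(1, 1)))
    print("localhost/admin allowed:", is_allowed_stock_url("http://localhost/admin"))
    for ip, url in flag_suspicious_stock_api(SAMPLE_LOG):
        print(f"suspicious stockApi from {ip}: {url}")
```

The safest variant is build_stock_url: once the client can only choose product and store IDs, there is no URL left to tamper with. The validator is for the case where a URL must be accepted; note that it compares components after parsing rather than doing a string prefix check, which is what lets it reject the user@host and extra-parameter variants.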


Thanks for reading