Access the lab, add the domain to Burp's Target scope and check Include subdomains. View the source of the / route, inspect the page, then request all embedded links through the Burp proxy using the scripts below.
```python
from bs4 import BeautifulSoup
from urllib.parse import urljoin
import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Specify Variables
base_url = "https://0a1f00410450ba6680aa8a200085007a.web-security-academy.net"
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}

# Parse Base URL
content = BeautifulSoup(requests.get(base_url).text, 'html.parser')

# Find and Request all href resources (routed through Burp so they land in the Site map)
for link in content.find_all('a', href=True):
    full_url = urljoin(base_url, link['href'])
    response = requests.get(full_url, proxies=proxies, verify=False)
    print(f"{response.status_code} {response.url}")

# Find and Request all src resources
for img in content.find_all('img', src=True):
    full_url = urljoin(base_url, img['src'])
    response = requests.get(full_url, proxies=proxies, verify=False)
    print(f"{response.status_code} {response.url}")
```
Exploration
Inspect Burp's Target Site map to find the /cart resource path, which the bash script missed but the Python script revealed. With Burp Suite running and the browser's FoxyProxy extension switched to the Burp profile, perform a user flow for purchasing an item after logging in with the provided credentials wiener:peter.
Exploitation
When /login is requested with valid credentials, it makes a POST request with csrf, username and password parameters. Observe a POST request to /cart with productId, redir, quantity and price parameters. When the cart is viewed, a GET request is made to /cart, which returns a page with a coupon feature that has a csrf input tag and a form tag that makes a POST request to /cart/checkout to place the order for the item. Send these requests to Burp Repeater, change the price and resend the requests in sequence. This exploit can be automated with the script below
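The root cause is that the server accepts the price parameter from the POST /cart body instead of pricing the item itself. The following is an added example, not the lab's or PortSwigger's code: a cart handler that mirrors that flaw beside a hardened one that prices server-side and flags requests whose submitted price disagrees with the catalog. The catalog, product IDs and form dictionaries are constructed for the example.

```python
# Added example (not the lab's code): the vulnerable pattern and the hardened
# pattern for POST /cart. Prices are in cents; CATALOG is constructed.
CATALOG = {"1": 133700, "2": 2500}  # productId -> server-side price


def add_to_cart_vulnerable(cart, form):
    """Mirrors the lab's flaw: productId, quantity AND price are all taken
    from the client, so the price can be rewritten in Repeater."""
    cart.append({
        "productId": form["productId"],
        "quantity": int(form["quantity"]),
        "price": int(form["price"]),  # trusted as sent by the client
    })
    return cart


def add_to_cart_fixed(cart, form):
    """Hardened: the price comes from the catalog; any client-supplied price
    is ignored, and unknown products or non-positive quantities are rejected."""
    product_id = form.get("productId")
    if product_id not in CATALOG:
        raise ValueError("unknown productId")
    quantity = int(form.get("quantity", 0))
    if quantity <= 0:
        raise ValueError("quantity must be positive")
    cart.append({"productId": product_id, "quantity": quantity,
                 "price": CATALOG[product_id]})
    return cart


def detect_price_tamper(form):
    """Detection hook for the transition period while a legacy client still
    sends price: True when the submitted price disagrees with the catalog,
    which is worth logging and alerting on."""
    product_id = form.get("productId")
    if product_id not in CATALOG or "price" not in form:
        return False
    return int(form["price"]) != CATALOG[product_id]


def checkout_total(cart):
    """Total in cents, as POST /cart/checkout would charge it."""
    return sum(item["price"] * item["quantity"] for item in cart)
```

With the vulnerable handler a cart built from a request whose price was set to 1 checks out for 1 cent; with the fixed handler the same request checks out at the catalog price and detect_price_tamper returns True for it.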