Write-up: Infinite money logic flaw @ PortSwigger Academy
This write-up for the lab Infinite money logic flaw is part of my walkthrough series for PortSwigger’s Web Security Academy.
Learning path: Server-side topics → Business logic vulnerabilities
Python script: script.py
Lab description
Steps
As usual, the first step is to analyze the functionality of the lab application. In this lab, it is a shop website well-known from other labs. My goal is to purchase a jacket that I already have a few thousand of. I start by browsing the page a bit and logging in with my known credentials.
The shop itself looks very familiar, but my account page has a new feature — I can use gift cards. Additionally, the lab provides access to my emails.
The gift cards can be purchased for $10.
To find out how this works, simply buy one:
At the same time, I received an email, also containing the gift card code:
On the ‘My account’ website I can apply the gift card to bring my store credit back up to $100. Unfortunately, I can not apply the gift card a second time. The gift card code can also not be used as a coupon on the checkout page.
Nothing obviously fishy comes up upon checking the requests in Burp.
Subscribing to newsletter
The other option for interacting with the page is the newsletter. I subscribe to find out if there is any interesting reward for it:
It is a 30% discount. This makes me think… The gift card states $10 flat rate value, can I apply the 30% on this? (after all, all shops I know in real life exclude gift cards explicitly from discounts)
At least it can be applied, so I buy it. After the code is generated and applied to my account, the store credit total shows $3 higher than before:
So for $7 I can purchase a $10 gift card that redeems for face value.
Purchasing gift cards
For the $103 I have in store credit, I can purchase 14 gift cards, generating a $3 profit each and a total of $42
To obtain the $1234 required to purchase the leather jacket, I need to redeem 412 gift cards. This is nothing I want to do manually, even though it could be a little less (< 300) if I apply the 30% coupon for the jacket itself as well.
Create a macro
The first thing is selecting the proper requests for a macro.
The POST to /cart does not contain a csrf-token, but the one to /cart/coupon does. So I modify the first request to /cart to redirect to CART so that the csrf-token for the next request can be extracted.
On the first test of the macro, redemption of the gift card failed as I forgot to change the gift card code to be taken from the previous request
So manually redeeming the code on the website to obtain my $3, then changing the macro to obtain the value from the previous request:
And the request to redeem the gift card needs to be updated to actually use that value:
Now retest again
Automate it
Now the macro test is successful, the parameter is obtained automatically and the gift card is applied. So I create a session rule that runs this macro for every request:
and send a plain request to /my-account to Burp Intruder. I clear all payload positions and add one for null payloads. During testing, I obtained already some of the 412 gift cards required, but use that number nonetheless as the number of payloads generated.
In addition, the requests must be made in order, so I use a resource pool with only a single concurrent request:
- Attack type: Sniper
- Payload: Null payload, 412 times
While the attack is running, refreshing of the account page in the browser shows a steady increase in store credit. So let it run for a while…
After it is finished, the cart looks much nicer for me and I can order. And I have no idea why I did not apply the discount code here, would have saved quite a number of calls.
At the same moment, the lab updates to
