實驗目標

To solve the lab, find and exploit a mass assignment vulnerability to buy a Lightweight l33t Leather Jacket. You can log in to your own account using the following credentials: wiener:peter.

官方WP

1. In Burp's browser, log in to the application using the credentials wiener:peter.

2. Click on the Lightweight "l33t" Leather Jacket product and add it to your basket.

3. Go to your basket and click Place order. Notice that you don't have enough credit for the purchase.

4. In Proxy > HTTP history, notice both the GET and POST API requests for /api/checkout.

5. Notice that the response to the GET request contains the same JSON structure as the POST request. Observe that the JSON structure in the GET response includes a chosen_discount parameter, which is not present in the POST request.

6. Right-click the POST /api/checkout request and select Send to Repeater.

7. In Repeater, add the chosen_discount parameter to the request. The JSON should look like the following:

   {"chosen_discount":{"percentage":0},"chosen_products":[{"product_id":"1","quantity":1}]
   }

8. Send the request. Notice that adding the chosen_discount parameter doesn't cause an error.

9. Change the chosen_discount value to the string "x", then send the request. Observe that this results in an error message as the parameter value isn't a number. This may indicate that the user input is being processed.

10. Change the chosen_discount percentage to 100, then send the request to solve the lab.

---

實驗步驟

• 進入實驗室首頁

• 點擊右上角的`My account`進入登錄頁面

• 使用實驗室提供的憑據成功登錄?

• 回到商品展示頁找到目標商品

• 將該商品添加進購物車中

在購物車頁面中進行刷新可見一接口

• 使用OPTIONS方式向該接口發送請求，查看該接口允許接收什么類型的請求

由響應頭可見，該接口僅允許接收`GET`、`POST`方式請求

• 使用GET方式向該接口發送請求

• 將請求方式修改為POST
• 將發送GET請求時響應體復制到POST請求體中
• 將折扣從0修改為100

• 發包后成功將商品價格修改為0