Name: Payback Time
Description: Place an order that makes you rich.
Difficulty: 3 star
Category: Improper Input Validation
Expanded Description: https://pwning.owasp-juice.shop/part2/improper-input-validation.html
In this challenge, the expanded description isn’t of much use. Instead of taking suggestions from the description as I normally would, I opted to look at the packets being sent to the server during the purchase process. First I added the most expensive item in the store to my basket and checked what information was being passed.
The “quantity” field stood out like a sore thumb, so I decided to see what would happen if, instead of 1, I added -111 items to my basket.
Well, that looks promising.
At this point it was fairly clear that pressing “Pay -xxx.xx” would be the easiest way to transfer that money into my account. This method is much easier than, say, adding that money onto a credit card.
After entering my user’s name and address, I placed the order and completed the challenge.
Prevention and mitigation strategies:
Lessons Learned and Things Worth Mentioning:
- There is no reason to assume that a field which should be a positive value is enforced as such on the server side. While I couldn’t add -1 items from the user interface, using Burp Suite it was a trivial task to complete, and a very lucrative one in Juice Shop currency, which unfortunately has no exchange rate to USD.
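The server-side check that lesson calls for, as an added example and not Juice Shop's own code: the naive total shows how a client-supplied quantity of -111 turns into a negative amount to pay, and the hardened validator re-enforces the "at least 1" rule that the user interface alone cannot guarantee. The catalogue entry, its price and the basket item shape are constructed assumptions.

```javascript
// Added example, not Juice Shop code. The catalogue below is constructed;
// the price stands in for the store's most expensive item.
const CATALOGUE = { 42: { name: "Sample Product (constructed)", price: 4999.99 } };

// Naive total: trusts whatever quantity the client sent. A quantity of -111
// produces a negative total, which is exactly the "Pay -xxx.xx" button.
function naiveTotal(items) {
  return items.reduce(
    (sum, { productId, quantity }) => sum + CATALOGUE[productId].price * quantity,
    0
  );
}

// Hardened check: the quantity rule is enforced again on the server, where a
// proxy such as Burp Suite cannot bypass it. Returns a list of problems;
// an empty list means the basket is acceptable.
function validateBasket(items, maxQuantity = 99) {
  const problems = [];
  items.forEach(({ productId, quantity }, i) => {
    if (!Object.prototype.hasOwnProperty.call(CATALOGUE, productId)) {
      problems.push(`item ${i}: unknown product ${productId}`);
      return;
    }
    // Number.isInteger rejects strings, NaN, Infinity and fractions like 0.5.
    if (!Number.isInteger(quantity)) {
      problems.push(`item ${i}: quantity must be an integer`);
    } else if (quantity < 1 || quantity > maxQuantity) {
      problems.push(`item ${i}: quantity ${quantity} outside 1..${maxQuantity}`);
    }
  });
  return problems;
}

// Checkout only totals a basket that passed validation; a rejected basket
// never reaches the payment step.
function checkout(items) {
  const problems = validateBasket(items);
  if (problems.length > 0) {
    return { ok: false, problems };
  }
  return { ok: true, total: Number(naiveTotal(items).toFixed(2)) };
}
```

With the constructed price, `naiveTotal([{ productId: 42, quantity: -111 }])` comes out negative while `checkout` of the same basket returns `ok: false` with the reason attached.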