Name: Christmas Special
Description: Order the Christmas special offer of 2014.
Difficulty: 4 star
Expanded Description: https://pwning.owasp-juice.shop/part2/injection.html
Yet again the database dump I performed during the Database Schema challenge pays dividends. While the expanded description for this challenge makes it clear that this is intended to be a much more difficult task, being able to simply search the product table for the word “Christmas” means that it’s basically a 3 star challenge.
Once I found the product ID number from the database, I simply used Burp Suite and FoxyProxy to solve this. I merely logged into a user account, added a random product to that user’s basket, intercepted that packet, and updated the “ProductId” field to match the product ID number of the 2014 Christmas Super Surprise Box. With that done, I sent off the packet and crossed this challenge off the list.
Prevention and Mitigation Strategies:
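The write-up above shows the root cause from the attacker's side: the basket endpoint accepted whatever "ProductId" arrived in the request, including the id of a product that is hidden from search but still present in the product table. The following is an added example, not Juice Shop's own code, of the server-side check that closes that gap: the handler looks the product up itself and refuses anything that is soft-deleted or otherwise not for sale, instead of trusting the client's id. The catalog, the product ids, the `deletedAt` column and the handler names are all constructed for the example.

```javascript
// Added example, not part of the original write-up or of Juice Shop itself.
// Constructed catalog: soft-deleted rows keep their data (deletedAt set), which
// is why a full database dump still reveals retired products.
const catalog = new Map([
  [1, { id: 1, name: 'Apple Juice (1000ml)', price: 1.99, deletedAt: null }],
  [2, { id: 2, name: 'Orange Juice (1000ml)', price: 2.99, deletedAt: null }],
  // Hypothetical id for the retired seasonal offer.
  [10, { id: 10, name: 'Christmas Super Surprise Box (2014 Edition)', price: 29.99, deletedAt: '2015-01-01' }],
]);

// Returns the product only if it is currently sellable; null otherwise.
function findSellableProduct(productId, products = catalog) {
  const product = products.get(productId);
  if (!product || product.deletedAt !== null) return null;
  return product;
}

// Weak variant: any row that exists in the table can be added to the basket,
// so a tampered ProductId pointing at a retired product goes through.
function addToBasketUnchecked(basket, body, products = catalog) {
  const product = products.get(Number(body.ProductId));
  if (!product) return { status: 404, body: { error: 'no such product' } };
  basket.items.push({ productId: product.id, quantity: Number(body.quantity) || 1 });
  return { status: 200, body: { items: basket.items } };
}

// Hardened variant: validate the shape of the input, then re-check availability
// on the server before the item is stored.
function addToBasket(basket, body, products = catalog) {
  const productId = Number(body.ProductId);
  const quantity = body.quantity === undefined ? 1 : Number(body.quantity);
  if (!Number.isInteger(productId) || !Number.isInteger(quantity) || quantity < 1) {
    return { status: 400, body: { error: 'invalid product id or quantity' } };
  }
  const product = findSellableProduct(productId, products);
  if (!product) {
    // One response for "never existed" and "retired", so the endpoint does not
    // confirm which ids are merely hidden.
    return { status: 404, body: { error: 'product not available' } };
  }
  // Price is taken from the catalog, never from the request body.
  basket.items.push({ productId: product.id, unitPrice: product.price, quantity });
  return { status: 200, body: { items: basket.items } };
}

// Constructed request resembling the tampered one described in the write-up.
const tampered = { ProductId: '10', quantity: '1' };
console.log('unchecked:', addToBasketUnchecked({ id: 1, items: [] }, tampered).status); // 200
console.log('hardened :', addToBasket({ id: 1, items: [] }, tampered).status);          // 404
```

The decisive difference is that `addToBasket` derives availability and price from the server's own catalog rather than from fields the client controls; the client's id is only a lookup key that must still pass the sellability check. A secondary point is the uniform 404 for missing and retired products, which keeps the endpoint from acting as an oracle for hidden ids.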