1. Home
  2. Training Library
  3. Web Penetration Testing with Juice Shop

Changing Requests

Start course
Overview
Difficulty
Intermediate
Duration
2h 6m
Students
16
Description

This course puts into practice a lot of the concepts we've covered so far. We'll be using a vulnerable website called Juice Shop to solve a variety of challenges. This will give us opportunity to practice what we have learned so far, and also learn about new techniques and new vulnerabilities as well, such as XX vulnerabilities.

Transcript

Hi, within this lecture, we're going to continue solving challenges. So, I'm going to open my scoreboard, and we're going to find the one that would be fun. And I believe we have something. We have seen something in the previous lecture when we were browsing. So, let me try to find it as well, one more time. So, let me close this down. If we scroll down a little bit, we can see this. Put an additional product into another user's shopping basket. And in fact, we have seen another user's shopping basket before but we didn't add an additional product. We actually increased the amount of the current products in someone else's basket, and we managed to decrease it or delete it as well, but it's asking for adding an additional product. So, let's see how it's done.

First of all, if we add something to our basket, it will be added to our basket over here. And for some reason, it doesn't work, as you can see. We have been doing a lot of tests and stuff, so maybe we broke something. Let me log out from here. In fact, it's not good idea to do this in an administrator account. I believe we should do this in a regular user account so that it won't be cheating or something like that. So, go to the account and just log in with the previous user that you have created. So, I believe mine is atil@test.com and for the password I'm going to give 123456, but it doesn't work. So, maybe it was this @gmail.com. It doesn't work as well. So, let me try one more time to log in with this: test@test.com. Nothing seems to be working, so maybe we can just create that one. I'm going to give the same thing over here: atil@test.com, and for the password I'm going to go for 123456, 123456 and just give a random security question over here. And it says that email must be unique. So, it was definitely that but we got the password wrong. So, I believe it was 12345 because we were trying on the DRY challenge, as you might remember, Don't Repeat Yourself challenge. And here you go.

Now I'm logged in, and I can add something to my basket which is good. So, right now I'm in a regular user, not an administrator user. And I'm going to try and add this to another basket, and in order to do that, of course, I'm going to open my Burp Suite and turn the intercept on, and try to see what happens when I click on 'Add to Basket'. As you can see we get a request, but we don't have any kind of parameters over here. So, it's not what we are looking for, most probably. I'm going to forward this and here you go. Now we see some parameters like ProductId, BasketId, Quantity. So, unless you see that you have to go to Forward and the other requests as well. I'm going to send this to Repeater because we're going to test it a lot. So, in this case we have the BasketId and ProductId and Quantity. If we send this we will have the status of successful on the right-hand side because we did everything right.

So, if we try to change the BasketId, for example if you see 8 over here, just try to change it to 2, and if you send this, then it will give us an error. As you can see, we're getting an error, we cannot simply change the BasketId to add this to someone else's. So, there might be some sort of protection mechanism going on in there. So, it's not that easy.

So, what we can do, we can try to alternate the parameters. Maybe we can change the ProductId, maybe we can change the quantity and see what happens. I'm going to change this to 8 one more time. And as you can see, we get another error over here actually. But it's not the same error, not the BasketId error, so it should be working. So for example, if I change the ProductId, then it works. So, maybe it's doing something like a check to see if we don't add it twice by mistake. So, maybe we can't change the ProductIds later on. Or maybe we can just add a new parameter over here like we did before. And this time, I'm going to add the BasketId one more time. So, this is exactly the same parameter over here. Like, we have the BasketId. I'm not deleting anything, I'm just adding it additionally over here at the end but make sure you spell it right. It has to be exactly the same with upper-case I, for example, and if I send this it will give me success one more time. So, I don't know if it added this to the BasketId, 8 or 2. But in the response we see BasketId 2. So, it's actually taking this last parameter into consideration. It's not complaining us because we already have the real BasketId in the Request as well. So, if we go to scoreboard right now, let's see if we managed to solve it. Here you go, we managed to solve it and it says that Manipulate Basket.

So, we managed to put an additional product into another user's basket. And I believe there is a way to confirm this as well. So, if we go to our basket, we can see our basket, and if we go to Inspect Element like we did before, we know how to view another user's basket, shopping basket. Let's go to Session and change the BID over there to 2, and then refresh the page to see what happens. Here we go, now let's wait and see if we manage to add anything over here. So here you go, before we had the raspberry juice, if you remember the previous lecture, now we managed to add orange juice here as well. So, we confirmed that this is working. So, I'm going to change back to 8 because I don't want to break anything in here. But we managed to solve this challenge successfully as well. Now let's stop here and continue with the next one.

About the Author
Students
951
Courses
55
Learning Paths
3

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.