Order Negative Amount
Start course
2h 6m

This course puts into practice a lot of the concepts we've covered so far. We'll be using a vulnerable website called Juice Shop to solve a variety of challenges. This will give us opportunity to practice what we have learned so far, and also learn about new techniques and new vulnerabilities as well, such as XX vulnerabilities.


Hi. Within this lecture, we're going to try and solve another challenge in the tree star list. And as you can see my actually, my list has reset itself for some reason, even though I didn't reset the server. The challenges that we sold are not showing up at this point. But it really doesn't matter because we have, we know we know actually what kind of challenges that we have sold. So, it might happen in your server as well. It really doesn't matter. You don't have to gather points or something like that in the CTF. Just try to learn how to solve these challenges, it would be much more reliable in this case. So, here you go. We have a funny thing over here, it says place an order that makes you rich. So it has to be, it has to do something with the ordering process. So, we're going to see what it is. So, I'm going to come up over here to watch juice shop. So as you can see, we see the apple juice over there, I'm going to add this to my basket and it says that you can order only up to five items per basket. So, let's see if I have more than five items, yep. So in our tests, I believe we added a lot of things. So, let me try to delete all of this stuff.

So, let me come back and try one more time. If I add this to my basket, it will be added to my basket like that. Here you go. If I go to my basket, I can see it. If I delete it will be gone. Now, I'm going to do this. But again I'm going to do this with burp. So, to understand what's going on. If I add this to my basket, let's see what happens. I didn't get intercepted or something like that. I believe there is something going on funny in my web server. So, what I'm going to do, I'm going to turn this on and off one more time and try something like this. And here you go. Now, it got intercepted. But that's not the thing that I'm looking for. I'm looking for parameters, beget requests or post request with parameters. So, I'm going to forward this one until I see the request that I want. That's not the thing that I'm looking for either. So, there are a couple of cookies and stuff but not this one. I'm going to forward this. I believe that's it. So, we have the quantity. I believe there is something missing in this case because we don't see the product id as you might remember. We have seen the product id before but it's worth a shot.

So, I'm going to come over here. We only have one parameter, the quantity parameter. I'm going to make it 300 and see what kind of response do we get. As you can see, it says that you can order only up to five items of this product. So, it's working fine, even though we don't have the other parameters, we can just play along with this and see if there's some sort of deflect or some sort of a misconfiguration over here. Let's try something like this minus 10 or minus 1000. Minus 300. So, let's see if we can do a minus ordering. And as you can see it gets actually added. So, we managed to add a minus 300 apple juice in our basket. So, if we go to our basket, we don't see it right now. So, let me try to refresh this and see if it got added or something like that. No, we don't see it as you can see, we only see two items. I'm going to delete this and start from scratch because we didn't even see the product id. So, there was something wrong with the process. So, let me try it one more time and forward this and here we go. Right now we are getting it right as you can see, we have the product id, basket id, and quantity.

We didn't even have the basket id before. So, that's why it didn't get edit in my opinion. So, I'm going to try the same thing with these parameters right now. So, I'm gonna change this to minus 300 and forward it like this. I'm not even going to send it repeater because I know that the repeater will give me success because I've tried it. So, I'm going to turn this into except off and come over here to my basket and as you can see now I added the apple juice in the amount of minus 300. And we have a total price in negative amount, so like $600 but in minus. So, I'm going to check out as you can see there is already an address and payment methods in the administrator account. So, it's a good idea to do this with the administrator account. I'm going to choose one day delivery, I'm going to choose a credit card information from here. So, let me come over here to continue and here you go, that's where you place your order. So, my items is in the amount of minus and here you go. Now, it says that thank you for your purchase. But also we have successfully sold the challenge over here because right now, we don't own anything to the juice shop, juice shop owns, he owns back to us like in the amount of $600.

So, if you come back to scoreboard, if we just filter this out, as you can see improper input validation, we managed to solve this as well. So, as you might come across in a situation like this, make sure you check for the minus ordering in different products. So, maybe they're in place for some products but not in for so some other product groups make sure you change the amount and try something like this when you weapon testing. Now, we're going to stop here and continue with the next section.

About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.