Viewing Somebody Else's Basket
Start course
2h 6m

This course puts into practice a lot of the concepts we've covered so far. We'll be using a vulnerable website called Juice Shop to solve a variety of challenges. This will give us opportunity to practice what we have learned so far, and also learn about new techniques and new vulnerabilities as well, such as XX vulnerabilities.


Hi. Within this lecture, we're going to solve another challenge which is the view another user's shopping basket. So, we are right now in the two star challenges. Okay. And this seems like a fun challenge and we're going to focus on that. Of course. Later on, we're going to focus on other challenges as well. So, far we have created an account and we saw the couple of this challenges before but we haven't actually seen this menu. When we logged in, there are a lot of menus over here, like for example, there's a Privacy Policy. And I believe this was the Privacy Policy that has been asked us for us to read. And as you can see, it says that you successfully solved the challenge.

So, as you can see, this is not even a challenge for us. This is just a web page that is asked for us to see. And if you come over here to first section, you will see that it's solved as well. Most probably asks us to do some kind of enumeration and see the things that we might be interested into, and what we are interested in to actually is this Basket over here. So, since this is an e-commerce website, there is a Basket and when we add or when we choose a product from the first page, it adds it to a Basket. So, if you just add it over here, it will be added to your Basket. Okay.

So, add a couple of products to your Basket and if you go to 'Your Basket', you will see the Apple Juice and Apple Pomace in Your Basket. And of course, in order to do that, you need to be logged in to your account. So, let me try to see the source over here with the Inspector code. Okay. If we come to this 'Debugger', we can see the main JavaScript code again one more time. And in the Inspector side, we can see the HTML codes going on over here. So, we have seen all of those things, but we didn't actually see the other tabs in here like in the Style Editor, we can see the CSS codes and we have seen the Debugger.

If we click over here to print the code, we can see the JavaScript code in a readable way. And in the Style Editor, we already see it in a readable way. So, in Performance, we don't have anything right now, but it has to do something with the site performance like request and response times. In the Network, we can see the GET requests, post requests, and maybe some of the responses as well but we can get this in the Burp Suite as well. So, we don't generally deal with the Network tab since we have Burp Suite. But in Storage, we have something that we may be interested into. We have seen Cookies before.

We have discussed what they do and how to leverage them if we want in the meta exploitable session but we haven't seen the Session Storage. So, as you might remember, websites keep the sessions. And if you come in into a website and if you leave it like five minutes later on, that five minutes is your session time and the period that you spend over here is called session. And of course, they keep track of these things and they may actually have some parameters over here regarding to your session. Like in this case, I believe we have two parameters which is a Key-Value pairing over there. First of all this bid. And there is a second one as well.

So, this may come in handy when you deal with something like this scenario over here. For example, in this case, we see there is a Key-Value pairing called bid. So we don't even know what a bid is but we can see its value. And maybe we can change the session parameters and maybe it can lead us to something else or somebody's basket in this case. So, I believe this bid is short for like buyer ID or basket ID. It has the value of six for me. Maybe it's a different value for you right now. So, it really doesn't matter as long as you can see this bid. If you cannot see it, make sure you refresh the page and come into this Basket thing one more time.

So, what I'm going to do? I'm going to change this value and see if that leads me somewhere. So, you can change any value over here to test if that works or not. So, it shouldn't work if it's like not misconfigured or something like that. But in this case, I'm going to make it something like this. Okay. Give their end of value like two or seven or one. Okay. And then see if something changes over here. And I believe after we change this thing, even though I try different values right now as you can see, nothing changes in the page, like we didn't get any 2, 3, 4, 5, 6. So, I'm just trying something over here if we can get something. Okay.

But it doesn't work for me as you can see. What I'm going to do? I'm going to change it to a number and like that. And as you can see, nothing works. Right after we change it maybe we have to refresh it as well so that we should be actually certain if there is a vulnerability over here or not. But just make sure you try it, something like this. Okay. Try it in a way that you tried like up to 20 maybe. If nothing works, of course, we're going to have to refresh it. So, that's the way it is actually. We're going to have to refresh it. Let me refresh this. I change the number and see if we get another Basket over here. As you can see, we get another Basket but we cannot see any products. But we solve the challenge.

So, most probably this is somebody else's but we don't see any value. So, let me go to 2 and try one more time if we have any Basket in the bid of two. Yea here you go. In 2, we have another product. So, we didn't actually include this Raspberry Juice to our Basket but it's showing up. So, we are inside of somebody else's basket. We can even increase the number over here. As you can see, once we increase it, the price increases as well. So, we can delete it or increase it or decrease it in a way that we want. So, this is not a proper session management. Okay. And if you find something like that, you can access somebody else's information which is not good for the website. Of course. This is a good bag bounty as well.

So, here you go. We're going to see a much more information regarding to basket I believe during this challenge, during this Juice Shop. As you can see, there are a couple of other fun things in the two stars as well, like getting rid of all 5-star customer feedbacks, logging it with the administrator's user account and some others here as well. So, we've got a lot of work to do in the two stars right now. So, what we're going to do? We're going to stop here and continue with the next lecture where we're going to solve all of these challenges together.

About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.