PortSwigger's "Excessive trust in client-side controls" Walkthrough

This post is a walkthrough for the “Excessive trust in client-side controls” lab from PortSwigger Academy. For this walkthrough, you’ll need to have Burp Suite set up, as well as a PortSwigger Academy account.

Log in to your Academy account and then view the lab at https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-excessive-trust-in-client-side-controls. This is accessible from the “all labs” view or from the Business Logic Flaws page.

Challenge Information

Click the “Access the Lab” button and you will be taken to a temporary website that is created for your account. This will be in the format https://<random string here>.web-security-academy.net/.

This lab requires us to buy a “l33t” jacket.

If we open up the site, it looks like this:

The jacket we need to buy is the first item on the page, at /product?productId=1.


If we try to add the jacket and buy it, we’ll get a “not logged in” error, so go ahead and log in with the provided credentials wiener:peter.

Add the product to your cart. Then go to the cart page:

If you try to Place order you will get an error:

This is because we have $100 in store credit and are trying to buy something worth $1337. Modifying the price shown on the cart page is not useful: that information has already been sent to us by the server, so editing it in the browser does not change anything on the backend.

We also don’t have control over how much store credit we have. The only request we send to the server before reaching the cart page is the “add product to cart” step.

Lab Solution

Remove any existing cart items. Then, go to Burp Suite’s Proxy > HTTP history page and find the add-product request. This is a POST request to /cart.

If you cannot find this request, go to your browser and re-add the item to your cart.

At the bottom of the request body we can see that price information is being transmitted from the client to the server. This is the “excessive trust”: we, as the client, are telling the server how much the product costs.

Modify the price value to something less than the $100.00 in store credit:

Then click send. Now go back to your browser, and click Place Order.

After you’ve placed the order, you should see that the lab is solved:
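As an added illustration (not part of the original walkthrough or the lab's own code), the Python below models the flaw from the server's side: a cart handler that takes the unit price from the client's POST /cart body next to a hardened one that looks the price up from the catalogue and ignores anything the client says about it. The field names productId, quantity and price, the prices-in-cents encoding, and the catalogue contents are assumptions.

```python
from dataclasses import dataclass, field

# Constructed catalogue standing in for the lab's product table (prices in cents, an assumption).
# Product 1 is the l33t jacket at $1337.00 as in the lab; product 2 is made up.
CATALOGUE = {1: 133700, 2: 2599}
STORE_CREDIT_CENTS = 10000  # the $100.00 store credit the lab account starts with


@dataclass
class Cart:
    lines: list = field(default_factory=list)  # (product_id, quantity, unit_price_cents)

    def total(self) -> int:
        return sum(qty * price for _, qty, price in self.lines)


def add_to_cart_vulnerable(cart: Cart, form: dict) -> None:
    """Mirrors the lab's flaw: the unit price is read from the client's POST /cart body."""
    product_id = int(form["productId"])
    if product_id not in CATALOGUE:
        raise ValueError("unknown product")
    # Bug: 'price' is whatever the client sent, so the client decides what the jacket costs.
    cart.lines.append((product_id, int(form["quantity"]), int(form["price"])))


def add_to_cart_fixed(cart: Cart, form: dict) -> None:
    """Hardened handler: price comes from the catalogue; any client-supplied 'price' is ignored."""
    product_id = int(form["productId"])
    if product_id not in CATALOGUE:
        raise ValueError("unknown product")
    quantity = int(form["quantity"])
    if quantity < 1:
        raise ValueError("quantity must be positive")
    cart.lines.append((product_id, quantity, CATALOGUE[product_id]))


def place_order(cart: Cart, credit_cents: int = STORE_CREDIT_CENTS) -> bool:
    """True when the order goes through, i.e. the cart total fits within the store credit."""
    return cart.total() <= credit_cents


def replay_tampered_request(handler) -> bool:
    """Send the walkthrough's edited request (price lowered to $1.00) through a handler."""
    tampered = {"productId": "1", "quantity": "1", "price": "100"}  # constructed request body
    cart = Cart()
    handler(cart, tampered)
    return place_order(cart)
```

Against the fixed handler the same edited request still yields a $1337.00 cart, so the order is refused; the only thing the client gets to choose is which product and how many.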