PortSwigger's "High-level logic vulnerability" Walkthrough
This post is a walkthrough for the “high-level logic vulnerability” lab from PortSwigger Academy. For this walkthrough, you’ll need to have Burp Suite set up, as well as a Portswigger Academy account.
Log in to your Academy account and then view the lab at https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-high-level. This is accessible from the "all labs" view or from the Business Logic Flaws page.
Challenge Information
Click the "Access the Lab" button and you will be taken to a temporary website that is created for your account. This will be in the format https://<random string here>.web-security-academy.net/.
This lab requires us to buy the "l33t" jacket. I had a hard time finding a definition for "high-level logic vulnerability" anywhere, but I think it means an architectural flaw versus a single point of failure.
If we open up the site, it looks like this:
If we log in and then try to buy the "l33t" jacket:
We're unable to, because the jacket costs $1337.00 and we only have $100 in store credit.
If we look at the request in Burp Suite, there’s a redirect value:
I tried buying a cheaper item to see if I could find another valid redirect value that would let us bypass the check:
Unfortunately this didn't work out. None of the other requests contain anything interesting that we control, except the request that removes the "l33t" jacket from our cart, which sends the quantity as a negative number:
We can send the request to Burp Suite Repeater and change the negative quantity to a much larger negative number:
This leaves us with a negative quantity of jackets and a huge negative order total:
But if we try to Place order with these values, we get an error:
Lab Solution
Negative quantities of a product are accepted, but a negative order total is rejected.
What if we combine a negative quantity of one product (and the negative dollar amount that results from it) with the $1337.00 cost of the "l33t" jacket, so that the total stays positive but drops below our $100 of store credit?
Add a single "l33t" jacket to your cart, then add another item, such as "Giant Pillow Thing". Then remove that item (the point of this is to capture a remove-from-cart request in Burp Suite that we can modify).
Then, in Burp Suite Repeater, change the quantity in that request to a larger negative number and send it, so that you end up with a negative quantity of the non-jacket item:
Adjust the quantity until the order total is positive but less than your $100 store credit:
Then Place Order, and the lab is complete!
This was possible because the application accepted negative quantities for individual line items and validated only the aggregate order total (it must not be negative and must not exceed the store credit). The fix is to validate each line item, rejecting any quantity that is not a positive integer, before the total is computed at all.
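To make the flaw concrete, here is a small model of the cart logic as an added example; it is not PortSwigger's code and the lab's real request format is not reproduced. The jacket price ($1337.00) and the $100 store credit come from the lab; the pillow price ($55.00), the product IDs and the function names are constructed for this example. Prices are kept in integer cents to avoid floating-point rounding. `place_order_vulnerable` mirrors the behaviour seen in the walkthrough (only the total is checked), `place_order_fixed` shows the per-line-item check that would have stopped it, and `min_negative_quantity` computes the offset quantity you would otherwise find by trial and error in Repeater.

```python
"""Model of a cart that validates only the order total (added example)."""
from dataclasses import dataclass, field

STORE_CREDIT_CENTS = 100_00  # the $100 of store credit the lab account has

# Constructed catalogue: productId -> unit price in cents.
# The jacket price is from the lab; the pillow price and both IDs are assumptions.
CATALOGUE = {
    1: 1337_00,  # "l33t" leather jacket
    2: 55_00,    # "Giant Pillow Thing" (price assumed)
}


@dataclass
class Cart:
    items: dict = field(default_factory=dict)  # productId -> quantity

    def add(self, product_id: int, quantity: int) -> None:
        """Behave like the lab's cart endpoint: the client supplies the
        quantity (the remove button sends -1) and the server just adds it,
        with no check that the resulting quantity is positive."""
        if product_id not in CATALOGUE:
            raise ValueError(f"unknown product {product_id}")
        self.items[product_id] = self.items.get(product_id, 0) + quantity
        if self.items[product_id] == 0:
            del self.items[product_id]

    def total_cents(self) -> int:
        return sum(CATALOGUE[p] * q for p, q in self.items.items())


def place_order_vulnerable(cart: Cart, credit_cents: int = STORE_CREDIT_CENTS) -> bool:
    """Only the aggregate is validated: a negative total is rejected (the
    error seen when the jacket alone goes negative), a total above the
    credit is rejected, and anything in between is accepted."""
    total = cart.total_cents()
    if total < 0:
        return False
    if total > credit_cents:
        return False
    return True


def place_order_fixed(cart: Cart, credit_cents: int = STORE_CREDIT_CENTS) -> bool:
    """Hardened version: every line item must carry a positive quantity
    before the total is even considered."""
    if any(q <= 0 for q in cart.items.values()):
        return False
    return 0 <= cart.total_cents() <= credit_cents


def min_negative_quantity(offset_price_cents: int,
                          target_price_cents: int = CATALOGUE[1],
                          credit_cents: int = STORE_CREDIT_CENTS) -> int:
    """Smallest-magnitude negative quantity of the offset item that pulls
    the target's price to or below the credit without making the total
    negative. Raises if the offset item's price is too coarse for that."""
    shortfall = target_price_cents - credit_cents
    n = -(-shortfall // offset_price_cents)  # ceiling division
    if target_price_cents - n * offset_price_cents < 0:
        raise ValueError("offset price too coarse: total would go negative")
    return -n


def exploit_cart(offset_product_id: int = 2) -> Cart:
    """Reproduce the lab steps: one jacket plus a negative quantity of a
    cheaper item, tuned so the total lands between $0 and the credit."""
    cart = Cart()
    cart.add(1, 1)
    cart.add(offset_product_id, min_negative_quantity(CATALOGUE[offset_product_id]))
    return cart


if __name__ == "__main__":
    cart = exploit_cart()
    print(cart.items, "total $%.2f" % (cart.total_cents() / 100))
    print("vulnerable checkout accepts:", place_order_vulnerable(cart))
    print("fixed checkout accepts:", place_order_fixed(cart))
```

With the assumed $55.00 pillow, 23 negative pillows bring the total to $72.00, which the total-only check happily accepts while the per-item check rejects it outright. Note that the ceiling calculation is only a starting point against a real target: if the offset item's price is coarse enough that the first quantity under the credit already pushes the total negative, no single offset item works and you would need a cheaper one, which is the same adjustment the walkthrough does by hand in Repeater.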