PortSwigger's "High-level logic vulnerability" Walkthrough
This post is a walkthrough for the “high-level logic vulnerability” lab from PortSwigger Academy. To follow along, you’ll need Burp Suite set up and a PortSwigger Academy account.
Log in to your Academy account and then view the lab at https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-high-level. It is also reachable from the “All labs” view or from the Business Logic Flaws page.
Challenge Information
Click the “Access the Lab” button and you will be taken to a temporary website created for your account. The URL has the format https://<random string here>.web-security-academy.net/.
This lab requires us to buy the “l33t” jacket. I had a hard time finding a definition of “high-level logic vulnerability” anywhere, but I take it to mean a flaw in how the application’s pieces fit together (an architectural flaw) rather than a single missing input check.
If we open up the site, it looks like this:
If we log in and then try to buy the “l33t” jacket:
We’re unable to, because our account only has $100.00 in store credit.
If we look at the add-to-cart request in Burp Suite, it carries a redirect value:
I tried buying a cheaper item to see whether another valid redirect value would let us bypass the credit check:
Unfortunately this didn’t work. None of the other requests carry anything interesting that we control, except the request sent when removing the “l33t” jacket from our cart, which submits a negative quantity:
We can send that request to Burp Suite Repeater and change the negative quantity to a much larger negative number:
This leaves us with a negative quantity of jackets and a huge negative total:
But if we try to Place order with these values, we get an error:
Lab Solution
So a negative quantity of a product is accepted, but a negative total is rejected.
What if we combine a negative quantity of one product (and the negative dollar amount that produces) with the $1337.00 “l33t” jacket, so that the total comes out positive but under our $100 of store credit?
Add a single “l33t” jacket to your cart, then add another item, such as “Giant Pillow Thing”. Then remove that item (the point of this is to capture a remove-from-cart request in Burp Suite that we can modify).
Then, in Burp Suite Repeater, change the quantity in that request to a large negative number and send it, so that you end up with a negative number of the non-jacket item:
Adjust the quantity until the total is below your store credit (it must still be positive, or the order is rejected):
Then click Place order, and the lab is complete!
This was possible because the application accepted negative quantities for individual products and only validated the overall total at checkout. The fix is to validate each line item on the server (reject any quantity that is not a positive integer, and never trust the client-supplied quantity), rather than relying on a single check of the final sum.
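To make the flaw concrete, here is an added Python model of the cart logic described above; it is illustrative code written for this walkthrough, not the lab’s own server code. The jacket price ($1337.00) and the $100.00 store credit come from the lab; the “Giant Pillow Thing” price, the product IDs and the function names are assumptions. `Cart(strict=False)` reproduces the lab’s behaviour (negative quantities accepted, only the total checked), `Cart(strict=True)` shows the per-line validation that closes the hole, and `filler_quantity()` computes the negative quantity you would type into Repeater.

```python
import math
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed catalogue: the jacket price matches the lab, the pillow price
# and both product IDs are assumptions made for this example.
CATALOG = {
    1: ('Lightweight "l33t" Leather Jacket', Decimal("1337.00")),
    2: ("Giant Pillow Thing", Decimal("58.00")),
}
STORE_CREDIT = Decimal("100.00")  # the lab account's starting credit


class CartError(Exception):
    """Raised for any request the (modelled) server rejects."""


@dataclass
class Cart:
    # strict=False models the vulnerable lab; strict=True models the fix.
    strict: bool = False
    items: dict = field(default_factory=dict)

    def update(self, product_id: int, quantity: int) -> None:
        """Models the add/remove request: 'quantity' is added to the line,
        and the remove button simply sends a negative quantity."""
        if product_id not in CATALOG:
            raise CartError("unknown product")
        new_qty = self.items.get(product_id, 0) + quantity
        # The fix: never let a line go negative, whatever the client sends.
        if self.strict and new_qty < 0:
            raise CartError("quantity cannot go below zero")
        if new_qty == 0:
            self.items.pop(product_id, None)
        else:
            self.items[product_id] = new_qty

    def total(self) -> Decimal:
        return sum((CATALOG[pid][1] * qty for pid, qty in self.items.items()),
                   Decimal("0.00"))

    def place_order(self, credit: Decimal) -> Decimal:
        """Models 'Place order'. The vulnerable app only checks the total;
        the hardened version also re-checks every line item (defence in depth)."""
        total = self.total()
        if total < 0:
            raise CartError("total must not be negative")
        if total > credit:
            raise CartError("insufficient store credit")
        if self.strict and any(q <= 0 for q in self.items.values()):
            raise CartError("every line must have a positive quantity")
        return total


def filler_quantity(credit: Decimal, target_price: Decimal, filler_price: Decimal):
    """Smallest-magnitude negative quantity of the filler item that brings
    target_price + q * filler_price into the range [0, credit].
    Returns None when no such quantity exists (total would go negative)."""
    shortfall = target_price - credit
    q = -math.ceil(shortfall / filler_price)
    if target_price + q * filler_price < 0:
        return None
    return q


def run_lab_exploit(strict: bool = False):
    """Replays the walkthrough: add the jacket, add one pillow, then tamper
    the remove request's quantity. Returns the order total, or None if the
    (hardened) server rejected the attempt."""
    cart = Cart(strict=strict)
    try:
        cart.update(1, 1)                      # add the "l33t" jacket
        cart.update(2, 1)                      # add the filler item normally
        q = filler_quantity(STORE_CREDIT, CATALOG[1][1], CATALOG[2][1])
        if q is None:
            return None
        cart.update(2, q - 1)                  # tampered "remove": net quantity becomes q
        return cart.place_order(STORE_CREDIT)  # 1337.00 + (-22 * 58.00) = 61.00
    except CartError:
        return None


if __name__ == "__main__":
    print("vulnerable cart order total:", run_lab_exploit(strict=False))
    print("hardened cart result:", run_lab_exploit(strict=True))
```

With the assumed $58.00 pillow, `filler_quantity` returns -22, so the tampered remove request must carry a quantity of -23 (the pillow already in the cart plus 22 more), giving a total of $61.00 that passes the credit check. The same arithmetic works for any filler item: divide the shortfall by its price, round up, and negate.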