⚗️Lab: Exploiting a mass assignment vulnerability

To solve the lab, find and exploit a mass assignment vulnerability to buy a Lightweight l33t Leather Jacket. You can log in to your own account using the following credentials: wiener:peter.

Required knowledge

To solve this lab, you'll need to know:

  • What mass assignment is.

  • Why mass assignment may result in hidden parameters.

  • How to identify hidden parameters.

  • How to exploit mass assignment vulnerabilities.

These points are covered in our API Testing Academy topic.


SOLUTIONS

METHOD ONE

  • Open Burp Suite and start Burp's browser.

  • Log in with the username wiener and the password peter.

  • View the Lightweight "l33t" Leather Jacket product and add it to your basket.

  • Place the order. The checkout fails because the account doesn't have enough credit.

  • In Proxy > HTTP history, send both the GET /api/checkout and the POST /api/checkout requests to Repeater.

  • In Repeater, send the GET /api/checkout request and inspect the JSON in the response.

  • Copy the chosen_discount object from the GET response; it is not present in the POST body the client sends.

  • In Repeater, add chosen_discount to the JSON body of the POST /api/checkout request and set its percentage to 100.

  • Send the request.

  • The order is accepted with a total of 0: the jacket is bought for free and the lab is solved.


METHOD TWO

  1. In Burp's browser, log in to the application using the credentials wiener:peter.

  2. Click on the Lightweight "l33t" Leather Jacket product and add it to your basket.

  3. Go to your basket and click Place order. Notice that you don't have enough credit for the purchase.

  4. In Proxy > HTTP history, notice both the GET and POST API requests for /api/checkout.

  5. Notice that the response to the GET request contains the same JSON structure as the POST request. Observe that the JSON structure in the GET response includes a chosen_discount parameter, which is not present in the POST request.

  6. Right-click the POST /api/checkout request and select Send to Repeater.

  7. In Repeater, add the chosen_discount parameter to the request. The JSON should look like the following:

    { "chosen_discount":{ "percentage":0 }, "chosen_products":[ { "product_id":"1", "quantity":1 } ] }

  8. Send the request. Notice that adding the chosen_discount parameter doesn't cause an error.

  9. Change the chosen_discount percentage to the string "x", then send the request. Observe that the response is an error stating that the value isn't a number. The server is validating the field, which shows it is being read and processed rather than silently ignored.

  10. Change the chosen_discount percentage to 100, then send the request to solve the lab.
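The probes in steps 8 to 10 make sense once you see what the server is doing with the JSON body. The model below is an added example written for this write-up, not the lab's real backend (which is not visible): it binds the request JSON onto a server-side Order object the way a mass-assignment-prone handler would, beside an allowlisted version that only accepts chosen_products. The prices, the credit balance, the catalogue and the error strings are invented; the JSON shape and the chosen_discount field are the ones from the lab.

```python
"""Toy model of /api/checkout to show why the hidden chosen_discount works.

Illustrative code for this write-up; the real lab backend is not visible.
Prices, credit balance and error messages are assumptions.
"""
import json

JACKET_PRICE_CENTS = 133700           # assumed price of product_id "1"
USER_CREDIT_CENTS = 10000             # assumed balance: not enough for the jacket
CATALOGUE = {"1": JACKET_PRICE_CENTS}  # product_id -> unit price in cents


class Order:
    """Server-side order. chosen_discount is meant to be set by a server-issued
    coupon, never directly from the client's request body."""

    def __init__(self, user_credit):
        self.user_credit = user_credit
        self.chosen_products = []
        self.chosen_discount = {"percentage": 0}

    def total(self):
        subtotal = sum(CATALOGUE[p["product_id"]] * p["quantity"]
                       for p in self.chosen_products)
        disc = self.chosen_discount
        pct = disc.get("percentage") if isinstance(disc, dict) else disc
        # This is the check that produces the "not a number" error in step 9.
        if isinstance(pct, bool) or not isinstance(pct, (int, float)):
            raise ValueError("discount percentage must be a number")
        return subtotal - subtotal * pct // 100


def _finish(order):
    """Shared tail of both handlers: compute the total and check the balance."""
    try:
        total = order.total()
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    if total > order.user_credit:
        return {"status": 402, "error": "insufficient credit", "total": total}
    return {"status": 200, "total": total}


def checkout_vulnerable(body_json):
    """Mass assignment: every key in the client JSON is written onto the Order.
    Sending chosen_discount (or even user_credit) from the client therefore
    overwrites server-controlled state."""
    order = Order(USER_CREDIT_CENTS)
    for key, value in json.loads(body_json).items():
        setattr(order, key, value)       # no allowlist: hidden fields are writable
    return _finish(order)


def checkout_hardened(body_json):
    """Allowlist binding: only fields the client may legitimately set are copied;
    chosen_discount and anything else in the body is dropped."""
    allowed = {"chosen_products"}
    order = Order(USER_CREDIT_CENTS)
    for key, value in json.loads(body_json).items():
        if key in allowed:
            setattr(order, key, value)
    return _finish(order)


# Constructed request bodies mirroring steps 8, 9 and 10 of the lab.
BODY_STEP8 = '{"chosen_discount":{"percentage":0},"chosen_products":[{"product_id":"1","quantity":1}]}'
BODY_STEP9 = '{"chosen_discount":{"percentage":"x"},"chosen_products":[{"product_id":"1","quantity":1}]}'
BODY_STEP10 = '{"chosen_discount":{"percentage":100},"chosen_products":[{"product_id":"1","quantity":1}]}'

if __name__ == "__main__":
    for label, body in (("step 8", BODY_STEP8), ("step 9", BODY_STEP9), ("step 10", BODY_STEP10)):
        print(label, "vulnerable:", checkout_vulnerable(body), "hardened:", checkout_hardened(body))
```

Run against the vulnerable handler, the three bodies reproduce the lab's behaviour: percentage 0 is accepted but still fails on credit, the string "x" yields a validation error, and 100 brings the total to 0 and the order through. The hardened handler returns "insufficient credit" for all three because chosen_discount never reaches the Order. The fix is the allowlist (or an explicit DTO for the request body); checking types on the discount, as the toy backend already does, does nothing to stop the attack.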
