PortSwigger Lab: Exploiting a mass assignment vulnerability

Lab objective

To solve the lab, find and exploit a mass assignment vulnerability to buy a Lightweight l33t Leather Jacket. You can log in to your own account using the following credentials: wiener:peter.

Official writeup

  1. In Burp's browser, log in to the application using the credentials wiener:peter.

  2. Click on the Lightweight "l33t" Leather Jacket product and add it to your basket.

  3. Go to your basket and click Place order. Notice that you don't have enough credit for the purchase.

  4. In Proxy > HTTP history, notice both the GET and POST API requests for /api/checkout.

  5. Notice that the response to the GET request contains the same JSON structure as the POST request. Observe that the JSON structure in the GET response includes a chosen_discount parameter, which is not present in the POST request.

  6. Right-click the POST /api/checkout request and select Send to Repeater.

  7. In Repeater, add the chosen_discount parameter to the request. The JSON should look like the following:

    {
        "chosen_discount":{
            "percentage":0
        },
        "chosen_products":[
            {
                "product_id":"1",
                "quantity":1
            }
        ]
    }

  8. Send the request. Notice that adding the chosen_discount parameter doesn't cause an error.

  9. Change the chosen_discount value to the string "x", then send the request. Observe that this results in an error message as the parameter value isn't a number. This may indicate that the user input is being processed.

  10. Change the chosen_discount percentage to 100, then send the request to solve the lab.


Lab steps

  • Open the lab home page

  • Click `My account` in the top-right corner to reach the login page

  • Log in with the credentials provided by the lab

  • Return to the product listing and find the target product

  • Add the product to the basket

Refreshing the basket page reveals an API endpoint

  • Send an OPTIONS request to the endpoint to see which request methods it accepts

The response headers show that the endpoint only accepts `GET` and `POST` requests

  • Send a GET request to the endpoint

  • Change the request method to POST
  • Copy the response body of the GET request into the POST request body
  • Change the discount from 0 to 100

  • After sending the request, the product price is successfully changed to 0
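The root cause behind both the official writeup and the steps above is a checkout handler that copies every JSON key from the client into the order object, so the server-only `chosen_discount` field becomes client-controlled. The following added example (not code from the lab or from PortSwigger) models that handler beside an allow-list fix; the catalogue, the user's credit and the `CLIENT_SETTABLE` set are constructed assumptions.

```python
import json
from typing import Any

# Constructed catalogue and account state (assumptions, not the lab's real data):
# product "1" is the jacket, and the account cannot afford it at full price.
CATALOGUE = {"1": {"name": "Lightweight l33t Leather Jacket", "price": 1337.00}}
USER_CREDIT = 100.00

# Fields a client may set on a checkout. chosen_discount is deliberately
# absent: discounts are decided by the server, never by the request body.
CLIENT_SETTABLE = {"chosen_products"}


def _total(order: dict[str, Any]) -> float:
    """Price the order: sum the line items, then apply the order's discount."""
    subtotal = sum(CATALOGUE[p["product_id"]]["price"] * p["quantity"]
                   for p in order["chosen_products"])
    disc = order.get("chosen_discount", {})
    pct = disc.get("percentage", 0) if isinstance(disc, dict) else disc
    if not isinstance(pct, (int, float)):
        # The lab's "x" probe trips exactly this kind of type check.
        raise ValueError("discount percentage must be a number")
    return round(subtotal * (1 - pct / 100), 2)


def checkout_vulnerable(body: str) -> dict[str, Any]:
    """Mass assignment: the whole request body is merged into the order,
    so a client-supplied chosen_discount overrides the server's default."""
    order = {"chosen_discount": {"percentage": 0}}
    order.update(json.loads(body))  # blind merge of untrusted keys
    total = _total(order)
    return {"total": total, "ok": total <= USER_CREDIT}


def checkout_hardened(body: str) -> dict[str, Any]:
    """Allow-list fix: only CLIENT_SETTABLE keys are read from the body and
    unexpected keys are rejected, so chosen_discount stays server-owned."""
    data = json.loads(body)
    unknown = set(data) - CLIENT_SETTABLE
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    order = {"chosen_discount": {"percentage": 0},
             "chosen_products": data["chosen_products"]}
    total = _total(order)
    return {"total": total, "ok": total <= USER_CREDIT}


# Constructed bodies: the lab's tampered POST and an untampered one.
TAMPERED = json.dumps({"chosen_discount": {"percentage": 100},
                       "chosen_products": [{"product_id": "1", "quantity": 1}]})
HONEST = json.dumps({"chosen_products": [{"product_id": "1", "quantity": 1}]})
```

Logging rejected unknown fields (rather than silently dropping them) also gives a detection signal when clients start probing for hidden parameters.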
