hacking, owasp, web application security

The BodgeIT Store Series #3, Get the Store to Owe You Money – #bodgeit #infosec #pentest #appsec #webapp

thefluffy007

Happy hacking!

Today’s post is #3 in a series of solving the BodgeIt Store.

If you want to check post #2, click HERE.

In today’s challenge we will make the store owe us money.

Before continuing on, you will need an interception proxy.

Two of the most popular interception proxies are ZAP and Burp.

I am going to use the free version of Burp (Community Edition) which can be downloaded HERE.

After downloading and installing Burp we need to set our proxy to have Burp intercept the traffic.

Note: I am using Chrome, but the steps are VERY similar between browsers (IE, Chrome, and Firefox)

When opening Burp, and clicking on the Proxy –> Options tab we see that the Proxy Listener is listening on 127.0.0.1, port 8080.

burp_settings

Going to your browser, go to Options.

In Chrome, click the three dots, and select Settings

You should see the following screen:

chrome_settings

In the search settings type in “proxy” which will show the following:

chrome_proxy_settings

Clicking on the last option – Open proxy setting we see:

internet_properties_1

Clicking on the Connections tab, we see:

internet_properties_2

Clicking the LAN settings button, make the settings look like the following screenshot and press “OK”.

internet_LAN_properties

To summarize: We’re setting the proxy in Chrome (or IE, Firefox, depending on the browser) to send traffic through our Burp proxy which is listening on 127.0.0.1:8080.

Going back to Burp, make sure that the intercept is on –  see screenshot:burp_intercept

Refreshing the BodgeIt page, we see:

burp_bodgeit

Yay! our traffic is being trapped properly through Burp.

Click Forward until the Raw tab is blank, and turn the intercept off.  Click the intercept is on box once and it will turn off the interception.

OK… now let’s earn some $$$!!!

Navigating to the home page, click on any of the items on the left side. I am going to click on Doodah’s (first item), and I see the following:

Doodah_1

I am going to click on the most expensive item which in this case is Doo dah day, and I see:

Doodah_2

OK, let’s turn on the interception back on. Click the intercept is off button once to turn the interception back on.

After the interception is on, click on the basket button. I see:

burp_price

Changing the quantity to -10 (which is a negative value, and should not be permitted as you can’t purchase a NEGATIVE item) we see:

burp_updated_price

Going back to BodgeIt…

We have successfully made the store owe us money!!!

burp_updated_price_final

Going back to the scoreboard…

bodgeit_scoring_4

we see this challenge is now complete (green)!

Published by thefluffy007

A hacker's thoughts on hacking ALL THE THINGS!

1 thought on “The BodgeIT Store Series #3, Get the Store to Owe You Money – #bodgeit #infosec #pentest #appsec #webapp”

  1. Pingback: The BodgeIT Store Series #4, Find Diagnostic Data – #bodgeit #infosec #pentest #appsec #webapp | passionforpentesting

Leave a Reply