Lab 11: Attacking Application Logic
Introduction
In this lab, you will find a way to reset the total cart value in an e-commerce pet shop. The lab shows why critical components of a web service, such as payment handling, must be implemented securely: you will attack a flawed implementation of the payment service. Another purpose of this lab is to introduce you to the hackerone.com environment. Note that the particular attack you will practice here is not a true application logic attack; the one demonstrated at https://www.youtube.com/watch?v=1oFpTNsPu_w is a true application (business) logic attack.
Background
HackerOne is a bug bounty platform that connects businesses with penetration testers and cybersecurity researchers. It offers a collection of learning resources, including videos and hands-on activities; Hacker101.com is its free web security class for both beginners and seasoned hackers. “Capture the Flag” is another platform on which you can practice your web hacking skills. In this lab, you will solve one of the challenges on HackerOne's Capture the Flag platform.
Instructions
1. Sign up at hackerone.com
2. Go to the Hacker Dashboard
3. Click on Learn how to hack
4. Click on Capture the Flag
5. Click on the Get started now link
6. Click on Log in
7. Find the Petshop Pro challenge in the list and click on Go
After step 7, you will be on a simulated e-commerce website. Your purpose is to check out some kittens and puppies while changing the amount charged to 0 dollars. Once you do that, you will find a flag.
A flag looks similar to the following: ^FLAG^37ae568362f974017fa575f08cd215044cd6bb395c3f5e5e293ee5324ba6769c$FLAG$
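As an added illustration for the write-up (this is not the challenge's own code and does not describe how Petshop Pro is built), the following Python contrasts a checkout handler that trusts the price field sent by the browser with one that recomputes the total from a server-side catalog and rejects tampered carts. The catalog prices and the sample cart are constructed values.

```python
from decimal import Decimal

# Constructed catalog: the server-side source of truth for prices (hypothetical values).
CATALOG = {
    "kitten": Decimal("49.99"),
    "puppy": Decimal("79.99"),
}


def vulnerable_checkout_total(cart_items):
    """Flawed payment logic: trusts the price field submitted by the client.

    A browser that rewrites price to 0 drives the total to 0 and the order still goes through.
    """
    return sum((Decimal(str(i["price"])) * int(i["quantity"]) for i in cart_items), Decimal("0"))


def hardened_checkout_total(cart_items):
    """Server computes the total from its own catalog; any client-supplied price is ignored.

    Unknown items and non-positive quantities are rejected rather than silently accepted.
    """
    total = Decimal("0")
    for item in cart_items:
        sku = item.get("sku")
        if sku not in CATALOG:
            raise ValueError(f"unknown item: {sku!r}")
        qty = item.get("quantity")
        if not isinstance(qty, int) or qty < 1:
            raise ValueError(f"invalid quantity for {sku}: {qty!r}")
        total += CATALOG[sku] * qty
    return total


def verify_client_total(cart_items, claimed_total):
    """Compare the total the client claims against the server-side computation.

    Returns (accepted, server_total); a mismatch is the event to log and reject.
    """
    server_total = hardened_checkout_total(cart_items)
    return server_total == Decimal(str(claimed_total)), server_total


# Constructed request: the client has rewritten every price field to 0.
TAMPERED_CART = [
    {"sku": "kitten", "price": 0, "quantity": 1},
    {"sku": "puppy", "price": 0, "quantity": 2},
]

if __name__ == "__main__":
    print("vulnerable total:", vulnerable_checkout_total(TAMPERED_CART))
    accepted, real_total = verify_client_total(TAMPERED_CART, 0)
    print("hardened total:", real_total, "client claim accepted:", accepted)
```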
You can click Hints provided by hackerone.com to get some clues. These hints will not affect your grades.
You can also contact your Professor to get extra hints.
Questions
1. Submit the screenshots of all steps that take you to the solution.
2. Summarize what you’ve done in this lab as if you are explaining it to a non-technical person.