Lab 216 — ShelfWave — IDOR Price Manipulation in Checkout

hackadvisor

Task: ShelfWave checkout lets the browser submit product IDs, quantities, and prices for cart items. Solution: add the expensive Enterprise Vault Access product, then POST checkout JSON with its price changed to 0.01.

client_side_validation idor broken_access_control price_manipulation ecommerce

idor_exploitationparameter_tamperingcheckout_price_manipulation

$ ls tags/ techniques/

client_side_validation idor broken_access_control price_manipulation ecommerce

idor_exploitationparameter_tamperingcheckout_price_manipulation

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 193 — ShopNova — Price Manipulation in Checkout API— hackadvisor
[web][Pro]Lab 61 — OrderNova — Negative Quantity Price Manipulation— hackadvisor
[web][Pro]Lab 14 — SoundMart — Race Condition in Coupon Redemption— hackadvisor
[web][Pro]CartBlitz — Race Condition in Promo Code Redemption— hackadvisor
[web][Pro]CartForge— hackadvisor