Burp Suite User Forum


Lab: Infinite money logic flaw

Cyber | Last updated: Mar 15, 2023 09:14AM UTC

Hi, although I am using a maximum of 1 concurrent request in the Sniper attack and the "POST /cart" request parameters are "productId=2&redir=PRODUCT&quantity=1", in response to the "GET /cart/order-confirmation?order-confirmed=true" request I get a list with multiple codes (some of them are faulty). This causes "POST /gift-card" to get the wrong parameter and eventually not increase the store credit. Regards.

Ben, PortSwigger Agent | Last updated: Mar 15, 2023 04:19PM UTC

Hi, to confirm, there is currently an issue with this particular lab (as you have noted, the page now displays a list of gift card codes, which are not in the correct order, thus breaking the macro suggested in the solution). The Web Academy development team are currently working on resolving this issue - we will update this forum thread when we have some further news to share.

Ben, PortSwigger Agent | Last updated: Mar 17, 2023 04:12PM UTC

Hi, we just wanted to confirm that you should now be able to solve this lab again using the written solution.
