Burp Suite User Forum


Lab: Infinite money logic flaw - Random list of gift card codes makes lab unsolvable

Hannes | Last updated: Mar 14, 2023 11:11AM UTC

Hi PortSwigger team,

it seems there is a bug in the "Infinite money logic flaw" lab, which makes the lab unsolvable (at least for me). I found the vulnerability in this lab and I also totally get the presented walkthrough solution (including macro creation, Intruder, etc.). Unfortunately, the redeeming of a new gift card code via macro is not working for me because of the following reason:

Whenever a new gift card is bought (POST /cart/checkout), there is a redirect to /cart/order-confirmation?order-confirmed=true. This page shows a list of all bought gift cards, under "You have bought the following gift cards:". The problem is that this list of gift cards is random and not sorted (e.g., oldest to newest). A newly bought gift card is not specially marked and is shown somewhere in the middle of the list, not at the beginning and not at the end. This makes it absolutely impossible for the macro to retrieve the code of the newest gift card and therefore the gift card code fails.

I'm happy for any help. Thank you!

Best regards,
Hannes

Ben, PortSwigger Agent | Last updated: Mar 14, 2023 01:51PM UTC

Hi Hannes, We are aware that there is an issue with this particular lab and the Web Academy team are currently investigating. We will update this forum thread when we have some further news to share.

Hannes | Last updated: Mar 14, 2023 02:12PM UTC

Hi Ben, thank you for the fast reply and letting me know!

Ben, PortSwigger Agent | Last updated: Mar 17, 2023 04:34PM UTC

Hi Hannes, We just wanted to let you know that this lab should now be solvable again if you are following along with the written solution.
