WebGoat Client Side lessons

InfoSec Write-ups – Medium

Bypass front-end restrictions 2

Bypass front-end restrictions lesson 2

For this lesson we have to send a request that bypasses the restrictions enforced on the page. Let’s go ahead and fill in and submit the form.

Request on Burp History

Right, now that we have the request, let’s change it so it contains “non-allowed” data.

Altered request

Here we have the same request in Burp Repeater, with a few modifications so that the values fall outside the “allowed” range. Send this tampered request and the lesson is completed.

Bypass front-end restrictions 3

Bypass front-end restrictions lesson 3

For this lesson to be completed, you need a clear understanding of the regular expressions written in every field description.

IMHO good places to start understanding regular expressions are

And then start experimenting on filtering text and lines on

All of this learning and practice takes a long time, but reading some of these will help you with this WebGoat lesson.

So let’s go ahead and submit the form.

Request on Burp History

Of course this is not the solution, so let’s send the request to Burp Repeater.

Tampered request on Burp Repeater

Change the field values so that they contain non-allowed combinations and send the request; the lesson is complete.
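Both bypass lessons work because the range checks and regular expressions live only in the browser, where Burp Repeater can skip them. The fix is to apply the same rules again on the server, on the decoded request body. The following is an added example, not WebGoat’s code: the field names, the patterns, the quantity range and the two sample bodies are constructed for illustration and do not reproduce the lesson’s actual regular expressions.

```javascript
// Added example (not WebGoat's code): the constraints the form shows
// client-side, enforced a second time on the server. Field names and
// patterns are constructed; the lesson's real regexes are not reproduced.
const FIELD_RULES = {
  // exactly three lowercase letters
  code: /^[a-z]{3}$/,
  // phone number in the form 123-456-7890
  phone: /^\d{3}-\d{3}-\d{4}$/,
  // a simple e-mail shape: local part, "@", host, ".", TLD
  email: /^[a-z0-9._%+-]+@[a-z0-9-]+\.[a-z]{2,}$/,
};

const RANGE_RULES = {
  // the <select> in the browser only offers 1..5; the server must not rely on that
  quantity: { min: 1, max: 5 },
};

// Parse an application/x-www-form-urlencoded body, as Burp shows it.
function parseFormBody(raw) {
  return Object.fromEntries(new URLSearchParams(raw));
}

// Validate a decoded body (object of strings). Returns the list of
// violations; an empty list means every field is acceptable. Missing fields
// are violations too, so dropping a parameter in Repeater does not help.
function validateForm(body) {
  const errors = [];
  for (const [name, pattern] of Object.entries(FIELD_RULES)) {
    const value = body[name];
    if (typeof value !== 'string' || !pattern.test(value)) {
      errors.push(`${name}: does not match ${pattern}`);
    }
  }
  for (const [name, { min, max }] of Object.entries(RANGE_RULES)) {
    const n = Number(body[name]);
    if (!Number.isInteger(n) || n < min || n > max) {
      errors.push(`${name}: must be an integer in [${min}, ${max}]`);
    }
  }
  return errors;
}

// The server-side decision for one raw body.
function checkRequest(raw) {
  const errors = validateForm(parseFormBody(raw));
  return { accepted: errors.length === 0, errors };
}

// Constructed samples: what the browser sent, and the same body after the
// values were altered in Repeater to ones the page would never allow.
const ORIGINAL_BODY = 'code=abc&phone=123-456-7890&email=user@example.com&quantity=3';
const TAMPERED_BODY = 'code=ABCDEF&phone=555&email=not-an-email&quantity=99';
```

With these rules the original body is accepted and the tampered body is rejected with one violation per field; the browser-side checks can stay for usability, but they are no longer the only thing between the request and the handler.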

Client Side filtering 2

Client Side filtering lesson 2

This lesson asks for Neville Bartholomew’s salary, which is not present in the drop-down list, so let’s see what’s in the page.

Neville Bartholomew salary

Using your browser dev tools, check for hidden elements: there is a “hiddenEmployeeRecords” table with the requested information.

Enter the corresponding employee salary value in the text field and the lesson is completed.
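The lesson’s flaw is that the server sends every employee record and leaves it to the page to hide the ones the viewer should not see. The only reliable filter is one applied on the server, before the response is built. The following is an added example, not WebGoat’s code: all names except Neville Bartholomew’s, every id, the reporting chain, the HR flag and every salary figure are constructed placeholders, and the “own record, your reports, or HR sees all” rule is an assumption chosen for illustration.

```javascript
// Added example, not WebGoat's code: employee data filtered on the server
// according to who is asking, so no "hiddenEmployeeRecords" table is ever
// sent to the browser. Everything below except Neville Bartholomew's name
// is a constructed placeholder.
const EMPLOYEES = [
  { id: 1, name: 'Neville Bartholomew', managerId: null, isHR: false, salary: 450000 },
  { id: 2, name: 'Alice Sample',        managerId: 1,    isHR: false, salary: 120000 },
  { id: 3, name: 'Bob Sample',          managerId: 2,    isHR: false, salary: 80000 },
  { id: 4, name: 'Carol Sample',        managerId: 2,    isHR: false, salary: 78000 },
  { id: 5, name: 'Dana Sample',         managerId: 1,    isHR: true,  salary: 95000 },
];

function findEmployee(id) {
  return EMPLOYEES.find(e => e.id === id);
}

// True when `employee` sits anywhere below `managerId` in the reporting chain.
function reportsTo(employee, managerId) {
  let current = employee;
  while (current && current.managerId !== null) {
    if (current.managerId === managerId) return true;
    current = findEmployee(current.managerId);
  }
  return false;
}

// The authorization rule (assumed for this example): you may see your own
// record, your reports' records and, if you are in HR, everyone's. The rule
// lives here, not in the HTML.
function canView(viewer, target) {
  return viewer.isHR || viewer.id === target.id || reportsTo(target, viewer.id);
}

// Builds the drop-down data for one viewer. Whatever the viewer may not see
// is simply absent from the response; there is nothing for the page to hide.
function visibleRecords(viewerId) {
  const viewer = findEmployee(viewerId);
  if (!viewer) return [];
  return EMPLOYEES
    .filter(target => canView(viewer, target))
    .map(({ id, name, salary }) => ({ id, name, salary }));
}

// A direct lookup by id must apply the same rule, or an id guessed from the
// page would still reveal the record. Returns null when not authorized.
function salaryOf(viewerId, targetId) {
  const viewer = findEmployee(viewerId);
  const target = findEmployee(targetId);
  if (!viewer || !target || !canView(viewer, target)) return null;
  return target.salary;
}
```

The point of having both functions share `canView` is that the list endpoint and the single-record endpoint cannot drift apart: the hidden-table trick in the lesson is exactly what happens when the list is filtered in one place (the page) and the data is fetched from another.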

Client Side filtering 3

Client Side filtering lesson 3

The objective here is to buy the phone without paying. There is a clear hint about knowing the “code”, and in the form there is a “checkout code” field.

Let’s press “Buy”.

“Buy” request on Burp History

Get the request in Burp: there is a “checkoutCode” parameter sent as POST data.

Checkout code HTML

In the page HTML, near the checkout code input, there are some checkout codes left behind. Try them out, but none of them solves the lesson, as none gives a 100% discount.

hidden “discount” input

At the beginning of the form there is a hidden “discount” input.

Browser dev tool Debugger search

Searching for “discount” in dev tools -> Debugger finds some lines of code.

JS function on “checkoutCode” blur

The code found has a few JS functions; one of them runs on every “blur” of the checkoutCode text input.

<script> tag reference for the shown JS function

This source is located in /WebGoat/lesson_js/clientSideFilteringFree.js and is loaded via a <script> tag a few lines before the form begins.

Buying with one of the codes found in the HTML source

So when one of the coupons found in the HTML is entered, the discount is applied as soon as focus leaves the text field.

“checkoutCode on blur” request on Burp History

As soon as the checkout code field fires its “blur” event, in Burp we find a request to /WebGoat/clientSideFiltering/challenge-store/coupons/<coupon_code> with the corresponding discount in the response.

Invalid checkout code

Let’s try an invalid coupon and change the focus.

Invalid checkout code on Burp History

The request is for an invalid coupon and the response carries no discount.

No checkout code and then blur event

So we can try removing the coupon, changing the focus and seeing what happens in Burp.

List of all coupons

The response now contains a list of all valid coupons.

Same response directly on browser

The same happens if we request the /coupons endpoint directly from the browser address bar.

So by entering “get_it_for_free” on the lesson page we get a 100% discount, and the lesson is complete.

HTML tampering 2

HTML tampering lesson 2

You can solve this by changing the cost in the HTML from your browser dev tools, but instead I used Burp Suite.

Press “Checkout”.

Request on Burp History

Check the request in Burp: it has a “Total” parameter ready to be tampered with.

Request on Burp Repeater

Send the request to Burp Repeater, change the “Total” value, send it, and the lesson is completed.
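Client Side filtering lesson 3 and HTML tampering lesson 2 are two faces of the same mistake: the coupon endpoint hands the browser the whole coupon table when the code is empty, and the checkout trusts a “Total” the browser computed. The following is an added example, not WebGoat’s code, covering both: the server answers a coupon lookup with a discount or nothing, answers a bare /coupons with 404, and derives the amount to charge from its own catalogue. The catalogue, the quantity limit, the request field names, the “constructed10” coupon and the assumption that only the /coupons/<code> tail of the lesson’s path matters are all constructed for this example; “get_it_for_free” is the code the lesson reveals.

```javascript
// Added example, not WebGoat's code: a checkout that computes the price on the
// server and treats the coupon code purely as a lookup key. Catalogue, coupon
// table (except "get_it_for_free"), quantity limit and field names are
// constructed for this example.
const CATALOG = {
  'phone-1': { name: 'Phone', priceCents: 79900 },
};

// Percent-off coupons. The table never leaves the server.
const COUPONS = new Map([
  ['constructed10', 10],
  ['get_it_for_free', 100],
]);

// Answer to a single coupon lookup: an exact match gives its discount, an
// empty or unknown code gives 0. No code path returns the whole table.
function couponDiscount(code) {
  if (typeof code !== 'string' || code.length === 0) return { discount: 0 };
  const pct = COUPONS.get(code);
  return { discount: pct === undefined ? 0 : pct };
}

// Routing for the lesson's "blur" request, assuming the path tail
// /coupons/<code>. A bare /coupons (what an empty field produced in the
// lesson) is answered 404, never with a listing.
function couponRoute(pathname) {
  const m = /^\/coupons\/([A-Za-z0-9_-]+)$/.exec(pathname);
  if (!m) return { status: 404, body: {} };
  return { status: 200, body: couponDiscount(m[1]) };
}

// Checkout: the total is derived from the catalogue, the quantity and the
// validated coupon. A client-sent "total" is compared only to detect tampering
// (or a stale page) and is never used as the amount to charge.
function priceCheckout(body) {
  const item = CATALOG[body.itemId];
  if (!item) return { ok: false, error: 'unknown item' };

  const qty = Number(body.quantity);
  if (!Number.isInteger(qty) || qty < 1 || qty > 10) {
    return { ok: false, error: 'bad quantity' };
  }

  const { discount } = couponDiscount(body.checkoutCode);
  const subtotalCents = item.priceCents * qty;
  const totalCents = Math.round(subtotalCents * (100 - discount) / 100);

  if (body.total !== undefined && Number(body.total) !== totalCents) {
    // Worth logging and alerting on: the page never produces a total the
    // server would not compute itself, so a mismatch is tampering or a stale
    // price. Either way the order is refused with the real amount.
    return { ok: false, error: 'total mismatch', expectedCents: totalCents };
  }
  return { ok: true, totalCents, discount };
}
```

Keeping the hidden “discount” input and the client-side “Total” for display is fine; what changes is that neither one is an input to the charge. The mismatch branch is also the detection hook: a burst of “total mismatch” responses from one session is what the HTML tampering lesson looks like from the server side.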

This concludes the WebGoat Client Side lessons.

This post is a bit longer than usual, as I thought I’d put them all together since they are very similar.

I hope you liked it.

PVXs — https://twitter.com/pivixih


WebGoat Client Side lessons was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
