InfoSec Write-ups – Medium
Bypass front-end restrictions 2

For this lesson we have to send a request that bypasses the restrictions on the page, so let’s go ahead and fill in and submit the form

Right, now that we have the request, let’s change it so that it contains “non-allowed” data

Here we have the same request in Burp Repeater, with a few modifications so that the values are out of the “allowed” range. Send this tampered request and the lesson is completed
Bypass front-end restrictions 3

To complete this lesson you need a clear understanding of the regular expression written in every field description
IMHO good places to start understanding regular expressions are
- Regex Tutorial-From Regex 101 to Advanced Regex
- ziishaned/learn-regex
- RegexOne – Learn Regular Expressions – Lesson 1: An Introduction, and the ABCs
And then start experimenting on filtering text and lines on
All of this learning and these exercises take a long time, but starting to read some of them will help you with this WebGoat lesson
So let’s go ahead and submit the form

Of course the solution is not correct, so let’s send this request to Burp Repeater

Change the field values so that they contain non-allowed combinations and send the request; the lesson is complete
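The lesson works because the form checks (maxlength, select options, the regex in each field description) live only in the browser, so a request edited in Burp Repeater never meets them. The defence for both “Bypass front-end restrictions” lessons is the same: repeat every check on the server. The following is an added example and not WebGoat’s code; the field names and the regex rules are assumptions (WebGoat’s real rules are in its field descriptions), and the two form bodies are constructed to look like what Burp shows.

```javascript
// Added example (not WebGoat's own code): server-side re-validation of a form
// whose client-side restrictions can be removed in dev tools or edited in Burp.
// Field names and rules are assumed, not WebGoat's actual ones.
const RULES = {
  field1: /^[a-z]{3}$/,          // assumed: exactly three lowercase letters
  field2: /^[0-9]{3}$/,          // assumed: exactly three digits
  field3: /^[a-zA-Z0-9]{8}$/,    // assumed: eight alphanumerics
  field4: /^(one|two|three)$/,   // assumed: must be one of the <select> options
};

function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Parse an application/x-www-form-urlencoded body the way Burp displays it.
function parseForm(raw) {
  return Object.fromEntries(new URLSearchParams(raw));
}

// Validate the submitted body against RULES, independently of anything the
// browser did. Every rule is anchored (^...$) so partial matches are rejected,
// and parameters the form never defined are rejected too.
function validateSubmission(body) {
  const errors = [];
  for (const [name, rule] of Object.entries(RULES)) {
    const value = body[name];
    if (typeof value !== 'string') {
      errors.push(`${name}: missing`);
      continue;
    }
    if (!rule.test(value)) errors.push(`${name}: rejected by ${rule}`);
  }
  for (const name of Object.keys(body)) {
    if (!hasOwn(RULES, name)) errors.push(`${name}: unexpected parameter`);
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample bodies: one as the browser would send it, one edited in
// Burp Repeater so that the values fall outside the allowed ranges.
const normal = parseForm('field1=abc&field2=123&field3=abcdefgh&field4=two');
const tampered = parseForm('field1=ABC&field2=12a&field3=abcdefgh&field4=four&extra=1');

console.log(validateSubmission(normal));   // { ok: true, errors: [] }
console.log(validateSubmission(tampered)); // ok: false, four errors
```

The same RULES object can be reused to generate the client-side pattern attributes, so the browser check and the server check cannot drift apart; the server check is the one that counts.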
Client Side filtering 2

This lesson asks us to find Neville Bartholomew’s salary, which is not present in the drop-down list, so let’s see what is in this page

Using your browser dev tools, check for hidden elements: there is a “hiddenEmployeeRecords” table with the requested information
Input the corresponding employee salary value in the text field and the lesson is completed
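The lesson passes because the server sent every employee record to the browser and relied on the page to hide the ones the user should not see. The fix is to filter on the server, so the HTML never contains a row that a dev-tools inspection could uncover. This is an added example and not WebGoat’s code; the employee records, roles and salaries are constructed (including the salary shown for Neville Bartholomew), and the role model is an assumption.

```javascript
// Added example (not WebGoat's own code): authorisation-based filtering done
// on the server before rendering, so no "hiddenEmployeeRecords" table exists.
// Records, roles and salaries are constructed for the example.
const EMPLOYEES = [
  { id: 101, name: 'Employee A', managerId: 110, salary: 52000 },
  { id: 102, name: 'Employee B', managerId: 110, salary: 61000 },
  { id: 110, name: 'Manager C', managerId: 120, salary: 95000 },
  { id: 120, name: 'Neville Bartholomew', managerId: 120, salary: 450000 }, // constructed value
];

// Assumed role model: admins see everything, managers see themselves and their
// direct reports, everyone else sees only their own record.
function visibleEmployees(requester) {
  if (requester.role === 'admin') return EMPLOYEES.slice();
  return EMPLOYEES.filter(e =>
    e.id === requester.id ||
    (requester.role === 'manager' && e.managerId === requester.id));
}

// Escape text before it is placed in HTML, so a name cannot inject markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Server-side rendering: only authorised rows are turned into HTML. There is
// nothing hidden with CSS for the browser to reveal.
function renderEmployeeTable(requester) {
  const rows = visibleEmployees(requester)
    .map(e => `<tr><td>${escapeHtml(e.name)}</td><td>${e.salary}</td></tr>`)
    .join('');
  return `<table id="employeeRecords">${rows}</table>`;
}

// A manager's view: three rows, and no trace of Neville's record in the page.
console.log(renderEmployeeTable({ id: 110, role: 'manager' }));
```

Hidden DOM elements, disabled options and display:none rows are presentation choices; anything present in the response is readable by the user, so the filter belongs in the handler that builds the response.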
Client Side filtering 3

The objective here is to buy the phone without paying. There is a clear hint about knowing the “code”, and in the form there is a “checkout code” field
Let’s press “Buy”

Get the request in Burp: there is a “checkoutCode” parameter sent as POST data

In the page HTML, near the checkout code input, some checkout codes have been left behind. Try them out, but none of them solves the lesson, as they do not give a 100% discount

At the beginning of the form, there is a hidden “discount” input

Searching for “discount” in dev tools -> Debugger turns up some lines of code

The code found has a few JS functions; one of them runs on every “blur” event of the checkoutCode text input

This source is located in /WebGoat/lesson_js/clientSideFilteringFree.js and is loaded as an inline JS file a few lines before the form begins

So, when one of the coupons found in the HTML is entered, the discount is applied as soon as the focus leaves the text field

As soon as the checkout code field fires its “on blur” event, in Burp we find a request for /WebGoat/clientSideFiltering/challenge-store/coupons/<coupon_code> with the corresponding discount in the response

Let’s try an invalid coupon and change the focus

The request is for an invalid coupon and the response has no discount

So we can try clearing the coupon field, changing the focus and seeing what happens in Burp

The response now has a list of all valid coupons

The same happens if we request the /coupons endpoint directly from the browser address bar
So by entering “get_it_for_free” on the lesson page we get a 100% discount, and the lesson is complete
HTML tampering 2

You can solve this by changing the cost on the HTML from your browser dev tools, but instead I used Burp Suite
Press “Checkout”

Check the request in Burp: it has a “Total” parameter ready to be tampered with

Send the request to Burp Repeater, change the “Total” value, send it, and the lesson is completed
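“Client Side filtering 3” and “HTML tampering 2” fail for the same reason: the price, the discount and the coupon list are decided by values the browser sends (a hidden “discount” input, a “Total” parameter, a /coupons endpoint that answers an empty code with every valid coupon). The following is an added example and not WebGoat’s code, showing the server-side counterpart: the coupon endpoint answers only for the exact code requested, and checkout recomputes the total from a server-side price list and coupon table while ignoring “Total” and “discount” entirely. The catalogue, coupon codes, discount percentages and the request body are all constructed.

```javascript
// Added example (not WebGoat's own code): a checkout handler that treats every
// client-supplied amount as untrusted. Prices are in cents; the catalogue and
// coupon table are constructed for the example.
const CATALOG = { 'phone-1': 49900 };              // constructed: sku -> price in cents
const COUPONS = { WELCOME10: 10, SPRING25: 25 };   // constructed: code -> percent off

function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// GET /coupons/<code>: answers only for the exact code asked for. An empty,
// missing or unknown code gets a 404 and never the list of valid coupons.
function couponEndpoint(code) {
  if (typeof code !== 'string' || code === '' || !hasOwn(COUPONS, code)) {
    return { status: 404, body: { discount: 0 } };
  }
  return { status: 200, body: { discount: COUPONS[code] } };
}

// POST /checkout: the total comes from CATALOG and COUPONS only.
// body.Total and body.discount are never read, so tampering with them in
// Burp Repeater or in the page HTML changes nothing.
function checkout(body) {
  const items = Array.isArray(body.items) ? body.items : [];
  let subtotal = 0;
  for (const { sku, qty } of items) {
    if (!hasOwn(CATALOG, sku)) throw new Error(`unknown sku ${sku}`);
    if (!Number.isInteger(qty) || qty < 1) throw new Error(`bad quantity for ${sku}`);
    subtotal += CATALOG[sku] * qty;
  }
  const coupon = couponEndpoint(body.checkoutCode);
  const percent = coupon.status === 200 ? coupon.body.discount : 0;
  const total = Math.round(subtotal * (100 - percent) / 100);
  return { subtotal, percent, total };
}

// Constructed request as it might look after tampering: the client claims
// Total=0 and discount=100, but only items and checkoutCode are used.
const tampered = {
  items: [{ sku: 'phone-1', qty: 1 }],
  checkoutCode: 'WELCOME10',
  Total: '0',
  discount: '100',
};
console.log(checkout(tampered)); // { subtotal: 49900, percent: 10, total: 44910 }
```

Two details matter beyond the obvious one. The coupon lookup is keyed on the exact string and refuses the empty string, which is the case that leaked the whole list in the lesson; and the arithmetic is done in integer cents so that a percentage discount cannot produce rounding surprises in the charged amount.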
This concludes the WebGoat Client Side lessons
This post is a bit longer than usual, as I thought I’d put them all together since they are very similar
I hope you liked it.
PVXs — https://twitter.com/pivixih
WebGoat Client Side lessons was originally published in InfoSec Write-ups on Medium.