Labs Covered
This write-up focuses on the following APPRENTICE-level labs from the PortSwigger Web Security Academy:
1 Excessive trust in client-side controls
This lab demonstrates how relying on client-side validation lets an attacker bypass the check simply by editing the request before it reaches the server.
2 High-level logic vulnerability
This lab shows how a flaw in business logic can be used to perform actions that the intended workflow never allows.
3 Inconsistent security controls
This lab illustrates how a control enforced in one part of an application but not in another can be bypassed through the weaker path.
4 Flawed enforcement of business rules
This lab demonstrates how loosely enforced business rules let an attacker bend the application's behaviour to their own advantage.
LAB 1 - Excessive trust in client-side controls
Lab Description :
Solution :
First, log in as wiener.
Analyze the application flow:
Open any product page; it has an Add to cart button.
After clicking it, one item is in the cart.
Clicking the cart icon takes us to the checkout page, where the order is placed.
When Add to cart is clicked, the following POST request is sent to /cart:
Notice the price parameter (price=1337 here). The server uses this client-supplied value instead of looking the price up itself, so we can change it to any amount that fits within the available store credit.
Send the modified request, then view the cart to confirm that the tampered price is what the server has recorded.
The lab is solved when the order is placed.
LAB 2 - High-level logic vulnerability
Lab Description :
Solution :
Log in to the shopping site as wiener.
The leather jacket costs $1337, far more than our store credit, so we need a business logic flaw that lowers the total.
When Add to cart is clicked, the following POST request is sent; note the quantity parameter in the request body:
Add another, cheaper item and view the shopping cart:
Intercept the add-to-cart request for the cheaper item in a web proxy (such as Burp Suite) and change the quantity parameter to a large negative value (e.g., -145).
The server validates only the final cart total, not each line's quantity, so the negative line subtracts 145 times that item's unit price from the jacket's price. Choose the negative quantity so that the total stays positive (the server rejects a total below zero) but within the store credit; in the demonstrated run the total came to $31.40.
The jacket's list price is $1337, but parameter tampering lets us buy it for $31.40.
Place the order to solve the lab.
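The two flaws in Labs 1 and 2 come from the same place: the server lets the client decide values it should compute itself, and then checks only the final total. The following is an added example, not code from the PortSwigger labs, with a constructed catalogue (prices in integer cents, a $100 store credit, a $9 second item) showing the vulnerable add-to-cart and checkout beside a hardened version:

```python
"""Cart pricing logic behind Labs 1 and 2: a vulnerable add-to-cart and
checkout beside a hardened version.  Added example with a constructed
catalogue; prices are integer cents."""

# Constructed catalogue: productId -> unit price in cents.
CATALOGUE = {
    1: 133700,  # leather jacket, $1337.00
    2: 900,     # a cheaper item, $9.00
}
STORE_CREDIT = 10000   # $100.00 of credit, constructed for the example
MAX_QUANTITY = 99      # per-line ceiling used by the hardened version


class CartError(ValueError):
    """Raised when a request or cart fails validation."""


def vulnerable_add(cart, request):
    """Lab 1 and Lab 2 flaws together: the unit price is taken from the
    client's POST body when present, and quantity is never range-checked."""
    pid = int(request["productId"])
    if pid not in CATALOGUE:
        raise CartError("unknown product")
    price = int(request.get("price", CATALOGUE[pid]))  # Lab 1: client-chosen price
    qty = int(request["quantity"])                     # Lab 2: may be negative
    cart.append({"productId": pid, "quantity": qty, "price": price})


def checkout_total(cart):
    """Mirrors the lab's only server-side check: the final total must be
    non-negative and within the store credit. Per-line values are not revisited."""
    total = sum(line["price"] * line["quantity"] for line in cart)
    if total < 0:
        raise CartError("cart total cannot be less than zero")
    if total > STORE_CREDIT:
        raise CartError("insufficient store credit")
    return total


def hardened_add(cart, request):
    """Price comes only from the catalogue; quantity must be a positive
    integer below a per-line ceiling. A client-supplied price is ignored."""
    pid = int(request["productId"])
    if pid not in CATALOGUE:
        raise CartError("unknown product")
    qty = int(request["quantity"])
    if not 1 <= qty <= MAX_QUANTITY:
        raise CartError("quantity out of range")
    cart.append({"productId": pid, "quantity": qty, "price": CATALOGUE[pid]})


def run(add, requests):
    """Apply a sequence of add-to-cart requests with the given policy and
    return the checkout total in cents."""
    cart = []
    for request in requests:
        add(cart, request)
    return checkout_total(cart)


def is_rejected(add, requests):
    """True when the sequence is refused by validation at any step."""
    try:
        run(add, requests)
    except CartError:
        return True
    return False


if __name__ == "__main__":
    # Lab 1: jacket with the price parameter rewritten to 1 cent.
    print(run(vulnerable_add, [{"productId": "1", "quantity": "1", "price": "1"}]))
    # Lab 2: jacket at list price plus -145 of the $9 item: 133700 - 130500 = 3200.
    print(run(vulnerable_add, [{"productId": "1", "quantity": "1"},
                               {"productId": "2", "quantity": "-145"}]))
```

Pushing the negative quantity a little further (-150 of the $9 item) drives the total below zero and the vulnerable checkout rejects it, which is exactly the boundary the write-up has to stay inside. The hardened version refuses both tampered requests before the total is ever computed.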
LAB 3 - Inconsistent security controls
Lab Description :
Solution :
Access /admin directly:
The page states that the admin panel is only available to DontWannaCry users. Register a new account using an email address on the exploit server, follow the verification link, and log in. On the My account page, update the email address to aa@dontwannacry.com. Registration verifies the address, but the update does not, so the domain check now passes without us ever controlling a dontwannacry.com mailbox.
We can now view the /admin page.
Delete the user carlos to solve the lab.
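The flaw is that one path to a privileged email address (registration) is verified while another (updating the address) is not. The following is an added example, not the lab's code, with constructed users and hostnames, showing an admin gate keyed on the email domain, the unverified update that bypasses it, and the hardened update that drops verification until the new mailbox confirms:

```python
"""Lab 3: a privilege check keyed on the e-mail domain that is verified at
registration but not when the address is later changed. Added example
with constructed users; not the lab's code."""

from dataclasses import dataclass

ADMIN_DOMAIN = "dontwannacry.com"   # the privileged domain in the lab


@dataclass
class User:
    username: str
    email: str
    email_verified: bool = False


def email_domain(address):
    """Domain after the last '@', lower-cased. Splitting on the last '@' stops
    a local part such as 'x@dontwannacry.com' from being read as the domain."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def register(username, email, link_clicked):
    """Registration is verified: the account only exists once the confirmation
    link sent to `email` has been followed."""
    if not link_clicked:
        raise PermissionError("confirm your e-mail address first")
    return User(username, email, email_verified=True)


def vulnerable_update_email(user, new_email):
    """Inconsistent control: the address changes, the verified flag is kept."""
    user.email = new_email


def hardened_update_email(user, new_email):
    """Any address change drops verification until the new mailbox confirms."""
    user.email = new_email
    user.email_verified = False


def confirm_email(user):
    """Called when the confirmation link for the current address is followed."""
    user.email_verified = True


def is_admin(user):
    """Admin panel gate: a verified address on the privileged domain."""
    return user.email_verified and email_domain(user.email) == ADMIN_DOMAIN
```

With the hardened update the attacker is stuck: the new address is stored, but is_admin stays false until confirm_email runs, and the confirmation link goes to a dontwannacry.com mailbox they do not control.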
LAB 4 - Flawed enforcement of business rules
Lab Description :
Solution :
When the site loads, a banner from the developers states:
“New customers can avail additional discounts.”
This suggests the site has special pricing logic for first-time customers, which may be exploitable if the rules are not enforced server-side.
- Navigate to the shopping page and add the Leather Jacket to the cart.
💸 Observation
- Apply the available promo code during checkout.
- A $55 discount is successfully applied to the item price.
✅ The promo code is functioning correctly and reduces the purchase total by $55.
At the bottom of the shopping page there is a newsletter signup form.
Signing up for the newsletter gives us a second coupon worth $50.
Clicking the Place order button, the order is placed successfully.
🔍 Flawed Logic Analysis
Having mapped the site's features, we look at the application from an attacker's perspective for logic flaws in how the two discounts are enforced.
🧠 Possible Attack Vectors
- Attempt to apply the same coupon code multiple times until the product price is reduced significantly.
- Try alternating between different coupon codes (e.g., promo code and newsletter code) to repeatedly apply discounts.
🧪 Case 1: Reapplying the Same Coupon Code
- When we try to apply the same promo code repeatedly, the application responds:
  Coupon already applied.
- This indicates that the application blocks a duplicate of the same coupon, likely by a simple comparison of coupon codes.
🧪 Case 2: Alternating Coupon Codes to Stack Discounts
- When we alternate between the promo code and the newsletter code (promo → newsletter → promo → newsletter), the check does not enforce one use per coupon across the order: it only compares the new code with the most recently applied one.
- Each coupon is therefore accepted again as long as a different code was applied in between, and the discounts stack until the price is within our store credit.
Place the order to solve the lab.
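Both cases above come down to what state the server compares against when a coupon is submitted. The following is an added example, not the lab's code, with constructed coupon codes (the amounts follow the $55 and $50 in the write-up; the code strings are placeholders) showing the check that compares only the last applied coupon beside one that tracks every coupon on the order:

```python
"""Lab 4: coupon stacking. The vulnerable check compares a new code only with
the most recently applied one; the hardened check tracks every code used on
the order. Added example with constructed coupon codes and amounts; not the
lab's code."""

# Constructed: code -> discount in cents. The two amounts follow the write-up
# ($55 promo, $50 newsletter); the code strings are placeholders.
COUPONS = {"PROMO": 5500, "NEWSLETTER": 5000}
JACKET_PRICE = 133700   # cents


class CouponError(ValueError):
    """Raised when a coupon is unknown or has already been applied."""


def new_order(subtotal=JACKET_PRICE):
    return {"subtotal": subtotal, "applied": []}


def vulnerable_apply(order, code):
    """Rejects only an immediate repeat: PROMO, PROMO fails, but
    PROMO, NEWSLETTER, PROMO passes."""
    if code not in COUPONS:
        raise CouponError("invalid coupon")
    if order["applied"] and order["applied"][-1] == code:
        raise CouponError("Coupon already applied")
    order["applied"].append(code)


def hardened_apply(order, code):
    """One use per code per order, regardless of what was applied in between."""
    if code not in COUPONS:
        raise CouponError("invalid coupon")
    if code in order["applied"]:
        raise CouponError("Coupon already applied")
    order["applied"].append(code)


def total_cents(order):
    """Subtotal minus every applied discount, floored at zero."""
    discount = sum(COUPONS[code] for code in order["applied"])
    return max(order["subtotal"] - discount, 0)


def stack(apply, codes):
    """Apply codes in sequence with the given policy and return
    (number accepted, total in cents). Stops at the first rejection so the
    caller can see how far stacking got."""
    order = new_order()
    accepted = 0
    for code in codes:
        try:
            apply(order, code)
        except CouponError:
            break
        accepted += 1
    return accepted, total_cents(order)


if __name__ == "__main__":
    alternating = ["PROMO", "NEWSLETTER"] * 12
    print(stack(vulnerable_apply, alternating))       # 24 accepted, $77.00 left
    print(stack(hardened_apply, alternating))         # 2 accepted, $1232.00 left
    print(stack(vulnerable_apply, ["PROMO", "PROMO"]))  # 1 accepted: immediate repeat blocked
```

The hardened check keeps the full set of applied codes as server-side order state, so the order in which codes arrive no longer matters; a per-customer limit on newsletter or sign-up codes would belong in the same place.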