# Part 6 Lab Solutions

Video Activity

In this lab-based lesson, participants receive a lab and corresponding solution about specifically exploiting fields in a web page. In this lesson, the instructor uses insecure direct object references to manipulate price points on an online shopping site. Using the input field code, the instructor turns on the inceptor function in Burp Suite to ca...

Join over 3 million cybersecurity professionals advancing their career
or

Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Description

In this lab-based lesson, participants receive a lab and corresponding solution about specifically exploiting fields in a web page. In this lesson, the instructor uses insecure direct object references to manipulate price points on an online shopping site. Using the input field code, the instructor turns on the inceptor function in Burp Suite to capture a request to change parameters. This demonstrates how easy it is to make a change and get users to click on it, capturing their data.

Video Transcription
00:04
Hello and welcome to the cyber very secure coding course my name Miss anywhere, and this is a lost top 10 for 2013. A four insecure direct object reference lab in Solution. This is Web goat
00:20
insecure, direct object reference. Exploiting hidden fields.
00:25
This is the lab in lab solution for indirect object reference,
00:30
specifically exploding hidden fields in a Web page.
00:35
Now how you get to this exercises in Web goat. Go down to perimeter tampering, Exploit hidden fields. Now, when you reach this page, what you'll see is a shopping cart.
00:49
There is a 56 inch HD TV for sale for \$3000.
00:55
Now, if we didn't want to pay the \$3000 what we could do instead is try to see if there's an insecure, direct object reference to the price and change it instead to zero.
01:08
So how we could do that is first, let's go ahead and view the source of the page
01:18
and then search for
01:22
the word price.
01:26
Now it says that there's nine matches
01:29
and I happen to know that the very last one
01:33
is the input field.
01:37
So we can see here that there's an input field
01:40
and it is of type hidden.
01:44
So let's go ahead and turn on burbs. Sweet.
01:48
Okay, I'm gonna go ahead and turn my interceptor on for burb Sweet.
01:52
And then minimize that
01:56
and I'm going to click update cart.
02:00
So you capture that request,
02:04
you can take a look at the parameters that are getting passed in.
02:09
So we clearly have, Ah, quantity.
02:13
We have a submit action.
02:15
And then here we have the price. Wow, that makes it really easy. All I have to do is change this
02:24
two
02:25
all zeros and then forward that
02:30
Stern minor shipped her off,
02:35
and you can see that now. My total price is
02:38
\$0.
Up Next