Part 6 Lab Solutions

Video Activity


Time: 9 hours 31 minutes
Difficulty: Intermediate
CEU/CPE: 10
Video Description

In this lab-based lesson, participants receive a lab and corresponding solution about specifically exploiting fields in a web page. In this lesson, the instructor uses insecure direct object references to manipulate price points on an online shopping site. Using the input field code, the instructor turns on the interceptor function in Burp Suite to capture a request and change its parameters. This demonstrates how easy it is to make a change and get users to click on it, capturing their data.

Video Transcription
00:04
Hello and welcome to the Cybrary secure coding course, my name Miss anywhere, and this is OWASP Top 10 for 2013, A4 insecure direct object reference lab and solution. This is WebGoat
00:20
insecure direct object reference: exploiting hidden fields.
00:25
This is the lab and lab solution for insecure direct object reference,
00:30
specifically exploiting hidden fields in a web page.
00:35
Now, how you get to this exercise in WebGoat: go down to Parameter Tampering, Exploit Hidden Fields. Now, when you reach this page, what you'll see is a shopping cart.
00:49
There is a 56-inch HD TV for sale for $3000.
00:55
Now, if we didn't want to pay the $3000, what we could do instead is try to see if there's an insecure direct object reference to the price and change it instead to zero.
01:08
So how we could do that is first, let's go ahead and view the source of the page
01:18
and then search for
01:22
the word price.
01:26
Now it says that there are nine matches
01:29
and I happen to know that the very last one
01:33
is the input field.
01:37
So we can see here that there's an input field
01:40
and it is of type hidden.
01:44
So let's go ahead and turn on Burp Suite.
01:48
Okay, I'm gonna go ahead and turn my interceptor on for Burp Suite.
01:52
And then minimize that
01:56
and I'm going to click update cart.
02:00
So you capture that request,
02:04
you can take a look at the parameters that are getting passed in.
02:09
So we clearly have, ah, quantity.
02:13
We have a submit action.
02:15
And then here we have the price. Wow, that makes it really easy. All I have to do is change this
02:24
to
02:25
all zeros and then forward that
02:30
turn my interceptor off,
02:35
and you can see that now. My total price is
02:38
$0.
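As an added example that is not part of the lesson or of WebGoat itself, the cart logic below shows the server-side mistake this lab exploits (trusting the hidden Price field) next to a corrected version that takes the price only from a server-side catalog and treats a mismatching Price as tampering evidence to log and reject. The form field names (item, QTY, SUBMIT, Price), the catalog and the item id are assumed for illustration.

```python
"""Added example, not code from the lesson or from WebGoat.
Field names, catalog and item id are assumed for illustration."""
from decimal import Decimal, InvalidOperation
from typing import Optional

# Constructed catalog: the only source of prices the server may trust.
CATALOG = {"tv-56-hd": Decimal("3000.00")}

# Constructed requests: what "Update Cart" sends, and the same request
# after Price has been edited to all zeros in an intercepting proxy.
ORIGINAL_REQUEST = {"item": "tv-56-hd", "QTY": "1",
                    "SUBMIT": "Update Cart", "Price": "3000.00"}
TAMPERED_REQUEST = {**ORIGINAL_REQUEST, "Price": "0000"}


class PriceMismatch(ValueError):
    """Client-supplied price disagrees with the catalog."""


def vulnerable_total(form: dict) -> Decimal:
    """Trusts the hidden Price field, as the lesson's cart does.
    Whoever edits the request controls the total."""
    return int(form["QTY"]) * Decimal(form["Price"])


def hardened_total(form: dict, catalog: dict = CATALOG) -> Decimal:
    """Derives the price from the catalog, never from the request.
    A Price field that is present but wrong is rejected, not corrected."""
    qty = int(form["QTY"])
    if qty < 1:
        raise ValueError("quantity must be at least 1")
    unit = catalog[form["item"]]            # KeyError for unknown items
    if "Price" in form:
        try:
            sent = Decimal(form["Price"])
        except InvalidOperation:
            raise PriceMismatch(f"unparseable Price {form['Price']!r}")
        if sent != unit:
            raise PriceMismatch(f"client sent {sent}, catalog says {unit}")
    return qty * unit


def audit(form: dict) -> Optional[str]:
    """Returns a log line if the request would be rejected, else None.
    Repeated mismatches from one session are a clear tampering signal."""
    try:
        hardened_total(form)
    except (PriceMismatch, ValueError, KeyError) as exc:
        return f"REJECT item={form.get('item')} reason={exc}"
    return None
```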