How to do it...

  1. Ensure the owaspbwa VM is running. Select the OWASP WebGoat application from the initial landing page of the VM. The landing page will be configured to an IP address specific to your machine:

  2. After you click the OWASP WebGoat link, you will be prompted for login credentials. Use these credentials: User Name: guest, Password: guest.
  3. After authentication, click the Start WebGoat button to access the application exercises:

  4. Click Concurrency | Shopping Cart Concurrency Flaw from the left-hand menu:

The exercise explains that there is a thread issue in the design of the shopping cart that will allow us to purchase items at a lower price. Let's exploit the design flaw!

  5. Add 1 to the Quantity box for the Sony - Vaio with Intel Centrino item. Click the Update Cart button:

  6. Switch to the Burp Proxy | HTTP history tab. Find the cart request, right-click, and click Send to Repeater:

  7. Inside Burp's Repeater tab, change the QTY3 parameter from 1 to 10:

  8. Stay in Burp Repeater, and in the request pane, right-click and select Request in browser | In current browser session:

  9. A pop-up displays the modified request. Click the Copy button:

  10. Using the same Firefox browser containing the shopping cart, open a new tab and paste in the URL that you copied to the clipboard in the previous step:

  11. Press the Enter key to see the request resubmitted with a modified quantity of 10:

  12. Switch to the original tab containing your shopping cart (the cart with the original quantity of 1). Click the Purchase button:

  13. At the next screen, before clicking the Confirm button, switch to the second tab and update the cart again, this time with our new quantity of 10, and click Update Cart:

  14. Return to the first tab, and click the Confirm button:

Notice we were able to purchase 10 Sony Vaio laptops for the price of one!
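The design flaw the lesson exploits, modelled as an added example that is not WebGoat's own code: one server-side session shared by both browser tabs, a Purchase step that prices the cart as it stands at that moment, and a Confirm step that ships whatever the live cart holds when it arrives. The item name, price and method names are constructed for this example; confirm_fixed shows one defensive check, refusing to complete the order when the cart no longer matches what was priced.

```python
from typing import Dict, Optional, Tuple

PRICE_LIST = {"Sony Vaio": 1799.00}  # constructed price for the example


class Session:
    """One server-side session; both browser tabs share this same object."""

    def __init__(self) -> None:
        self.cart: Dict[str, int] = {}              # item -> quantity (live cart)
        self.pending_total: Optional[float] = None  # total shown on the confirm screen
        self.pending_items: Dict[str, int] = {}     # snapshot taken at Purchase time

    def update_cart(self, item: str, qty: int) -> None:
        """'Update Cart' from either tab writes straight into the shared cart."""
        self.cart[item] = qty

    def purchase(self) -> float:
        """'Purchase': price the cart as it is at this moment (time of check)."""
        self.pending_items = dict(self.cart)
        self.pending_total = sum(PRICE_LIST[i] * q for i, q in self.cart.items())
        return self.pending_total

    def confirm_vulnerable(self) -> Tuple[float, Dict[str, int]]:
        """'Confirm' as in the lesson: charge the stale total, ship the live cart."""
        return self.pending_total, dict(self.cart)

    def confirm_fixed(self) -> Tuple[float, Dict[str, int]]:
        """Hardened 'Confirm': refuse unless the cart still matches what was priced."""
        if self.cart != self.pending_items:
            raise ValueError("cart changed after checkout; total must be recomputed")
        return self.pending_total, dict(self.pending_items)


def run_scenario(confirm) -> Tuple[Optional[float], int]:
    """Replay the lesson's steps; returns (amount charged, laptops shipped).

    A charged amount of None means the hardened path refused the order.
    """
    s = Session()
    s.update_cart("Sony Vaio", 1)    # tab 1: quantity 1, Update Cart
    s.purchase()                     # tab 1: Purchase -> total for one laptop
    s.update_cart("Sony Vaio", 10)   # tab 2: Update Cart with quantity 10
    try:
        total, shipped = confirm(s)  # tab 1: Confirm
    except ValueError:
        return None, 0
    return total, shipped["Sony Vaio"]
```

Calling run_scenario(Session.confirm_vulnerable) charges the single-laptop total while shipping 10 units, and run_scenario(Session.confirm_fixed) refuses the order instead.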
