How to do it...

  1. Ensure the owaspbwa VM is running. Select the OWASP WebGoat application from the initial landing page of the VM. The landing page will be configured to an IP address specific to your machine.
  2. After you click the OWASP WebGoat link, you will be prompted for login credentials. Use these credentials: User Name: guest; password: guest.
  3. After authentication, click the Start WebGoat button to access the application exercises.
  4. Click AJAX Security | Insecure Client Storage from the left-hand menu. You are presented with a shopping cart.
  5. Switch to Burp's Proxy | HTTP history tab, click the Filter button, and ensure your Filter by MIME type section includes Script. If Script is not checked, be sure to check it now.
  6. Return to the Firefox browser with WebGoat and specify a quantity of 2 for the Hewlett-Packard - Pavilion Notebook with Intel Centrino item.
  7. Switch back to Burp's Proxy | HTTP history tab and notice the JavaScript (*.js) files associated with the change you made to the quantity. Note a script called clientSideValidation.js. Make sure the status code is 200 and not 304 (not modified). Only the 200 status code will show you the source code of the script.
  8. Select the clientSideValidation.js file and view its source code in the Response tab.
  9. Note that coupon codes are hard-coded within the JavaScript file. However, used literally as they are, they will not work.
  10. Keep looking at the source code and notice there is a decrypt function found in the JavaScript file. We can test one of the coupon codes by sending it through this function. Let's try this test back in the Firefox browser.
  11. In the browser, bring up the developer tools (F12) and go to the Console tab. Paste into the console (look for the >> prompt) the following command:

      decrypt('emph');

  12. You may use this command to call the decrypt function on any of the coupon codes declared within the array.
  13. After pressing Enter, you will see the coupon code is decrypted to the word GOLD.
  14. Place the word GOLD within the Enter your coupon code box. Notice the amount is now much less. Next, click the Purchase button.
  15. We receive confirmation regarding stage 1 completion. Let's now try to get the purchase for free.
  16. Switch to Burp's Proxy | Intercept tab and turn Interceptor on with the button Intercept is on.
  17. Return to Firefox and press the Purchase button. While the request is paused, modify the $1,599.99 amount to $0.00. Look for the GRANDTOT parameter to help you find the grand total to change.
  18. Click the Forward button. Now turn Interceptor off by clicking the toggle button to Intercept is off.
  19. You should receive a success message. Note the total charged is now $0.00.
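Both stages succeed because the application keeps the coupon logic in the browser and trusts the GRANDTOT value the browser sends back. The following is an added example (not code from the book or from WebGoat) of the server-side fix: the total is recomputed from a server-held catalog and coupon table, and the client-supplied GRANDTOT is only compared against it to flag tampering. The catalog, coupon table and request shape are constructed for this example.

```javascript
// Constructed sample data; on a real server these live in a database, never in client JS.
const CATALOG = {
  'hp-pavilion': { name: 'Hewlett-Packard - Pavilion Notebook', priceCents: 159999 },
  'usb-hub':     { name: 'USB hub',                             priceCents: 2499 },
};
// Coupon codes and their discounts stay server-side; the client never sees this table.
const COUPONS = { GOLD: 0.25, SILVER: 0.10 };

// Resolve a coupon without consulting Object.prototype (e.g. 'constructor' must not match).
function couponDiscount(code) {
  if (typeof code !== 'string') return 0;
  const key = code.trim().toUpperCase();
  return Object.prototype.hasOwnProperty.call(COUPONS, key) ? COUPONS[key] : 0;
}

// Price the cart from server-side data only. Throws on anything the server cannot price.
function priceOrder(cart, couponCode) {
  let subtotalCents = 0;
  for (const { sku, qty } of cart) {
    const item = CATALOG[sku];
    if (!item) throw new Error(`unknown sku: ${sku}`);
    if (!Number.isInteger(qty) || qty < 1) throw new Error(`invalid quantity for ${sku}`);
    subtotalCents += item.priceCents * qty;
  }
  const discount = couponDiscount(couponCode);
  const totalCents = Math.round(subtotalCents * (1 - discount));
  return { subtotalCents, totalCents, couponApplied: discount > 0 };
}

// Handle a purchase request. GRANDTOT is the client's claim, as in the intercepted request
// above; it is never used as the amount to charge, only logged when it disagrees.
function handlePurchase(request) {
  const priced = priceOrder(request.cart, request.coupon);
  const claimedCents = Math.round(Number(request.GRANDTOT) * 100);
  const tampered = Number.isNaN(claimedCents) || claimedCents !== priced.totalCents;
  if (tampered) {
    // Detection hook: a mismatch here is a strong signal of proxy-side parameter tampering.
    console.warn(`GRANDTOT mismatch: client sent ${request.GRANDTOT}, server computed ${priced.totalCents / 100}`);
  }
  return { chargedCents: priced.totalCents, couponApplied: priced.couponApplied, tampered };
}

module.exports = { priceOrder, handlePurchase, couponDiscount };
```

With this in place, the request modified in step 17 is still charged the server-computed total, and the mismatch is recorded for the detection team.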
