| Field | Detail |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Business Logic — Client-Side Price Manipulation |
| Difficulty | Apprentice |
| Objective | Buy a "Lightweight l33t leather jacket" for an unintended price |
## Excessive Trust in Client-Side Controls
I logged in as wiener:peter — store credit $100.00, jacket costs far more.
Adding the jacket to the cart fired a POST /cart with this body:
```http
POST /cart HTTP/2

productId=1&redir=PRODUCT&quantity=1&price=133700
```
`price` is a client-controlled parameter in the request body — including it there is the root mistake. Even if this field is hidden from the UI, it's trivially accessible and modifiable via a proxy. The server should look up the real price by `productId` when processing the cart, not trust whatever the client submits.
Modifying `price` to 1:

```http
productId=1&redir=PRODUCT&quantity=1&price=1
```
Jacket in the cart at $0.01. The server accepted whatever price value was submitted without validating it against the actual product price. Placing the order:
Lab solved
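To make the root cause concrete, here is the cart handler's flaw beside its fix, as an added example (not the lab's own code). It assumes a constructed product catalogue with prices in integer cents, and the function names `add_to_cart_vulnerable`, `add_to_cart_fixed` and `can_checkout` are mine; the two request bodies are the ones captured above.

```python
from urllib.parse import parse_qs

# Constructed stand-in for the lab's product database; prices are integer cents (assumption).
CATALOGUE = {"1": {"name": "Lightweight l33t leather jacket", "price": 133700}}
STORE_CREDIT = 10000  # wiener's $100.00 of store credit, in cents

# The two request bodies captured in the write-up above.
ORIGINAL_BODY = "productId=1&redir=PRODUCT&quantity=1&price=133700"
TAMPERED_BODY = "productId=1&redir=PRODUCT&quantity=1&price=1"


class CartError(ValueError):
    """Raised when a cart request is rejected."""


def _parse(body: str) -> tuple[dict, str, int]:
    """Shared parsing: returns the form, the productId and a validated quantity."""
    form = parse_qs(body)
    product_id = form.get("productId", [""])[0]
    if product_id not in CATALOGUE:
        raise CartError("unknown product")
    quantity = int(form.get("quantity", ["0"])[0])
    if quantity < 1:
        raise CartError("quantity must be at least 1")
    return form, product_id, quantity


def add_to_cart_vulnerable(body: str) -> dict:
    """Mirrors the lab's bug: the unit price is taken from the client's request body."""
    form, product_id, quantity = _parse(body)
    price = int(form.get("price", ["0"])[0])  # client-controlled, never checked against the catalogue
    return {"productId": product_id, "quantity": quantity, "unitPrice": price,
            "total": price * quantity, "tampered": False}


def add_to_cart_fixed(body: str) -> dict:
    """Hardened form: the price is looked up by productId; a client-sent price is ignored and flagged."""
    form, product_id, quantity = _parse(body)
    price = CATALOGUE[product_id]["price"]
    # A price field in the body is a tampering signal worth logging, but it is never used.
    tampered = "price" in form and form["price"][0] != str(price)
    return {"productId": product_id, "quantity": quantity, "unitPrice": price,
            "total": price * quantity, "tampered": tampered}


def can_checkout(cart: dict, credit: int = STORE_CREDIT) -> bool:
    """The order goes through only if the cart total fits within the store credit."""
    return cart["total"] <= credit
```

With the vulnerable handler the tampered body yields a $0.01 jacket that fits within the $100.00 credit; with the fixed handler the same body is priced at $1,337.00, flagged as tampered, and the checkout is refused.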