| Field | Detail |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Business Logic — Negative Quantity Manipulation |
| Difficulty | Apprentice |
| Objective | Buy a "Lightweight l33t leather jacket" for an unintended price |
## High-Level Logic Vulnerability
I logged in as wiener:peter and found the jacket.
Adding it to the cart and intercepting:
```http
POST /cart HTTP/2

productId=1&redir=PRODUCT&quantity=1
```
No price parameter this time — but quantity is client-controlled. Trying quantity=-3:
Cart total showed -$4011.00. The server accepted a negative quantity without complaint. Trying to place the order returned:
```
Cart total price cannot be less than zero
GET /cart?err=NEGATIVE_TOTAL
```
The server validates that the cart total is not negative at checkout, but never validates that item quantities are positive when they are added to the cart: two separate checks with a gap between them. Adding a cheap product at a large negative quantity therefore acts as a discount that pulls the total down, and the server never asks whether a negative quantity makes business sense. The goal was to land the total between $0 and $100 (the store credit limit).
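To make the gap concrete, here is an added example (written for this writeup, not the lab's server code) of a cart that only checks the total at checkout, beside one that validates every quantity as it enters the cart. The catalogue, product ids, store credit limit and the `MAX_QUANTITY` cap are constructed to match the figures in the text; `handle_add` parses the same form body as the lab's `POST /cart` request.

```python
"""Negative-quantity logic flaw: checkout-only validation vs. per-line validation.
Added example for this writeup, not the lab's code. Prices, product ids, the
credit limit and MAX_QUANTITY are constructed to match the writeup's figures."""
from dataclasses import dataclass, field
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed catalogue: productId -> unit price
PRICES = {
    1: Decimal("1337.00"),  # Lightweight "l33t" Leather Jacket
    2: Decimal("73.34"),    # Eggtastic, Fun, Food Eggcessories
}
STORE_CREDIT = Decimal("100.00")
MAX_QUANTITY = 99  # assumed per-line cap used by the hardened cart


class CartError(ValueError):
    """Carries a short error code, like the lab's ?err=NEGATIVE_TOTAL."""


@dataclass
class VulnerableCart:
    """Mirrors the lab: the sign of a quantity is never checked on add;
    only the final total is checked at checkout, so negative lines act as discounts."""
    lines: dict = field(default_factory=dict)

    def add(self, product_id: int, quantity: int) -> None:
        if product_id not in PRICES:
            raise CartError("UNKNOWN_PRODUCT")
        self.lines[product_id] = self.lines.get(product_id, 0) + quantity

    def total(self) -> Decimal:
        return sum((PRICES[p] * q for p, q in self.lines.items()), Decimal("0"))

    def checkout(self, credit: Decimal = STORE_CREDIT) -> Decimal:
        total = self.total()
        if total < 0:
            raise CartError("NEGATIVE_TOTAL")  # the only check the lab performs
        if total > credit:
            raise CartError("INSUFFICIENT_FUNDS")
        return total


class HardenedCart(VulnerableCart):
    """Validates each line when it enters the cart and again when the total is
    computed, so a zero or negative quantity can never become a discount."""

    def add(self, product_id: int, quantity: int) -> None:
        if type(quantity) is not int or not 1 <= quantity <= MAX_QUANTITY:
            raise CartError("INVALID_QUANTITY")
        if self.lines.get(product_id, 0) + quantity > MAX_QUANTITY:
            raise CartError("INVALID_QUANTITY")  # repeated adds cannot exceed the cap
        super().add(product_id, quantity)

    def total(self) -> Decimal:
        # Defence in depth: cart state that somehow bypassed add() is still rejected.
        if any(q < 1 for q in self.lines.values()):
            raise CartError("INVALID_QUANTITY")
        return super().total()


def handle_add(cart: VulnerableCart, body: str) -> str:
    """Server-side handler for the lab's POST /cart body
    (productId=1&redir=PRODUCT&quantity=1). Returns "OK" or an error code."""
    form = parse_qs(body, strict_parsing=True)
    try:
        product_id = int(form["productId"][0])
        quantity = int(form["quantity"][0])  # "-18" parses fine; the bug is downstream
        cart.add(product_id, quantity)
    except (KeyError, ValueError) as exc:
        return str(exc) if isinstance(exc, CartError) else "BAD_REQUEST"
    return "OK"


def checkout_result(cart: VulnerableCart) -> str:
    """Total as a 2dp string on success, otherwise the error code."""
    try:
        return f"{cart.checkout():.2f}"
    except CartError as exc:
        return str(exc)


def run_scenarios() -> dict:
    """Replays the writeup's requests against both carts; outcomes keyed by name."""
    out = {}
    v = VulnerableCart()  # 1. jacket at -3, the first thing tried in the writeup
    handle_add(v, "productId=1&redir=PRODUCT&quantity=-3")
    out["vuln_neg3_total"] = f"{v.total():.2f}"       # -4011.00
    out["vuln_neg3_checkout"] = checkout_result(v)   # NEGATIVE_TOTAL
    v = VulnerableCart()  # 2. jacket +1 and egg accessories -18
    handle_add(v, "productId=1&redir=PRODUCT&quantity=1")
    handle_add(v, "productId=2&redir=PRODUCT&quantity=-18")
    out["vuln_solve_total"] = f"{v.total():.2f}"      # 16.88
    out["vuln_solve_checkout"] = checkout_result(v)  # 16.88, order accepted
    h = HardenedCart()    # 3. the same two requests against the hardened cart
    out["hard_add_jacket"] = handle_add(h, "productId=1&redir=PRODUCT&quantity=1")
    out["hard_add_negative"] = handle_add(h, "productId=2&redir=PRODUCT&quantity=-18")
    out["hard_checkout"] = checkout_result(h)        # INSUFFICIENT_FUNDS: jacket alone > credit
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The fix is not a bigger check at checkout but a check at the trust boundary: the quantity is validated the moment it arrives from the client, and the total recomputation refuses to trust stored state either. Money is kept in `Decimal` so the figures match the writeup exactly rather than drifting through float arithmetic.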
I kept the jacket at +1 and adjusted a cheap item at negative quantity until the total landed within range:
| Item | Price | Quantity |
|---|---|---|
| Lightweight "l33t" Leather Jacket | $1337.00 | 1 |
| Eggtastic, Fun, Food Eggcessories | $73.34 | -18 |
| **Total** | **$16.88** | |
$16.88 within the $100.00 store credit. Placing the order:
And the lab is solved.