| Field | Detail |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Business Logic — Workflow Step Bypass |
| Difficulty | Practitioner |
| Objective | Exploit a flawed purchasing workflow to buy the "Lightweight l33t leather jacket" |
Insufficient Workflow Validation¶
I logged in as wiener:peter and found the jacket.
Added it to the cart and attempted checkout:
"Not enough store credit for this purchase." I went through a successful checkout with a cheaper product first to understand the workflow:
POST /cart/checkout HTTP/2
→ 303 See Other
Location: /cart/order-confirmation?order-confirmed=true
The confirmation page at /cart/order-confirmation?order-confirmed=true loads and places the order. Observing the successful workflow with a cheaper product was what revealed the confirmation URL structure — the server treats arriving at that endpoint as proof of a valid purchase without re-validating payment. The order-confirmed=true parameter is client-controlled, and the confirmation step is entirely decoupled from the payment step.
I added the jacket to the cart, clicked place order — checkout failed with insufficient funds and the browser landed on /cart?err=INSUFFICIENT_FUNDS. I then modified the URL directly to:
/cart/order-confirmation?order-confirmed=true
Now the lab is solved