9.3 Lab: Multi-endpoint race conditions | 2024
2024-2-28 03:46:13 Author: infosecwriteups.com


Karthikeyan Nagaraj

InfoSec Write-ups

This lab’s purchasing flow contains a race condition that enables you to purchase items for an unintended price.

To solve the lab, successfully purchase a Lightweight L33t Leather Jacket.

You can log into your account with the following credentials: wiener:peter.

  1. Log in to your account with wiener:peter.
  2. Turn the proxy on and enable Intercept.
  3. Now try to add a gift card to the cart and buy it.
  4. In Burp’s HTTP history, send the POST /cart request and the POST /cart/checkout request to Repeater.
  5. Right-click a tab and add it to a group.
  6. Then try to send the group in parallel. If you see an error about HTTP versions, try sending the /cart request as a single request, or switch the requests to HTTP/2. (See the video above for reference.)
  7. Now send the POST /cart request and the POST /cart/checkout request to Repeater again, but change the product ID to 1 in /cart.
  8. You should now have four requests in Repeater; make sure all four are in the same group, in this order:
    /cart, /cart/checkout, /cart, /cart/checkout
  9. Now remove the items from the cart and send the group in parallel.
  10. Repeat this until the jacket is purchased. Then the lab is solved.
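Why the interleaving above works, and what closes it, as an added example: this toy model is not the lab’s or PortSwigger’s code. It models the two endpoints the steps use (POST /cart and POST /cart/checkout) over one shared cart. The vulnerable checkout prices the cart, charges the account, then fulfils whatever the cart holds at fulfilment time, so a /cart request that lands inside that window ships an item that was never paid for. The hardened version prices and fulfils one immutable snapshot and refuses cart writes while a checkout is pending, and `audit` is the reconciliation check a defender would run over order records. The catalogue, prices, balance and the in-memory `Session` are constructed for the demonstration.

```python
"""Toy model of the multi-endpoint race in this lab (added example, not the
lab's code). Two endpoints share one cart; the vulnerable checkout re-reads
the cart after charging it. Catalogue, prices and balances are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed catalogue: product id -> (name, price in cents).
CATALOG: Dict[int, Tuple[str, int]] = {
    1: ("Lightweight L33t Leather Jacket", 133700),
    2: ("Gift card", 1000),
}


@dataclass
class Session:
    balance: int                                   # store credit, in cents
    cart: List[int] = field(default_factory=list)  # product ids in the cart
    orders: List[dict] = field(default_factory=list)
    checkout_pending: bool = False


class VulnerableShop:
    """POST /cart and POST /cart/checkout with a check-then-use gap."""

    def add_to_cart(self, s: Session, pid: int) -> bool:
        s.cart.append(pid)
        return True

    def checkout(self, s: Session, race_hook: Optional[Callable[[], None]] = None) -> str:
        # 1. Price the cart as it is at this instant and charge for it.
        total = sum(CATALOG[p][1] for p in s.cart)
        if total > s.balance:
            return "insufficient funds"
        s.balance -= total
        # Race window: a concurrent POST /cart can land here.
        if race_hook:
            race_hook()
        # 2. Fulfil whatever the cart holds *now*, not what was priced.
        s.orders.append({"items": list(s.cart), "charged": total})
        s.cart.clear()
        return "ok"


class HardenedShop(VulnerableShop):
    """Prices and fulfils one snapshot; refuses cart writes mid-checkout."""

    def add_to_cart(self, s: Session, pid: int) -> bool:
        if s.checkout_pending:
            return False  # mutation rejected while a checkout is in flight
        s.cart.append(pid)
        return True

    def checkout(self, s: Session, race_hook: Optional[Callable[[], None]] = None) -> str:
        # In a real multi-process server this flag must be a database-level
        # lock or transaction on the cart row; the attribute only models it.
        s.checkout_pending = True
        try:
            snapshot = tuple(s.cart)  # immutable: priced and fulfilled as one unit
            total = sum(CATALOG[p][1] for p in snapshot)
            if total > s.balance:
                return "insufficient funds"
            s.balance -= total
            if race_hook:
                race_hook()
            s.orders.append({"items": list(snapshot), "charged": total})
            for p in snapshot:  # remove only what was actually paid for
                s.cart.remove(p)
            return "ok"
        finally:
            s.checkout_pending = False


def run_race(shop: VulnerableShop) -> dict:
    """Reproduce the lab's interleaving: check out a cheap cart while a
    second request adds the jacket (product 1) inside the window."""
    s = Session(balance=1000)  # enough for the gift card only
    shop.add_to_cart(s, 2)
    hook_result = {}

    def concurrent_add() -> None:
        hook_result["accepted"] = shop.add_to_cart(s, 1)

    status = shop.checkout(s, race_hook=concurrent_add)
    return {"status": status, "orders": s.orders, "cart": s.cart,
            "balance": s.balance, "add_accepted": hook_result["accepted"]}


def audit(orders: List[dict]) -> List[dict]:
    """Reconciliation check over order records: flag any order whose
    fulfilled value exceeds the amount that was charged for it."""
    return [o for o in orders
            if sum(CATALOG[p][1] for p in o["items"]) > o["charged"]]


if __name__ == "__main__":
    for shop in (VulnerableShop(), HardenedShop()):
        result = run_race(shop)
        print(type(shop).__name__, result, "flagged:", audit(result["orders"]))
```

Against `VulnerableShop` the order record shows the jacket fulfilled for a 1000-cent charge and `audit` flags it; against `HardenedShop` the concurrent add is refused, only the priced gift card ships, and nothing is flagged. The same reconciliation (fulfilled value versus charged amount) is a cheap detection control for this class of bug in a real order pipeline.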

A YouTube Channel for Cybersecurity Lab’s Poc and Write-ups

Telegram Channel for Free Ethical Hacking Dumps

Thank you for Reading!

Happy Ethical Hacking ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng


Source: https://infosecwriteups.com/9-3-lab-multi-endpoint-race-conditions-2024-5617e806a0fc?source=rss----7b722bfd1b8d---4