Some Basic Web Penetration Testing (using burp suite)

Today I played around with the Repeater tab in Burp Suite. There was a CTF challenge set up like a purchase screen, and it told you to buy a specific number of items, costing a total of $216, for free. At first I tried previous methods, like looking for a way to change the value of the item, but that doesn't work: editing the page in the browser only changes your local copy of the website, and the server never sees it. Then it hit me: could I use a negative quantity for another item? The hard part was doing the math so that a multiple of another item cancelled out the total. I changed the quantity in the request in Burp's Repeater, and voilà! I got my item for free. Challenge completed. (It took me about an hour to figure out, then some time playing around with potential fixes, and another 5-10 minutes to get the right combo.)
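The bug behind that challenge is a server that multiplies whatever quantity the client sends and never checks its sign. As an added example (not the CTF's code), the following shows a cart-total routine that trusts the client's quantities next to a hardened one that keeps prices server-side and only accepts positive integer quantities. The catalog, item names, and prices are constructed for the example; the price of `cheap_item` is chosen so that a negative quantity of it exactly cancels the $216 item.

```python
"""Server-side cart validation versus a handler that trusts client quantities.

Constructed example, not the CTF's code. Prices come from a server-side
catalog, never from the request, and quantities must be positive integers.
"""
import re
from decimal import Decimal

# Constructed catalog: item id -> unit price in dollars, held server-side.
CATALOG = {
    "target_item": Decimal("216.00"),
    "cheap_item": Decimal("27.00"),
}

# Accepts 1..9999 only: no sign, no leading zeros, no decimals, no exponent.
_QTY_RE = re.compile(r"[1-9][0-9]{0,3}")


class InvalidOrder(ValueError):
    """Raised when a submitted cart fails validation."""


def total_trusting_client(order):
    """Vulnerable: multiplies whatever quantity the client sent.

    A negative quantity on one line cancels out the cost of another, so
    {"target_item": 1, "cheap_item": -8} totals 216 - 8*27 = 0.
    """
    total = Decimal("0")
    for item_id, qty in order.items():
        total += CATALOG[item_id] * qty
    return total


def parse_order(form):
    """Turn form-encoded strings (item id -> raw quantity) into a typed order.

    Validating the raw string before int() rejects "-8", "0", "8.5", "1e3"
    and " 8" up front instead of relying on later arithmetic checks.
    """
    order = {}
    for item_id, raw in form.items():
        if not isinstance(raw, str) or not _QTY_RE.fullmatch(raw):
            raise InvalidOrder(f"bad quantity {raw!r} for {item_id!r}")
        order[item_id] = int(raw)
    return order


def total_validated(order):
    """Hardened: reject unknown items and non-positive or non-integer quantities."""
    if not isinstance(order, dict) or not order:
        raise InvalidOrder("order must be a non-empty mapping")
    total = Decimal("0")
    for item_id, qty in order.items():
        if item_id not in CATALOG:
            raise InvalidOrder(f"unknown item {item_id!r}")
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int):
            raise InvalidOrder(f"quantity for {item_id!r} must be an integer")
        if qty <= 0:
            raise InvalidOrder(f"quantity for {item_id!r} must be positive")
        total += CATALOG[item_id] * qty
    # Belt and braces: a zero or negative total is never a legitimate order.
    if total <= 0:
        raise InvalidOrder("order total must be positive")
    return total


def rejects(form):
    """True if the hardened path refuses this raw form submission."""
    try:
        total_validated(parse_order(form))
    except InvalidOrder:
        return True
    return False


if __name__ == "__main__":
    tampered = {"target_item": 1, "cheap_item": -8}
    print("trusting handler total:", total_trusting_client(tampered))
    print("hardened handler rejects it:", rejects({"target_item": "1", "cheap_item": "-8"}))
    print("honest order total:", total_validated(parse_order({"target_item": "1"})))
```

The detection angle is the same check run in the other direction: a request whose quantity fields are negative, zero, or non-numeric is a client that has been edited in a proxy, so the hardened handler should log the rejection with the client identity rather than silently coercing the value.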

Post Author: InfoSecJon

Info Sec Professional, Pen-Testing noob

