Not all vulnerabilities require complex payloads or advanced techniques. Sometimes, simply entering a negative number is enough. In this scenario, the application's failure to restrict quantity values to positive integers led to unintended price manipulation.

PortSwigger's High-Level Logic Vulnerability lab provides a great way to focus on this topic. This write-up will be a simple step-by-step guide, so if you're new, do not worry!

1- Open BURPSUITE and use BurpSuite's Browser:

We'll visit the required pages with the browser of BurpSuite. For now, Intersept should be off!

2- Create an account on PortSwigger

3- Click-on Academy section

4- Go through All Content > All Labs

5- Scroll down on the All Topics panel, and choose Business Logic Vulnerabilities

Select High-Level Logic Vulnerability Lab

Now, we have the details of the lab and the credentials (username: wiener; password: peter). Hover over Access the Lab and click on it:

Select My Account to enter credentials:

username: wiener; password: peter

Turn back to Home:

6- Select View Details

Now, we're on the exact page to solve the question:

We'll examine two different vulnerabilities: a) Can we make the system pay us by inputting negative values into the quantity field? b) Can we reduce or eliminate the amount we have to pay by inputting negative values into the quantity field?

Let's start with the first question:

7- Can we make the system pay us by inputting negative values into the quantity field?

Ensure that "Intercept is On" in BurpSuite:

Turn back to the browser, scroll down, and click on "Add to cart":

At this point, Burp Suite catches the request. Alter the quantity value from 1 to -2, and Forward it:

Then make "Intercept is Off" again in BurpSuite:

Look at the browser again; you'll see a negative number indicating the quantity of the product we selected:

When faced with such a situation, the thought that comes to mind is: The system seems to owe us this amount! They should have fixed this security vulnerability; otherwise, we can collect the amount we want from the system. Let's check the security vulnerability by clicking the "Place Order" button:

The system prevents us from exploiting this vulnerability. With this way…. I mean, the negative quantity vulnerability is still over there. Let's find another way to exploit this vulnerability. Remove the items from the cart.

8- Can we reduce or eliminate the amount we have to pay by inputting negative values into the quantity field?

Let's add 1 Lightweight "l33t" Leather Jacket to our chart:

Then, we'll add another item to our chart. I prefer the Baby Minding Shoes:

After clicking "View Details", make sure "Intercept is On" in Burp Suite:

Go back to the browser, and select "Add to cart":

Look at the Proxy Section in Burp Suite:

Now, our aim is to reduce or eliminate the price of the jacket by inputting negative values into the quantity field of the Baby Minding Shoes. The jacket costs $1337, while the Baby Minding Shoes cost $3.70. To determine the required quantity, we divide 1337 by 3.70, which gives approximately 361. This means we need 361 units of the Baby Minding Shoes to offset the jacket's price. To achieve this, we modify the quantity field using a negative value — instead of entering 361, we input -361.

Forward the request, and after that, make sure "the Intersept is Off" in Burp Suite:

Turn back to the browser and see the magic, sorry vulnerability :)

Place order, and VOILA!:

We reduced the price of the jacket from $1337 to $1.30.

Hope you like the lab! Eager to meet you in another lab! Bye!