July 7, 2026
HACKING JULY DAY 6: JUICE-SHOP BROKEN ACCESS CONTROL(Part II)
In the last article on 6th July, I tackled the juice-shop ‘view basket’ challenge. Feel free to check it out.
By Given Quincy
2 min read
Today's Challenge
In today's challenge I will be putting into practice a concept known as HTTP Parameter Pollution(HPP). HPP occurs when a web application processes multiple parameters with the same name differently across its components enabling verification bypass.
The challenge
Manipulate Basket - 3 starsManipulate Basket - 3 starsThe tools
Burp suite
The frontend of juice-shop web applicationBurp suite
The frontend of juice-shop web applicationIn this challenge, we are supposed to add an item to the basket of another user.
First I tried adding it directly using the 'IDOR method'(Changing the basket ID directly without any further modification). As you might know, that did not work, I got a 401 Unauthorized.
From the error, we can see that the problem is the basket ID. What if I start with my actual basket ID and then add the target's basket ID afterwards (HTTP parameter pollution). The web application will verify that the basket ID is the 'correct' one because the first basket ID will be my actual basket ID.
For the target's basket ID, it will not go through a security check because the first basket ID in the request has already passed the security check.
Practical Steps
- Added the "BasketId" key at the bottom and give it the value "<target_basket_ID>"
My basket ID is 6
The target basket ID is 2
It should look something like:
{
"ProductId":19,
"BasketId":"6",
"quantity":1,
"BasketId":"2"
}{
"ProductId":19,
"BasketId":"6",
"quantity":1,
"BasketId":"2"
}Before adding the item I checked the basket ID 2 and it had only one item
The result will be a 200 OK and the item will be added to the target basket — a not so pleasant surprise for the user.
The challenge is solved
If you put the target basket ID before your actual basket ID in the JSON-part of the request, you will get a 401 Unauthorized — the security check is done on the first basket ID on the JSON-part of the request.
Incase you are trying the process again for practice, change either the ProductId or the BasketId. You will get a 500 Internal Server Error — You cannot add(POST) the same product more than once.
Feel free to check the walk-through on the user credentials challenge.
I appreciate your time.