Lesson Plan Title: Insecure Client Storage

Concept / Topic To Teach:
It is always a good practice to validate all input on the server side. Leaving the mechanism for validation on the client side leaves it vulnerable to reverse engineering. Remember, anything on the client side should not be considered a secret.

General Goal(s):
For this exercise, your mission is to discover a coupon code to receive an unintended discount. Then, exploit the use of client side validation to submit an order with a cost of zero.

Solution:
For the solution you need a browser plugin that is capable of debugging JavaScript. For IE you can use IEWatch. This solution is written for Firebug, which is a plugin for Firefox.

Stage 1

First we want to try to get a coupon code to get something cheaper. Open Firebug and click on the Script tab. Make sure you choose clientSideValidation.js in the dropdown list. Toggle a breakpoint on the line:
decrypted = decrypt(coupons[i]);

Now enter a character in the coupon code field. The JavaScript gets executed but stops at the breakpoint. On the right side you see the parameters and their values. Now use the step over symbol or F10. Now you can read the clear text of decrypted:
Figure 1 (Stage 1): Firebug in action

Now that you know the coupon name enter it in the coupon field, purchase something and you are done.

Stage 2

You cannot edit the prices in the shopping cart. The reason is that the readonly attribute is set for this field.

To get rid of this attribute open Firebug. Make sure this time you use the HTML view. You can search for readonly directly in Firebug and eliminate this attribute. The field for the total is called GRANDTOT. After having deleted the readonly attribute from GRANDTOT it is possible to change the price directly in the browser. Select any products you like, change the total field to 0 and hit the purchase button.
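
The server-side validation the lesson's concept calls for, as an added example that is not part of the original lesson or the application's own code: the server keeps prices and coupons to itself, recomputes the total, and treats the submitted GRANDTOT only as a tamper signal. The catalog, coupon table, field names and validateOrder are hypothetical, and all values are constructed.

```javascript
'use strict';

// Server-side source of truth. All names and values are constructed for this example.
const CATALOG = new Map([   // SKU -> unit price in cents
  ['laptop-01', 69999],
  ['printer-02', 29999],
]);
const COUPONS = new Map([   // coupon code -> discount percent; never shipped to the browser
  ['SPRING10', 10],
]);

// Recompute the order total from server-held data and compare it with the
// total the browser submitted (the GRANDTOT field in the lesson).
function validateOrder(order) {
  const errors = [];
  const items = Array.isArray(order.items) ? order.items : [];
  let subtotal = 0;

  if (items.length === 0) errors.push('order has no items');
  for (const item of items) {
    const price = CATALOG.get(item.sku);
    if (price === undefined) { errors.push(`unknown sku: ${item.sku}`); continue; }
    if (!Number.isInteger(item.qty) || item.qty < 1 || item.qty > 100) {
      errors.push(`invalid quantity for ${item.sku}`); continue;
    }
    subtotal += price * item.qty;   // price comes from the catalog, not the request
  }

  let discountPct = 0;
  if (order.coupon !== undefined && order.coupon !== '') {
    const pct = COUPONS.get(String(order.coupon));
    if (pct === undefined) errors.push('unknown coupon');
    else discountPct = pct;
  }

  const total = subtotal - Math.floor(subtotal * discountPct / 100);
  // The client total is only a tamper signal; it is never used to charge.
  const tampered = Math.round(Number(order.grandTot) * 100) !== total;
  return { ok: errors.length === 0 && !tampered, total, tampered, errors };
}
```

A mismatch between the submitted total and the recomputed one is worth logging with the session identifier, since an unmodified page never produces it.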