Showing posts from March 2018
OWASP Security Shepherd Project - Poor Data Validation 2 (Poor Data Validation Challenge)

Challenge Solution

First, let's try to input a negative number, -100, as the troll quantity (through both the UI and BurpSuite, to test client-side and server-side validation). It seems that this time the application does validate against negative numbers.

Let's see if there is a boundary issue. Try to input 99999999.

Great! We completed the challenge. Now we know that there is no validation of the data range: the order total is computed in a fixed-width integer, so when the quantity is large enough the product wraps around (an integer overflow) and the total becomes negative.

However, this is not enough. We want a stable method to test for the overflow, rather than relying on good luck.

Let's try the Intruder feature in BurpSuite! First, copy the original "place order" request and paste it into the Positions field of Intruder. (Of course, we should set the target to our Security Shepherd machine in the Target tab.) Then we need to select the integer field that we want to use as the payload position. (That is, the number of trolls we want to buy -
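The following is an added example, not code from Security Shepherd or from the original post. It models the server-side arithmetic the write-up infers (quantity times unit price computed in a 32-bit signed integer, as a Java int would be), computes the exact quantity at which the total wraps negative so the boundary can be tested deterministically instead of by luck, generates a payload list suitable for BurpSuite Intruder, and shows the hardened check that rejects the overflow. The unit price is an assumption chosen for illustration; it is not the challenge's actual value.

```python
# Added example (not from the Security Shepherd project or the original post).
# Models an order total computed as quantity * unit_price in a 32-bit signed int,
# which is what the challenge's behaviour (a negative total for a huge quantity)
# suggests. UNIT_PRICE is an assumption for illustration only.

INT32_MAX = 2**31 - 1
INT32_MIN = -2**31
UNIT_PRICE = 30  # assumed price per troll, not taken from the challenge


def to_int32(value: int) -> int:
    """Wrap an arbitrary Python int to two's-complement 32 bits, as Java int arithmetic does."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value > INT32_MAX else value


def vulnerable_total(quantity: int, unit_price: int = UNIT_PRICE) -> int:
    """Total as a server that rejects negatives but never bounds the product computes it."""
    if quantity < 0:
        raise ValueError("negative quantity rejected")  # the only check the write-up observed
    return to_int32(quantity * unit_price)  # silently wraps once the product exceeds INT32_MAX


def min_overflowing_quantity(unit_price: int = UNIT_PRICE) -> int:
    """Smallest quantity whose product with unit_price exceeds INT32_MAX: the exact boundary."""
    return INT32_MAX // unit_price + 1


def intruder_payloads(unit_price: int = UNIT_PRICE) -> list[int]:
    """Candidate quantities for Burp Intruder: powers of ten plus values straddling the boundary."""
    boundary = min_overflowing_quantity(unit_price)
    candidates = [10**n for n in range(1, 11)] + [boundary - 1, boundary, boundary + 1]
    return sorted(set(candidates))


def safe_total(quantity: int, unit_price: int = UNIT_PRICE) -> int:
    """Hardened version: bounds-check the product before it is ever narrowed to 32 bits."""
    if quantity < 0:
        raise ValueError("negative quantity rejected")
    total = quantity * unit_price  # Python ints are unbounded, so this cannot wrap
    if total > INT32_MAX:
        raise ValueError("order total out of range")
    return total


def overflow_rejected(quantity: int, unit_price: int = UNIT_PRICE) -> bool:
    """True if the hardened check refuses the order for this quantity."""
    try:
        safe_total(quantity, unit_price)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    boundary = min_overflowing_quantity()
    for qty in (10, 99999999, boundary - 1, boundary):
        print(f"qty={qty:>10}  vulnerable_total={vulnerable_total(qty):>12}  "
              f"hardened_rejects={overflow_rejected(qty)}")
```

With the assumed price, the boundary quantity is 71582789: one troll fewer still yields a positive total, one more wraps to a large negative number, so a payload list that straddles that value reproduces the failure on every run. A real server written in Java would get the same protection from Math.multiplyExact, which throws instead of wrapping.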