Test the security of Jack Frost's slot machines. What does the Jack Frost Tower casino security team threaten to do when your coin total exceeds 1000? Submit the string in the server
data.responseelement. Talk to Noel Boetie outside Santa's Castle for help.
Hints provided for Objective 4
- It seems they're susceptible to parameter tampering.
- Web application testers can use tools like Burp Suite or even right in the browser with Firefox's Edit and Resend feature.
The hints are very helpful here. By opening the slot machine in Firefox and looking in the “network” tab of the developers tools we see that a POST request to a file called spin is made every time that the spin button is pressed on the slot machine. The POST request passes on the bet amount, the number of lines and the bet size each time.
By using the Edit & Resend option in Firefox, I was able to edit the parameter for the bet amount to a negative value, so for every unsuccessful spin, my balance would increase instead of decrease.
Looking at the server response it looks like someone’s not too happy about this!
