WebAppSec: Parameter Tampering
Good day everyone!
This vulnerability was on a VPN site and they were running their responsible disclosure program. The scope of the program included network and Web Application.
As it was a product site, I immediately went to check their products and prices. They were offering VPN software with a 1-year license for 40€ and a discounted 3-year license for 99€.
The next thing that sprang to mind was to check for a Parameter Tampering vulnerability, so I went to buy a 3-year license, added the VPN to my basket, and proceeded to the checkout page. On that page I could make my payment through one of three payment gateways: PayPal, debit/credit card, and cryptocurrency.
So, I selected PayPal and clicked on Buy. The very next POST request was captured in Burp's Intercept; it was a JSON request to PayPal, and I saw the amount reflected as 99€.
I then changed that amount to just 1€, and PayPal accepted my payment.
While being redirected back to the website, I examined the response code, which was 200 OK, and there was no validation of the amount in the JSON response, indicating that my transaction was successful. I received a product license worth 99€ for only 1€.
After that, I informed the company of my findings, and they asked me to supply an account ID and transaction number for validation, which I did.
They confirmed the transaction ID and discovered that the vulnerability affected all three payment gateways, so they paid me a bounty of 900€.
Recommended mitigations:
Use an allow-list (whitelist) format for the application's inputs.
Validate the data using an MD5 digest.
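The flaw in the post comes down to the server trusting a price supplied by the client. As an added example (not code from the VPN site or from the author), the block below contrasts a checkout handler that reads the amount from the client's JSON with a hardened version that looks the price up from an allow-listed product ID and, before fulfilling an order, checks the gateway's callback amount against the server-side order record. For the digest step it uses a keyed HMAC-SHA256 rather than a bare MD5 hash, because an unkeyed digest can simply be recomputed by whoever tampers with the amount. The catalogue, the product IDs, the server secret and the callback field names are all constructed for illustration.

```python
import hashlib
import hmac
import json
from decimal import Decimal

# Constructed catalogue: the server-side source of truth for prices.
# The two amounts match the prices mentioned in the post.
CATALOGUE = {
    "vpn-1y": Decimal("40.00"),
    "vpn-3y": Decimal("99.00"),
}

# Hypothetical server secret; in a real deployment load it from a secret store.
SERVER_SECRET = b"example-secret-do-not-use"

# In-memory order store for the example (order_id -> sku and amount).
ORDERS = {}


def vulnerable_create_payment(client_json: str) -> Decimal:
    """The pattern described in the post: the amount charged is whatever the
    client's JSON says, so editing 99 to 1 in an intercepting proxy 'works'."""
    body = json.loads(client_json)
    return Decimal(str(body["amount"]))


def _order_digest(order_id: str, sku: str, amount: Decimal) -> str:
    """Keyed digest over the order fields; the client cannot forge it without the secret."""
    payload = f"{order_id}:{sku}:{amount}".encode()
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def create_order(order_id: str, sku: str) -> dict:
    """Hardened: only allow-listed SKUs are accepted and the price is never
    read from the client. Returns the payload that would be sent to the gateway."""
    if sku not in CATALOGUE:
        raise ValueError(f"unknown product: {sku!r}")
    amount = CATALOGUE[sku]
    ORDERS[order_id] = {"sku": sku, "amount": amount}
    return {
        "order_id": order_id,
        "sku": sku,
        "amount": str(amount),
        "currency": "EUR",
        "digest": _order_digest(order_id, sku, amount),
    }


def verify_gateway_callback(callback_json: str) -> bool:
    """Hardened: before issuing the license, confirm that the digest is intact
    and that the amount the gateway reports matches the server-side order."""
    cb = json.loads(callback_json)
    order = ORDERS.get(cb.get("order_id"))
    if order is None:
        return False
    expected = _order_digest(cb["order_id"], order["sku"], order["amount"])
    # Constant-time comparison avoids leaking digest bytes through timing.
    if not hmac.compare_digest(expected, str(cb.get("digest", ""))):
        return False
    try:
        paid = Decimal(str(cb["amount"]))
    except (KeyError, TypeError, ArithmeticError):
        return False
    return (
        paid == order["amount"]
        and cb.get("currency") == "EUR"
        and cb.get("status") == "COMPLETED"
    )


if __name__ == "__main__":
    # Vulnerable path: the tampered amount is simply accepted.
    print("vulnerable charges:", vulnerable_create_payment('{"amount": "1"}'))

    # Hardened path: a tampered callback is rejected, the genuine one accepted.
    order = create_order("order-0001", "vpn-3y")
    tampered = dict(order, amount="1.00", status="COMPLETED")
    genuine = dict(order, status="COMPLETED")
    print("tampered accepted:", verify_gateway_callback(json.dumps(tampered)))
    print("genuine accepted:", verify_gateway_callback(json.dumps(genuine)))
```

The important design point is that `verify_gateway_callback` compares the gateway's amount with the value the server stored when the order was created, not with anything in the client's request; the HMAC only adds tamper evidence on top of that server-side check, and a plain MD5 over the same fields would not, since the attacker could recompute it.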
Thank you for taking the time to read this; I hope you enjoyed it.