Parameter Tampering Bug in a Website

Om Anilkumar Patel
3 min read · Mar 13, 2024


Hello everyone!

Today I am going to show you how I found my first parameter tampering bug on a website.

What is a Parameter Tampering Bug?

Parameter tampering is a web attack in which the parameters a browser sends to a site (URL query strings, form fields, hidden fields and similar values) are altered to gain unauthorized access to the website or application. It works wherever the server trusts client-supplied values instead of validating them: by manipulating input parameters, an attacker can change data or trigger behaviour the application never intended.

First, I looked for online shopping websites where I might be able to change parameters such as quantity or price.

After visiting a few websites and trying the parameter manipulation steps, I was able to locate a bug on one of them.

I’ll explain here how I altered the website’s parameter:

The first thing I did on the website was add items to the cart.

While doing this, I noticed a request in Burp Suite.

After going through many requests, I found a values parameter that carried the cost of the item I was adding to my basket. I changed the product’s price and sent the request, but later I saw that the product’s price in the cart had not changed.

It then occurred to me to intercept the request made to Razorpay for the online payment at checkout, while the order is being processed.

So I filled in the required address fields and clicked the checkout button.

At the same time, I intercepted the payment page’s request, which was generating the QR code for the product’s total amount during checkout.

Reviewing the requests, I found one in which the quantity parameter was passed together with the total price of my product.

I promptly changed the amount and sent the request.

Surprisingly, the QR code was generated.

When I scanned the QR code later, it carried the tampered price I had entered. Joy!
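What makes this bug possible is that the checkout request's amount is trusted by the server. The following is an added illustration (not the author's code and not the site's) of the server-side pattern that closes it: the total is recomputed from the server-side cart, and a client-supplied amount that disagrees is rejected and flagged, with the trusting "before" variant beside it. The catalogue, SKUs and prices are constructed sample data.

```python
from decimal import Decimal

# Constructed sample catalogue: server-side prices are the only trusted source.
CATALOGUE = {"sku-101": Decimal("499.00"), "sku-202": Decimal("1250.50")}


def server_total(cart_lines):
    """Recompute the order total from server-side prices and the stored cart.

    cart_lines: list of (sku, quantity) taken from the server's session or
    database, never from the checkout request itself.
    """
    total = Decimal("0")
    for sku, qty in cart_lines:
        if sku not in CATALOGUE or qty <= 0:
            raise ValueError(f"invalid cart line: {sku!r} x {qty}")
        total += CATALOGUE[sku] * qty
    return total


def payment_request_vulnerable(client_params):
    """'Before' pattern, as in the post: the amount the browser sent is
    forwarded to the payment gateway unchanged, so editing it in the
    intercepted request changes what the generated QR code charges."""
    return {"amount": Decimal(client_params["amount"]),
            "quantity": int(client_params["quantity"])}


def amount_is_tampered(client_params, cart_lines):
    """Detection check: does the client-supplied amount differ from the
    server-computed total? A mismatch is a tampering signal worth logging."""
    claimed = Decimal(client_params.get("amount", "0"))
    return claimed != server_total(cart_lines)


def payment_request_hardened(client_params, cart_lines):
    """Hardened pattern: the gateway request is built only from server-side
    data. The client's amount is compared for detection and then ignored."""
    if amount_is_tampered(client_params, cart_lines):
        raise PermissionError("checkout amount does not match server-side cart total")
    return {"amount": server_total(cart_lines),
            "quantity": sum(qty for _, qty in cart_lines)}
```

In a real deployment the PermissionError branch should also write an alert with the session, claimed amount and expected amount, since repeated mismatches from one client are exactly the signal this bug class leaves behind.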
