#Bug Bounty — How I booked a rental house for just 1.00 INR — Price Manipulation in Citrus Pay

Hey Guys,

During my recent bug bounty hunt, I came across a very critical and yet simple vulnerability. It was payment price manipulation through which I could book a furnished home with one of the famous home rental app in India at the minimal cost (Rs.1.00).

So, let’s see what the whole vulnerability was.

I had to move to a service apartment from a paying guest accommodation. So I went over the internet and searched for a sharing apartment in a home rental site. I loved a house and thought of paying the advance. I was desperately hunting for a Payment gateway vulnerabilities from past few weeks, so I thought of giving a try on this site. I captured the request using a proxy tool before it hit the Payment Gateway.

The order amount parameter was carrying the amount to be paid, which is “7291.0” INR. Immediately I changed the value to “1.0” INR.

After manipulating the order amount value, I have forwarded the HTTP request and it redirected me to the below Payment gateway (Citrus Pay) page.

After clicking on Pay Now button I captured the request and used trial and error technique. I changed many parameter values from “False” to “True”, but no luck. After so many unsuccessful attempts I got the right one. I changed the “Retry count” from 0(zero) to “positive value”.

Hurray…. It took me to the next page successfully.

There it asked me for my contact details and my credit card details (I selected this payment method) to pay the amount of 1.00 INR. I enter all my details and clicked on Pay. I got an OTP for paying 1.00. After entering OTP, it showed me the success page displayed below.

BHOOM…..I have received the rent receipts for the payment of 7291.0 to my email. And there is one more important thing. I have cancelled the house which I booked and I got the refund of 7291.0 INR instead of 1.0 INR which I actually paid.

Here it is the retry count value manipulation that bypassed the payment checksum validation logic of Citrus Pay. So never ever ignore any parameter, you should validate each and everything which is going to the server from client.

This is simple yet a critical vulnerability and this happens when the price or checksum is not validated back by the server.

Always validate the amount back by the server.

Pull the amount from database and check whether it’s the same value or not.

Create a payment checksum and validate it at server side.

This is all about this interesting finding.

Thanks for reading.

Raghavendra