#BugBounty — “How I was able to shop for free!”- Payment Price Manipulation

Hi Guys,

During my recent bug bounty hunt, I came across a critical and yet simple vulnerability. It was payment price manipulation, through which I could buy any product at a minimal cost. So, let's see what the whole vulnerability was:

I had to buy a wedding suit to attend a wedding ceremony, so I went over the internet, where I came across a popular Indian shopping site, and started my hunt. For some days I had been looking for bugs in payment gateways, and this came at exactly the right time. So I captured the request before it hit the payment gateway:

Note the amount parameter carrying the amount to be paid, which here is “Rs. 1104.00” (INR). Without any hesitation, I tampered with the price value, entered “119”, which means 1.19 (INR), and forwarded the HTTP request. Next, I was redirected to the bank payment page, as you can see below:

Whoaa! The final price is “1.19”. I had a huge smile on my face, and then I proceeded further to get this:

Order Successfully Placed

The order was placed successfully and I paid just 1.19 INR for a 1104.00 INR product :D. Such a simple yet critical vulnerability, and it happens when the price is not validated on the server side. It was a surprise that such simple loopholes still exist and developers miss validating the price. Some secure steps that can be taken to prevent this kind of attack:

Always validate the price on the server side; never treat a client-supplied amount as authoritative.

Pull the price from the database and check that the amount being charged matches it before handing off to the payment gateway.

Refrain from sending the amount in the HTTP request; send only the product id (and quantity) and let the server compute the total.
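To make the three steps concrete, here is a small checkout handler written as an added example for this write-up (it is not code from the shop or from the author). It shows the vulnerable pattern, where the amount forwarded to the gateway is whatever the browser sent, next to the server-side fix, which recomputes the total from product ids and catalogue prices and rejects any client-echoed amount that disagrees. The product ids, catalogue, and request dictionaries are constructed for illustration and stand in for the real database and HTTP layer.

```python
"""
Added example (not from the original write-up): a minimal checkout step
showing the trust-the-client bug beside the server-side fix.
Product ids, prices and request shapes are constructed for illustration.
"""
from decimal import Decimal

# Constructed product catalogue standing in for the shop's database.
# Prices are stored in paise (1/100 INR) as integers to avoid float rounding.
CATALOG = {
    "suit-001": {"name": "Wedding suit", "price_paise": 110400},  # Rs. 1104.00
    "tie-042": {"name": "Silk tie", "price_paise": 49900},        # Rs. 499.00
}


class CheckoutError(Exception):
    """Raised when a checkout request fails server-side validation."""


def vulnerable_checkout(request: dict) -> int:
    """The bug from the write-up: the 'amount' field sent by the browser is
    forwarded to the payment gateway unchanged, so a tampered value wins."""
    return int(request["amount"])


def secure_checkout(request: dict) -> int:
    """The fix: ignore any client-supplied amount as a source of truth.
    Derive the total from product ids and quantities looked up in the
    catalogue, then treat a mismatching client amount as a tampering signal."""
    items = request.get("items", [])
    if not items:
        raise CheckoutError("empty cart")
    total = 0
    for item in items:
        product = CATALOG.get(item.get("product_id"))
        if product is None:
            raise CheckoutError(f"unknown product {item.get('product_id')!r}")
        qty = item.get("quantity", 1)
        if not isinstance(qty, int) or qty < 1:
            raise CheckoutError("invalid quantity")
        total += product["price_paise"] * qty
    # Defence in depth: if the client echoed an amount, it must match exactly.
    # A mismatch is worth logging and alerting on, not silently correcting.
    if "amount" in request and int(request["amount"]) != total:
        raise CheckoutError(
            f"amount mismatch: client sent {request['amount']}, server computed {total}"
        )
    return total


def rejects(request: dict) -> bool:
    """True if the secure handler refuses the request."""
    try:
        secure_checkout(request)
    except CheckoutError:
        return True
    return False


def paise_to_inr(paise: int) -> str:
    """Format an integer paise amount as the gateway would display it."""
    return f"Rs. {Decimal(paise) / 100:.2f}"


# Constructed requests mirroring the write-up: the honest one and the tampered one.
HONEST_REQUEST = {"items": [{"product_id": "suit-001", "quantity": 1}], "amount": "110400"}
TAMPERED_REQUEST = {"items": [{"product_id": "suit-001", "quantity": 1}], "amount": "119"}

if __name__ == "__main__":
    print("vulnerable, tampered :", paise_to_inr(vulnerable_checkout(TAMPERED_REQUEST)))
    print("secure, honest       :", paise_to_inr(secure_checkout(HONEST_REQUEST)))
    print("secure, tampered     : rejected =", rejects(TAMPERED_REQUEST))
```

The important design choice is that the secure handler never needs the client's amount at all; the comparison at the end exists only so that a tampered request is detected and can be logged, rather than quietly overwritten with the correct price. Storing prices as integer paise also sidesteps the rounding surprises that come with floating-point currency.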

Thanks for reading!
This is all about this interesting finding. ☺

~Logicbomb ( https://twitter.com/logicbomb_1)(https://www.reddit.com/user/logicbomb_1/)

InfoSec Write-ups

A collection of write-ups from the best hackers in the…

Avinash Jain (@logicbomb_1)

Written by

Lead Infrastructure Security Engineer@Grofers | DevSecOps | Speaker | Breaking stuff to learn | Featured in Forbes | Acknowledged by Google, NASA, Yahoo, UN etc
