How I Got Paid $0 From India’s Largest Online Gifting Portal — Bug Bounty Program
“The greatest gift you can give yourself is a little bit of your own attention.” ~Anthony J. D’Angelo
It all started with this awesome quote, and I began exploring gifts. As usual, after 10–15 minutes I lost my focus and landed on a gift shopping website, browsing like a small kid: umm, I want this, I want that, ohh! I want all of it. But while going through it, I unintentionally opened my console and began looking at the XHR calls and the source code, recalling my good old days when I used to learn Bootstrap and CSS. I was opening and analysing everything like a child, trying to understand the web app flow, and my mind was connecting every single dot to build a complete API flow, or I could say one product-purchase flow. I was noting everything in Notepad++ and, wow, I saw something weird. I was doubtful about the secure checkout method. Curiosity to understand it led me to perform a MITM (Man In The Middle) test. Oh, I forgot to tell you that I was shopping with the mobile app (Android app), although I used my laptop to pass the traffic through my penetration testing tool. I got the plain-text product_amount, which left me uncertain.
I wasn’t sure about the impact of changing this. So, I decided to give it a try, because I had to know. I changed it and forwarded my request to the server. My request was processed successfully without any validation. Well, I had thought they would put a validation layer after payment (on the success and failure webhooks that every programmer configures in a payment module). I paid Rs. 1, while the original price before the change was 725 (as you can see in the screenshot), and finally, I found a serious vulnerability ~ price manipulation.
The website of this vulnerable mobile application is free from this vulnerability.
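To make the defect concrete from the defender's side, here is an added example (my own illustration, not code from the gifting portal or from the author) of the two places the post points at: order creation, which must not trust a client-supplied product_amount, and the payment webhook, which must only mark an order paid when the gateway-reported amount equals the server-side total. The catalog, the order store, the 725/1 figures and the function names are constructed for the example; a real integration would also verify the gateway's webhook signature before calling `handle_payment_webhook`, which is gateway-specific and not shown.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed server-side catalog: the only source of truth for prices.
# (Prices are assumptions for the example; 725 mirrors the post's screenshot.)
CATALOG = {
    "gift-basket": Decimal("725.00"),
    "mug": Decimal("199.00"),
}

# Constructed in-memory order store standing in for a database.
ORDERS: dict[str, "Order"] = {}


@dataclass
class Order:
    order_id: str
    items: dict[str, int]      # product_id -> quantity
    amount_due: Decimal        # computed on the server, never taken from the client
    status: str = "pending"


class PriceMismatch(Exception):
    """Client-sent amount disagrees with the server-computed total."""


def server_total(items: dict[str, int]) -> Decimal:
    """Recompute the order total from the catalog (quantities must be positive)."""
    if not items or any(qty <= 0 for qty in items.values()):
        raise ValueError("order must contain at least one item with positive quantity")
    return sum((CATALOG[pid] * qty for pid, qty in items.items()), Decimal("0"))


def create_order_insecure(order_id: str, items: dict[str, int], product_amount) -> Order:
    """The pattern the post describes: the client's product_amount becomes the amount due.

    Kept here only to show the behaviour; the hardened version is create_order().
    """
    order = Order(order_id, items, Decimal(str(product_amount)))
    ORDERS[order_id] = order
    return order


def create_order(order_id: str, items: dict[str, int], product_amount=None) -> Order:
    """Hardened version: the total comes from the catalog.

    If the client also sends an amount (e.g. for display), it is treated as a
    consistency check and a mismatch rejects the request instead of being honoured.
    """
    total = server_total(items)
    if product_amount is not None and Decimal(str(product_amount)) != total:
        raise PriceMismatch(f"client sent {product_amount}, server computed {total}")
    order = Order(order_id, items, total)
    ORDERS[order_id] = order
    return order


def handle_payment_webhook(order_id: str, paid_amount, currency: str = "INR") -> bool:
    """Second line of defence on the gateway's success webhook.

    Mark the order paid only when the amount the gateway actually collected
    equals the amount the server expected; otherwise flag it for review.
    (Assumes the webhook's signature was already verified by the caller.)
    """
    order = ORDERS[order_id]
    paid = Decimal(str(paid_amount))
    if currency != "INR" or paid != order.amount_due:
        order.status = "payment_mismatch"
        return False
    order.status = "paid"
    return True


if __name__ == "__main__":
    # Insecure flow: a tampered amount of 1 is accepted end to end.
    bad = create_order_insecure("o-insecure", {"gift-basket": 1}, 1)
    print("insecure order accepted payment of 1:", handle_payment_webhook("o-insecure", 1))
    # Hardened flow: the amount due is 725 regardless of what the client sends,
    # and a webhook reporting only 1 paid does not mark the order as paid.
    good = create_order("o-secure", {"gift-basket": 1})
    print("secure order amount due:", good.amount_due)
    print("webhook with 1 paid accepted:", handle_payment_webhook("o-secure", 1))
    print("webhook with 725 paid accepted:", handle_payment_webhook("o-secure", 725))
```

Run as a script it prints the insecure flow accepting the Rs. 1 payment and the hardened flow rejecting it. The point of keeping both checks is that the webhook comparison catches tampering even if the order-creation check is bypassed, because it compares what the gateway says was collected against what the server itself computed.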
This is a short explanation of how I got lucky!
As you can see, most people are doing basic recon on the target, looking for reflected XSS, open redirects or exposed directories. You need to be extremely lucky to find that sort of low-hanging fruit, but it doesn’t hurt to try.
As far as this finding goes, I submitted my report and am waiting for a reply!
April 15, 2018: Report Submitted and triaged