Payment Gateway Bypass on Government Domain.

RootKid 🤖 🤖 🤖
Published in Nest InfoSec
3 min read · Dec 15, 2022

Hey Guys !!!

What’s up! Hope you are doing well. In this blog post, I would like to share with you the Payment Gateway Bypass found in the Government domain. The vulnerability has been patched. Let’s begin…

Overview

The vulnerability was found on the website which is used to pay Challan online to Ahmedabad Traffic Police. So the basic requirement was to have a vehicle registered under Ahmedabad RTO which has some amount of challan in it.

Exploitation

When you visit the home page of the website, it presents you with a field to give your vehicle No. which is registered under Ahmedabad RTO.

Home Page

On the next page, it shows you all the challans you have to pay. Select one/all of them.

Challan page — 1
Challan page — 2

Note: Sorry for not having clear POCs, as it is important for me to hide all sensitive data for security reasons.

On intercepting the payment request, we can see the amount of the challan going from there. On changing its value to some lower value, it would still pass the payment. Check the POCs attached below.

Original request with challan amount of ₹ 1300
Manipulating the value of challan to ₹ 1

After manipulating the value of challan, we get a payment gateway of SBI.

SBI Payment Gateway.

On Payment Gateway, we can see that it shows we have to pay ₹0 to clear our challan. This proves that we have successfully bypassed Payment Gateway for our challan payment.

Receipt of clearing challan of ₹ 1300

Second Vulnerability

After receiving the receipt of the challan payment, I noticed that on the top left corner there is a download button. I decided to check if there is any other vulnerability to be exploited…

Receipt of challan payment

I was right !!! I found an IDOR there. On intercepting the request of the download button I found out there is a receipt id parameter going through the request.

The original request for my challan receipt

My challan receipt id was ***9242. I changed it to ***9241 and got to see the challan receipt of some other person.

Manipulating the value of receipt id
Challan Receipt of some random person.
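
Both issues above come from the server acting on a client-supplied value (the challan amount, then the receipt id) without checking it against its own records. The Python below is an added example of those server-side checks, not code from the site or from the author; the function names, the idea of a session bound to one vehicle number, and all records and ids are constructed assumptions.

```python
from decimal import Decimal, InvalidOperation
import secrets
# Constructed records standing in for the server's database (not real data).
CHALLANS = {
    "CH-1": {"vehicle": "GJ01XX0001", "amount": Decimal("1300"), "paid": False},
    "CH-2": {"vehicle": "GJ01XX0002", "amount": Decimal("500"), "paid": False},
}
RECEIPTS = {"R-1001": "GJ01XX0002", "R-1002": "GJ01XX0001"}  # receipt id -> owner
ORDERS = {}  # order id -> amount and challans fixed by the server

class Rejected(Exception):
    """Request does not match server-side records."""

def create_order(session_vehicle, challan_ids, client_amount=None):
    """Price the order from stored challans; the request amount is only cross-checked."""
    ids = sorted(set(challan_ids))
    if not ids:
        raise Rejected("no challan selected")
    total = Decimal("0")
    for cid in ids:
        rec = CHALLANS.get(cid)
        if rec is None or rec["vehicle"] != session_vehicle or rec["paid"]:
            raise Rejected(f"challan {cid} is not payable in this session")
        total += rec["amount"]
    try:
        tampered = client_amount is not None and Decimal(str(client_amount)) != total
    except InvalidOperation:
        tampered = True
    if tampered:  # worth logging: the client sent an amount the server never issued
        raise Rejected("amount in request differs from server records")
    order_id = secrets.token_urlsafe(16)
    ORDERS[order_id] = {"challans": ids, "amount": total}
    return order_id, total  # only this total is handed to the gateway

def confirm_payment(order_id, gateway_paid_amount):
    """Mark paid only if the (already authenticated) gateway callback reports the stored amount."""
    order = ORDERS.get(order_id)
    if order is None or Decimal(str(gateway_paid_amount)) != order["amount"]:
        return False
    for cid in order["challans"]:
        CHALLANS[cid]["paid"] = True
    del ORDERS[order_id]
    return True

def download_receipt(session_vehicle, receipt_id):
    """Object-level authorization: serve a receipt only to its owner."""
    if RECEIPTS.get(receipt_id) != session_vehicle:
        raise Rejected("receipt not found")  # same reply for missing and foreign ids
    return f"receipt {receipt_id} for vehicle {session_vehicle}"
```

Random, unguessable receipt ids make enumeration harder, but it is the ownership check that closes the IDOR.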

In return, I did not get anything for this. But overall, after reporting 40+ vulnerabilities in the Government domain to the National Critical Information Infrastructure Protection Centre (NCIIPC), I got my name mentioned in the April 2022 Newsletter.

Newsletter of April 2022

Connect With R00tKid on Social Media

GitHub: @im-rootkid
Twitter: @im_rootkid
Instagram: @im_rootkid/
LinkedIn: @pavan-saxena-

Thank You For Reading,

Happy Hacking !!!!
