How I doubled the store wallet amount for free?

Shubham Sonani
7 min read · Dec 20, 2023


Hello guys, I hope you all are doing well.

In this blog I am going to show how, on a famous e-commerce store, I was able to double my wallet balance and how I increased the amount beyond the 2000 Rs limit.

I recently came across a popular e-commerce website that sells clothing. As this was private testing, I will call the domain redacted.com in this walkthrough. I was given the URLs below as in scope.

  1. https://cart.redacted.com/cart
  2. https://cart.redacted.com/checkout
  3. https://cart.redacted.com/order-listing
  4. https://cart.redacted.com/order-status
  5. https://cart.redacted.com/order-cancel
  6. https://cart.redacted.com/order-details

Overview of the application: the application has a wallet that contains two options, “Redacted Credit” and “Redacted Cash”. When a user places an order, the “Redacted Credit” is automatically deducted from the final total. If the user has “Redacted Cash”, there is an option on the cart page to select that cash amount to be deducted from the final total as well. But there is a catch: if the wallet amount is applied, users cannot use “Cash On Delivery” as an option; only UPI/Netbanking or Debit/Credit Card can be used to place the order. The company had provided a small amount in the “Redacted Wallet” and 500 Rs as “Redacted Cash”.

Note: “Redacted Credit” is only credited to the account through cashback vouchers; there is no user interaction through which you can manipulate it. “Redacted Cash” is credited through refunds or gift cards.

Initially, I was not able to find anything interesting. The only vulnerabilities I found were that in one API the session was not validated and in a second API random PII data was visible. I was not interested in those. I tried a lot of things, like adding an item, placing an order, cancelling the item, going through the Burp history and reading the JavaScript for secrets or requests that could get me a high-severity vulnerability, and the result was null.

I took a break and came back, then tried to place an order again and captured all the requests freshly in Burp Suite. The initial wallet balance is shown below →

1. Initial wallet balance

I fired up Burp and added one item to the cart for Rs 999. As per the flow, the application automatically used Rs 999 of credit and deducted it from the overall total. The overall total was “0” Rs.

2. order value

As expected, when I clicked the “Order Now” button, the application placed an order for that item, and when I checked my “My Orders” page, the order was confirmed.

3. checkout page
4. order confirmed

As this order was placed fully using the “Wallet Amount”, I checked Burp and found one interesting API with a “Payment-type” parameter, which was responsible for creating and placing the order. The remaining wallet amount was “300 Rs”.

5. API for placing order.
6. left balance in wallet.

I had observed earlier that when we click the “Proceed” button to redirect to the “checkout” page, a “checkout.json” request is made to the server. The request’s cookie header contained an identifier and a JWT; it is also possible that it used a “session_id” to store information, because that request was used to check the products that had been added to the cart.

7. checkout.json request -> contains all info about product and cart value.

As per the flow of the application, when the cart uses the “Redacted Wallet” amount, users cannot place the order using the “Cash on Delivery” option. They have to pay the remaining amount using NetBanking/UPI or Debit/Credit Card. I thought: what if I force the application to place the order using the “Cash on Delivery” option while it is utilizing the “Redacted Wallet” amount, to check how it behaves and how it handles the wallet amount?

8. sample request of the API responsible for placing the order.

So, I added two of the same item to the cart and, obviously, the application used the remaining wallet amount of “300 Rs” and deducted it from the overall total.

9. New Order
10. Checkout Page

So, as I mentioned earlier, there was an API to place the “Order” that had a “payment_type” parameter. I clicked the “proceed” button and, as expected, the application made a “checkout.json” request.

11. checkout.json request -> copy the cookie

I copied the whole “cookie” header, pasted it into that “Order” API request and changed the value of the “Payment_type” parameter to “COD” to force the application to place the order using “Cash on Delivery”, and BOOOOOMM!!!! The application did place the order, and it had used “300 Rs” from the wallet. So at this point I had 3 orders confirmed on the “My Orders” page:

  1. Order with 999 Rs.
  2. Order with 999 Rs x 2 = 1998 Rs.

As soon as they were confirmed, I cancelled all the orders. Then I opened the “My Wallet” page and refreshed it. Voila, I did receive an extra 300 Rs in my wallet.

12. API request replaced with latest cookie from checkout.json request
13. 3 orders placed and confirmed.
14. first and second order cancelled.
15. cancelling first order
16. breakup of first order.
17. updated wallet balance.

How did it happen?

It was observed that when we force the application to place an order with “COD” while it is using the “Redacted Wallet” amount, the server miscalculates the value when we cancel. The amount that was deducted from the second order, which was “300 Rs”, was received back, but the item value, which was “Rs 999”, was also credited to the wallet. And after cancelling the first order, I got back the “999” Rs that had been used. Now, technically, 999 + 999 + 300 should be 2298 Rs. To get the extra Rs, I re-performed the above steps, and I got the whole 2000 Rs credited to my wallet.
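The root cause above is a server that trusts the client's payment type and then refunds more than it collected. The following is an added example, not the store's code, that models the two-wallet flow described in this post and shows the two server-side rules that would have closed the bug: the server decides whether COD is permitted from whether any wallet money was applied, and a cancellation refunds exactly what a per-source charge ledger says was taken, never the item value. All names (Store, Wallet, Order, OrderError) and the rupee amounts in demo() are assumptions constructed for the example.

```python
"""Order placement and cancellation with a per-source charge ledger (added example)."""
from dataclasses import dataclass, field

WALLET_SOURCES = ("credit", "cash")       # "Redacted Credit" / "Redacted Cash"
EXTERNAL_TYPES = ("UPI", "CARD", "COD")   # what the client may send as payment_type


class OrderError(ValueError):
    pass


@dataclass
class Wallet:
    credit: int = 0   # auto-applied to every order
    cash: int = 0     # applied only when the user opts in on the cart page


@dataclass
class Order:
    order_id: int
    item_total: int
    charged: dict = field(default_factory=dict)  # source -> rupees actually taken
    status: str = "confirmed"


class Store:
    def __init__(self, wallet):
        self.wallet = wallet
        self.orders = {}
        self._next_id = 1

    def place_order(self, item_total, payment_type, use_cash=False):
        if item_total <= 0 or payment_type not in EXTERNAL_TYPES:
            raise OrderError("bad order request")
        # Work out what the wallet covers *before* trusting the client's payment_type.
        credit_used = min(self.wallet.credit, item_total)
        remaining = item_total - credit_used
        cash_used = min(self.wallet.cash, remaining) if use_cash else 0
        remaining -= cash_used
        # Rule 1: wallet money applied => COD is not an option, whatever the request says.
        if credit_used + cash_used > 0 and payment_type == "COD":
            raise OrderError("COD is not allowed when wallet funds are applied")
        self.wallet.credit -= credit_used
        self.wallet.cash -= cash_used
        charged = {"credit": credit_used, "cash": cash_used}
        if remaining > 0:
            charged[payment_type] = remaining  # collected by the gateway, or on delivery
        order = Order(self._next_id, item_total, charged)
        self.orders[order.order_id] = order
        self._next_id += 1
        return order

    def cancel_order(self, order_id):
        order = self.orders[order_id]
        if order.status != "confirmed":
            raise OrderError("order is not cancellable")
        order.status = "cancelled"
        # Rule 2: give back only what was taken, source by source. Wallet sources return
        # to the wallet; a gateway amount goes back to the gateway; COD was never collected.
        self.wallet.credit += order.charged["credit"]
        self.wallet.cash += order.charged["cash"]
        return {k: v for k, v in order.charged.items() if k in WALLET_SOURCES}


def demo():
    # Constructed scenario mirroring the post: 1299 Rs of credit (999 + 300).
    store = Store(Wallet(credit=1299))
    first = store.place_order(999, "UPI")       # credit covers it fully
    try:
        store.place_order(1998, "COD")          # 300 Rs credit would apply -> rejected
        cod_rejected = False
    except OrderError:
        cod_rejected = True
    second = store.place_order(1998, "UPI")     # 300 Rs credit + 1698 Rs via UPI
    store.cancel_order(second.order_id)
    store.cancel_order(first.order_id)
    # Wallet is back to exactly 1299: nothing was created by place + cancel.
    return {
        "cod_rejected": cod_rejected,
        "second_charged": second.charged,
        "credit_after_cancel": store.wallet.credit,
    }


if __name__ == "__main__":
    print(demo())
```

The ledger is the important part: because the refund is computed from what was recorded at placement rather than from the item price or the client-supplied payment type, a forced “COD” cannot turn a 300 Rs wallet debit into a 1299 Rs wallet credit.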

How was I able to bypass the 2000 Rs limit?

I saw on the “My Wallet” page that the application has a limitation of storing up to 2000 Rs. As the vulnerability was crediting extra cash, I thought of re-performing it again and again to get beyond 2000 Rs. And again I was disappointed, as I was not able to add extra money. Here is the catch: the vulnerability mentioned above is what helped me get beyond the 2000 Rs limit, but instead of playing with small-amount orders, what I did was first order a “Rs 1399” product, and as expected the “Redacted Credit” was utilized automatically. So, the total of the first order was “0” Rs.

18. Order of 1399 Rs.
19. Checkout page

The final amount left in the “Redacted Credit/Wallet” was “601 Rs”.

20. Updated wallet balance

Then, as above, I ordered two of the same item and the application deducted “601 Rs”.

21. Application using the remaining credit balance.

I copied the “checkout.json” request’s Cookie and forcefully placed the order using “COD”, as mentioned above.

22. Response of Order API
23. Order Confirmed

Then I cancelled all the orders one by one as fast as possible, and BOOM!!! I got 601 Rs extra. So, the final amount in the “Redacted Wallet” was “2601 Rs”. Now, if we refresh the wallet, the server will deduct 601 Rs, as the limit in the application is “2000 Rs”. So I placed the order without refreshing the wallet, and the application used “2601 Rs” and deducted it from the final amount.
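The cap bypass works because the 2000 Rs limit is applied only when the wallet page is rendered, while checkout spends whatever balance is stored. The following is an added example, not the store's code, contrasting a wallet that clamps on read (modelling the behaviour observed above) with one that enforces the cap on every credit so that every reader, including checkout, sees the same bounded balance. Class names, method names and the 2000/601 Rs figures in demo() are constructed for the example.

```python
"""Wallet cap enforced at write time versus only at display time (added example)."""

WALLET_CAP = 2000  # the store's stated limit, in rupees


class WalletError(ValueError):
    pass


class ReadClampedWallet:
    """Models the observed behaviour: the cap is applied only when the page is rendered."""

    def __init__(self, balance):
        self._balance = balance

    def credit(self, amount):
        self._balance += amount            # no cap check on the write path

    def display(self):
        # "Refreshing the wallet" clamps the stored value, but only if someone looks.
        self._balance = min(self._balance, WALLET_CAP)
        return self._balance

    def spendable(self):
        return self._balance               # checkout reads the raw stored value


class CappedWallet:
    """Hardened form: the stored balance can never exceed the cap, so every reader agrees."""

    def __init__(self, balance):
        if not 0 <= balance <= WALLET_CAP:
            raise WalletError("initial balance outside [0, cap]")
        self._balance = balance

    def credit(self, amount):
        """Credit up to the cap and return the overflow, which the caller must route
        somewhere explicit (for example back to the original payment method) rather
        than leave in the wallet or silently drop."""
        if amount < 0:
            raise WalletError("credit must be non-negative")
        room = WALLET_CAP - self._balance
        credited = min(amount, room)
        self._balance += credited
        return amount - credited

    def debit(self, amount):
        if not 0 <= amount <= self._balance:
            raise WalletError("insufficient wallet balance")
        self._balance -= amount

    def display(self):
        return self._balance               # no clamping needed: invariant holds on write

    def spendable(self):
        return self._balance               # same number the page shows


def demo():
    # Constructed scenario: wallet already at the cap, then a cancellation credits 601 Rs
    # more than it should (the over-refund from the earlier section).
    leaky = ReadClampedWallet(WALLET_CAP)
    leaky.credit(601)
    leaky_spendable = leaky.spendable()    # 2601: checkout sees the over-cap balance
    leaky_display = leaky.display()        # 2000: only the page refresh clamps it

    capped = CappedWallet(WALLET_CAP)
    overflow = capped.credit(601)          # 601 comes back to the caller; balance stays 2000
    return {
        "leaky_spendable": leaky_spendable,
        "leaky_display": leaky_display,
        "capped_spendable": capped.spendable(),
        "overflow": overflow,
    }


if __name__ == "__main__":
    print(demo())
```

Enforcing the invariant on the write path also removes the race the post relies on: there is no window between "credited" and "refreshed" in which an order can consume an over-cap balance.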

24. Orders Cancelled
25. Updated Wallet Balance
26. Ordering Items with extra money
27. Checkout Page and application using money beyond its limitations.

This is how a common business logic bypass helped me get free money from a popular e-commerce website.
