If you’re looking to find something, don’t follow the path that’s already been prepared, try a strange path
I want to write about a usual and still important way to find bugs; I myself found a very important bug using this method, which led to purchasing even VIP tickets without paying any money. It was on one of the online ticketing websites for events, concerts, and theaters. I’m not mentioning the website’s name, and after I reported it, hopefully they fixed the bug.
The reason I’m writing about it now is that I normally use this method to find flaws in other web apps as well. Not always, but it often works. This is a common method for finding bugs, and it’s a question for me why developers don’t test it themselves. The problem may lie in weak design, not in your code. So, test it.
The method is quite simple: in online selling systems, add a small item to the cart, maybe you have a valid discount code, add that too, proceed to the checkout stage, and observe and record all the requests and responses (Burp Suite will help you a lot). Read them all and understand what’s happening. Then, try proceeding with an invalid discount code, and again, read the requests and responses. Understand what requests are being sent and what responses are being returned. Now start the game.
Does sending a successful response of a previous discount code validation or purchase trick the system? Can you use the ID of a valid discount code you used in a previous purchase? Some discount codes have group IDs; maybe you can use these IDs! Some systems have weak security designs.
Using the ID of a valid discount code in a subsequent purchase may lead to results, although this depends on the specific design and implementation of the system. Some discount codes may be specifically assigned to an individual or group and may only be usable for subsequent purchases by that individual or group.
However, some systems may have security weaknesses that let these methods actually affect the purchase. For example, if a system has a security flaw in discount code validation and only checks the validity of the code without verifying the owner of the code, reusing a valid discount code might yield results.
These methods can be useful for security testing and identifying system weaknesses. By testing these vulnerabilities, programmers can enhance system security and make necessary improvements in design and implementation.
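To make the flaw described above concrete for developers, here is an added example (not code from the website in question) of a checkout that only checks that a discount ID exists, next to one that also checks the owner and remaining uses. All IDs, user names and prices are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Discount:
    percent: int
    owner: Optional[str]          # None means a public code
    max_uses: int
    used_by: list = field(default_factory=list)

# Constructed sample data (hypothetical IDs, users and prices in cents).
DISCOUNTS = {
    101: Discount(percent=100, owner="alice", max_uses=1),
    202: Discount(percent=10, owner=None, max_uses=1000),
}
PRICES = {"vip": 25000, "standard": 5000}

def checkout_weak(user: str, item: str, discount_id: Optional[int]) -> int:
    """Flawed design: any existing discount ID is accepted from any user."""
    d = DISCOUNTS.get(discount_id)
    percent = d.percent if d else 0
    return PRICES[item] * (100 - percent) // 100

def checkout_hardened(user: str, item: str, discount_id: Optional[int]) -> int:
    """Re-validate at checkout: existence, ownership and remaining uses."""
    price = PRICES[item]          # price comes from the server, never the client
    if discount_id is None:
        return price
    d = DISCOUNTS.get(discount_id)
    if d is None:
        raise PermissionError("unknown discount code")
    if d.owner is not None and d.owner != user:
        raise PermissionError("discount code not issued to this user")
    if len(d.used_by) >= d.max_uses:
        raise PermissionError("discount code already redeemed")
    d.used_by.append(user)        # record redemption before confirming the order
    return price * (100 - d.percent) // 100

def rejected(user: str, item: str, discount_id: int) -> bool:
    """True when the hardened checkout refuses the request."""
    try:
        checkout_hardened(user, item, discount_id)
        return False
    except PermissionError:
        return True
```

The hardened version repeats every check at the moment of purchase instead of relying on an earlier validation step, which is why a reused ID or a second redemption is refused.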
As you can see, the method is simple: understand the system and try entering incorrect data, or do something the system doesn’t expect. Sometimes you need to compare the incorrect result with the expected one and see how you can play with that.
This behavior isn’t just about finding bugs, it’s valid for any system you want to bypass.