BOOK THIS SPACE FOR AD
ARTICLE ADThis is an e-commerce application, which is a digital platform that facilitates buying and selling goods or services over the internet. The application provides n of features to enhance the user experience.
In this blog, we’ll deep dive into several business logic flaws that can pose significant risks to both the financial stability and reputation of a company. We’ll explore how attackers can exploit these flaws to their advantage, potentially causing substantial damage. By understanding these vulnerabilities, businesses can take proactive measures to mitigate risks and safeguard their operations and reputation.
Description of the feature:
The application has a feature to provide 1-month of free access to a pro account to the user, who is using the referral code of their friends, while signing-up for the application.
Attack Scenario:
While signing up for the application, the attacker must find the HTTP request, which gives the pro account for 1 month. The attack will change the no of days to n days and the attacker will get access to pro for unlimited days, which is a huge financial loss for that organization.
Step To Perform Attack:
Enter the referral code and capture the request.Replace the reward_duration value from n of days and forward the request.The attack will get access to the pro account for n of days.Description of Feature:
This online application has a chat support system, through which you can raise your concern and cancel the product, or do inquiries about the product.
Attack Scenario:
This chat system does not have backend checks, which means if you send them an order ID and ask them to cancel, they will not check whether this order ID belongs to you or not, they will directly cancel and share the order details with you. I found this vulnerability on a very popular website.
Steps To Perform Attack
Go to the chat support moduleInitiate the chat and send the order ID and ask them to cancel the order or get the order details. This order detail contains lots of sensitive information like your personal address, mobile number, etc.Description of Feature:
This feature allows a user to buy the product and choose the COD option as a payment option.
Attack Scenario:
So according to application logic, if the user wants to choose the COD option for buying the product, the user has to shop a minimum of X rs amount. For example, if the user will shop for 1000 rs, then only the user is eligible for the COD option, otherwise, the user has to use the online payment option.
The reason why the company set this limit for the COD, is because every time we choose the COD method, the merchant has to pay some amount to the delivery boy.
So as attackers, we will shop for less than 1000 rs, and place the order with the COD option.
Steps To Perform Attack
Go to the website and select the product worth less than 1000 rs.Choose any online payment option and capture the request.In the post body, their payment_type parameter will get passed, which value, will indicate which kind of payment method we have chosen, for example, if it’s showing 1, which means we have chosen PhonePe as a payment option, in the same way, there is one value, which indicates we have to choose COD as a payment method.We will replace the payment_type value with the COD value and the order will get placed with the COD option.Description of Feature:
The application has a feature to add a certain amount to your account and use a coupon code and you will get cashback.
Attack Scenario:
Let’s take an example, the application is giving 10% cashback for adding 500 rs. So as an attacker what we can do is here, we will use the same coupon code for adding less than 500 amounts and get the 10% discount.
Steps To Perform Attack
Log in to the application and go to add money module.Add 500 rs money and get a 30% discount.Enter 50 rs and apply the given coupon code and capture the given HTTP request.Description of Feature:
This is an online application, where you can buy the product and you will get a scratch card, and you will get some cashback via scratching the card.
Attack Scenario:
The application has the feature to scratch the card and get money. Due to improper handling of tasks in a specific sequence of times, an attacker can get 3 Times money from a single scratch card.
Steps To Perform Attack
Scratch the card and capture the request in the burp suite.Send this request to the turbo intruder / IntruderStart the attack and you will get 3 times the money from one single scratch card.Description of Feature:
The application provides the x % discount if you shop for a certain amount, for example 10% discount if you shop for 2000 rs.
Attack Scenario:
In this scenario, an attacker can shop for 2000 rs and once the attacker will receive all products, the attacker will return some products and get the advantage of the discount on other products.
Steps To Perform Attack
Log in to the application.Shop for 3 products worth rs 3900 rs. and use the coupon code “XYZ” and now this coupon code gives you a discount on each product individually worth rs 300 on each product. So each product price is 1000 rs after discount.The attacker received 3 of the orders.Now attacker returns the two products and kept only one product.So that attacker can buy one product worth rs 1000(Gets 300 rs discount) and the remaining two products money he will get to return in his account.This is how the attacker can use coupon code discounts without purchasing a certain amount of purchase required for the coupon code.Description of Feature::
This application is an online shopping website, where you can buy the product and in-house employees get an option to purchase the product for free.
Attack Scenario:
The application has an option that employees of that organization can buy the product for free. This option is only available to that organization’s employees, other users can’t buy the product for free. As an attacker will buy the product for free.
Steps To Perform Attack:
Analyze the JS files and look for endpoints like freecheckout etc.Buy any product with any option COD, Gpay, etc.Replace the API endpoint with freecheckout endpoint.In the post-body data, there is one parameter, which indicates what kind of payment option you have chosen for example COD, etc.Brute the value of that parameter and you will get a valid parameter value for the free checkout endpoint.Forward the request and you are able to buy the product at zero cost.Description of Feature:
It’s an e-commerce website, which provides a feature to buy the products on EMI (you can buy the products by paying the amount in monthly installments)
Attack Scenario:
The application has a feature to buy the product with the EMI option. If we are choosing the EMI option, the user has to pay 12% interest on that. Improper checks on the backend, allow an attacker to tamper with the interest rate, for example, if the interest rate is 12%, the attacker can make it 1 %, which is a huge financial loss for that organization.
Steps To Perform Attack
Select the product and choose the option EMICapture the request and observe that there is one parameter passing called “Interest Rate” whose value is 12 %, change is to 1% or 0.Forward the request, now every month the attacker has to only pay 1% interest, instead of 12%.Description of Feature:
This is an e-commerce kind of application , where you can add multiple products and buy the products together.
Attack Scenario:
The application has a feature of adding the multiple product in the cart, as an attacker will add one product with negative quantity value, and add other products , so overall price gets decrease (-Quantity*Price + Quantity*Price=Less Price)
Steps To Perform Attack
Go to the application and add the product to the cart and capture the HTTP request.Add negative symbol in quantity parameter and forward the requestAdd more products and buy the productsE-commerce apps are prone to security risks because they handle financial transactions and store personal data. Users trust these platforms with their money and information, so any breach can harm their confidence and the company’s reputation. Protecting e-commerce apps is vital for maintaining user trust and company credibility.
Vaishali Nagori, working as Senior Security Researcher at FEV India. she has dedicated her expertise to assisting CISOs, Security Professionals, and Developers in ensuring the end-to-end security of their organisation. Vaishali specializes in conducting comprehensive security assessments of Web Applications, APIs, Android, and iOS.
DID YOU ENJOY THE BLOG??? IF SO, THEN LET ME KNOW BY LEAVING A COMMENT HERE AND GIVING CLAP……..
And Do you know in medium if you really like someones blog you can almost give 50 claps…….
Reviews are the lifeblood of independent authors. Even a few words
and a rating, would mean a lot to me