How I was able to buy a product for free — $$$


Radian ID


Hi everyone, I hope you are well. It has been a long time since I last wrote. In this article I will share a finding: how I was able to get a product for free just by changing the quantity to a negative value. So let's get started.

The target was an email infrastructure provider for internet businesses. It offered many features you could buy, such as email automation, DKIM & SPF, a landing page builder, Shutterstock images, etc. I can't disclose the website because the company has not approved disclosure, so let's call it target.com.

First I registered on the website and tried the reset password feature, looking for a Host Header Injection or token disclosure, but I had no luck. So I moved on to the dashboard and tried to find bugs such as IDOR, CSRF and XSS, but again no luck :(

Then I found a page where I could buy a product; I chose Shutterstock Images.

As you can see in the image, you can buy 1 Shutterstock Premium Image for 50.000 IDR or 3.49 USD. There were many payment methods; I chose the Go-Pay payment method, clicked Buy This Product, and got this request:

Request body

You can see there was an item_qty parameter with the value 1. I just changed the value from 1 to -1 to see what would happen next.

Changed the value to negative by adding (-)

Paid without paying

The program processed that and treated it as a valid order. The status automatically changed to PAID without any payment being made.
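The flaw described above is a server that trusts the client-supplied item_qty and derives the amount due from it, so a negative quantity yields a total that any payment (including none) satisfies. The following Python is an added example, not the target's code: it contrasts that logic with a hardened version that validates the quantity and recomputes the total server-side. The unit price is the 50.000 IDR from the page; MAX_QTY, the function names and the PAID/PENDING status strings are assumptions.

```python
from decimal import Decimal

UNIT_PRICE_IDR = Decimal("50000")   # 50.000 IDR per premium image, as quoted on the page
MAX_QTY = 100                        # assumed per-order limit (not from the page)


class InvalidOrder(ValueError):
    """Raised when a client-supplied order field fails server-side validation."""


def status_vulnerable(item_qty: int, amount_paid: Decimal) -> str:
    """Trusts item_qty exactly as sent by the client.

    With item_qty = -1 the total becomes -50000, so the 'amount_paid >= total'
    check passes with nothing paid and the order is marked PAID.
    """
    total = UNIT_PRICE_IDR * item_qty
    return "PAID" if amount_paid >= total else "PENDING"


def parse_qty(raw) -> int:
    """Accept only a plain positive integer within the business limit.

    Rejects negatives, zero, floats, booleans and non-numeric strings.
    """
    if isinstance(raw, bool):
        raise InvalidOrder("quantity must be an integer")
    try:
        qty = int(str(raw).strip())
    except ValueError:
        raise InvalidOrder("quantity must be an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise InvalidOrder(f"quantity out of range: {qty}")
    return qty


def status_hardened(raw_qty, amount_paid: Decimal) -> str:
    """Validates the quantity, then recomputes the total on the server.

    Because qty is guaranteed to be in [1, MAX_QTY], the total is always
    positive and a zero payment can never satisfy it.
    """
    qty = parse_qty(raw_qty)
    total = UNIT_PRICE_IDR * qty
    return "PAID" if amount_paid >= total else "PENDING"
```

In a real deployment the comparison would be against the amount the payment gateway confirmed, never against a client-reported figure.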

I then reported this vulnerability to their team and was awarded a $100 bounty, even though the company doesn't have a bug bounty program.

Awarded $100

I hope you enjoyed my writeup. See you in the next article.

./Logout
