Parameter Tampering ₹→$

3 years ago

SuneetSingh

Hell0 W0rld,

First, What is the Parameter Tampering?

As the name suggests, parameter tampering is the manipulation of a parameter exchanged between client and server in HTTP requests and responses. Parameters carry information such as currency type, country code, price and permissions, which applications use to extend a website's functionality and to modify application data.

Simply put, parameters carry specific data back and forth between client and server. If manipulated data is sent to the server and the server neither verifies it nor processes it securely, the application can be made to behave in a malicious manner; this is known as a parameter tampering attack.

Now straight to the vulnerability,


I was specifically looking for parameter tampering vulnerabilities on a sports-based e-commerce website using Burp Suite. I was trying basic amount manipulation by changing the amount of money, but it didn't work, as there were some verifications at the backend which kept correcting the amount on checkout.

So I tried changing the currency parameter from INR to USD, which changed the checkout amount from INR (Indian Rupees) to its USD (US dollar) equivalent, but -


-it did not change the currency type from INR to USD at checkout, i.e., on checkout it was still showing INR instead of $ USD, but with the manipulated USD-equivalent price of that product, and I was able to check out with the manipulated price.

(Screenshot: Parameter)

(Screenshot: Original Prices)

(Screenshot: Manipulated Amount)
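To make the failure concrete, here is an added Python example (not the site's code; the SKU, base price and exchange rate are constructed): the vulnerable handler recomputes the amount on the server, so tampering with `amount` fails, but it trusts the client's `currency` parameter while still charging in INR; the fixed handler takes the currency from the server-side session and flags requests whose client-supplied fields disagree with the server's values.

```python
from decimal import Decimal

# Constructed sample catalogue (base prices in INR) and FX rate; assumptions, not real data.
CATALOGUE = {"jersey-01": Decimal("2000.00")}
USD_PER_INR = Decimal("0.012")
SUPPORTED = ("INR", "USD")


def convert(base_inr: Decimal, currency: str) -> Decimal:
    """Convert an INR base price into the given currency, rounded to 2 places."""
    if currency == "USD":
        return (base_inr * USD_PER_INR).quantize(Decimal("0.01"))
    return base_inr


def checkout_vulnerable(request: dict) -> dict:
    """Amount is recomputed server-side, but the conversion is driven by the
    client's 'currency' while the charge is always made in INR, so a request
    with currency=USD is charged the USD figure as rupees."""
    base_inr = CATALOGUE[request["sku"]]
    amount = convert(base_inr, request.get("currency", "INR"))
    return {"amount": amount, "charged_in": "INR"}


def checkout_fixed(request: dict, session: dict) -> dict:
    """Currency comes from the server-side session, never from the request,
    and the charged currency is the same one used for the conversion."""
    currency = session.get("currency", "INR")
    if currency not in SUPPORTED:
        raise ValueError("unsupported currency")
    base_inr = CATALOGUE[request["sku"]]
    return {"amount": convert(base_inr, currency), "charged_in": currency}


def tampered_fields(request: dict, session: dict) -> list:
    """Detection helper: names the client-supplied fields that disagree with
    the server's own values, so such requests can be logged and alerted on."""
    expected = checkout_fixed(request, session)
    mismatches = []
    if "currency" in request and request["currency"] != expected["charged_in"]:
        mismatches.append("currency")
    if "amount" in request and Decimal(str(request["amount"])) != expected["amount"]:
        mismatches.append("amount")
    return mismatches
```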

I reported this bug, they fixed it, and it got accepted under P3. Hope you people find this writeup informative; any feedback is welcome.

🙏
