Hey there, hackers!
In this article, I’m going to spill the beans on my latest pentesting adventure with my friend Hx0_0h4nf1 on a private book-selling website, x.com. I stumbled upon a business logic bug that lets me buy any number of books for a grand total of $0. Ready to dive into the chaos? Let’s go!
As usual, I started by checking for the classic OWASP Top 10 classes such as CSRF and SQLi, but I didn’t find anything. So I decided to look for logic bugs, because they tend to pop up everywhere. I thought, “Let’s buy some books and see if there’s an IDOR or something else.” But before that, I took a closer look at the request parameters, and that’s when I struck gold!
When I played around with the item parameters, items[...][qty]=1&items[...][price]=250&items[...][amount]=250, it didn’t work: the server ignored my changes and the price stayed the same, which suggested it was recomputing line totals from its own price list rather than trusting the submitted values.
I didn’t give up and decided to try a different technique. First, I reviewed my notes on similar scenarios. Then I went looking for hidden parameters, the kind of field a developer might consider safe simply because it is not visible in the form.
I found 11 hidden parameters in the request that places the order. I had already played with all of them except one, shipping_fees, which adds the shipping cost to the order total. A fee that the client supplies and the server adds to the total is just as much under the attacker’s control as the price itself, so what if I played around with it?
And boom! It happened: I found a logic bug that allows me to buy any number of books for $0.
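To make the flaw concrete, here is an added example (not code from the post, and not the site’s own back end) that reconstructs what a checkout handler looks like when it trusts a client-supplied shipping_fees field, beside a hardened version that recomputes every monetary value server-side. The catalogue, the flat shipping rate, the product ids and the tampered value -250 are all assumptions for illustration; the post does not say which value was actually sent.

```python
from decimal import Decimal

# Constructed server-side catalogue and flat shipping rate. These are
# assumptions for the example; the post shows neither prices nor back end.
CATALOGUE = {
    "book-101": Decimal("250.00"),
    "book-102": Decimal("120.00"),
}
FLAT_SHIPPING = Decimal("30.00")


def vulnerable_total(form):
    """Flawed checkout: every monetary field, including the hidden
    shipping_fees field, is read from the request and trusted."""
    total = Decimal("0")
    for item in form.get("items", []):
        total += Decimal(item["amount"])            # client says what each line costs
    total += Decimal(form.get("shipping_fees", "0"))  # hidden field, also client-controlled
    return total


def hardened_total(form):
    """Server-side recomputation: only product id and quantity are taken
    from the client; price, line amount and shipping come from the server.
    Raises ValueError on any tampered or malformed input."""
    items = form.get("items") or []
    if not items:
        raise ValueError("order contains no items")
    total = Decimal("0")
    for item in items:
        sku = item.get("id")
        if sku not in CATALOGUE:
            raise ValueError(f"unknown product {sku!r}")
        try:
            qty = int(item["qty"])
        except (KeyError, TypeError, ValueError):
            raise ValueError("quantity must be an integer")
        if not 1 <= qty <= 100:
            raise ValueError("quantity out of range")
        total += CATALOGUE[sku] * qty
    # Client-supplied price, amount and shipping_fees are ignored entirely;
    # the fee is a server-side constant (or a server-side lookup in practice).
    return total + FLAT_SHIPPING


def rejects(form):
    """True if the hardened handler refuses the order."""
    try:
        hardened_total(form)
    except ValueError:
        return True
    return False


# Constructed request in which the hidden shipping_fees field has been
# tampered with so that it cancels the line amount (hypothetical value).
TAMPERED_ORDER = {
    "items": [{"id": "book-101", "qty": "1", "price": "250", "amount": "250"}],
    "shipping_fees": "-250",
}

# Constructed request with a quantity the hardened handler must refuse.
ZERO_QTY_ORDER = {
    "items": [{"id": "book-101", "qty": "0", "price": "250", "amount": "0"}],
    "shipping_fees": "30",
}

if __name__ == "__main__":
    print("vulnerable total:", vulnerable_total(TAMPERED_ORDER))
    print("hardened total:  ", hardened_total(TAMPERED_ORDER))
    print("zero qty rejected:", rejects(ZERO_QTY_ORDER))
```

The point of the hardened version is not input filtering on shipping_fees (blocking negative numbers would still leave a client-controlled fee); it is that the server never reads a monetary value from the request at all, so there is nothing left to tamper with.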
And finally,