Price Manipulation Vulnerability: Potential Exploitation in Dating Website


ssl_

Hello hackers, welcome back with another vulnerability.

As its name implies, parameter tampering is the modification of a parameter that is exchanged between the client and the server in HTTP requests and responses. Parameters carry information such as currency type, country code, price and permissions that the application uses to drive its functionality and change application data.

Simply put, parameters transfer specific data back and forth between the client and the server. If altered data reaches the server and is accepted without being validated against server-side state, an attacker can manipulate the application's behaviour; this is known as a parameter tampering attack. The root cause is trust: anything the client sends, including hidden form fields, can be intercepted and rewritten before it reaches the server.

I discovered this flaw through a private bug bounty program, so I won't share the application's name. 😐

While going through the application, I discovered that it unlocks additional features when you purchase a subscription. So I began looking for a parameter tampering vulnerability. After some time, I realised that the HTTP request for a purchase includes a price parameter. I simply changed the real price in that parameter to 1 and forwarded the request, and the membership fee I was charged was one rupee.
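To make the flaw and its fix concrete, here is an added example (not code from the original write-up or from the affected application) that models the two sides of the bug described above: a purchase form body with a client-supplied price, a helper that rewrites one parameter the way an intercepting proxy's repeater does, a checkout handler that trusts the client's price, and a hardened handler that takes the price from a server-side catalogue and rejects any mismatch. The plan names, prices and the captured request body are constructed for illustration.

```python
import urllib.parse
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


@dataclass
class Charge:
    plan_id: str
    amount: Decimal  # amount the payment gateway will be asked to collect


class TamperedRequest(Exception):
    """Raised when a request carries a price the server does not agree with."""


# Constructed catalogue (assumption): the server's authoritative prices in INR.
CATALOGUE = {
    "premium_monthly": Decimal("499.00"),
    "premium_yearly": Decimal("3999.00"),
}

# Constructed capture (assumption): body of the original buy-membership POST.
ORIGINAL_BODY = "plan_id=premium_monthly&price=499.00&currency=INR"


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a dict."""
    return dict(urllib.parse.parse_qsl(body, keep_blank_values=True))


def tamper_param(body: str, name: str, value: str) -> str:
    """Rewrite one parameter in a form body, as you would in an intercepting
    proxy's repeater. Other parameters and their order are preserved."""
    pairs = urllib.parse.parse_qsl(body, keep_blank_values=True)
    return urllib.parse.urlencode(
        [(k, value if k == name else v) for k, v in pairs]
    )


def vulnerable_checkout(form: dict) -> Charge:
    """Trusts the client-supplied price: changing price=499.00 to price=1 in
    the intercepted request yields a one-rupee membership."""
    return Charge(form["plan_id"], Decimal(form["price"]))


def hardened_checkout(form: dict) -> Charge:
    """The server decides the amount from its own catalogue. A client price,
    if sent at all, is only compared, and any mismatch aborts the purchase."""
    plan_id = form.get("plan_id")
    if plan_id not in CATALOGUE:
        raise TamperedRequest(f"unknown plan {plan_id!r}")
    amount = CATALOGUE[plan_id]
    if "price" in form:
        try:
            claimed = Decimal(form["price"])
        except InvalidOperation:
            raise TamperedRequest("price is not a number") from None
        if claimed != amount:
            raise TamperedRequest(
                f"client sent {claimed}, catalogue says {amount}"
            )
    return Charge(plan_id, amount)


def is_rejected(form: dict) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        hardened_checkout(form)
    except TamperedRequest:
        return True
    return False


if __name__ == "__main__":
    tampered = tamper_param(ORIGINAL_BODY, "price", "1")
    print("tampered body :", tampered)
    print("vulnerable    :", vulnerable_checkout(parse_form(tampered)).amount)
    print("hardened orig :", hardened_checkout(parse_form(ORIGINAL_BODY)).amount)
    print("hardened tamp :", is_rejected(parse_form(tampered)))
```

The design point is that the price never needs to travel from the browser at all: the server should create the order and hand the payment provider an amount it computed itself, and the client should only reference that order. Echoing the price back for display is harmless as long as the server treats it as a claim to verify, not a value to bill.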

Now let's look at the PoC:

This image shows the buy-membership functionality in the application.

This image shows the actual price of the membership.

This image shows the captured request with the original price parameter.

This image shows the manipulated request with the modified price parameter.

This image shows the manipulated price successfully accepted by the payment application.

This image shows the payment successfully executed on the payment application.

I really hope that this article was instructive; any comments would be appreciated.
