
SemZ

Let’s look at how a small mistake in an online store for cars can lead to big financial problems.

I was invited to test a popular Motors site. The company wanted to find bugs that could harm their business. One issue I found was a business logic vulnerability.

Issue Summary:

Parameter tampering involves changing user inputs to alter data like product quantities. This data is usually sent in hidden fields or POST requests. In this case, I found a price manipulation bug that’s common in many online shopping carts.

For privacy, we’ll call the site c.com. The main problem was that they never enforced a minimum limit on product quantities. This allowed users to enter negative numbers, which reduced the cart total, and could even drive it to a negative amount.

Impact:

This vulnerability could let users buy items at very low prices, leading to financial loss for the company. By adding lines with negative quantities, the cart total is pulled down to an incorrect, much lower figure.

Steps to Reproduce:

1. Visit c.com: select a product, add it to the cart, and intercept the add-to-cart request using a tool like Burp Suite. Change the quantity to any negative number (screenshot: add to cart request).
2. Add more items to balance the cart: try to make the total price as low as possible by adding more items to the cart.
3. Final total: $1,197 instead of $34,785. Then complete the purchase.
4. Finally, the receipt was sent to my email.

Remediation:

- Server-Side Validation: Make sure all validations are done on the server, not the client side.
- Hash Calculations: When a product is added to the cart, calculate a hash (e.g., MD5) for the request and compare it with the server to detect tampering.
- Input Validation: Implement strict checks for input values to prevent negative quantities.
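The vulnerable and the remediated server-side cart calculation side by side, as an added example that is not code from the original post or from the tested site. The catalogue, SKUs, prices and the tampered cart are constructed; the hardened version implements the server-side and input validation points above.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed catalogue: hypothetical SKUs and server-side prices, not c.com data.
CATALOGUE = {
    "engine-block": Decimal("8500.00"),
    "wheel-set": Decimal("1200.00"),
}


@dataclass(frozen=True)
class LineItem:
    sku: str
    quantity: int  # as received from the client, not yet trusted


def vulnerable_total(items: list[LineItem]) -> Decimal:
    """Before: the quantity is used as sent, so a negative line subtracts value."""
    return sum((CATALOGUE[i.sku] * i.quantity for i in items), Decimal("0"))


def validated_total(items: list[LineItem], max_qty: int = 99) -> Decimal:
    """After: every line item is re-checked on the server before pricing."""
    if not items:
        raise ValueError("empty cart")
    total = Decimal("0")
    for i in items:
        if i.sku not in CATALOGUE:
            raise ValueError(f"unknown product {i.sku!r}")
        # bool is a subclass of int, so exclude it explicitly; floats/strings are rejected too.
        if isinstance(i.quantity, bool) or not isinstance(i.quantity, int):
            raise ValueError(f"quantity for {i.sku} must be an integer")
        if not 1 <= i.quantity <= max_qty:
            raise ValueError(f"quantity {i.quantity} for {i.sku} out of range 1..{max_qty}")
        total += CATALOGUE[i.sku] * i.quantity
    # Defence in depth: a cart that prices at zero or below is never valid.
    if total <= 0:
        raise ValueError("cart total must be positive")
    return total


# Constructed cart shaped like the tampered request: one expensive item plus a
# negative quantity of a cheaper one that drags the total down.
TAMPERED_CART = [LineItem("engine-block", 1), LineItem("wheel-set", -5)]

if __name__ == "__main__":
    print("vulnerable total:", vulnerable_total(TAMPERED_CART))  # 2500.00
    try:
        validated_total(TAMPERED_CART)
    except ValueError as err:
        print("rejected:", err)
```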