Worth 10000$ Cracking the Price Barrier: Exploiting Price Tampering on an E-Commerce Website


Abhijeet kumawat

Hello, everyone! 👋

I’m Abhijeet Kumawat, a passionate security researcher 🕵️‍♂️, and today, I’m excited to share an interesting vulnerability I discovered while casually shopping online. In this blog post, I’ll break down the steps of how I exploited a Price Tampering vulnerability to purchase items worth ₹6284 for just ₹1.

🔑 Summary: By intercepting and modifying the HTTP request during checkout, I found a way to manipulate the total amount parameter (Amount=6284) to a mere ₹1. This allowed me to bypass payment validation, enabling unauthorized price modification.

Let’s dive into the step-by-step journey! 🚀

It all started while I was browsing on Shopping.com. After adding items worth ₹6284 to my cart, I had an idea:

💡 “Can I manipulate the checkout process to reduce the price?”

As a security researcher, I couldn’t resist testing the website for vulnerabilities.

To begin the security assessment, I prepared my tools:

- Burp Suite: A popular web application testing tool to intercept and analyze HTTP requests.
- Browser: To interact with the website naturally.
- Configured Burp Suite: I set up Burp Suite to capture all HTTP traffic between my browser and the website.
- Added Items to the Cart: I added my desired products to the cart, and the total cost came to ₹6284.
- Enabled Interception: I turned on Burp Suite’s intercept feature to capture the checkout request.

Once I clicked on the Checkout button, Burp Suite intercepted the HTTP request being sent to the server. Here’s what I noticed:

🔍 The Amount parameter represented the total cost of the items in my cart.

With the captured request in hand, I began experimenting:

- Changed the Amount: I replaced Amount=6284 with Amount=1.
- Forwarded the Modified Request: After editing the request, I forwarded it to the server.
- Disabled Interception: I turned off interception to observe the changes on the website.

After modifying the request, I was redirected to the order confirmation page. Here’s what I discovered:

💡 The total amount displayed on the website was now ₹1.

I proceeded to complete the payment of ₹1, and to my surprise, the transaction was successful. The website allowed me to place an order worth ₹5482 for just ₹1.

This vulnerability existed because the website lacked proper server-side validation for critical parameters like Amount. The server trusted the client’s input without verifying it against the database.

Such vulnerabilities can have significant consequences:

- Financial Loss: Attackers can purchase items at manipulated prices, leading to revenue losses.
- Brand Damage: A breach of this nature can harm the company’s reputation.
- Compliance Violations: Insecure handling of payment data violates standards like PCI DSS.

To prevent such vulnerabilities, developers must:

- Implement Server-Side Validation: Always verify critical parameters, such as Amount, on the server.
- Use Cryptographic Tokens: Protect sensitive parameters with digital signatures or checksums to ensure integrity.
- Validate Payments with the Gateway: Always confirm the final amount with the payment gateway before processing.
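The three fixes above, shown together in an added example that is not the shop's code: the server recomputes the cart total from its own price list, checks the client's Amount against it, verifies an HMAC issued when the cart was rendered, and finally compares what the gateway reports as paid with the order total. The catalog, cart, SKUs and key are constructed for the demo.

```python
import hmac
import hashlib
from decimal import Decimal, InvalidOperation

# Constructed catalog: the server-side price list is the only source of truth.
CATALOG = {"sku-101": Decimal("5283"), "sku-202": Decimal("1001")}
CART = {"sku-101": 1, "sku-202": 1}          # constructed cart, totals 6284
SECRET = b"constructed-demo-key"             # hypothetical key; never leaves the server

def server_total(cart):
    """Recompute the total from CATALOG; a client-supplied Amount is never used."""
    total = Decimal("0")
    for sku, qty in cart.items():
        if sku not in CATALOG or not isinstance(qty, int) or qty < 1:
            raise ValueError(f"invalid cart line {sku!r} x {qty!r}")
        total += CATALOG[sku] * qty
    return total

def sign_amount(order_id, amount):
    """HMAC over order id and server total, issued when the cart page is rendered."""
    msg = f"{order_id}|{amount}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def validate_checkout(cart, order_id, client_amount, client_sig):
    """Return (accepted, reason) for an incoming checkout request."""
    expected = server_total(cart)
    try:
        claimed = Decimal(str(client_amount))
    except InvalidOperation:
        return False, "amount not a number"
    if claimed != expected:
        # Amount=6284 rewritten to Amount=1 is rejected here.
        return False, f"amount mismatch: client {claimed}, server {expected}"
    if not hmac.compare_digest(sign_amount(order_id, expected), client_sig):
        return False, "signature mismatch"
    return True, "ok"

def confirm_gateway_payment(paid_amount, order_total):
    """Last check before fulfilment: the amount the gateway reports must equal the order total."""
    return Decimal(str(paid_amount)) == Decimal(str(order_total))

if __name__ == "__main__":
    sig = sign_amount("ord-1", server_total(CART))
    print(validate_checkout(CART, "ord-1", "6284", sig))     # (True, 'ok')
    print(validate_checkout(CART, "ord-1", "1", sig))        # (False, 'amount mismatch: client 1, server 6284')
    print(confirm_gateway_payment("1", server_total(CART)))  # False
```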

This experience reinforces the importance of server-side validation in protecting sensitive parameters. For fellow researchers, always report such vulnerabilities responsibly and contribute to making the internet a safer place.

If you enjoyed this writeup, feel free to share your thoughts in the comments or connect with me on LinkedIn. Together, we can make the web more secure! 🌐
