Write-up: Business Logic Flaw in Payment Discount Calculation Allows Excessive Discount…


Mostefa Jakboub

Platform: Yogosha private program
Severity: Medium
Reward: €450
Bug Type: Business Logic Flaw

Company name and screenshots will not be disclosed, because it's a private program, “obviously”.

Description:
While hunting and staying up at night to get lucky through Yogosha, I came across a bug in the discount calculation mechanism used for user payments. This bug lets users receive an extra discount while purchasing items, which can cause financial loss for the company and benefit malicious users by unfair means.
The company uses a system to provide discounts to customers who meet certain criteria; this can include using a promotion code, customer loyalty points, among others. In every case, I could bypass the application logic and stack discounts beyond the limits set by the designers.

How to Reproduce …

Initial Purchase: Log in to my account on the company's website and add several items to the shopping cart, amounting to €200.

Apply Discount Code: I applied a valid 20% discount code provided by the company for a promotional activity. The expected total price was indeed reflected at €160.

Business Logic Manipulation: The application did not properly check the stacking of multiple discounts through the discount feature. Therefore, I was able to get a larger discount than expected by doing the following:

I added another discount code that was meant to apply only to a certain category: “Books Only — 15% Off”.
The application applied this discount to the whole order rather than to the intended category, resulting in a total of €136 instead of €160 less 15% on the books alone.

Bypass Checkout Validations: Further testing showed that, by directly manipulating the discount field in the client-side payload sent to the server using browser developer tools, I could inject multiple discount codes simultaneously. The server did not properly validate these changes and recalculated the total price down to an excessively low amount.

Final Payment: I applied many discounts and went to checkout. The final price, however, was €90, whereas it should have been €160.

Expected Behaviour

The system should not allow more than one code per transaction, or at least check that the combined discounts do not exceed a predefined limit. Also, category-specific discounts should apply only to the eligible items in the cart.

Actual Behaviour

Because of the lack of server-side validation, it is possible to stack more than the intended number of discounts through the application. Also, category-specific discounts are wrongly applied to the entire cart.

Potential Impact

An attacker could exploit this to obtain merchandise at considerably lower prices, leading to lost revenue for the company. If the flaw were automated for bulk purchases, the financial damage could be far greater.

TIME TO CASH OUT!!!

Recommendations
Add server-side validation to ensure:

Only one coupon code can be used per transaction!!!!!
Category-specific discounts apply only to the items that belong to that category.
The total discount cannot exceed a predefined percentage threshold.

Validate the input data at the earliest point on the server to prevent malicious use of coupon codes from the client side.

Log suspicious coupon-stacking attempts on the server side.
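The three checks above, shown side by side with the flawed calculation from the write-up, as an added example that is not the vendor's code: the cart, the coupon table, the 30% ceiling and the idea that the client submits only codes (never percentages) are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Prices are integer cents so money arithmetic stays exact.
@dataclass(frozen=True)
class Item:
    name: str
    price_cents: int
    category: str

@dataclass(frozen=True)
class Coupon:
    percent: int
    category: Optional[str] = None  # None means the coupon covers the whole cart

# Hypothetical server-side coupon table; the client only ever submits codes.
COUPONS = {"PROMO20": Coupon(20), "BOOKS15": Coupon(15, category="books")}
MAX_DISCOUNT_PERCENT = 30  # assumed policy ceiling on the total discount

# Constructed cart matching the write-up: EUR 200 in total, EUR 50 of which is books.
CART = [Item("novel", 5_000, "books"), Item("headphones", 15_000, "electronics")]

def flawed_total(items: List[Item], codes: List[str]) -> int:
    """Reproduces the bug: every code is applied to the whole cart and stacks freely."""
    total = sum(i.price_cents for i in items)
    for code in codes:
        total = total * (100 - COUPONS[code].percent) // 100
    return total

def validated_total(items: List[Item], codes: List[str]) -> int:
    """Hardened recomputation done on the server from its own catalogue and coupon table."""
    if len(codes) > 1:
        raise ValueError("only one coupon code per transaction")
    subtotal = sum(i.price_cents for i in items)
    if not codes:
        return subtotal
    coupon = COUPONS.get(codes[0])
    if coupon is None:
        raise ValueError("unknown coupon code")  # client-injected codes are rejected
    # Category coupons discount only the eligible lines, never the whole cart.
    eligible = sum(i.price_cents for i in items
                   if coupon.category is None or i.category == coupon.category)
    discount = eligible * coupon.percent // 100
    if discount * 100 > subtotal * MAX_DISCOUNT_PERCENT:
        raise ValueError("discount exceeds permitted ceiling")
    return subtotal - discount
```

With both codes, `flawed_total` reproduces the €136 seen in the report, while `validated_total` rejects the second code outright and discounts only the books when the category coupon is used alone.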
