So, welcome back to another write-up. This one is late because of my college exams, so without wasting your time let's dig into another price manipulation (price tampering) vulnerability.

Tampering? What is tampering?

Parameter tampering is a web-based business logic attack. It involves manipulating the parameters exchanged between client and server: credentials, permissions, price, the number of products, etc.

How does online payment work?

1. The customer decides which product to purchase from the e-commerce website.

2. When clicking the payment button, the customer is redirected to the order page, enters their payment information (card details, identification, etc.) and then submits the payment request.

3. The online payment provider system sends the customer's payment request to their bank account for purchase approval by the bank.

4. If the customer's card details are valid and there are sufficient funds to complete the transaction, the customer's bank will confirm the purchase. However, if the transaction is declined for any reason (invalid credentials or insufficient funds), then funds will not be transferred, but status information will still be sent to your website.

5. The issuing bank will pass on its approval or refusal to the acquiring bank.

Now that we have a general understanding of how an e-commerce payment works, let's explore the price manipulation vulnerability and look at how it plays out in practice.

Time to go

Once, I was testing a fitness website, which we will call redacted.com. There are two plans, one for 1 month and one for 3 months. I went for the 3 month plan, which comes with a 7 day free trial.

When I proceeded with the 3 month plan and intercepted the request in Burp Proxy, there were 3 parameters: _token, plan_id and amount, where the amount parameter had the value 1899, meaning 1899 INR.

[Screenshot: real price]

Then I simply replaced 1899 with 1.

[Screenshot: tampered price]

I forwarded the request and got a 302 response.

[Screenshot: response]

Then I went to my profile and found that my 7 day free diet plan was activated, but there was also an option to pay for the diet plan, so I clicked on Upgrade Plan.

[Screenshot: upgrade plan]

I found that there was hidden data forwarded to the server for payment processing. In this data the amount was 1, since that is what I had changed it to.

[Screenshot: hidden data]

I forwarded this request and was redirected to the payment gateway. I paid 1 INR for this diet plan and the payment was successful.

[Screenshot: payment successful]

I contacted the company and helped them fix this issue. I also found many other vulnerabilities on redacted.com and helped fix those too. We will discuss them in another write-up; for now it's time to go, bye bye.
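The root cause above is a server that trusts the client-supplied amount. As an added example (not the site's code and not from the original post), this Python sketch shows the vulnerable checkout handler beside a hardened one that derives the charge from plan_id on the server, treats a disagreeing client amount as a tampering signal, and checks the gateway's callback against the server-side price before activating the plan. The plan identifiers and the 1 month price are assumptions; only the 1899 INR figure comes from the write-up.

```python
from decimal import Decimal, InvalidOperation

# Server-side price list keyed by plan_id. Constructed sample data: the
# real site's plan identifiers are unknown; 1899 INR is the 3 month price
# seen in the intercepted request, the 1 month price is assumed.
PLAN_PRICES = {
    "monthly": Decimal("699"),
    "quarterly": Decimal("1899"),
}


class CheckoutError(ValueError):
    """Raised when a checkout or callback fails validation."""


def _parse_amount(raw):
    try:
        return Decimal(str(raw))
    except InvalidOperation:
        raise CheckoutError(f"malformed amount: {raw!r}")


def checkout_vulnerable(form):
    """Trusts the client's amount: replacing 1899 with 1 charges 1 INR."""
    if form.get("plan_id") not in PLAN_PRICES:
        raise CheckoutError("unknown plan")
    return {"plan_id": form["plan_id"], "charge": _parse_amount(form["amount"])}


def checkout_hardened(form):
    """Charge comes from plan_id; any client amount that disagrees is rejected."""
    plan_id = form.get("plan_id")
    if plan_id not in PLAN_PRICES:
        raise CheckoutError("unknown plan")
    expected = PLAN_PRICES[plan_id]
    if "amount" in form and _parse_amount(form["amount"]) != expected:
        # Do not silently "correct" it: a mismatch is a tampering signal to alert on.
        raise CheckoutError(f"amount mismatch for {plan_id}: "
                            f"got {form['amount']}, expected {expected}")
    return {"plan_id": plan_id, "charge": expected}


def verify_gateway_callback(order, callback):
    """Activate the plan only if the gateway captured the order's real price.
    The callback shape is assumed; real gateways also sign their callbacks."""
    if callback.get("status") != "success":
        return False
    return _parse_amount(callback.get("amount", "0")) == order["charge"]
```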


Previous price manipulation post link: https://bepractical.tech/price-manipulation-or-price-tempering/

You can visit my profile and follow me on :

Linkedin : https://www.linkedin.com/in/aakash-patel-6250/

Twitter : https://twitter.com/AAKASH_6250

Youtube : https://youtube.com/channel/UCOjZF3dnFCXhZ4yUtNc7DHA