How a simple manipulation let me buy anything for free?
Hello guys, as you all know my name is Mayank Garg and this is my second blog on my medium. This is not any kind of a write-up or a walkthrough like in my first blog. Rather, this is about a bug I found, exploiting which I could buy anything from that website for completely free.
Heads up, I didn’t buy anything from that website because of the 2 reasons. First, it was not looking promising at all. Second reason is being ethical. LMAO. Only the first reason stopped me from buying. I didn’t send them the report for the very same reason.
If I somehow forget to hide that website’s name somewhere and you find that out, or you find a similar website, do not tamper anything for your greed, but you can try that out for yourself. What I recommend is, take the learning from this blog and hunt for good.
Here we go….
I was looking for such websites where I could try my skills and found out that website. Let’s call that as example.com. Since it was a website selling some first-copy shoes, I tried what came to my mind first, Price Tampering or Parameter Tampering. I selected any random product and captured the request in my Burp.
So, I have selected a product for demonstration.
Now click on ‘ADD TO CART’. Make sure your Burp Interceptor is on. Look for the price 97.99 in the captured requests. And here we have it.
You can enter any price you want, but obviously a person will go for purchasing the product for absolutely free. So, we will modify the price parameter and we’ll enter 00.00.
Now you can forward all the requests.
So, what we have done is, we have modified the price tag and this has made the change in the server.
AND, we have successfully changed the price!
Some websites use analytics services. When you will be searching for the price in the requests, you will notice that these values are coming in the analytics requests and changing the price in those requests will not change the actual price. Reason being simple, those requests are not going to the target server.
How to keep your website secure from this?
Do not trust the value from these parameters because these can be manipulated by the users. Do a server-side validation.
If I have done some mistakes in this blog or you want to add something to this, you can reach out to me on Twitter @MayankHacks.
