Buy Anything for $0 by Easy Parameter Tampering

How I hacked into Sri Lanka's most used e-commerce web site

Vinu Perera
2 min read · Nov 2, 2020

This article is primarily meant to raise awareness and educate about parameter tampering issues in e-commerce web applications. The owners of the application used in this article are aware of this issue, but I don't think they have fixed it yet (so I'm not mentioning the name of the site).

Parameter tampering can be done easily with or without the help of secondary tools. Look up more detailed information about this vulnerability on the OWASP Attacks page.

Let's take a look at how this can be applied to real applications. Using only Burp Suite and tampering with the most important variable, 'AMOUNT', you can buy products for almost nothing.

Go to the application, pick the items you're interested in buying, and proceed to the payment page. Intercept the last payment request before it goes to the payment gateway, and change the value of Amount to $0.

Figure: Burp intercept

Forward the request once it is changed; you can immediately notice the amount change at the UI level.

The basket will still show the original amount, but the order total has been changed to $0.01.

Once this is shown, the amount you will be charged is the changed value, since the backend of the application does not verify the price.

Figure: PayPal

The most important part of an e-commerce application is where you charge the customers. A simple, basic parameter tampering issue like this needs to be fixed as soon as it is reported instead of being pushed back.
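As an added example (not code from the post or the site it describes), here is the vulnerable pattern the post shows beside a hardened version in Python: the server recomputes the order total from its own trusted catalog and refuses a client-supplied AMOUNT that disagrees, logging the mismatch as an abuse signal. The catalog, SKUs and prices are constructed for the example.

```python
from decimal import Decimal

# Constructed server-side catalog of trusted prices (assumption: in a real
# shop this is read from the database, never from the HTTP request).
CATALOG = {
    "SKU-100": Decimal("1200.00"),
    "SKU-200": Decimal("349.50"),
}


class TamperedAmount(Exception):
    """Raised when the client-supplied amount does not match the server total."""


def server_total(basket):
    """Recompute the order total from trusted catalog prices only.

    basket maps SKU -> quantity, exactly as stored in the server-side session.
    """
    total = Decimal("0")
    for sku, qty in basket.items():
        if sku not in CATALOG or qty <= 0:
            raise ValueError(f"invalid basket line: {sku} x {qty}")
        total += CATALOG[sku] * qty
    return total.quantize(Decimal("0.01"))


def vulnerable_payment_request(basket, client_amount):
    """The pattern from the post: trust whatever AMOUNT the browser sent."""
    return {"amount": Decimal(client_amount), "items": dict(basket)}


def hardened_payment_request(basket, client_amount):
    """Price from the server total; treat the client's amount as a check only."""
    expected = server_total(basket)
    sent = Decimal(client_amount).quantize(Decimal("0.01"))
    if sent != expected:
        # A mismatch here means the request was modified in transit (e.g. via a
        # proxy). Reject it and surface the event for monitoring.
        raise TamperedAmount(f"client sent {sent}, server computed {expected}")
    return {"amount": expected, "items": dict(basket)}
```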
