Bug Bounty — Advanced Manual Penetration Testing Leading to Price Manipulation Vulnerability

INTRODUCTION

Hello guys, I hope you all are doing good during this Pandemic. A little introduction about me, My name is Talat Mehmood and I’m an active bounty hunter, Freelancer and Penetration tester since 2017.

This is one of my favorite vulnerabilities that I’ve identified throughout my career in Information Security as Penetration Tester so I thought I should write an article about it to help the community.

“Price manipulation is a type of Parameter tampering vulnerability where an attack can change the price of a placed order. This vulnerability is common in eCommerce websites”

What made this vulnerability so special is that I had to crack the Hash key or Anti Parameter Tampering Token first to execute my attack. So here’s what happened.

Let’s just say the application was vulnsite.com
After traversing the application and analyzing every API request, I found an interesting request that had price of my order in it:

Figure 1: Request Vulnerable to Price Manipulation

For 500 points, I could buy a card of value $100.
I’d change any of these values and report this vulnerability. Simple, right? That’s what I thought, but when I tried tweaking the parameters, server responded with “Invalid Request” :|

I realized it was this “secret_key” that was acting as Anti parameter tampering token which I had to crack first. Since it is generated from browser, there must be a js code that generates it. So I started searching it in all included js files. After hours of searching I finally found the js file and the naughty js function that generated this token.

Figure 2: JS code to generate token

From the above function, I identified that token is generated in 3 steps,
1. Request body is converted into string using JSON Stringify function.
2. The string is then converted into SHA256 Hash.
3. The hash is encoded via Base64 encoding.

At this point, I was able to generate my own token and The server was responding correctly to it. YAY :D

But now after manipulating the card value (i.e. 500 points for $200 card value), server responded with Response Code: 422 (Unprocessable Entity).

Without losing hope, I found another interesting parameter in the request “current_exchange_rate=1”. Since the original ratio was 500 pt to $100 value, I changed current_exchange_rate from 1 to 0.5 and card value from $100 to $200. and BINGO!! I successfully, manipulated the price of card !! xD

CONCLUSION:

1. Always tweak with all the parameters in the request.
2. If a token is generated on client-side, you can always try to crack it.
3. Determination is the key! Never give up too early.