Bug Bounty — Advanced Manual Penetration Testing Leading to Price Manipulation Vulnerability

INTRODUCTION

This is one of my favorite vulnerabilities that I have identified throughout my career in Information Security as a Penetration Tester, so I thought I should write an article about it to help the community.

“Price manipulation is a type of parameter tampering vulnerability where an attacker can change the price of a placed order. This vulnerability is common in eCommerce websites.”

What made this vulnerability special is that I first had to crack the hash key, the anti-parameter-tampering token, before I could execute my attack. Here is what happened.

Let’s just say the application was vulnsite.com.
After traversing the application and analyzing every API request, I found an interesting request that carried the price of my order in it:

Figure 1: Request Vulnerable to Price Manipulation

For 500 points, I could buy a card of value $100.
I would just change any of these values and report the vulnerability. Simple, right? That is what I thought, but when I tried tweaking the parameters, the server responded with “Invalid Request”.

I realized that the “secret_key” parameter was acting as the anti-parameter-tampering token, and that I had to crack it first. Since it is generated in the browser, there must be JavaScript code that produces it, so I started searching for it in every included JS file. After hours of searching I finally found the file and the naughty JS function that generated the token.

Figure 2: JS code to generate token

From the above function, I identified that token is generated in 3 steps,
1. Request body is converted into string using JSON Stringify function.
2. The string is then converted into SHA256 Hash.
3. The hash is encoded via Base64 encoding.

At this point I was able to generate my own token for any request body, and the server accepted it. YAY :D

But when I then manipulated the card value (500 points for a $200 card) with a freshly generated token, the server responded with Response Code: 422 (Unprocessable Entity). The token was fine; a separate server-side check on the values was rejecting the order.

Without losing hope, I looked at the remaining parameters and found another interesting one: “current_exchange_rate=1”. Since the original ratio was 500 points to $100 of value, I changed current_exchange_rate from 1 to 0.5 and the card value from $100 to $200, regenerated the token, and BINGO!! The order went through and I had successfully manipulated the price of the card !! xD

CONCLUSION:

  1. If a token is generated on the client side, you can always try to crack it. The browser has both the code and the inputs, so an unkeyed hash like this one proves nothing to the server; a real anti-tampering token needs a server-held key (an HMAC), and the price should be recomputed from server-side data rather than trusted from the request at all.
  2. Determination is the key! Never give up too early; when one check rejects a change, look for the other parameters that feed the same calculation.

Ethical Hacker | Bug Bounty Hunter | Freelancer
