Critical Price Manipulation Vulnerability in Thanthi ePaper Website


A critical price manipulation vulnerability was discovered on the Thanthi ePaper (epaper.dailythanthi.com) website, allowing unauthorized access to paid content by modifying client-side parameters. Attackers can alter subscription prices using tools like Burp Suite, bypassing payment validation and gaining premium access at a fraction of the actual cost.

Vulnerability Details:

  • Type: Price Manipulation via Client-Side Parameter Tampering
  • Impact: Unauthorized access to paid content, leading to significant revenue loss for the company.
  • Example: A ₹100 subscription could be manipulated to ₹10 or even ₹1.

You Should Know:

How Attackers Exploit Price Manipulation:

1. Intercepting Requests with Burp Suite:

  • Configure browser proxy settings to route traffic through Burp Suite.
  • Capture the payment request when a user attempts to subscribe.
  • Modify the price parameter (e.g., `"price":100` → `"price":1`).

2. Bypassing Client-Side Validation:

  • Many websites rely on frontend validation, which can be bypassed by altering HTTP requests.
  • Always enforce server-side validation for transactions.

3. Exploiting Weak API Security:

  • If the API does not verify price consistency, attackers can manipulate JSON/XML payloads.

Mitigation Steps for Developers:

  • Server-Side Price Validation:
    Django example (the price the client submits is compared against the price the server looks up itself):

    from decimal import Decimal, InvalidOperation
    from django.core.exceptions import ValidationError

    def validate_payment(request):
        # Price claimed by the client; never trusted on its own.
        submitted_price = request.POST.get('price')
        # Authoritative price looked up server-side for the requested service
        # (get_actual_price is the application's own lookup).
        actual_price = get_actual_price(request.service)
        try:
            # Decimal avoids float rounding surprises when comparing money values.
            if Decimal(submitted_price) != Decimal(actual_price):
                raise ValidationError("Price manipulation detected!")
        except (InvalidOperation, TypeError):
            raise ValidationError("Invalid price value")

  • Secure API Endpoints:
    Use JWT or HMAC for request integrity:

    curl -X POST https://api.epaper.com/subscribe \
      -H "Authorization: Bearer <JWT_TOKEN>" \
      -H "X-HMAC-Signature: <SIGNED_PAYLOAD>" \
      -d '{"price":100, "user_id":"123"}'

  • Logging & Monitoring Suspicious Activity:
    Linux command to monitor HTTP logs for payment requests:

    # The default access log records the request line, not the POST body, so this
    # shows who is hitting the endpoint; log validation failures from the application
    # to see the submitted price itself.
    tail -f /var/log/nginx/access.log | grep "POST /payment"
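Putting the three mitigations together in one request handler, as an added example that is not code from the original post or from the site it describes: the server builds and signs the payment payload itself (an assumed design in which the HMAC key stays server-side, since the post does not say who holds it), verifies the signature when the client submits it, re-checks the price against a constructed plan catalogue, and logs any mismatch. PLAN_PRICES, QUOTE_KEY, issue_quote and authorize_subscription are all hypothetical names.

```python
import hashlib
import hmac
import json
import logging
from decimal import Decimal, InvalidOperation

log = logging.getLogger("payments")

# Constructed sample catalogue: the server-side source of truth for subscription prices.
PLAN_PRICES = {"monthly": Decimal("100"), "annual": Decimal("999")}
# Placeholder key; in production load it from a secrets store. It never leaves the server.
QUOTE_KEY = b"placeholder-server-side-key"


def issue_quote(user_id, plan, key=QUOTE_KEY):
    """Server builds the payment payload itself and signs it, so the client cannot edit the price."""
    payload = json.dumps({"price": str(PLAN_PRICES[plan]), "plan": plan, "user_id": user_id},
                         sort_keys=True).encode()
    return payload, hmac.new(key, payload, hashlib.sha256).hexdigest()


def authorize_subscription(raw_body, signature, key=QUOTE_KEY):
    """Validate a subscribe request carrying the quoted payload and its X-HMAC-Signature."""
    # 1. Integrity: the signature must match what the server issued (constant-time compare).
    expected = hmac.new(key, raw_body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        log.warning("subscribe rejected: payload altered after quoting")
        return {"ok": False, "reason": "bad_signature"}
    try:
        body = json.loads(raw_body)
        plan, submitted = body["plan"], Decimal(str(body["price"]))
    except (ValueError, KeyError, TypeError, InvalidOperation):
        return {"ok": False, "reason": "malformed"}
    # 2. Defence in depth: re-check the price against the catalogue even after a valid
    #    signature (catches stale quotes and any key mishandling).
    actual = PLAN_PRICES.get(plan)
    if actual is None or submitted != actual:
        log.warning("price mismatch user=%s plan=%s submitted=%s actual=%s",
                    body.get("user_id"), plan, submitted, actual)
        return {"ok": False, "reason": "price_mismatch"}
    # 3. Charge the catalogue price, never the value the client sent.
    return {"ok": True, "reason": None, "charged": actual}
```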

What Undercode Says:

This vulnerability highlights the dangers of trusting client-side inputs. Enterprises must enforce server-side checks, sign API requests, and monitor abnormal transactions.

Additional Security Commands & Tools:

  • Burp Suite Alternative (CLI):
    mitmproxy --mode transparent --showhost

  • Check for Open Vulnerabilities:
    nmap -sV --script=http-vuln epaper.dailythanthi.com

  • Prevent Parameter Tampering with WAF Rules (ModSecurity):
    # Tampering lowers the price, so the rule must fire on values below the real one;
    # phase:2 is needed so the POST body has been parsed. A fixed threshold is only a
    # coarse backstop: the exact comparison belongs in the application.
    SecRule ARGS:price "@lt 100" "id:1001,phase:2,deny,msg:'Price tampering detected'"

Expected Output:

A secure payment system that logs and blocks unauthorized price modifications, ensuring only validated transactions proceed.

Reported By: Suryacode I – Hackers Feeds