How I Found Price Manipulation Twice (Detailed Write-Up & Approach)

Listen to this Post

This article delves into two cases of price manipulation discovered by a bug bounty hunter. The first case involves buying items for free by exploiting a cart quantity vulnerability, while the second case focuses on bypassing shipping fees by manipulating the system logic.

Case One: Buying Items for Free (Easy Catch)

The application allowed users to add items to the cart, adjust quantities, and proceed to checkout. The vulnerability was found in the cart quantity parameter.

Steps to Exploit:

1. Intercept Requests:

Use a proxy tool like Burp Suite to intercept requests related to cart modifications. Focus on the `quantity` parameter.

2. Test Invalid Values:

Test invalid values such as null, 0, -1, and 0.1. These attempts may fail, but they help identify how the system handles unexpected inputs.

3. Send Multiple Quantity Fields:

Send multiple `quantity` fields in the request:

{
"quantity": 1,
"quantity": 1,
"cartItem": 1234
}

4. Attempt Integer Overflow:

Test with an extremely large number:

{
"quantity": 9223372036854775808,
"cartItem": 1234
}

5. Discover the Vulnerability:

While reviewing proxy history, notice a `PUT` request with a different parameter:

{
"qty": 0.1,
"itemID": 1234
}

Setting `qty` to `0.1` resulted in the price being set to 0, allowing the purchase of items for free.

Case Two: Abusing Promo Codes for Free Shipping

The application offered free shipping to Japan but charged users from other countries. The vulnerability allowed users to bypass shipping fees.

Steps to Exploit:

1. Set Shipping Address to Japan:

Set the default shipping address to Japan to trigger free shipping.

2. Manipulate Address on Checkout:

Open multiple tabs:

  • Tab 1: Set the default address to the US.
  • Tab 2: Set the default address to Japan.
  • Tab 3: Refresh the payment page to see the shipping fee removed while the address remains set to the US.

You Should Know: