Securing Online Payments: Fatora Vulnerability PoCs

Parth Narula, founder of @ScriptJacker and security researcher, successfully secured Fatora online payments (فاتورة) and was listed in their Hall of Fame. The disclosed vulnerabilities highlight critical security flaws in payment systems.

Vulnerability PoCs: https://lnkd.in/gwvPV3-M

You Should Know:

1. Testing Payment Gateways for Vulnerabilities

Payment systems are high-value targets. Test for:

  • Insecure Direct Object References (IDOR)
  • Broken Authentication
  • SQL Injection
  • Cross-Site Request Forgery (CSRF)

Example Commands:

# Check for SQLi using sqlmap
sqlmap -u "https://target.com/payment?id=1" --risk=3 --level=5

# Test for CSRF with curl
curl -X POST -d "amount=1000&account=attacker" https://target.com/transfer --cookie "session=LEGIT_SESSION"

2. Analyzing API Security in Payment Systems

Many payment platforms rely on APIs. Use Burp Suite or Postman to intercept and manipulate requests.

Example:

# Intercept the API request with Burp and modify the JSON body
{
  "amount": "1000",
  "recipient": "attacker_account",
  "token": "BYPASS_ME"
}

3. Bypassing Payment Validation

Test if client-side checks can be bypassed:

// Tamper with JavaScript validation in DevTools
document.getElementById("price").value = "0.01";

4. Hall of Fame Recon

Companies with Hall of Fame pages often have recurring flaws. Use:

# Pull historical URLs from the Wayback Machine and filter for payment/API endpoints
waybackurls target.com | grep -E "payment|api|v1"

What Undercode Says:

Securing payment systems requires thorough testing of APIs, business logic flaws, and client-side manipulations. Tools like Burp Suite, sqlmap, and OWASP ZAP are essential. Always test for:
– Parameter tampering (?price=0)
– JWT/Token manipulation
– Race conditions in transaction processing

Linux Command for Log Analysis:

grep "POST /payment" /var/log/nginx/access.log | awk '{print $1, $7}' 
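Taking the grep/awk one-liner above a step further, this added example (not from the original post) parses constructed nginx access-log lines for POST /payment requests and flags the two patterns listed above: client-supplied price tampering (?price=0) and bursts that look like race-condition probing. MIN_PRICE and BURST_LIMIT are assumed thresholds; the log lines are sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed nginx "combined" access-log sample (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:12:00:01 +0000] "POST /payment?id=42&price=49.99 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:12:00:02 +0000] "POST /payment?id=42&price=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2025:12:00:05 +0000] "POST /payment?id=17&price=0.01 HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.9 - - [10/May/2025:12:00:05 +0000] "POST /payment?id=17&price=19.00 HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.9 - - [10/May/2025:12:00:05 +0000] "POST /payment?id=17&price=19.00 HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.3 - - [10/May/2025:12:00:09 +0000] "GET /payment?id=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
MIN_PRICE = 1.00   # assumed lowest legitimate price for any product
BURST_LIMIT = 2    # assumed max POST /payment per client per second

def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = rec["path"].partition("?")
    rec["path"] = path
    rec["params"] = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    return rec

def detect(log_text):
    """Return (ip, reason) findings for suspicious POST /payment requests."""
    findings = []
    per_second = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != "/payment":
            continue
        # Parameter tampering: price below the legitimate floor, or not a number
        price = rec["params"].get("price")
        try:
            if price is not None and float(price) < MIN_PRICE:
                findings.append((rec["ip"], f"price tampering: price={price}"))
        except ValueError:
            findings.append((rec["ip"], f"malformed price: price={price}"))
        # Race-condition probing: burst of POSTs from one client within one second
        key = (rec["ip"], rec["ts"])
        per_second[key] += 1
        if per_second[key] == BURST_LIMIT + 1:
            findings.append((rec["ip"], f"burst: >{BURST_LIMIT} POST /payment in 1s"))
    return findings
```

Run it as `python3 detect.py` after adding `print(detect(open("/var/log/nginx/access.log").read()))`; the GET line is ignored because only POSTs to /payment are inspected.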

Windows Command for Network Monitoring:

Get-NetTCPConnection -State Established | Where-Object {$_.RemotePort -eq 443} 

Expected Output:

A secure payment system with no IDOR, CSRF, or SQLi vulnerabilities, ensuring safe transactions.

For more security research, follow Parth Narula’s work on ScriptJacker.

References:

Reported By: Parth Narula – Hackers Feeds