Price / Checkout Manipulation Methods
Ecommerce website exploitation
Credit Cards
Testing Credit Cards
Test cards are valid card credentials that function as fake credit cards and do not incur any charges; that is why they should only be accepted in development environments.
However, it is possible that they are still accepted in production.
Price Tampering

Quantity Tampering
• If the product price parameter cannot be changed, change the quantity of products:
• items[1][quantity]=1 -> 234 EUR
• items[1][quantity]=0.1 -> 23.4 EUR
• Congratulations, you bought the order for 10% of the price!
Try to add an item to your basket with:
• A negative quantity
• A decimal quantity
• A quantity set to 0
Observe any changes to the final order price.


Method 2
Add 2 products to the basket. Suppose the laptop costs $40 and the mobile $70 (the prices used in the calculation below).
If the request is processed in this way:
{"items":{"laptop":1,"mobile":1}}
Change the JSON body to:
{"items":{"laptop":4,"mobile":-2}}
The cost becomes $20 for 2 items: 4 * $40 - 2 * $70 = $160 - $140 = $20
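The quantity checks above (negative, decimal, zero) and the Method 2 arithmetic both come down to the same server-side defect: the total is computed by multiplying whatever quantity the client sent. The following Python is an added example, not code from this page. It puts the naive pricing routine that yields the $20 total next to a hardened version that accepts only positive integers within a limit, recomputes the total from a server-side catalog, and ignores any price field the client might send. The catalog prices ($40 and $70, from the text), the per-line limit and the request shape are constructed for the example.

```python
import json
from decimal import Decimal
from typing import Any, Dict

# Constructed server-side catalog. Prices follow the page's worked example
# (laptop $40, mobile $70); the client sends only a SKU and a quantity, never a price.
CATALOG: Dict[str, Decimal] = {
    "laptop": Decimal("40.00"),
    "mobile": Decimal("70.00"),
}
MAX_QTY_PER_LINE = 100  # hypothetical business limit per line item


def price_cart_naive(items: Dict[str, Any]) -> Decimal:
    """Vulnerable version: multiplies whatever quantity the client sent.
    Negative or fractional quantities flow straight into the total."""
    total = Decimal("0")
    for sku, qty in items.items():
        total += CATALOG[sku] * Decimal(str(qty))
    return total


def validate_quantity(raw: Any) -> int:
    """Accept only a true positive integer within the business limit.
    bool is a subclass of int in Python, so it is excluded explicitly;
    strings such as "1" and floats such as 0.1 are rejected, not coerced."""
    if isinstance(raw, bool) or not isinstance(raw, int):
        raise ValueError(f"quantity must be an integer, got {raw!r}")
    if raw < 1:
        raise ValueError(f"quantity must be at least 1, got {raw}")
    if raw > MAX_QTY_PER_LINE:
        raise ValueError(f"quantity {raw} exceeds limit {MAX_QTY_PER_LINE}")
    return raw


def price_cart(body: str) -> Dict[str, Any]:
    """Hardened version: parse the request body, validate every line, and
    recompute the total from the server-side catalog.
    Returns {"ok": True, "total": "..."} or {"ok": False, "error": "..."}."""
    try:
        payload = json.loads(body)
        items = payload["items"]
        if not isinstance(items, dict) or not items:
            raise ValueError("cart must be a non-empty object of sku -> quantity")
        total = Decimal("0.00")
        for sku, raw_qty in items.items():
            if sku not in CATALOG:
                raise ValueError(f"unknown sku {sku!r}")
            total += CATALOG[sku] * validate_quantity(raw_qty)
    except (ValueError, KeyError, TypeError) as exc:
        # Log the rejected body server-side: repeated rejections for negative,
        # zero or fractional quantities are a useful tampering signal.
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "total": f"{total:.2f}"}


if __name__ == "__main__":
    tampered = '{"items":{"laptop":4,"mobile":-2}}'
    print("naive total:", price_cart_naive(json.loads(tampered)["items"]))  # 20.00
    print("hardened:", price_cart(tampered))
    print("hardened:", price_cart('{"items":{"laptop":1,"mobile":1}}'))
```

The important design choice is that the hardened path never reads a price from the request at all, so there is nothing to tamper with; the quantity validation then closes the negative, zero and decimal cases in one place. Rejections are returned as structured errors so they can be logged and counted, which is how this kind of probing shows up in monitoring.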


Method 3
Select any item to purchase.
Select PayPal as the payment method and intercept all requests
until you see a parameter called 'amount' sent to PayPal.
Change the amount to $0.01.
Pay, and wait for the confirmation.
Coupons
Fuzzing
Most Common Coupon Codes
Race Conditions
Redeem the same coupon multiple times.

If you have multiple coupons, try applying them alternately: COUPON1, COUPON2, COUPON1, COUPON2, etc.

Lack of expiration
Seasonal coupons (limited promotions, Black Friday sales, etc.) are all temporary coupons. Even so, if the coupon's validity is not checked, you should be able to use coupons and discounts that were issued months or even years ago.
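Both coupon issues above, redeeming one code several times concurrently and accepting a code past its date, stem from the redemption check being done without a lock and without an expiry test. The Python below is an added example, not code from this page: it shows a check-then-act redemption that lets every parallel request through, beside a version that enforces expiry and performs the check and the increment as one atomic step, plus a small cart-level check that rejects the COUPON1 COUPON2 COUPON1 pattern. The coupon table, the dates and the thread barrier (used only to make the race deterministic in the demo) are constructed for the example.

```python
import threading
from datetime import date
from typing import Callable, Dict, List, Optional


def make_coupons() -> Dict[str, dict]:
    """Constructed coupon table: code -> expiry, allowed redemptions, redemptions so far."""
    return {
        "SPRING10": {"expires": date(2024, 3, 31), "max_uses": 1, "used": 0},
        "BLACKFRIDAY": {"expires": date(2023, 11, 27), "max_uses": 1, "used": 0},
    }


class CouponStore:
    def __init__(self, coupons: Dict[str, dict]) -> None:
        self._coupons = coupons
        self._lock = threading.Lock()

    def redeem_naive(self, code: str, race_point: Callable[[], object] = lambda: None) -> bool:
        """Vulnerable: check-then-act with no lock and no expiry check.
        race_point is a demo hook that lets every thread pass the check
        before any of them increments the counter; in production the same
        window exists between the SELECT and the UPDATE."""
        coupon = self._coupons.get(code)
        if coupon is None or coupon["used"] >= coupon["max_uses"]:
            return False
        race_point()
        coupon["used"] += 1
        return True

    def redeem(self, code: str, today: date) -> bool:
        """Hardened: expiry is enforced, and the usage check and the increment
        happen as one atomic step under the lock (a row lock or a conditional
        UPDATE ... WHERE used < max_uses in a real database)."""
        with self._lock:
            coupon = self._coupons.get(code)
            if coupon is None or today > coupon["expires"]:
                return False
            if coupon["used"] >= coupon["max_uses"]:
                return False
            coupon["used"] += 1
            return True


def concurrent_redeem(method: Callable[..., bool], code: str, n: int, **kwargs) -> int:
    """Fire n redemptions of one code in parallel threads and count the successes."""
    results: List[bool] = []
    results_lock = threading.Lock()

    def worker() -> None:
        ok = method(code, **kwargs)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def demo_naive(n: int = 5) -> int:
    """Single-use coupon redeemed n times at once against the vulnerable path."""
    store = CouponStore(make_coupons())
    barrier = threading.Barrier(n)  # forces the worst-case interleaving deterministically
    return concurrent_redeem(store.redeem_naive, "SPRING10", n, race_point=barrier.wait)


def demo_hardened(n: int = 5) -> int:
    """The same burst against the locked, expiry-aware path."""
    store = CouponStore(make_coupons())
    return concurrent_redeem(store.redeem, "SPRING10", n, today=date(2024, 3, 1))


def normalize_cart_coupons(codes: List[str], max_per_order: int = 2) -> Optional[List[str]]:
    """Reject a cart that lists the same code twice (COUPON1 COUPON2 COUPON1 ...)
    and cap how many distinct coupons one order may carry. Returns None on rejection."""
    seen: List[str] = []
    for code in codes:
        key = code.strip().upper()
        if key in seen:
            return None
        seen.append(key)
    if len(seen) > max_per_order:
        return None
    return seen


if __name__ == "__main__":
    print("naive successes for a single-use coupon:", demo_naive())        # 5
    print("hardened successes for a single-use coupon:", demo_hardened())  # 1
    store = CouponStore(make_coupons())
    print("expired BLACKFRIDAY accepted?", store.redeem("BLACKFRIDAY", date(2024, 6, 1)))  # False
```

In a real deployment the in-process lock becomes a database-level guarantee (a conditional update whose affected-row count decides success), since web workers run in separate processes. A coupon whose redemption count exceeds its maximum in the database is itself a detection signal worth alerting on, because it can only arise from exactly this race.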
Currency Confusion
Inspect the request before payment finalization and see if you can alter the currency.
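Method 3 above (a tampered 'amount' on the way to PayPal) and the currency confusion check both succeed only when the shop trusts the payment parameters it sent out, or the client's redirect back, instead of what the provider actually settled. The Python below is an added example, not code from this page and not any provider's real API: it shows the settlement check a backend should run on the capture record it fetched server-to-server, comparing amount and currency against the order total it stored at checkout and refusing to process the same order twice. The order record and the capture field names are constructed assumptions for the example.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Dict, Tuple


@dataclass
class Order:
    order_id: str
    total: Decimal      # computed server-side at checkout, never taken from the client
    currency: str       # fixed at checkout (ISO 4217 code)
    status: str = "pending"


def make_order(order_id: str, total: str, currency: str) -> Order:
    """Constructed order record, as it would be persisted before redirecting to the provider."""
    return Order(order_id, Decimal(total), currency)


def verify_capture(order: Order, capture: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a payment capture settles `order`.

    `capture` is the record the shop's backend fetched from the payment
    provider's API (server to server) for the payment ID named in the
    return URL or webhook. The field names are assumptions for this example,
    not any provider's real schema. The client's redirect back to the shop
    is only a trigger; nothing carried in it is trusted."""
    if order.status != "pending":
        return False, "order not pending"               # duplicate or replayed notification
    if capture.get("status") != "COMPLETED":
        return False, "capture not completed"
    if capture.get("order_ref") != order.order_id:
        return False, "capture belongs to a different order"
    if capture.get("currency") != order.currency:
        return False, "currency mismatch"               # same digits in a cheaper currency
    try:
        paid = Decimal(capture.get("amount", ""))
    except InvalidOperation:
        return False, "unparseable amount"
    if paid != order.total:
        # Worth alerting on: a tampered 'amount' parameter lands here.
        return False, f"amount mismatch: expected {order.total} {order.currency}, got {paid}"
    order.status = "paid"
    return True, "accepted"


if __name__ == "__main__":
    order = make_order("ord-1001", "49.99", "EUR")
    # Constructed capture reflecting an 'amount' tampered down to 0.01 before payment.
    tampered = {"status": "COMPLETED", "order_ref": "ord-1001", "currency": "EUR", "amount": "0.01"}
    print(verify_capture(order, tampered))  # (False, 'amount mismatch: expected 49.99 EUR, got 0.01')
    genuine = dict(tampered, amount="49.99")
    print(verify_capture(order, genuine))   # (True, 'accepted')
```

Two details matter in practice: amounts are compared as exact decimals, never floats, and currency is compared as a separate field rather than assumed, since a capture of 49.99 in a cheaper currency passes a digits-only comparison. The status transition also makes the check idempotent, so a replayed confirmation cannot release a second shipment.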

Interesting Books
The Web Application Hacker's Handbook. The go-to manual for web app pentesters; covers XSS, SQLi, logic flaws, and more.
Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities. Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them.
Real-World Bug Hunting: A Field Guide to Web Hacking. Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.