Price / Checkout Manipulation Methods
Last updated
Last updated
Test cards are valid card credentials and function as fake credit cards that don't incur any charges; that's why they should only be accepted in development environments.
However, it may be possible that these are still accepted in production
• If the product price parameter cannot be changed, change the quantity of products:
• items[1][quantity]= 1 –> 234 EUR
• items[1][quantity]= 0.1 –> 23.4 EUR
• Congratulations, you bought the order for 10% of the price!
Try to add an item to your basket with:
A negative quantity
A decimal quantity
And a quantity set to 0
Observe any changes to the final order price
Add 2 products to the basket – let’s consider a single product is $40
If the request is processed in this way: {“items”:{“laptop”:1,”mobile”:1}}
Change the JSON body to: {“items”:{“laptop”:4,”mobile”:-2}}
The cost will become $20 for 2 items: 4 * $40 – 2 * $70 = $160 – $140 = $20
Select any item to purchase
Select PayPal as a payment method, intercept all the requests
Until you got a parameter called ‘amount’ from PayPal
Manipulate with the price and change it to 0.01$
Pay, and wait for the confirmation
Redeem the same coupon multiple times
If you have multiple coupon, try COUPON1 COUPON2 COUPON1 COUPON2 etc.
Seasonal coupons (such as limited promotions, Black Fridays, etc.) are all temporary coupons. Even in this scenario, if no validation is performed on the coupon, you should be able to use coupons and discounts that were issued a few months or even years ago.
Inspect the request before payment finalization and see if you can alter the currency
The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.
